Problem/Motivation
Using webform_share to embed a form via the /webform/{webform}/share.js
route, a '403 Forbidden' response is returned when the form page
setting (e.g. Allow users to post submissions from a dedicated URL) is disabled.
Steps to reproduce
- Check 'Form sharing enabled' (from the webform_share submodule)
- Uncheck 'Allow users to post submissions from a dedicated URL'
- Embed the webform on a host page using the JavaScript option (e.g.
<script src="//d9.test/webform/share_test/share.js"></script>
) - The webform will not be embedded on the host page, and developer tools will show a 403 response for the /webform/share_test/share.js URL.
Proposed resolution
Change the _entity_access
route requirement from webform.submission_page
to webform.submission_create
for the entity.webform.share_script
route.
This seems OK because the entity.webform.share_page.javascript
route, which the share script itself embeds for the iframe src, uses webform.submission_create
.
Issue fork webform-3321649
Show commands
Start within a Git clone of the project using the version control instructions.
Or, if you do not have SSH keys set up on git.drupalcode.org:
Comments
Comment #3
jeffamComment #4
jeffamComment #8
jrockowitz CreditAttribution: jrockowitz as a volunteer and at Webform module Open Collective, The Big Blue House commented