I use the webform report module to generate a report with sensitive information (emails, phone#, etc.). It acts like a node and is linked to a Content Type.
The view option for Anonymous users is not selected (see attached), but it isn't honored and visitors are still able to view the report.
The Webform permissions are also attached and it seems the main permissions are taking precedence over the module's permissions...?

Can someone shed some light on why it's not working as it's supposed to?

Comment | File | Size | Author
#19 | webform_report.zip | 2.99 KB | Vako
#13 | Drupal 7.png | 94.09 KB | vanapandi
- | roles.jpg | 55.73 KB | Vako
- | Wreport.jpg | 27.79 KB | Vako

Comments

good_man’s picture

I've tried the same settings you have, and it's working fine for me. Did you rebuild your permissions after enabling content access from admin/content/node-settings/rebuild ?

Vako’s picture

Yes I have rebuilt permissions.
Here are the steps:
- Create a webform report (not just a webform)
- In Access Control, make it not viewable by Anonymous users
- In user permissions for webform_report module, keep access webform reports checked (because other reports need to be accessible by Anonymous users, only some reports will not be accessible, controlled by the Content Access module)

I've tried the above procedure on 2 domains using different themes and both behaved the same.

In summary: the user permissions are taking priority over Access Control settings.

good_man’s picture

Status: Active » Needs work

Yes, confirmed: webform is fine with content access, whereas webform report does not play well with content access.

If you have further info or a patch it'll make the fix faster.

good_man’s picture

Project: Content Access » Webform Report
Status: Needs work » Active

Since webform report uses access hooks, there is no way content access can change its permissions. I'm moving this to webform reports; if they would like, I can provide a patch so they include it in the next version?

good_man’s picture

related #1145984: API Documentaion in order to use the API in webform report.

Vako’s picture

Thank you very much for the detailed reply and feedback. I will follow-up with Webform report and hopefully we can find a solution.

Vako’s picture

Webform report being an important add-on to the Webform module, I am surprised that this issue has not come to attention.
Surely people create reports that have confidential information, how can you make it viewable to only authenticated users? At the moment any report is open for everyone to see.
I hope we can solve this issue soon. Please see good_man's suggestion on post#4.

Thanks!

konieczny’s picture

This is a very important feature to be included.
I believe it's not only an issue with the Content Access module (or should I say an incompatibility of Webform Reports with Content Access), but also with other access control modules. I would guess it's a not-so-correct (not in line with Drupal "standards") implementation of access control in the Webform Reports module.

Your help would be greatly appreciated.

Vako’s picture

Not sure why this issue hasn't surfaced with others. It's a high-priority and a security issue.
I hope Jim will dedicate some time to find a solution for this. Maybe good_man's suggestion in post#4 above will make it faster for Jim to fix it.

jlea9378’s picture

I would really like permissions fixed also.

math-hew’s picture

Same here, this has become a problem for me. I'm using TAC for access control.

Tesira’s picture

I have the same problem. The permissions don't work with content access.

vanapandi’s picture

Title: Permissions don't work for Webform Reports » WEb Form Report
Version: 6.x-1.x-dev » 7.x-1.x-dev
FileSize
94.09 KB

I want to hide the Edit Link columns from normal users. How can I do that with Drupal 7?

Vako’s picture

Title: WEb Form Report » Permissions don't work for Webform Reports
Version: 7.x-1.x-dev » 6.x-2.x-dev

Not sure why you changed the title of this post. Your issue might not be related to this one, consider creating a new issue please.

Vako’s picture

Priority: Major » Critical

This issue should be considered critical due to its security implications. I have tried several permission modules to put a lock on the Webform Report being viewed by anonymous users; still, it has a mind of its own and all reports are open to all. That's not acceptable, since we might have confidential information on them.
Can someone help please!!! There must be an easy way to keep those reports role-based.

raul.vadillo’s picture

Version: 6.x-2.x-dev » 7.x-1.0

In the 7.x-1.0 version, the Webform module ignores any access control module such as "Content Access", "Nodeaccess" or "Node Privacy Byrole" because it is implementing its own node_access hook.

I found the solution by deleting the webform_report_node_access function in webform_report.module.

I suppose this can resolve the issue in the 6 version too.
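
The precedence described in the post above, as an added example that is not part of the thread and not code from webform_report.module: a simplified, standalone PHP model of the order in which Drupal 7's node_access() weighs hook_node_access() results against node grants for 'view'. The two hook bodies, the `webform_report` type name and all function names are assumptions; the bypass and unpublished-node branches of core are left out.

```php
<?php
// Added illustration, not code from webform_report.module.
// Simplified model of Drupal 7's node_access() decision order for 'view'.
define('NODE_ACCESS_ALLOW', 'allow');
define('NODE_ACCESS_DENY', 'deny');
define('NODE_ACCESS_IGNORE', NULL);

// Assumed shape of a hook that decides 'view' from the global permission alone.
function report_hook_global($node, $op, array $perms) {
  if ($node['type'] === 'webform_report' && $op === 'view') {
    return in_array('access webform reports', $perms, TRUE)
      ? NODE_ACCESS_ALLOW : NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}

// Variant that can only restrict: it never returns ALLOW, so grants still apply.
function report_hook_deferring($node, $op, array $perms) {
  if ($node['type'] === 'webform_report' && $op === 'view'
      && !in_array('access webform reports', $perms, TRUE)) {
    return NODE_ACCESS_DENY;
  }
  return NODE_ACCESS_IGNORE;
}

// Core order: any DENY wins, then any ALLOW, and only then the grant records
// that modules such as Content Access write to the node_access table.
function model_node_access(array $hook_results, $grant_allows) {
  if (in_array(NODE_ACCESS_DENY, $hook_results, TRUE)) return FALSE;
  if (in_array(NODE_ACCESS_ALLOW, $hook_results, TRUE)) return TRUE;
  return $grant_allows;
}

// Constructed case: anonymous holds the global permission, but the per-node
// Content Access setting gives anonymous no view grant.
$node = array('type' => 'webform_report');
$anon_perms = array('access content', 'access webform reports');
$grant_allows = FALSE;

foreach (array('report_hook_global', 'report_hook_deferring') as $hook) {
  $result = model_node_access(array($hook($node, 'view', $anon_perms)), $grant_allows);
  printf("%-22s anonymous view: %s\n", $hook, $result ? 'allowed' : 'denied');
}
```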

Vako’s picture

Thanks, but wouldn't this disable authenticated access as well?

raul.vadillo’s picture

Vako, it's working fine for me. You can try and test.

Vako’s picture

FileSize
2.99 KB

There is no webform_report_node_access function in the 6.x version. I have the file attached.

raul.vadillo’s picture

Vako, my solution is for Drupal 7. Try editing/deleting the "webform_report_access" function in your Drupal 6.

dexter42’s picture

Issue summary: View changes

I have tried something better - I have renamed 'webform_report_access' to 'webform_report_custom_access', so it is no longer a hook, only a normal PHP function.

Then in 'webform_report_menu', the 'access callback' entries in $items that were originally linked to 'webform_report_access' I have changed to 'webform_report_custom_access'.

Seems to work fine, but I am not sure if it is a 100% solution. This approach was only based on an 'observe, compare and try' approach.

orcrystal’s picture

Thank you dexter42. I made the changes in the script, and 'webform reports' are now managed well by the permissions (configured per report), but the problem remains with the menus, which react to the global permissions of 'webform report', not the permissions per 'webform report'.