Early Bird Registration for DrupalCon Portland 2024 is open! Register by 23:59 PST on 31 March 2024, to get $100 off your ticket.
I use the webform report module to generate a report with sensitive information (emails, phone#, etc.). It acts like a node and is linked to a Content Type.
View options for Anonymous users is not selected (see attached), it doesn't honor it and visitors still are able to view the report.
The Webform permissions are also attached and it seems the main permissions are taking precedence over the module's permissions...?
Can someone shed some light as why it's not working as it's supposed to?
Comment | File | Size | Author |
---|---|---|---|
#19 | webform_report.zip | 2.99 KB | Vako |
#13 | Drupal 7.png | 94.09 KB | vanapandi |
roles.jpg | 55.73 KB | Vako | |
Wreport.jpg | 27.79 KB | Vako |
Comments
Comment #1
good_man CreditAttribution: good_man commentedI've tried the same settings you have, and it's working fine for me. Did you rebuild your permissions after enabling content access from admin/content/node-settings/rebuild ?
Comment #2
Vako CreditAttribution: Vako commentedYes I have rebuilt permissions.
Here are the steps:
- Create a webform report (not just a webform)
- In Access Control, make it not viewable by Anonymous users
- In user permissions for webform_report module, keep access webform reports checked (because other reports need to be accessible by Anonymous users, only some reports will not be accessible, controlled by the Content Access module)
I've tried the above procedure on 2 domains using different themes and both behaved the same.
In summary: the user permissions are taking priority over Access Control settings.
Comment #3
good_man CreditAttribution: good_man commentedYes confirmed, webform is fine with content access, where webform report does not play well with content access.
If you have further info or a patch it'll make the fix faster.
Comment #4
good_man CreditAttribution: good_man commentedSince webform report uses access hooks, there is no way content access can change it's permissions. I'm moving this to webform reports, if they would like I can provide a patch so they include it in the next version?
Comment #5
good_man CreditAttribution: good_man commentedrelated #1145984: API Documentaion in order to use the API in webform report.
Comment #6
Vako CreditAttribution: Vako commentedThank you very much for the detailed reply and feedback. I will follow-up with Webform report and hopefully we can find a solution.
Comment #7
Vako CreditAttribution: Vako commentedWebform report being an important add-on to the Webform module, I am surprised that this issue has not come to attention.
Surely people create reports that have confidential information, how can you make it viewable to only authenticated users? At the moment any report is open for everyone to see.
I hope we can solve this issue soon. Please see good_man's suggestion on post#4.
Thanks!
Comment #8
konieczny CreditAttribution: konieczny commentedThis is a very important feature to be included.
I believe it's not only an issue with Content Access module (or should I say incompatibility of Webform Reports with Content Access), but also with other access control modules. I would guess it's not so correct (not along with Drupal "standards") implementation of the control access in Webform Reports module.
Your help would be greatly appreciated.
Comment #9
Vako CreditAttribution: Vako commentedNot sure why this issue hasn't surfaced with others. It's a high-priority and a security issue.
I hope Jim will dedicate some time to find a solution for this. Maybe good_man's suggestion in post#4 above will make it faster for Jim to fix it.
Comment #10
jlea9378 CreditAttribution: jlea9378 commentedI would really like permissions fixed also.
Comment #11
math-hew CreditAttribution: math-hew commentedSame here, this has become a problem for me. I'm using TAC for access control.
Comment #12
Tesira CreditAttribution: Tesira commentedI have the same problem. The permissions don't work with content access.
Comment #13
vanapandi CreditAttribution: vanapandi commentedI want to Hide Edit Link columns to normal user .Here How can i do that with drupal 7?
Comment #14
Vako CreditAttribution: Vako commentedNot sure why you changed the title of this post. Your issue might not be related to this one, consider creating a new issue please.
Comment #15
Vako CreditAttribution: Vako commentedThis issue should be considered as critical due to the security implications of it. I have tried several permission modules to put a lock on the Webform Report to be viewed by anonymous users, still it has a mind of it's own and all reports are open for all. That's not acceptable since we might have confidential information on them.
Can someone help please!!! there must be an easy way to keep those reports Role-based.
Comment #16
raul.vadillo CreditAttribution: raul.vadillo commentedIn 7.x-1.0 version, the Webform module ignore any control access module such "Content Access", "Nodeaccess" or "Node Privacy Byrole" because is implementing it's own node_access hook.
I found the solution deleting the webform_report_node_access function in webform_report.module.
I suppose this can resolve the issue in the 6 version too.
Comment #17
Vako CreditAttribution: Vako commentedThanks, but wouldn't this disable authenticated access as well?
Comment #18
raul.vadillo CreditAttribution: raul.vadillo commentedVako, it's working fine for me. You can try and test.
Comment #19
Vako CreditAttribution: Vako commentedThere is no
webform_report_node_access
function in the 6.x version. I have the file attached.Comment #20
raul.vadillo CreditAttribution: raul.vadillo commentedVako, my solution is for Drupal 7. Try editing/deleting the "webform_report_access" function in your Drupal 6.
Comment #21
dexter42 CreditAttribution: dexter42 commentedI have tried something better - I have renamed 'webform_report_access' to 'webform_report_custom_access', so it is no longer hook, only a normal php function.
Then in 'webform_report_menu' the 'access callback' in $items where originally linked to 'webform_report_access' I have changed to 'webform_report_custom_access'.
Seems to work fine, but I am not sure, if it is 100% sollution. This approach was only based on 'observe, compare and try' approach.
Comment #22
orcrystal CreditAttribution: orcrystal commentedThank you dexter42, I made changes in the script, and 'webform reports' are well managed by the permission normally (configuring by report), but the problem remains with the menus who they react to global permissions of 'webform report', not permissions by 'webform report'.