Hi, for the life of me I cannot figure out why an anonymous user, upon submitting an Entityform, gets an access denied message on the Submission Reply Page. The message is displayed perfectly fine for user 1 but I cannot figure out what permission nuance is missing that would make a difference for an anonymous user. I even gave full Entity form permissions to an anonymous user but it still made no difference. I have also set the anonymous user to have permission on: /admin/structure/entityform_types/manage/[my-form]. Thank you.

Comments

tedbow’s picture

I see the problem. I am trying to check if the user submitted the form on the confirm page. But for anonymous users I can't tell so I deny access.

I think I will need to pass the entityform_id (of the submission) in the $_SESSION instead of the query string.

I will work on this.

tedbow’s picture

Priority: Normal » Major

Bumping this up to major, to remind myself I should work on this next.

danny englander’s picture

@tedbow - Thanks! (For now I am doing a simple JQuery Text replace of the message on the page until this gets sorted out.) Cheers.

tedbow’s picture

Component: Miscellaneous » Code
Category: support » bug
Status: Active » Needs review
Attached file: new, 1.74 KB

@highrockmedia I attached a patch for this. Please test it out.

danny englander’s picture

The patch works like a charm, thanks!!

tedbow’s picture

Status: Needs review » Fixed

Committed to dev version

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

erin814’s picture

Thanks, the patch worked for me!

dp85’s picture

Still exactly the same problem with access denied message. I'm using version 7.x-2.0-beta4. I think the patch above is included, but the spelling in entityform.module is different.

Patch above:

+    //confirm page
+    $entityform_id = $_GET['entityform_id'];
+    if (empty($user->uid)) {
+      // If this is anonymous user then entityform_id should be stored in session
+      if (!isset($_SESSION['entityform_submission'])) {
+        return FALSE;
+      }
+      $match = $_SESSION['entityform_submission'] == $entityform_id;
+      unset($_SESSION['entityform_submission']);
+      return $match;
+    }
+    else {
+      $entityform = entityform_load($entityform_id);
+      //only grant access if this is the user who made the submission
+      return $entityform->uid == $user->uid;
+    }
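
Review bot: In the else branch, the result of entityform_load($entityform_id) is dereferenced without checking that it loaded, so an id for a deleted or nonexistent submission reaches `$entityform->uid` on a non-object; return FALSE when the load fails. `$_GET['entityform_id']` on the first line is also read without an isset() check. In the anonymous branch the session value is compared with a loose `==` and then unset, so any second access check for the same confirm page is denied; a strict comparison on string values and a comment stating that the check is single-use would make the intent clear.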

7.x-2.0-beta4:

      //confirm page
      $entityform_id = $_GET['entityform_id'];
      if (user_is_anonymous()) {
        // If this is anonymous user then entityform_id should be stored in session
        if (!isset($_SESSION['entityform_submission'])) {
          $access = FALSE;
        }
        else {
          // Submission was stored in sesssion. Make sure it matches.
          $match = $_SESSION['entityform_submission'] == $entityform_id;
          unset($_SESSION['entityform_submission']);
          $access = $match;
        }
      }
      else {
        if (!$entityform = entityform_load($entityform_id)) {
          // entityform didn't load. It may have been deleted.
          $access = FALSE;
        }
        else {
          //only grant access if this is the user who made the submission
          $access = $entityform->uid == $user->uid;
        }
      }

Maybe that's the cause?

rudolfbyker’s picture

Version: 7.x-1.x-dev » 7.x-2.0-rc1
Status: Closed (fixed) » Active

This is still an issue on 7.x-2.0-rc1

rcodina’s picture

Status: Active » Needs review
Attached file: new, 542 bytes

I have done this patch to solve the problem for me. Also, to make it work, you have to assign "View own entityform submission" permission to anonymous users. Remember patch applies to latest dev version.

Note: Use this patch as a workaround at your own risk, it may introduce security vulnerabilities.

Status: Needs review » Needs work

The last submitted patch, 11: access_denied_message-1613128-11.patch, failed testing.

tedbow’s picture

Status: Needs work » Postponed (maintainer needs more info)

dp85, could you tell me exactly the spelling error you are referring to?
Thanks,

sgdev’s picture

I ran into a very similar issue, and thought I'd post here in case others have this problem.

I have a site where most users post their own entityforms, but there is a small subset who do not have computer access. Administrators need to post entityforms for them.

This was handled by using hook_entityform_access_alter. The site checks to see if the user who submitted the form has administrative access, and if so, sets $access = TRUE for $op = 'confirm'.

Status: Postponed (maintainer needs more info) » Needs review

joelpittet’s picture

Version: 7.x-2.0-rc1 » 7.x-2.x-dev
Status: Needs review » Fixed

Please open a new issue with details on this. This was closed a while ago.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.

joelpittet’s picture

People following this issue, please have a review of a patch removing the unset($_SESSION['entityform_submission']);, which makes sense but needs a second pair of eyes.

#2842523: Access Denied Message on Submission Reply Page for Anonymous user
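
The session-bound confirm check discussed in this thread, as an added example that is not code from entityform.module: it shows the anonymous branch consuming the session value on the first call, so a second check is denied, next to a variant without the unset that still rejects ids not bound to the visitor's session. The function names and sample ids are constructed for illustration, and the session is passed in as an array so the script runs outside Drupal.

```php
<?php
// Added illustration; not code from entityform.module.
// Function names and sample ids are constructed for this example.

/**
 * Single-use check, modelled on the anonymous branch quoted in the thread:
 * the first call consumes the id stored in the session.
 */
function confirm_access_single_use(array &$session, $requested_id) {
  if (!isset($session['entityform_submission'])) {
    return FALSE;
  }
  $match = $session['entityform_submission'] == $requested_id;
  unset($session['entityform_submission']);
  return $match;
}

/**
 * Variant without the unset: the id stays bound to the session, so the
 * check can be repeated. Non-scalar query values are rejected and the
 * comparison is strict on string values.
 */
function confirm_access_repeatable(array $session, $requested_id) {
  if (!isset($session['entityform_submission']) || !is_scalar($requested_id)) {
    return FALSE;
  }
  return (string) $session['entityform_submission'] === (string) $requested_id;
}

// Constructed sample: the submit handler stored submission id 42 in the session.
$session = array('entityform_submission' => 42);

// Two access checks for the same confirm page with the single-use variant.
var_dump(confirm_access_single_use($session, '42'));
var_dump(confirm_access_single_use($session, '42'));

// The same two checks with the repeatable variant.
$session = array('entityform_submission' => 42);
var_dump(confirm_access_repeatable($session, '42'));
var_dump(confirm_access_repeatable($session, '42'));

// An id that is not the one bound to this session, an array-valued
// query parameter, and a session with no submission at all.
var_dump(confirm_access_repeatable($session, '43'));
var_dump(confirm_access_repeatable($session, array('42')));
var_dump(confirm_access_repeatable(array(), '42'));
```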