Submission access is checked only when viewing a webform node, but it is not validated when submitting the form itself. This can cause that a form can be submitted, if the user isn't allowed to submit it (e.g was logged out in an other window / another user logged in without submit permission).
Test case: Limit Submission access to authenticated users only, authenticate to view form, log out in an other browser window, submit the form
Desired behavior: validate submission access like validating e.g. per user submission limit
Actual behavior: the form can be submitted without any error message
Attached a patch that possibly fix this behavior.
| Comment | File | Size | Author |
|---|---|---|---|
| #7 | webform-1680952-follow-up.patch | 1.44 KB | quicksketch |
| #5 | webform_submission_role_check-7x-3x.patch | 3.65 KB | quicksketch |
| #4 | webform_submission_role_check-7x-3x.patch | 3.46 KB | quicksketch |
| #3 | webform_submission_user_limit_check.patch | 4.92 KB | quicksketch |
| #1 | webform-submission-access_2.patch | 1.08 KB | shafter |
Comments
Comment #1
shafter commentedObviously, i missed
Please try this patch instead of the first one. Thx.
Comment #2
quicksketchHuh, surprising. I wouldn't think this would be possible, since the same problem would affect all forms throughout all of Drupal, but it looks like most other forms are merely protected by access to the page itself being blocked. Since Webform doesn't block access to the page, but only the form, it looks like this becomes a problem. Thanks for the patch, I'll review when I get a chance.
Comment #3
quicksketchI rerolled this for 7.x-4.x, but it needs backporting to the 3.x versions. Rather than having 3 separate calls to theme('webform_view_messages'), which has 9(!) parameters, I consolidated it down to a single call to reduce redundancy. In theory it would also allow the error message theming to report all the problems at once if needed. This patch needs testing and backporting before we can commit it, considering this changes the central validation mechanism for Webform.
Comment #4
quicksketchSorry wrong patch. Here we are.
Comment #5
quicksketchUgh, okay here's the patch I meant. A little more verbose documentation and skips the role check for users editing completed submissions.
Comment #6
quicksketchI've committed #5 to the 7.x-4.x branch, but because this problem rarely affects forms, I've decided to take the safer route and not commit this to the 3.x branch.
Comment #7
quicksketchThis patch required a follow-up to fix issues with undefined variables and issues with user #1, which needs special casing due to user_access().