This new bit of code in webform.module:

  // Check if the user is allowed to submit based on role. This check is
  // repeated here to ensure the user is still logged in at the time of
  // submission, otherwise a stale form in another window may be allowed.
  $allowed_role = TRUE;
  if (variable_get('webform_submission_access_control', 1) && !$finished) {
    $allowed_roles = array();
    foreach ($node->webform['roles'] as $rid) {
      $allowed_roles[$rid] = isset($user->roles[$rid]) ? TRUE : FALSE;
    if (array_search(TRUE, $allowed_roles) === FALSE) {
      $allowed_role = FALSE;

... fails to make the global $user variable available before using it.

It's a regression from #1680952: Submission role access isn't re-checked when validating a form.

Patch to follow.

#1 webform-2023439-1.patch467 bytespjcdawkins
Members fund testing for the Drupal project. Drupal Association Learn more


pjcdawkins’s picture

467 bytes
quicksketch’s picture

Status: Needs review » Reviewed & tested by the community

Well, son of a gun. Thanks @pjcdawkins. I'll make a new release shortly.

quicksketch’s picture

Status: Reviewed & tested by the community » Fixed

I hate it when this happens, but that's what I get for not running the tests again before a release. I made alpha8 and it's now available for download.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.