Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
When attempting to implement my own custom permissions hook with webform, restricting the results further, I was unable to do so with the stock module. My module looked like nothing more than so:
function nnlm_core_webform_results_access($node, $account){
return FALSE;
}
Looking at the code that invokes this hook, we see the following:
function webform_results_access($node, $account = NULL) {
global $user;
$account = isset($account) ? $account : $user;
$module_access = count(array_filter(module_invoke_all('webform_results_access', $node, $account))) > 0;
return node_access('view', $node, $account) && ($module_access || user_access('access all webform results', $account) || (user_access('access own webform results', $account) && $account->uid == $node->uid));
}
If my hook returns false, the user will still be able to access the results as long as the permissions of the webform module allow it. Which is fine, but it would be nice if the documentation clarified that. Currently, it implies (at least to me) that I can restrict access by returning false.
Comments
Comment #1
quicksketchThanks for opening this issue. Looks like you're correct. If Webform grants access (via the normal permissions) then access is granted even if you return FALSE.
Comment #2
DanChadwick CreditAttribution: DanChadwick commentedMinor addition to docblock. Committed to 7.x-4.x and 8.x.