Extend URL token-based access control to submissions

A few quibbles.

1. When including a type in @param, the type goes before the variable, C style.
2. When is_object($object) isn't needed when you know $object is either NULL or an object. Just $object is sufficient.
3. I don't see the upside in drupal_get_query_parameters. I'd be inclined to just access $_GET instead.
4. I don't see the benefit of the type casting and use of type-specific === operator. This isn't the webform style.

Doesn't work because of type hint:

Recoverable fatal error: Argument 1 passed to webform_get_submission_access_token() must be an instance of object, instance of stdClass given, called in C:\wamp\www\drupal7\sites\all\modules\custom\webform\webform.module on line 3197 and defined in webform_get_submission_access_token() (line 531 of C:\wamp\www\drupal7\sites\all\modules\custom\webform\webform.module).

Need to get rid of the object type hint.

http://stackoverflow.com/questions/7839059/type-hinting-for-any-object

Also, I'm not sure I understand the need for the sid in the query. The access function already has the submission, so if the token access is being checked, the sid has already been established by the caller (e.g. via the menu path or some other means). Any reason to not remove that test? The token is only good for that one sid anyhow.

While I'm not completely clear about the use case where the $_SESSION isn't sufficient, I have no problem with this patch.

It makes it possible to share an anonymous submission with someone else.

#11 Committed to 7.x-4.x and 8.x.