Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
In #828566: Webform Token support on confirmation message, a URL token was added to provide access control to submission confirmation pages, allowing Webform tokens to be used for anonymous users. This access token should also allow access in general to a particular submission. This would make it easier to allow anonymous users to download PDFs with FillPDF. I will write a patch.
Comment | File | Size | Author |
---|---|---|---|
#11 | webform-token_access-2470385-11-D7.patch | 2.38 KB | Liam Morland |
#10 | webform-token_access-2470385-10-D7.patch | 2.44 KB | Liam Morland |
#8 | webform-token_access-2470385-8-D7.patch | 2.44 KB | Liam Morland |
#1 | webform-token_access-2470385-1-D7.patch | 2.58 KB | Liam Morland |
Comments
Comment #1
Liam MorlandComment #2
Liam MorlandComment #4
Liam MorlandWrong core version.
I don't think the test failure is related to the patch.
Comment #6
Liam MorlandNote that only third hunk is specific to this issue. The other hunks just create webform_get_submission_access_token() and put it in use.
Comment #7
DanChadwick CreditAttribution: DanChadwick commentedA few quibbles.
Comment #8
Liam MorlandThanks. Updated with your changes. I thought drupal_get_query_parameters() was the proper Drupal way of accessing query parameters.
Comment #9
DanChadwick CreditAttribution: DanChadwick commentedDoesn't work because of type hint:
Need to get rid of the
object
type hint.http://stackoverflow.com/questions/7839059/type-hinting-for-any-object
Also, I'm not sure I understand the need for the sid in the query. The access function already has the submission, so if the token access is being checked, the sid has already been established by the caller (e.g. via the menu path or some other means). Any reason to not remove that test? The token is only good for that one sid anyhow.
Comment #10
Liam MorlandThanks.
Comment #11
Liam MorlandWith sid check removed.
Comment #13
DanChadwick CreditAttribution: DanChadwick commentedWhile I'm not completely clear about the use case where the $_SESSION isn't sufficient, I have no problem with this patch.
It makes it possible to share an anonymous submission with someone else.
#11 Committed to 7.x-4.x and 8.x.
Comment #14
Liam MorlandThanks.