I have a webform where anonymous users can register for a class, receive an email with a link to edit their submission (including the tokenized url), and thus edit their submission. This all works great.
When a user submits an edit to the webform, the edit occurs and the database is updated, but the user gets the message "You are not authorized to access this page."
The action argument of the form tag looks like /node/2113/submission/95737/edit?token=ecf5de5f0cf49f3127accb4292720ab5
but the user is redirected to http://pishposh.com/node/2113/submission/95737
which is missing the token in the url arguments, and thus is denied access.
The user is thus confused about whether or not the edit actually occurred.
Comment | File | Size | Author |
---|---|---|---|
#6 | webform-session_token_access-2555119-6.patch | 1.21 KB | safetypin |
#3 | webform-session_token_access-2555119-3.patch | 1.55 KB | DanChadwick |
Comments
Comment #2
exiteden CreditAttribution: exiteden commentedComment #3
DanChadwick CreditAttribution: DanChadwick commentedThis is really a feature request because token access was added as a tool for users to create their own link. It was never intended to provide comprehensive access.
Nonetheless, this patch provides session access for anonymous users who gained access to a submission by a token. This mean that the session will have the same access as if the submission were just created.
Committed to 7.x-4.x.
Comment #4
DanChadwick CreditAttribution: DanChadwick commentedNeeds D8 port.
Comment #6
safetypinI manually applied the changes in patch #3 to the 8.x-4.x branch. I am currently unable to test, due to other errors preventing the module from functioning properly.
Comment #8
fenstratCommitted and pushed to 8.x-4.x.
Thanks for #6 @safetypin, it was just off on the user object for the first check. Slowly working through the queue to try and get 8.x-4.x into some sort of installable state again.