Admin only fields hidden on view submission data

Maybe we just need to get the results table to respect the element's access controls.

That would be great. Is there a ticket you can refer to me to see how to call that access method? Or if you point me in the right direction in the code to start wrapping my head around it.

Thanks

I reviewed your changes yet I am not sure how to implement this to do what I want.

I am trying to achieve this,

As a survey author, I want to create fields that require a higher level of permission to view, so I can have a better control on how results are rendered.

So thinking about this, I want users to have access to view/edit submissions but some fields should require a higher level access. This means that on the following pages and features, users without this escalated permission would not be able to interact with the fields:

1. All submission pages (submission/submission_id/*)
2. Results table (results/table)
1. including customizations button to select hiding and showing fields/columns
3. csv exports

So I have played around with the different level access permissions and field access. This was done while testing example masking fields. First, I created a test user with no roles. For the field zip_code, I granted them view access. However, since they do not have the webform permission to view results this gives you a 403 forbidden. Now, if you add the user to a role with view access, that role is assigned view access to all fields. This checkbox is also disabled so you cannot remove view access per field for a given role. Finally, I tried making the zip_code field "private" via the checkbox under Administration. However, the helptext doesn't really explain what it basis this permission off of

Private elements are shown only to users with results access.

There are no field result access nor explicit result role permissions. Possibly, it means it will show it to user with edit access, but my role does not have that permission and the test user can still see the zip_code field on the submission page.

Here are the settings on the field:

Here is the display of the results:

All I am trying to do in the patch is fix element access controls when viewing a submission in the Results Table and exporting the submission data.

That sounds great.

I am very doubtful that I can immediately address your use case but I think you can use the Webform Views module to build a completely custom results and details view.

Yea that's fine I just wanted to give enough detail to understand the request and to help troubleshoot if anything didn't behave as expected. The one issue I have with with Webform Views is I can't display the machine name of the field. I put this issue in earlier this week #2851017: use machine_name instead of human field name for column/fields. Basically, my questions are too long to be used as column headers so I would prefer the shorter machine names.

When we get this working you are going to owe me a recipe

consider it done.

Thanks for pushing through this.

access rules are respected by 'Results' table, 'Customize' columns, and the Download columns.

Cool. So how do I go about testing? Any user with view access permission will have defaulted view access to all fields, similar to my test condition in #16.

I think your specific requirements may be better addressed using a custom Webform Submission View

That seems right. I think the only request not solved by your above solution is removing the fields from all submission pages (submission/submission_id/*). Any reason reason why we shouldn't? In general, I think my confusion about field access is because my requirements need more granular control of permissions. Similar to setting a block, where you have the the option of making an inclusive list (white list) or excluded (blacklist) access.