Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
As a survey author, I want to create fields that require a higher level of permission to view, so I can have a better control on how results are rendered.
For example, say I have a calculated field based off of a user response that we populate via hook_form_alter(). I don't want the user to see the results and I may not want other users who have access to tables results to see the data.
Proposed resolution
New property for field, "hide results"
Remaining tasks
User interface changes
Field would be added to edit field.
Remove any field that was true for "hide results" from table result configure dropdown and view results page.
API changes
Data model changes
Comment | File | Size | Author |
---|---|---|---|
#22 | admin_only_fields-2848223-22.patch | 36.85 KB | jrockowitz |
| |||
#17 | views.view_.webform_views_example_contact.yml | 14.78 KB | jrockowitz |
#17 | Webform Views Detail.png | 78.01 KB | jrockowitz |
#17 | Webform Views Summary.png | 128.57 KB | jrockowitz |
#16 | zipcode_element.png | 54.61 KB | robpowell |
Comments
Comment #2
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedMaybe we just need to get the results table to respect the element's access controls.
You could use the Webform Views module to build a custom results table,
Comment #3
robpowellThat would be great. Is there a ticket you can refer to me to see how to call that access method? Or if you point me in the right direction in the code to start wrapping my head around it.
Thanks
Comment #4
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedI guess this is the ticket to "Add field access control the submission entity list builder"
Comment #8
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedComment #10
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedComment #13
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedComment #16
robpowellI reviewed your changes yet I am not sure how to implement this to do what I want.
I am trying to achieve this,
So thinking about this, I want users to have access to view/edit submissions but some fields should require a higher level access. This means that on the following pages and features, users without this escalated permission would not be able to interact with the fields:
So I have played around with the different level access permissions and field access. This was done while testing example masking fields. First, I created a test user with no roles. For the field zip_code, I granted them view access. However, since they do not have the webform permission to view results this gives you a 403 forbidden. Now, if you add the user to a role with view access, that role is assigned view access to all fields. This checkbox is also disabled so you cannot remove view access per field for a given role. Finally, I tried making the zip_code field "private" via the checkbox under Administration. However, the helptext doesn't really explain what it basis this permission off of
There are no field result access nor explicit result role permissions. Possibly, it means it will show it to user with edit access, but my role does not have that permission and the test user can still see the zip_code field on the submission page.
Here are the settings on the field:
Here is the display of the results:
Comment #17
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented@robpowell All I am trying to do in the patch is fix element access controls when viewing a submission in the Results Table and exporting the submission data.
The private property is somewhat deprecated because you can achieve similar functionality using element access controls.
I am very doubtful that I can immediately address your use case but I think you can use the Webform Views module to build a completely custom results and details view.
The attached view illustrates the concept using the default Contact form.
/admin/structure/webform/manage/contact/results/view
/admin/structure/webform/manage/contact/results/view/{SID}
The key secret to the above detail view display is I am using the serial number/sid as a Contextual Filter.
Comment #18
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commented@robpowell When we get this working you are going to owe me a recipe.
Comment #19
robpowellThat sounds great.
Yea that's fine I just wanted to give enough detail to understand the request and to help troubleshoot if anything didn't behave as expected. The one issue I have with with Webform Views is I can't display the machine name of the field. I put this issue in earlier this week #2851017: use machine_name instead of human field name for column/fields. Basically, my questions are too long to be used as column headers so I would prefer the shorter machine names.
consider it done.
Thanks for pushing through this.
Comment #22
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedComment #24
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedI committed the attached patch which just makes sure that element access rules are respected by 'Results' table, 'Customize' columns, and the Download columns.
@Robpowell I think your specific requirements maybe better addressed using a custom Webform Submission View which should be handled in a new ticket.
Comment #25
robpowellCool. So how do I go about testing? Any user with view access permission will have defaulted view access to all fields, similar to my test condition in #16.
That seems right. I think the only request not solved by your above solution is removing the fields from all submission pages (submission/submission_id/*). Any reason reason why we shouldn't? In general, I think my confusion about field access is because my requirements need more granular control of permissions. Similar to setting a block, where you have the the option of making an inclusive list (white list) or excluded (blacklist) access.
Comment #26
jrockowitz CreditAttribution: jrockowitz as a volunteer and at The Big Blue House commentedIf you set an element's view access, it will be hidden from the Results, Customize, and Download pages based on which roles or users have access.