Hi, I'd like to show submission data to the user after submitting the webform (I'm creating a quiz, showing users an image, asking them questions about it, then telling them if they got it right on the next page). I'm sending submission ID and Node ID (of the submitting page) queries to the following page so I can use a view and a contextual filter to present the answer they gave, and a thumbnail of the image (using the Node ID which contains the image).

All working well.

But then I realised when anonymous or authenticated users without results access use the form they can't see the answer they gave... so you think, just give them permission... well, I can, but then I get the Results tab appearing on the page with the form on, which I don't want.
Is there a way round this without bad hacky hiding of the tabs on specific pages with css?
I'm not a coder.

Help please.

Ben


Comments

benjarlett created an issue.

bucefal91’s picture

Hello! I cannot say I've fully understood your problem, but from what I was able to grasp I want to say that the overall access logic for the Webform Views module is "show whatever the Webform module allows showing". Basically, Webform Views does not intend to define a new access layer for webforms and their submissions, nor should it violate the access restrictions that come from the Webform module itself. In other words, Webform Views is neutral when it comes to access logic; it simply follows what others dictate.

I shall check with additional precision what access logic is defined in Webforms module and make sure webform views obeys it (chances are it does not in some edge cases).

From your description, it sounds logical to me that such users should at least have access to see their own submission. So at the very least they should see your view with just 1 row. Although I'll have to double check this logic and whether the code follows it.

owenpm3’s picture

We also have this problem, and there was an issue in the main Webform queue that pointed back to Webform Views: https://www.drupal.org/node/2848923#9

We'd like to be able to show only what's available via a view to anonymous users and not the "view" and "results" tabs on webforms that the "view webform submissions" permission allows.

So really, something of a subset of the permission from webform?

benjarlett’s picture

I got round it like this: when the user submits their webform, it adds the submission ID to the confirmation page using URL query string parameters, and I was then able to allow the user to view the submission data. I think my problem wasn't access as it turns out, just a difficulty in finding out how to find the data... so an error on my part I think. Works well now.

To accomplish this, rather than using a form with a multiple page wizard as I had first thought, I created a page of questions as a separate form. This allowed me to display what the user answered to the last page on the next page, and display with it the correct answer. As it turned out, this ended up a better solution than what I had intended (a kind of summary page with what they got right at the end of the questionnaire).

I'm now just waiting (cos I'm a builder not a coder), for some bright spark to give me some way of validating their answers so I can say "Well done" if they answer correctly.

Thanks for your answer.

bucefal91’s picture

Hello, guys!

I did read this issue and the webform issue that owenpm3 mentioned. Overall I still argue that Webform Views shall not introduce any additional access policies, only obey the existing ones.

I think the issue we are discussing is wider. It is rather difficult to enforce "allow an anonymous user to view his own submissions" because by definition an "anonymous" user is anonymous, i.e. undefined... whoever. Webform submissions track the user ID of whoever submitted them. But for anonymous users it will be just 0. Thus with the existing machinery it is hard to determine whether "this" anonymous user or "that" anonymous user has submitted a particular webform submission. I am not sure about your particular case, but in general if we define "allow anonymous users to see all submissions", then they should see the whole set of submissions - that's what was solved in #2848923: View webform submissions permission. If we define "allow anonymous users to see own submissions", then they should see the submissions that were submitted by "this" anonymous user and not "that one". The latter is difficult. Moreover, it just does not fit into the scope of the Webform Views module. The correct procedure is to file an issue against Webform (or look up an existing one). I've coded anonymous drafts for Webform in #2838423: Drafts for anonymous users. Once that is committed, it could be explored whether a similar approach can be extended to full submissions so it becomes possible to distinguish between submissions of "this" anonymous user and submissions of "that" anonymous user.

That's the main complexity of the ticket, not the "results" tab visibility.

Did I understand correctly your cases, guys?

The Webform maintainer sent the guy off to Webform Views to build a custom visualization of a webform submission. He did not send the guy off to Webform Views to solve the access rights.

owenpm3’s picture

Actually, I'm just trying to get rid of the "results" tab. I'd like to post a view to the front page of my site of webform submissions. Sounds like I should just create a module to override the admin routes for anonymous users so they're hidden. Mine's more of a cleaning up the UI than anything.

bucefal91’s picture

Status: Active » Closed (works as designed)

I think I will close this ticket for inactivity. I understood your logic, owenpm3, but yes, that sounds like custom code because I do not want this module to do anything in the domain of content/route access.

Honza Pobořil’s picture

I have a similar use case: print names from a form publicly, but keep other fields and metadata hidden (enabling the webform permission will reveal a lot of metadata).

I expected that Disable SQL rewrites would also disable access checks, like it does for nodes, but it has no effect.

Honza Pobořil’s picture

Does anybody know how a custom Views handler could override this access check? (So an anonymous user can see a view without permission to view submissions.)

therealbene’s picture

Category: Support request » Feature request
Status: Closed (works as designed) » Active

I would raise the case that views already has access limitation, such that webform submission can be filtered using sid or token to identify which submission a user can access.

Having a view that enables viewing a particular submission allows anonymous users to view their particular submission. For example, adding a contextual filter of sid in the URL and sending it via the email handler enables an anonymous visitor to view their submission.

This is great as webform handlers can be coded to do back end calculations, such as scoring quizzes as per OP's intention, where the submission includes calculated results.

If this requires the "view any submission" permission for anonymous users (or non admins), this will mean the data gathered through webform is available for anyone to view via the "results" tab, which is not ideal (or even unacceptable).

The disable SQL rewrite within core views might exist to accommodate such requirement? However, disabling SQL rewrite still doesn't work to display submission.
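
Added example, not part of any comment in this thread and not code from Webform or Webform Views: one way to let "this" anonymous visitor view only their own submission is to key access on the random token Webform stores with each submission, rather than on the sequential sid, which any visitor can change in the URL. MY_MODULE and the `token` query parameter name are assumptions of this example.

```php
<?php

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\Entity\WebformSubmission;

/**
 * Implements hook_ENTITY_TYPE_access() for webform_submission entities.
 *
 * Added example: MY_MODULE and the "token" query parameter are assumptions.
 */
function MY_MODULE_webform_submission_access(WebformSubmission $webform_submission, $operation, AccountInterface $account) {
  // Only widen read access; update and delete stay with Webform's own rules.
  if ($operation !== 'view') {
    return AccessResult::neutral();
  }

  // The secret the caller presents, e.g. /quiz-result/123?token=...
  // all() is used so an array-valued parameter is returned, not thrown on.
  $presented = \Drupal::request()->query->all()['token'] ?? NULL;
  // The token Webform generated and stored when the submission was created.
  $expected = $webform_submission->getToken();

  // A missing, empty or array-valued parameter never matches.
  $matches = is_string($presented) && $presented !== ''
    && is_string($expected) && $expected !== ''
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guess were correct.
    && hash_equals($expected, $presented);

  // Neutral (not forbidden) on mismatch, so other access rules still apply.
  return AccessResult::allowedIf($matches)
    // The decision depends on the URL token and on this submission.
    ->addCacheContexts(['url.query_args:token'])
    ->addCacheableDependency($webform_submission);
}
```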

Nicolas Bouteille’s picture

I have the same need. I have created a view to list subscriptions of a particular Event Organizer.
When Disable SQL Rewrites is Off, I get no results found.
When Disable SQL rewrites is On, I see view rows containing custom HTML (custom labels etc.) however any data of the webform submission is not displayed.

Nicolas Bouteille’s picture

I slept on it and found a way to do it!
I figured there should have been a way to override access check for entities in general...
Here is how to allow the Organizer of an Event to view the webform_submissions related to his/her Event.
With two Entity Reference fields. One on the webform_submission to point to the Event, the other on the Event to point to the Organizer.

WARNING : for a View, this however still requires to Disable SQL rewrites.

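<?php

use Drupal\Core\Access\AccessResult;
use Drupal\node\Entity\Node;

/**
 * Implements hook_ENTITY_TYPE_access() for webform_submission entities.
 */
function MY_MODULE_webform_submission_access(\Drupal\webform\Entity\WebformSubmission $webform_submission, $operation, \Drupal\Core\Session\AccountInterface $account) {
  // Only the "view" operation is opened up, and only for the organizer role.
  if ($operation !== 'view' || !in_array('MY_ORGANIZER_ROLE', $account->getRoles(), TRUE)) {
    return AccessResult::neutral();
  }

  // The submission references an Event node; the Event references its Organizer.
  $subscription_data = $webform_submission->getData();
  $event_id = $subscription_data['MY_ENTITY_REFERENCE_EVENT_FIELD_NAME'] ?? NULL;
  $event = (!empty($event_id) && is_scalar($event_id)) ? Node::load($event_id) : NULL;

  // A missing Event or an Event without an Organizer grants nothing.
  if (!$event || $event->get('MY_ENTITY_REF_ORGANIZER_FIELD')->isEmpty()) {
    return AccessResult::neutral();
  }
  $organizer_uid = $event->get('MY_ENTITY_REF_ORGANIZER_FIELD')->target_id;

  // Allow only when the current user is the Organizer of the referenced Event.
  // The result varies per user and depends on both entities, so declare that
  // to the cache system instead of returning an uncacheable-by-context result.
  return AccessResult::allowedIf((int) $account->id() === (int) $organizer_uid)
    ->cachePerUser()
    ->addCacheableDependency($webform_submission)
    ->addCacheableDependency($event);
}
?>
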
Honza Pobořil’s picture

Status: Active » Needs review
FileSize
2.34 KB

I added config option to the view field settings form.

bwong’s picture

Very timely. I just ran into this issue and was playing with no rewrite option. This solves my problem because I need to be able to provide a view based on a role rather than providing full access to everyone that has the role. I like that it works at the field level too.

I have applied the patch and it works for me.

therealbene’s picture

I applied #13 patch and it works for me, Drupal 8.6, with Webform 5.1, Webform Views 5.0@alpha

Will use this in production.

stiras’s picture

I also applied patch #13 and it works very well. Very clean solution! Thanks a lot, Bobik!

michaelvanh’s picture

Status: Needs review » Reviewed & tested by the community

Tested patch #13, excellent results. Have been looking for a solution like this for a while. Thank you Bobík!

@ Bobík: I believe you should add a small note next to the checkbox, stating that SQL rewriting needs to be disabled for this to work.

@ bucefal91: any chance you will commit this to the module? Considering you still need to disable SQL rewriting, with which you get a strict security warning anyway for any type of content, I don't believe we are adding a new access-bypass layer on webform results as such. The view results can be used in many ways, not just for anonymous users. For example, I have a use case to list contact messages sent to node owners in their personal account.

Erso’s picture

I bumped into this problem and I am very lucky that there is a solution now. I used #13 for a site in production with many modules and it worked with 0 problems. Thanks.

john-l’s picture

I'm also grateful for the patch from #13, but I'm curious if the functionality could go further to allow for overriding permissions when a field is being accessed through a relationship.

mts11’s picture

I've applied the patch from #13, but don't see a checkbox in my Views field config options. Am I looking in the wrong spot?

I'm running Drupal 8.7.7, Webform 5.4, and Webform Views 5.0-alpha.

vistree’s picture

I use it with stable webform 6 - and the patch works great for me. Using "Disable SQL Rewriting", empty records are shown. Unchecking the "Check view acces for this field" for each views field makes them visible for anonymous users ;-)
Great job @Bobik !!

biarr’s picture

I applied patch #13. It's working without any issues. Great solution, thanx!

kazah’s picture

Great! Patch #13 works like a charm.

Needs to be added to a stable release.

  • VladimirAus committed 8a8b420 on 8.x-5.x authored by Bobík
    Issue #2854051 by Bobík, bucefal91, benjarlett, Nicolas Bouteille,...
VladimirAus’s picture

Status: Reviewed & tested by the community » Fixed

Thank you for your contribution.
Committed.

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.