Problem/Motivation
Currently, only textfield and textarea elements can be encrypted. But there are more elements that should be encrypted as well:
List of ALL elements provided by Webform:
Checkbox
Hidden
Password
Textarea
Text field
Autocomplete
CAPTCHA
CodeMirror
Color
Email
Email confirm
Email multiple
Number
Password confirm
Range
Rating
Search
Signature
Telephone
Text format
Toggle
URL
Value
Address
Contact
Location
Name
Buttons
Buttons other
Checkboxes
Checkboxes other
Likert
Radios
Radios other
Select
Select other
Table select
Tableselect sort
Table sort
Toggles
Container
Details
Fieldset
Flexbox layout
Item
Label
Date
Date/time
Date list
Time
Entity autocomplete
Entity checkboxes
Entity radios
Entity select
HTML markup
Message
Processed text
Table
Generic element
Proposed resolution
I think a good approach for this is allow the encryption for all elements by default, except for the elements listed in an "Exclusion List".
Since the webform elements are extensible, we can't have a hardcoded exclusion list, like on D7 version.
But we can have a default exclusion list containing some elements, like the types details, HTML markup, Table, etc, and then after or before this list be fetched, we trigger an event to allow other modules to change or add other elements.
Update:
The element types whitelist/blacklist is not necessary, since the webform module interface WebformElementInterface has the method isInput() to check whether the element is for input or not, please check the comment #6
Comment | File | Size | Author |
---|---|---|---|
#29 | 2855702-29.patch | 26.47 KB | acbramley |
#29 | interdiff-28-29.txt | 1.22 KB | acbramley |
#15 | webform_encrypt-allow-encryption-for-more-elements-D8-2855702-15.patch | 15.69 KB | l0ke |
Comments
Comment #2
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedWorking on this.
Comment #3
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedNew patch.
This patch allows the module to encrypt/decrypt all default webform elements, except the listed below, that doesn't make sense to encrypt.
Major changes:
Fixed https://www.drupal.org/node/2855766
Comment #4
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedComment #5
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedPatch re-rolled to match the dev commit http://cgit.drupalcode.org/webform_encrypt/commit/?h=8.x-1.x&id=bcdd07cc....
Comment #6
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedI found a way to distinguish whether the Webform elements is for input data or not, by the method isInput() provided by the interface WebformElementInterface.
The method isInput() returns false for elements like container, details, captcha, in other words, elements that are not encrypted and stored on webform_submission_data table.
In this case the Event to whitelist/blacklist elements to be encrypted is not necessary since the module can verify it automatically now.
I've generated a new patch for this update.
Comment #7
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedComment #8
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedComment #9
badjava CreditAttribution: badjava at Metasun for Pfizer, Inc. commentedI've tested #6 extensively and it works well. We are using it on several sites.
Comment #10
l0keCurrently encrypted data provided in
doPostSave()
method. This causes incorrect behavior like: encrypted data sent in webform submission emails etc.Data should be decrypted for further
PostSave
processing, as handlers and emails. Solution is to overridedoPostSave()
method inWebformEncryptSubmissionStorage
and decrypt data before calling parent method.Comment #11
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedHi @l0ke, good catch with the email submissions, you are right, we need the
doPostSave
.I tested your patch, looks good to me.
Comment #12
optimusprime619 CreditAttribution: optimusprime619 commented@jribeiro & @l0ke thanks for this patch!
Not sure if this is worth mentioning but just reporting anyways.
I applied the patch 10, added an email field with encryption (no default value) to an existing webform (that I had made a prior submission).
Loading the form again results in the following undefined index notice messages
Comment #13
badjava CreditAttribution: badjava at Metasun for Pfizer, Inc. commented@optimusprime619 Did you try following these same steps without the patch? This could be a pre-existing issue and not related specifically with the patch in which case a new issue should be created.
Comment #14
optimusprime619 CreditAttribution: optimusprime619 commented@badjava not sure if I can do this without the patch since the ability to encrypt non textfield & textarea fields was available only through the patch along with the WebformEncryptSubmissionStorage.php. However, I haven't been able to reproduce the error message since that one occasion. In case if I am able to do so I will revert with details on the same as a new issue.
Comment #15
l0keI have an another finding.
Solution I've proposed in #10 to decrypt data at the beginning of
doPostSave
is not good enough.Thing is when form is submitted by user who doesn't have a permission
view encrypted values
email have placeholder[Value Encrypted]
instead of actual value.Added parameter that controls permission check in
decrypt
method and rungetDecryptedData
with this parameter set toFALSE
, so post save actions will always have an actual decrypted values.Comment #16
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commented@l0ke thanks for pointing that issue. I have tested #15, the patch looks good.
@optimusprime619 I could reproduce the issue #12 as well.
I generated a new patch containing the changes on #15 and the fix for #12.
Comment #17
badjava CreditAttribution: badjava at Metasun for Pfizer, Inc. commentedTested and running #16 on several sites - RTBC.
Comment #18
Christopher Riley CreditAttribution: Christopher Riley commentedI also agree that this is RTBC as it makes the module actually useful.
Comment #19
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedI've just included an improvement to bypass the decrypt permission check if it is running through the command line interface, like Drush for example.
Comment #20
acbramley CreditAttribution: acbramley commentedWith such large changes and given the sensitive nature of this module, we definitely need tests here.
Comment #21
acbramley CreditAttribution: acbramley commentedI've just manually tested and this seems like a really good improvement for the module. The only regression I can see currently is that for some reason the submission view pages are no longer being treated as admin pages (i.e they are themed with the site's frontend theme rather than admin theme). EDIT: Strangely enough once I debugged into it fixed itself, not sure what was happening there.
Other than that it fixes a lot of problems with encrypted values being shown to users that have access to decrypt.
I may have a look at writing some tests for this today.
Comment #22
acbramley CreditAttribution: acbramley commentedMarking #2884812: Fix fatal error on individual submission page and #2884810: Fix various php notices and warings as duplicates as this solves both.
Comment #23
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedHere's some pretty low level tests for checking that the correct values are displayed to the end user.
Comment #24
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedAdd a test for the admin form changes too.
Comment #25
fenstratThe tests added in #23 and #24 looks to cover things nicely. Given the re-architecture has been RTBC'd before I'm marking as such again.
Tests don't seem to be running (these are the first the d8 branch has). I think the module maintainer @th_tushar needs to enable qa on the 'Automated testing' tab of the module?
Comment #26
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedBack to needs work, we've found a bug where a user with permission to view webform submission, but without the permission to see unencrypted values is able to view the unencrypted value via the submission route.
EDIT: To clarify, I believe this is a caching issue of some sort. Working on steps to reproduce now.
EDIT2: Even stranger, the bug only occurs with the destination param in the url (i.e when clicking the view button from the results page)
Comment #27
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedI've tracked this down to the
$_SERVER['argc']
variable being set on our environments. For some reason this is set to 1 when viewing a submission via the UI but only when the destination query parameter is set.EDIT: This is caused by the ini setting
register_argc_argv = On
Comment #28
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedUpdated patch removing the check for argc.
Comment #29
acbramley CreditAttribution: acbramley at PreviousNext for Transport for NSW commentedAfter chatting about this more, I think we should have the same behaviour on CLI and UI. If you want to load submission values via drush you can use the -u parameter.
Comment #30
fenstratHad some more discussion on this. I agree that #29 is the right approach.
#29 changes the cli/drush behaviour, normally drush does not actively check any permissions. So the changes is actually a break from standard drush practice. However given the sensitive nature of the encrypted data then it seems like a sensible change. As @acbramley noted this could be overcome by running
drush --user=1 ...
Tests still look like they need to be turned on for the d8 branch.
Comment #31
jrglasgow CreditAttribution: jrglasgow commentedthis is working for me as well
Comment #32
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedThe latest changes makes sense for me as well. I guess we are ready to go with it.
Waiting by the maintainer.
@th_tushar this issue is opened and RTBCed for a while, any chance to get it committed soon? This module needs an alpha release, that will help everyone to work on new improvements.
I would like to be a co-maintainer as well.
Thanks.
Comment #34
vijaycs85Thanks all. Commited to 8.x-1.x
Comment #35
th_tushar CreditAttribution: th_tushar commentedAdded jribeiro as a co-maintainer.
Comment #36
th_tushar CreditAttribution: th_tushar commentedComment #37
jribeiro CreditAttribution: jribeiro for Pfizer, Inc. commentedThanks guys.