Problem/Motivation
The Groups module only works on content entities and not config entities. Webforms are config entities while webform nodes are content entities. Individual groups need a mechanism to control group role access to a group's webform (content) nodes.
Proposed resolution
Add Group roles to the Webform's Access tab (/admin/structure/webform/manage/{webform}/access) and the Webform Element Access group (/admin/structure/webform/manage/{webform}/element/{element_key}/edit). When a group's webform node is loaded we will check the current user's group roles against the current webform's operation's assigned group roles.
Remaining tasks
- Create webform_demo_group.module to set up demo groups, roles, nodes, webforms, and submissions.
- Create dedicated webform_group.module
- Update webform.entity.webform.schema to support 'access.group_roles'. @see hook_config_schema_info_alter()
- Create webform_groups access control element
- Refactor and update Webform Access tab (/admin/structure/webform/manage/contact/access) @see \Drupal\webform\EntitySettings\WebformEntitySettingsAccessForm
- Refactor and update Element access checker to support group roles.
- Add hook support to webform_query_webform_submission_access_alter() via HOOK_webform_query_webform_submission_access_alter();
Notes
- https://api.drupal.org/api/drupal/core!core.api.php/function/hook_config...
- Issue #2856333: Webform as group content
Webform Group Role Permissions
- Create submissions
- View any submissions
- Update any submissions
- Delete any submissions
- Purge any submissions
- View own submissions
- Update own submissions
- Delete own submissions
- Administer submissions
Note: Access webform configuration permission is not applicable to group roles.
User interface changes
New group roles access element
API changes
New hooks.
Data model changes
N/A
Release notes snippet
TBD
User Acceptance Testing
Setup
- Enable the Webform Demo Group module - /admin/modules
- Confirm Webform Group module is marked as experimental - /admin/reports/status
Form Builder
- Create webform - /admin/structure/webform/add
- Assign and remove Group Roles via the Access tab - /admin/structure/webform/manage/{webform}/access
- Confirm warning message below group roles is displayed when Anonymous or Authenticated user roles are checked - /admin/structure/webform/manage/{webform}/access
- Assign Group Roles via the Element edit tab - /admin/structure/webform/manage/{webform}/element/{element_key}/edit
Email Handler and Token support
- Confirm the email handler includes Group token options - /admin/structure/webform/manage/{webform}/handlers/add/email
Member
- Log in as an A:1 member - /user/login (username: webform_group_a_1_member / password: webform_group_a_1_member)
- Confirm A:1 member can access A:1 contact form - /webform/group/a/1/contact
- Confirm A:1 member can NOT access A:2 contact form with an access denied message - /webform/group/a/2/contact
- Confirm that no reviewer, manager, or administrator elements are accessible - /webform/group/a/2/contact
Reviewer
- Log in as an A:1 reviewer - /user/login (username: webform_group_a_1_reviewer / password: webform_group_a_1_reviewer)
- Confirm A:1 manager can review (view) A:1 contact form submission - /webform/group/a/1/contact
- Confirm that reviewer element is accessible - /webform/group/a/2/contact
Manager
- Log in as an A:1 manager - /user/login (username: webform_group_a_1_manager / password: webform_group_a_1_manager)
- Confirm A:1 manager can manage (view, update, and delete) A:1 contact form submission - /webform/group/a/1/contact
- Confirm that manager element is accessible - /webform/group/a/2/contact
Administrator
- Log in as an A:1 administrator - /user/login (username: webform_group_a_1_administrator / password: webform_group_a_1_administrator)
- Confirm A:1 administrator can administer A:1 contact form - /webform/group/a/1/contact
- Confirm that administrator sees all elements - /webform/group/a/2/contact
| Comment | File | Size | Author |
|---|---|---|---|
| #68 | 3089026-67.patch | 153.98 KB | jrockowitz |
| #65 | 3089026-65.patch | 153.87 KB | jrockowitz |
| #55 | 3089026-55.patch | 153.87 KB | jrockowitz |
| #54 | 3089026-54.patch | 154.07 KB | jrockowitz |
| #49 | element_access+group-3089026-49.patch | 192.37 KB | danchadwick |
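The check described under "Proposed resolution" only holds up if group roles are evaluated inside the group that contains the webform node, which is what the A:1 versus A:2 acceptance tests exercise. The following is an added sketch of that scoping in plain PHP, not code from the Webform module or from the patches on this issue; the function name, data shapes, group IDs and role IDs are assumptions, and only the `group_roles` key is taken from the `access.group_roles` schema entry named in the summary.

```php
<?php
// Added illustration, not code from the Webform module or this issue's patches.
// Function name, data shapes, group IDs and role IDs are hypothetical; only the
// 'group_roles' key mirrors the 'access.group_roles' schema entry in the summary.

/**
 * Returns TRUE when a group role held in one of the node's own groups is
 * assigned to $operation in the webform's access rules.
 */
function example_group_role_grants(array $rules, string $operation, array $nodeGroups, array $memberships): bool {
  $assigned = $rules[$operation]['group_roles'] ?? [];
  foreach ($nodeGroups as $groupId) {
    // Roles held in groups that do not contain this node are never consulted.
    $held = $memberships[$groupId] ?? [];
    if (array_intersect($held, $assigned) !== []) {
      return TRUE;
    }
  }
  // No match: this check grants nothing; other access rules may still apply.
  return FALSE;
}

// Constructed access rules for one webform, keyed by operation.
$rules = [
  'create'     => ['group_roles' => ['member', 'reviewer', 'manager']],
  'view_any'   => ['group_roles' => ['reviewer', 'manager']],
  'update_any' => ['group_roles' => ['manager']],
];

// Constructed cases: label, operation, node's groups, account's roles per group, expected.
$cases = [
  ['A:1 member creates on A:1 node',  'create',     ['a:1'], ['a:1' => ['member']],   TRUE],
  ['A:1 member creates on A:2 node',  'create',     ['a:2'], ['a:1' => ['member']],   FALSE],
  ['A:1 member views any on A:1',     'view_any',   ['a:1'], ['a:1' => ['member']],   FALSE],
  ['A:1 reviewer views any on A:1',   'view_any',   ['a:1'], ['a:1' => ['reviewer']], TRUE],
  ['A:2 manager updates on A:1 node', 'update_any', ['a:1'], ['a:1' => ['member'], 'a:2' => ['manager']], FALSE],
  ['Operation with no group roles',   'delete_any', ['a:1'], ['a:1' => ['manager']],  FALSE],
];

foreach ($cases as [$label, $operation, $nodeGroups, $memberships, $expected]) {
  $granted = example_group_role_grants($rules, $operation, $nodeGroups, $memberships);
  if ($granted !== $expected) {
    throw new RuntimeException("Unexpected result for: $label");
  }
  printf("%-34s %s\n", $label, $granted ? 'granted' : 'not granted');
}
```

The fifth case is the one to watch in review: a manager role held in A:2 must not carry over to a node that belongs only to A:1.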
Comments
Comment #2
jrockowitz commented
Comment #8
knopf21 commented
Additionally it would be very helpful if it were possible to add the group roles also to each single field.
At the moment there is only the possibility to add users and/or drupal roles.
It would be much easier for us to implement simple workflows in our organization.
Comment #16
jrockowitz commented
Comment #31
jrockowitz commented
Comment #32
jrockowitz commented
Comment #39
jrockowitz commented
Comment #41
jrockowitz commented
Comment #43
jrockowitz commented
Comment #44
jrockowitz commented
This ticket is ready for review. You can also read this blog post to get a better understanding of the changes.
Comment #45
danchadwick commented
Working on merging this with the current dev branch and then the element access issue. Step one. Re-roll for current 8.x-5.x to resolve conflict in webform.api.php.
Comment #46
danchadwick commented
Trying again, this time bypassing a SourceTree bug when making working copy patches. Grrr.
Also, I corrected an incorrect docblock comment in hook_webform_element_access in webform.api.php. The `$account` argument is simply the account whose access should be checked. Patch 43 has some weird text about a format, suggesting that maybe the docblock was copied from some unrelated function.
Testing the reroll before proceeding further....
Comment #47
danchadwick commented
This patch is element access #39 (element-access-3092634-39.patch) + this issue's #46 (groups-3089026-46.patch), merged.
One additional change: I changed the hook_webform_element_access signature again to remove the `= []` initializer for `$context`. The context should always be provided with webform and webform_submission array entries; it is not optional.
If this patch passes tests, then I suggest we comment the element access patch individually and create another patch with just webform group.
Comment #48
danchadwick commented
Comment #49
danchadwick commented
Other than a .rej file that snuck into #48, I'm at a loss as to why tests are failing. I have compared #49 to #46 (which passed) and the only differences I see are correctly attributable to the element access patch which this comment's patch includes.
Comment #50
jrockowitz commented
For anyone reviewing this ticket, the patch from #43 can be reviewed. @DanChadwick and I are just trying to improve the element access API but the UX still needs to be reviewed.
Comment #51
danchadwick commented
@jrockowitz - #46 is a re-roll of #43 that applies to the current 8.x-5.x. Probably want to review that one since #43 won't apply at this point.
Comment #52
brt commented
@jrockowitz Thanks for another great module.
Testing #46 against v 5.5:
1) The patch applies without problems using composer
2) The new webform_group can be activated using drush
3) On the access tab of a webform the group roles can be selected in the widget
4) Access to webforms on nodes linked to groups behave as expected
5) Access to submissions does correctly depend on the selected group roles - FANTASTIC!!!
I've not yet tested element access
Comment #53
brt commented
For me, managing element access via group roles seems to be working fine with #46.
Comment #54
jrockowitz commented
The attached patch must be applied to the latest dev release only.
Comment #55
jrockowitz commented
Comment #56
jrockowitz commented
WOOT! @DanChadwick and @brt This patch is ready for review.
Comment #57
danchadwick commented
I'm not using groups, but looking at `webform_group_webform_element_access()` as it relates to element access and the previous implementation in #46, that part looks good. Thanks for your work on this.
Comment #58
brt commented
Thanks @jrockowitz we'll do some more detail testing with the new patch.
Comment #59
akerbel.dev commented
I have tested hook_webform_submission_query_access_alter(). Looks like it doesn't trigger on WebformSubmissionListBuilder page. Regarding its name, it should.
Comment #60
jrockowitz commented
You are right, MY_MODULE_webform_submission_query_access_alter is only triggered for Views related queries.
Comment #61
brt commented
Comment #63
jrockowitz commented
Comment #65
jrockowitz commented
Merging group support may have broken the automated tests. Attached is the patch that was committed.
Comment #68
jrockowitz commented
Comment #69
jrockowitz commented