Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
At the moment, webform allows any user with the 'access webform results' permission to view the results for any form, even if they do not have view (or update) access to that form. The webform-results paths, and the admin/content/webform pages should obey node access restrictions.
Comment | File | Size | Author |
---|---|---|---|
#3 | webform_results_access5.patch | 3.21 KB | quicksketch |
#2 | webform_results_access5.patch | 2.82 KB | quicksketch |
#1 | webform-results-access-340034-1.patch | 3.62 KB | cdale |
Comments
Comment #1
cdale CreditAttribution: cdale commentedThis patch corrects this issue.
The patch makes it so the user must also have view access on the node to access the results. i.e. the user must have both view access on the node and the 'access webform results' permission to be able to view results for a node.
NB: A menu rebuild will be required for the patch to take effect.
Comment #2
quicksketchThanks, I ported it to Drupal 5 and added a bit of PHPdoc for the new webform_results_access(). Great patch!
Comment #3
quicksketchOops, forgot the db_rewrite_sql() in the D5 version. Added here.