Currently, the access to the Notes page of a webform submission is checking if the user has access to the "notes" operation. This operation, however, does not have an actual check in the access controller, so the only way for a user to gain access to that page is for them to have the "administer webform" or "administer webform submission" permission.

This operation should probably be treated the same as the "resend" operation; i.e. a user may perform that operation if they have the "submission_update_any".

Patch incoming.

Issue fork webform-3516134

Comments

johnjw59 created an issue. See original summary.

johnjw59’s picture

jeremy1606 made their first commit to this issue’s fork.

jrockowitz’s picture

Please create an MR and let's see if the tests pass.

I am not sure we can make this type of access control change without impacting existing expectations.

keshav patel made their first commit to this issue’s fork.

keshav patel’s picture

Status: Active » Needs review

Ported #2 into an MR.

jrockowitz’s picture

This operation should probably be treated the same as the "resend" operation; i.e. a user may perform that operation if they have the "submission_update_any".

I agree with this assumption. Let's make the improvement.

jrockowitz’s picture

Status: Needs review » Fixed

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.