Delete own submission with secure token not working

Following.

Just added a patch that enables webform deletion with a secure token.
Still not solved: The redirect after the delete operation

Another patch solving the redirect after a delete operation with a secure token

I have applied both of these patches and they seem to be applied without error. Unfortunately, they don't seem to be adding the delete button to the bottom of a submission edit page. Here's the url it is using:

/form/make-a-reservation/?source_entity_type=node&source_entity_id=856&_webform_dialog=1&token=rOD1ryxqVYPQj4SGgOGWSgjmhil9L4J0Q1mD3BSXyHA

Is this because we are using webform nodes instead of a static webform? Why would the same methodology not apply?

@loopy1492
The delete button should appear on top of the submission edit page when using webform nodes.

Did you set all the permissions to the anonymous user needed to delete an own submission?
I have added screenshots of the concerning permissions and of a submission edit page, taken from the project on which I developed the patches (also using webform nodes).

Thanks so much for sharing that with me and trying to help us out @itssimple . I double checked all the permissions and also checked the permissions on the local actions block and it seems like everything is correct. I also double checked composer.lock to ensure the patches have been applied. See screenshots for this info.

I remember back in d7 there used to be a user permissions table that had to be refreshed manually from time to time. Is there something that I can clear that doesn't usually get run with drush cr?

Fascinating. I added some alerts to WebformSubmissionAccessControlHandler.php to make absolute sure the changes were being used by my site and also to ensure that our forms were even using that script at all, and it does seem to be firing on both the function itself and the if(delete) conditional.

It's just not printing the delete button for some reason, neither in Local Tasks menu or at the bottom of the form. Do you think you could throw up a screenshot of the code printed to the HTML where the delete button is on your site? I've looked to see if it's just hidden for me on my site when I'm logged out and running as Anonymous and I'm not really seeing it there, so I don't think that's the case.

So I was looking for the wrong thing. I was looking for #local-tasks for the anonymous user, but it was located in .webform-submission-information which WAS being hidden by CSS by the vendor who crafted the theme.

Sorry for the confusion. Thanks for the patches.

Can someone please role/create a single patch that can be reviewed.

Added a single patch including the commits of the former two patches.

Patch in #14 works, but things are missing:

- A checkbox to activate this behavior, like the other ones: "Allow users to view a submission using a secure token" + "Allow users to update a submission using a secure token"
- A delete URL token

I'll probably work on this soon.

Since this patch affects access controls is must also have test coverage.

Indeed !!!

This is more work than I expected, so I just added the functionality I needed now in a custom router + access check on a route like /my-path/{submission}/delete?token=abc with abc that must be the submission token.

I'm not sure I'll still try to submit a patch, at least not until 6.0.0 is out, that's for sure.

Sorry for changing my mind :(

The attached patch still needs to test coverage checking for token delete access and the delete submission form's cancel/redirect URL added to WebformSubmissionTokenOperationsTest.

When the patch applied to 6.x we need to accommodate for #3106961: [Webform 6.x] Improve token naming conventions and change 'delete-url' to 'token-delete-url'.

The patch now includes test coverage and updates the webform configuration.

Since the patch has test coverage, I committed the patch. Please download the latest dev release to review.

The token's name in the hint is not the same as in real. See the screenshots

Good catch!!! Fixed!

Hey, y'all. I noticed that https://www.drupal.org/files/issues/2020-08-24/0002-Handle-the-redirect-... isn't being included in the 3158114-22.patch and it's also not in the most recent dev release, but it's still failing on composer update. I've removed the patch from composer.json, but I'm wondering if that patch needs to be re-created or if the redirect is being fixed elsewhere in the code and it's just not commented the same way.

Upon review, it does appear that the patch from #6 needs to be re-created and added to develop. As it stands, after deleting their submission, the user is dumped onto a blank page that reports that their submission has been deleted and no other information.