At the moment, webform allows any user with the 'access webform results' permission to view the results for any form, even if they do not have view (or update) access to that form. The webform-results paths and the admin/content/webform pages should obey node access restrictions.

Comments

cdale

Attachment: status new, size 3.62 KB

This patch corrects this issue.

The patch makes it so the user must also have view access on the node to access the results, i.e. the user must have both view access on the node and the 'access webform results' permission to be able to view results for a node.

NB: A menu rebuild will be required for the patch to take effect.

quicksketch

Status: Needs review » Fixed
Attachment: status new, size 2.82 KB

Thanks, I ported it to Drupal 5 and added a bit of PHPdoc for the new webform_results_access(). Great patch!

quicksketch

Attachment: status new, size 3.21 KB

Oops, forgot the db_rewrite_sql() in the D5 version. Added here.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.
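
The access rule discussed in this thread, as an added Drupal 6 sketch that is not the attached patch or the Webform module's own code: a per-node results path guarded by both node view access and the 'access webform results' permission, and an admin listing filtered through db_rewrite_sql(). The module name example_results, its paths and its callbacks are hypothetical; the permission string is the one from this issue, and the 'webform' node type is assumed.

```php
<?php
// Hypothetical module "example_results" (Drupal 6). Assumes the Webform
// module is installed, so the 'access webform results' permission exists.

/** Implementation of hook_menu(). A menu rebuild is needed after changes. */
function example_results_menu() {
  $items['node/%node/example-results'] = array(
    'title' => 'Results',
    'page callback' => 'example_results_page',
    'page arguments' => array(1),
    // Custom callback instead of a bare permission check.
    'access callback' => 'example_results_access',
    'access arguments' => array(1),
    'type' => MENU_LOCAL_TASK,
  );
  $items['admin/content/example-results'] = array(
    'title' => 'Forms with results',
    'page callback' => 'example_results_admin_list',
    'access arguments' => array('access webform results'),
  );
  return $items;
}

/** Both conditions must hold: view access on the node AND the permission. */
function example_results_access($node, $account = NULL) {
  global $user;
  $account = isset($account) ? $account : $user;
  return node_access('view', $node, $account)
    && user_access('access webform results', $account);
}

/** Placeholder results page; only reachable when the access callback passes. */
function example_results_page($node) {
  return t('Results for @title', array('@title' => $node->title));
}

/** Admin listing: db_rewrite_sql() lets node access modules filter rows. */
function example_results_admin_list() {
  $sql = db_rewrite_sql("SELECT n.nid, n.title FROM {node} n WHERE n.type = 'webform' ORDER BY n.title");
  $result = db_query($sql);
  $links = array();
  while ($row = db_fetch_object($result)) {
    $links[] = l($row->title, 'node/' . $row->nid . '/example-results');
  }
  return theme('item_list', $links);
}
```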