At the moment, webform allows any user with the 'access webform results' permission to view the results for any form, even if they do not have view (or update) access to that form. The webform-results paths, and the admin/content/webform pages should obey node access restrictions.

CommentFileSizeAuthor
#3 webform_results_access5.patch3.21 KBquicksketch
#2 webform_results_access5.patch2.82 KBquicksketch
#1 webform-results-access-340034-1.patch3.62 KBcdale

Comments

cdale’s picture

cdale commented
StatusFileSize
new webform-results-access-340034-1.patch3.62 KB

This patch corrects this issue.

The patch makes it so the user must also have view access on the node to access the results. i.e. the user must have both view access on the node and the 'access webform results' permission to be able to view results for a node.

NB: A menu rebuild will be required for the patch to take effect.

quicksketch’s picture

quicksketch
he/him
commented
Status: Needs review » Fixed
StatusFileSize
new webform_results_access5.patch2.82 KB

Thanks, I ported it to Drupal 5 and added a bit of PHPdoc for the new webform_results_access(). Great patch!

quicksketch’s picture

quicksketch
he/him
commented
StatusFileSize
new webform_results_access5.patch3.21 KB

Oops, forgot the db_rewrite_sql() in the D5 version. Added here.

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.