If the Webform Services webform/{UUID}/submissions endpoint includes some access control (e.g. session authentication) then there should be some user_access() checking of permissions before returning webform submissions. This does not happen currently.
Comments
Comment #1
joe-b commented: Here's a patch that adds this permissions check.
Comment #2
Nodz commented: I noticed the patch doesn't work as expected in all cases.
This works if you have 'access own webform results', but if you don't have that right then no filtering takes place at all and you can see all submissions, just as if you had 'access all webform results'. This is probably not desired behavior.
Also, it seems the webform permissions for submissions might be more appropriate:
'access own webform submissions', though it doesn't have a counterpart for access all submissions.
I've solved the problem with the following checks:
Note: There's no 'access all webform submissions' permission, so I just used 'edit all'; if you can edit you can basically access. Also, when logged in as admin (user 1) you will by default see all.
I now wonder if the other resources (PUT and POST) also lack similar access checks.
Comment #3
dureaghin commented: You forgot to add
global $user;
Should be:
Thanks!
Comment #4
tyler.frankenstein commented: Please re-roll the patch and I can look to get this committed, thank you.
Comment #5
dureaghin commented: I put
global $user;
in the wrong spot; I think the right place is the first line. I tested and now it works.
Comment #6
tyler.frankenstein commented: We can't ignore $parameters here, many depend on the ability to use that. The use of $filters must be replaced with $parameters instead, and each filter should not overwrite any pre-existing $parameters coming in. Also, please post a patch instead of all the code in the comment.
Comment #7
dureaghin commented: Here you go.
Comment #8
tyler.frankenstein commented: Thank you, but the incoming $parameters is still being ignored, the filter values need to be added to parameters (and not overwrite any pre-existing incoming values). Essentially, use $parameters instead of $filters.
Comment #9
dureaghin commented: Thank you Tyler. Please test it.
Comment #10
tyler.frankenstein commented: $parameters was still being overwritten, so I adjusted the patch a bit to not overwrite it, and to use the correct access permission check.
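What the check discussed in #2 through #10 looks like in Drupal 7 PHP, as an added example and not the committed patch or the Webform Services module's own code. It assumes the caller has already resolved the {UUID} in the path to a node id (that lookup is out of scope here), uses the Webform permissions named in the thread ('access all webform results', 'access own webform results', 'edit all webform submissions', 'access own webform submissions'), keeps the incoming $parameters intact as #6 and #8 require, and whitelists which incoming keys are passed on to webform_get_submissions() (the whitelist is an assumption, not something the thread specifies). Two caveats a reviewer would want stated: in Webform, 'access own webform results' covers results of webforms the user authored, while 'access own webform submissions' covers submissions the user made, so the two are treated differently below; and for a caller who only has the "own submissions" right, the uid filter must be forced rather than merged, otherwise a client-supplied uid would reopen the very hole being fixed.

```php
<?php
/**
 * Added example (not the module's code): an access-checked submissions
 * index for a Webform Services style resource.
 *
 * Assumes $nid has already been resolved from the UUID by the caller.
 */

/**
 * Returns the submissions of a webform node the current user may see.
 *
 * @param int $nid
 *   Node id of the webform.
 * @param array $parameters
 *   Incoming request filters. They are preserved, not overwritten; only
 *   'uid' is forced when the caller may see their own submissions only.
 *
 * @return array
 *   Submissions keyed by sid, as returned by webform_get_submissions().
 */
function example_webform_submissions_index($nid, array $parameters = array()) {
  global $user;

  $node = node_load($nid);
  if (!$node || $node->type != 'webform') {
    return services_error(t('Webform not found.'), 404);
  }

  // Assumption: only these incoming keys may become database filters.
  // Passing arbitrary client keys straight into webform_get_submissions()
  // would let a client filter on any column of the submissions table.
  $allowed = array('sid' => TRUE, 'uid' => TRUE, 'is_draft' => TRUE);
  $filters = array_intersect_key($parameters, $allowed);

  // Add our own filters on top of the caller's without dropping theirs.
  $filters['nid'] = $node->nid;

  if (user_access('access all webform results')
    || user_access('edit all webform submissions')
    || (user_access('access own webform results') && $node->uid == $user->uid)) {
    // Full visibility of this webform's submissions. User 1 also ends up
    // here because user_access() grants every permission to uid 1 in D7.
  }
  elseif (user_access('access own webform submissions')) {
    // Own submissions only. This is the one key we deliberately force:
    // honouring a client-supplied uid here would expose other users' data.
    $filters['uid'] = $user->uid;
  }
  else {
    return services_error(t('Access denied.'), 403);
  }

  return webform_get_submissions($filters);
}
```

The anonymous user (uid 0) passes through the 'access own webform submissions' branch only if that role has been granted the permission, and then sees just uid 0 submissions, which is the behaviour Nodz asked for in #2 instead of falling through to "show everything".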
Comment #12
tyler.frankenstein commented: