I checked the "Allowing users to edit their webform submission with token URL" checkbox and sent the token URL to the user's e-mail.
Opening the URL just loads the empty form, even when permissions to view, edit and delete own submissions for guest users are set.
Viewing and deleting the own submission via token URL works.
What seems strange to me is the fact that the generated URLs differ:
Edit:
https://blablub.com/Formular-D9?token=CJQDGqu1W8BrKpZPQ0KnO3yEKv0HBXOBLU...
View:
https://blablub.com/webform/drupal_9_test/submissions/19?token=CJQDGqu1W...
Delete:
https://blablub.com/webform/drupal_9_test/submissions/19/delete?token=CJ...
But as soon as a logged-in user submits the form, the URL for editing sent by mail changes to
https://blablub.com/webform/drupal_9_test?token=CJQDGqu1W8BrKpZPQ0KnO3yE...
and it can be edited by anybody who gets hold of that URL.
I wonder if the statement at 'update' shouldn't be using the route webform.user.submission.edit like the view and delete cases do:
  public function getTokenUrl($operation = 'update') {
    switch ($operation) {
      case 'view':
        /** @var \Drupal\webform\WebformRequestInterface $request_handler */
        $request_handler = \Drupal::service('webform.request');
        $url = $request_handler->getUrl($this, $this->getSourceEntity(), 'webform.user.submission');
        break;

      case 'update':
        $url = $this->getSourceUrl();
        break;

      case 'delete':
        /** @var \Drupal\webform\WebformRequestInterface $request_handler */
        $request_handler = \Drupal::service('webform.request');
        $url = $request_handler->getUrl($this, $this->getSourceEntity(), 'webform.user.submission.delete');
        break;

      default:
        throw new \Exception("Token URL operation $operation is not supported");
    }
Needs work
6.2
Code