Field-level access not checked in view

Created on 29 August 2022, over 2 years ago
Updated 30 October 2023, about 1 year ago

Problem/Motivation

A webform's field-level access controls are not being checked by webform_views. This results in fields being shown on views using webform_views when they're normally not shown on a vanilla webform submission page.

Steps to reproduce

1. Install webform and webform_views.
2. Create a role called "Content Admin".
3. Create a webform with two text fields.
4. Configure the webform to be viewable by authenticated users.
5. Configure the SECOND field created in Step 3 to NOT be viewable by a Content Admin.
   - See the Access tab when editing a field.
6. Create a view of the webform in Step 3 showing the two fields. Make this view accessible to authenticated users.
7. Create a submission on that webform.
8. As an authenticated user, view both the submission as a page and via the view.
9. As a Content Admin, view both the submission as a page and via the view.

Expected

- On step 8, an authenticated user should see their own submission's data in full.
- On step 9, a Content Admin should NOT see the second field.

Actual

- On step 8, an authenticated user should see their own submission's data in full.
- On step 9, the Content Admin can see the second field.

Proposed resolution

- The plugin should mimic how Webform renders fields. During render, Webform checks the field-level access control (see Drupal\webform\WebformSubmissionViewBuilder::isElementVisible()). Currently, Drupal\webform_views\Plugin\views\field\WebformSubmissionField::render() only checks the webform-level view access, but not the field's.
- Alternatively, the data could be made not present at all if access is not allowed. This treads more into Webform territory.

Remaining tasks

- test
- review
- merge

User interface changes

None

API changes

None

Data model changes

None

Bug report
Status

Needs review

Version

5.0

Component

Code

Created by

United States fskreuz
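
One way the element-level check described under "Proposed resolution" could look, as an added example that is neither the patch discussed in this issue nor webform_views code. The helper name is hypothetical, and it assumes a bootstrapped Drupal site with Webform installed:

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformSubmissionInterface;

/**
 * Returns TRUE if $account may view one element's value on a submission.
 *
 * Hypothetical helper: the function name is not part of webform or
 * webform_views. It combines the submission-level "view" check with the
 * element's own access rules, the part this issue reports as missing.
 */
function example_webform_element_view_access(WebformSubmissionInterface $submission, string $element_key, AccountInterface $account): bool {
  // Submission-level access: may this account view the submission at all?
  if (!$submission->access('view', $account)) {
    return FALSE;
  }

  // Look up the element definition on the webform. Fail closed if the
  // element no longer exists, so stale view configuration shows nothing.
  $element = $submission->getWebform()->getElement($element_key);
  if (empty($element)) {
    return FALSE;
  }

  // Element-level access: the rules set on the element's Access tab.
  /** @var \Drupal\webform\Plugin\WebformElementManagerInterface $manager */
  $manager = \Drupal::service('plugin.manager.webform.element');
  $plugin = $manager->getElementInstance($element);

  return (bool) $plugin->checkAccessRules('view', $element, $account);
}
```

A views field plugin would call a check like this before rendering a value and return an empty result when it fails, so the view and the submission page agree on what each role can see.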


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • Netherlands casey

    Maybe we should also check visibility rules? Something like this might work.

  • Netherlands casey

    Previous patch used the wrong variable in constructor

  • Canada earthangelconsulting

    For what it's worth... I tried the patch in #7 applied against version 5.2 of the module, in a simple test case, and it worked exactly as expected! Awesome! I hope this can get incorporated into a release soon.

    (otherwise that checkbox "Check view access for this field" that appears for webform fields in Views is very misleading ;-) )

  • Czech Republic milos.kroulik

    It seems to be working fine. There's an understandable gotcha - if access is disabled for an element and it's rewritten in views, there's no output even if the other element accessed there is accessible.

    It's also inconvenient in case we have a lot of elements in the webform but we want to make only a small number of them accessible, which means we need to manually disable access to the rest. It would be good if it was possible to make it the other way around.
