Field-level access not checked in view

Created on 29 August 2022, almost 2 years ago
Updated 3 May 2024, about 2 months ago

Problem/Motivation

A webform's field-level access controls are not being checked by webform_views. This results in fields being shown on views using webform_views when they're normally not shown on a vanilla webform submission page.

Steps to reproduce

1. Install webform and webform_views.
2. Create a role called "Content Admin".
3. Create a webform with two text fields.
4. Configure the webform to be viewable by authenticated users.
5. Configure the SECOND field created in Step 3 to NOT be viewable by a Content Admin.
   - See the Access tab when editing a field.
6. Create a view of the webform in Step 3 showing the two fields. Make this view accessible to authenticated users.
7. Create a submission on that webform.
8. As an authenticated user, view both the submission as a page and via the view.
9. As a Content Admin, view both the submission as a page and via the view.

Expected

- On step 8, an authenticated user should see their own submission's data in full.
- On step 9, a Content Admin should NOT see the second field.

Actual

- On step 8, an authenticated user should see their own submission's data in full.
- On step 9, the Content Admin can see the second field.

Proposed resolution

- The plugin should mimic how Webform renders fields. During render, Webform checks the field-level access control (see Drupal\webform\WebformSubmissionViewBuilder::isElementVisible()). Currently, Drupal\webform_views\Plugin\views\field\WebformSubmissionField::render() only checks the webform-level view access, but not the field's.
- Alternatively, the data could be made not present at all if access is not allowed. This treads more into Webform territory.

Remaining tasks

- test
- review
- merge

User interface changes

None

API changes

None

Data model changes

None

🐛 Bug report
Status

Needs review

Version

5.0

Component

Code

Created by

🇺🇸 United States fskreuz
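
The field-level check described under "Proposed resolution", as an added sketch that is not part of the original issue, the patches mentioned in the comments, or the webform_views code base. The function name `example_webform_element_view_allowed()` is hypothetical; it assumes Webform's element plugin manager service and the element plugins' `checkAccessRules()` method, and it covers access rules only, not conditional visibility (#states).

```php
<?php

use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformSubmissionInterface;

/**
 * Hypothetical helper: TRUE only if $account may view this element's value.
 *
 * Intended to be called before a Views field plugin outputs a submission
 * value, so the view honours the same rules as the submission page.
 */
function example_webform_element_view_allowed(WebformSubmissionInterface $submission, string $element_key, AccountInterface $account): bool {
  // Webform-level check: the only check the issue says render() performs.
  if (!$submission->access('view', $account)) {
    return FALSE;
  }

  // Initialized element definition, including the #access_view_* rules
  // configured on the element's Access tab.
  $element = $submission->getWebform()->getElement($element_key);
  if ($element === NULL) {
    // Unknown or removed element: fail closed rather than show stale data.
    return FALSE;
  }

  /** @var \Drupal\webform\Plugin\WebformElementManagerInterface $manager */
  $manager = \Drupal::service('plugin.manager.webform.element');

  // Field-level check: role, user and permission rules for the 'view'
  // operation on this specific element.
  return $manager->getElementInstance($element)
    ->checkAccessRules('view', $element, $account);
}
```

Because the result differs per account, any render array built from it needs a matching cache context (for example `user.roles`), otherwise a cached row rendered for one role can be served to another.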


Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

  • 🇳🇱 Netherlands casey

    Maybe we should also check visibility rules? Something like this might work.

  • 🇳🇱 Netherlands casey

    Previous patch used the wrong variable in constructor

  • 🇨🇦 Canada earthangelconsulting

    for what it's worth... i tried the patch in #7 applied against version 5.2 of the module, in a simple test case, and it worked exactly as expected! awesome! i hope this can get incorporated into a release soon.

    (otherwise that checkbox "Check view access for this field" that appears for webform fields in Views is very misleading ;-) )
