Cannot view submissions without webform_group enabled

Created on 14 December 2022, over 1 year ago

Updated 16 June 2023, about 1 year ago

Problem/Motivation

When I am logged in as a non Administrator role, and I create a node within a group (group module), and I attach a webform to the node via a webform field and save, the webform submissions are not accessible unless the webform_group module is enabled (The Results tab does not appear). This does not seem correct because as far as I can tell, I am not using any functionality from the webform_group module, and a user with the Administrator role can access submissions perfectly fine without webform_group enabled.

The issue lies on line 200 of \Drupal\webform_node\Access\WebformNodeAccess::checkAccess. There is a check for whether webform_group is enabled. If it isn't enabled, the code eventually checks $node->access() as well as some interesting str_replace(). At this point $operation = 'webform_submission_view' and $entity_access = 'webform.submission_view_any'.

A few questions:
1. Why does webform_group being enabled bypass $node->access()?
2. What global or group level permission (if any) is attached to the operation 'webform_submission_view' and entity access 'webform.submission_view_any'? Why is a user with the Administrator role able to access submissions but a lesser role is not? I think I've tried granting every permission I can find and the only thing that causes submissions to be accessible is enabling the webform_group module.

Steps to reproduce

1. Login as a user with the Administrator role.
2. Install webform module and leave most config/permissions as default.
3. Create/configure webform and grant access permissions to a lesser role (at /admin/structure/webform/manage/WEBFORM_ID/settings).
4. Login as a user with lesser role (that has far less global webform permissions).
5. Create a node within a group, and attach the webform via a webform field.
6. When viewing the node, you will not see a Results tab.
7. Login as a user with with the Administrator role.
8. When viewing the node you will see a Results tab.
9. Enable the webform_group module.
10. Login as a user with lesser role
11. When viewing the node you will see a Results tab.

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

💬 Support request

Status

Active

Version

1.0

Component

Code

Created by

🇺🇸United States maskedjellybean Portland, OR

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment about 1 year ago →
🇺🇸United States maskedjellybean Portland, OR
If I were to create a patch it would remove the check for the existence of webform_group, but it sounds like that is not an acceptable solution. I don't think we've yet explained why the check is necessary, which would explain why removing it is not viable. In the end the question is: Why does the ability of a non Administrator user to access webform submissions depend on whether the webform_group module is enabled instead of depending on the access settings configured on the webform? It feels like an arbitrary dependency, and one that you could never discover unless you dig into the code.
Comment about 1 year ago →
🇺🇸United States ccjjmartin Austin, TX
@maskedjellybean the code looks fine to me, have you tried removing that code to verify that it is the problem? Seems like if $is_group_node is FALSE (the default behavior) that the code will run the node access check.

contrib.social Blog FAQ Discussions

Production build 0.69.0 2024