Permission issues when creating a submission

Created on 16 November 2023, about 1 year ago
Updated 17 January 2024, 11 months ago

I am receiving the following error message in my response when trying to POST a new webform submission:
"The 'restful post webform_rest_submit' permission is required."
I am attempting this through Postman with OAuth2 bearer tokens as I do for other JSON:API spec endpoints.
I have added the Rest UI module and have enabled the Webform Submit REST resource at "/admin/config/services/rest".
The configuration for it is:
- Granularity: Resource
- Method: POST
- Accepted request formats: json
- Authentication providers: oauth2
I have also enabled the "Access POST on Webform Submit resource" permission and ALL webform permissions for all user roles.
I tried adding all user roles, including admin, to my user, but I still get the same result.
The only way it works is if I authenticate with the admin (id 1) user.

This is the cURL export for my Postman call:

curl --location 'https://my.site/webform_rest/submit' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer my-bearer-token-hash' \
--data-raw '{
"webform_id": "contact",
"name": "My Name",
"last_name": "My Last Name",
"email": "email@gmail.com",
"message": "This is a message"
}'

🐛 Bug report
Status: Active
Version: 4.0
Component: Code
Created by: 🇨🇾Cyprus EliasPapa


Comments & Activities

  • Issue created by @EliasPapa
  • 🇬🇧United Kingdom dave_______1

    Having a similar issue.
    Only way I can submit a form is:
    1. Create new user
    2. Give the role of the user access to "Administer webforms"
       (Warning: Give to trusted roles only; this permission has security implications. Allows administration of global YAML configuration and options.)
    3. Add a header to the request of
    'Authorization': 'Basic ' + btoa("user:password"),

    NB. If I give access to Administer webforms to Anonymous user I do not need to add the "Authorization" header

    Obviously this is not something I can/will do but as of now I cannot use my contact form (headless website).

  • 🇬🇧United Kingdom rviner

    I noticed a similar permission error when upgrading from 4.0.3 and realised due to the extra permission checks introduced in 4.1.0 I had to tick off the 'View own webform submission' permission for the role.

    This was due to the extra check in 'WebformSubmissionResource.php' to view the submission. I also noticed there's an error in the comment:

    // Check user have permission to delete webform submission.

    should be:

    // Check user have permission to view webform submission.
