Access Check for source_entity_type and source_entity_id

Created on 26 June 2024, 5 months ago
Updated 27 June 2024, 5 months ago

Problem/Motivation

I'm not sure if this is the correct way to tackle our use case but currently we are trying to tie one webform submission per group. So each group member will be updating the same submission after the first submission. This is achieved by adding a webform reference field to the group and with the webform settings, we have configured a certain role that can update the webform submission to that specific webform and have limited the total to one submission per source entity.

We are using the "Link to form" as the display for this field which attaches the source entity type and id as query params to the webform url and have noticed that a user can submit a submission for a source entity that the user does not have access to by changing the id of the entity id in the query parameter.

For example, user A is a member of Group 1 but not a member of Group 2.
The webform reference field in Group 1 is linked to /contact?source_entity_type=group&source_entity_id=1.
Now user A can re-submit the same webform for Group 2 just by navigating to /contact?source_entity_type=group&source_entity_id=2 even though the field is properly hidden for user A when the user visits Group 2's page.

Steps to reproduce

1. Create a webform that allows a specific role to update and create any submission. Also limit the submission to one submission per webform/source entity
2. Create 2 Groups of the same group type where the type has a webform reference field. Set this field to point to the webform that was configured in step 1. Set the field display as link to form. (I used the field_permissions_group β†’ to only display the field to members of the group.
3. Add a user with the allowed role to one of the groups and visit the group.
4. Click on the webform link provided by the webform reference field and submit the webform for the group that the user is a member of.
5. Change the source_entity_id as the group id for the second group that the user is not a member of and successfully resubmit the form.

Proposed resolution

Perform an access check for the user and the source entity before accessing the webform.

✨ Feature request
Status

Closed: won't fix

Version

6.2

Component

Code

Created by

πŸ‡ΊπŸ‡ΈUnited States danielkim7755 San Diego

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Comments & Activities

Production build 0.71.5 2024