- Issue created by @danielkim7755
- Status changed to Closed: won't fix
2 months ago 9:31am 27 June 2024 - πΊπΈUnited States jrockowitz Brooklyn, NY
All new features should be handled via custom code or a dedicated contributed module.
I'm not sure if this is the correct way to tackle our use case but currently we are trying to tie one webform submission per group. So each group member will be updating the same submission after the first submission. This is achieved by adding a webform reference field to the group and with the webform settings, we have configured a certain role that can update the webform submission to that specific webform and have limited the total to one submission per source entity.
We are using the "Link to form" as the display for this field which attaches the source entity type and id as query params to the webform url and have noticed that a user can submit a submission for a source entity that the user does not have access to by changing the id of the entity id in the query parameter.
For example, user A is a member of Group 1 but not a member of Group 2.
The webform reference field in Group 1 is linked to /contact?source_entity_type=group&source_entity_id=1.
Now user A can re-submit the same webform for Group 2 just by navigating to /contact?source_entity_type=group&source_entity_id=2 even though the field is properly hidden for user A when the user visits Group 2's page.
1. Create a webform that allows a specific role to update and create any submission. Also limit the submission to one submission per webform/source entity
2. Create 2 Groups of the same group type where the type has a webform reference field. Set this field to point to the webform that was configured in step 1. Set the field display as link to form. (I used the
field_permissions_group β
to only display the field to members of the group.
3. Add a user with the allowed role to one of the groups and visit the group.
4. Click on the webform link provided by the webform reference field and submit the webform for the group that the user is a member of.
5. Change the source_entity_id as the group id for the second group that the user is not a member of and successfully resubmit the form.
Perform an access check for the user and the source entity before accessing the webform.
Closed: won't fix
6.2
Code
All new features should be handled via custom code or a dedicated contributed module.