Is there a way to allow anonymous users to download only their filled form?

Created on 11 July 2024, 5 months ago

Updated 5 September 2024, 3 months ago

Problem/Motivation

In D7, with a PDF attached to a webform, anonymous users could download the filled PDF via a URL if it included the "token" parameter uniquely identifying the one submission. Requiring this token prevented users from seeing other filled PDFs just by adjusting the form ID and/or webform submission ID.

With current Drupal versions, I don't see a way to do this. The permissions that seem to be needed to allow them to download a filled PDF at all, let them download any filled PDF just by decrementing the submission ID, without needing to provide a token.

I'm hoping there's something I'm missing - any ideas? In D7, it seems that granting "publish own PDFs" and appending the token was the way to make this work, but it doesn't in modern Drupal.

Steps to reproduce

configure fillPDF permissions so anonymous users do not have any of the permissions
configure webform permissions so anonymous users do not have access to view webform submissions
set up fillPDF so that there is a PDF connected to a web form
create a web form with a confirmation page linking to the filled PDF at [site:url]/fillpdf?fid=(file ID)&entity_type=webform_submission&entity_id=[webform_submission:sid]&token=[webform_submission:token] (replacing the information in round brackets with the actual information)
fill in the web form
note that access is denied
give the anonymous user "publish own PDFs" and retry the URL and note that access is still denied
give the anonymous user "publish all PDFs" and retry the URL and note that access is now granted, even if you remove the token
fill in the web form a few times as anonymous and authenticated users, and retry the URL with the webform submission IDs for those items, and note the anonymous user has access to them all, without needing the token

✨ Feature request

Status

Needs review

Version

5.2

Component

Code

Created by

🇨🇦Canada kpaxman

Live updates comments and jobs are added and updated live.

Merge Requests

!54Is there a way to allow anonymous users to download only their filled form?
Open
🇨🇦Canada ebremner
updated 3 months ago

Comments & Activities

Issue created by @kpaxman
First commit to issue fork.
Comment 3 months ago →
🇨🇦Canada ebremner
ebremner → changed the visibility of the branch 3460893-webform-fillpdf to hidden.
Comment 3 months ago →
🇨🇦Canada ebremner
ebremner → changed the visibility of the branch 3460893-webform-fillpdf to active.
Merge request !54Issue #3460893: Update code to allow anon users to download fillable pdfs if... → (Open) created by ebremner
Pipeline finished with Failed
3 months ago
Total: 320s
#273689
Status changed to Needs review 3 months ago9:10pm 4 September 2024
Comment 3 months ago →
🇨🇦Canada kpaxman
It's working for me, but it would be nice if someone outside the organization could test. Setting the status to "needs review" in the hopes that happens.
Comment 3 months ago →
🇨🇦Canada Liam Morland Ontario, CA 🇨🇦
Hi, Kevin, please rebase on 5.2.x. I don't think there is currently a way to do this. Thanks for the merge request.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024

Is there a way to allow anonymous users to download only their filled form?

Problem/Motivation

Steps to reproduce

Merge Requests

!54Is there a way to allow anonymous users to download only their filled form?Open

Comments & Activities

!54Is there a way to allow anonymous users to download only their filled form?
Open