Contrib.social

Access denied when using webform dialog as anonymous user

Open on Drupal.org →
Created on 27 September 2024, 12 months ago

Problem/Motivation

<a href="/webform/feedback" class="webform-dialog button" data-once="webform-dialog">Feedback</a>

Steps to reproduce

  1. Enable the "Enable site-wide dialog support" setting in global webform settings (/admin/structure/webform/config)
  2. Create a webform
  3. Ensure "Anonymous user" is checked for "Create submissions" at /admin/structure/webform/manage/feedback/access
  4. Copy the dialog code from the webform settings (/admin/structure/webform/manage/feedback/settings) - containing the webform-dialog button classes
  5. Click the dialog button as anonymous user
  6. For a short time you see the "Loading" modal overlay, then you're being redirected to /webform/feedback and see the regular Drupal "Access denied"

Here's the export of the webform configuration:

uuid: 2b932a24-1858-4afb-9431-f39c64f7d269
langcode: de
status: open
dependencies:
  module:
    - antibot
    - honeypot
third_party_settings:
  antibot:
    antibot: true
  honeypot:
    honeypot: true
    time_restriction: true
weight: 0
open: null
close: null
uid: 1
template: false
archive: false
id: feedback
title: Feedback
description: '<p>Feedback-Formular um Verbesserungsvorschläge und Fehler zu melden</p>'
categories:
  - Kontaktformulare
elements: |-
  fieldgroup_message:
    '#type': webform_section
    '#title': 'Ihr Feedback'
    '#title_tag': h3
    description:
      '#type': webform_markup
      '#markup': '<p>Sie haben Verbesserungswünsche, Vorschläge, konstruktive Kritik oder Anmerkungen? Wir freuen uns über Ihr Feedback!</p>'
    cta_page_url:
      '#type': url
      '#title': 'Bezug zur Website (URL)'
      '#help': '<p>Wird automatisch mit der URL der Seite gefüllt, auf der sich das Formular befindet.</p>'
      '#disabled': true
      '#default_value': '[current-page:url]'
      '#wrapper_attributes':
        class:
          - hidden
          - element-invisible
      '#attributes':
        class:
          - hidden
    message:
      '#type': textarea
      '#title': 'Ihre Nachricht an uns'
      '#title_display': before
      '#description_display': after
      '#required': true
    email:
      '#type': email
      '#title': E-Mail
      '#description': '<p>Ihre E-Mail-Adresse für mögliche Rückfragen</p>'
      '#title_display': before
      '#description_display': after
      '#placeholder': E-Mail
      '#required': true
      '#states':
        visible:
          ':input[name="message"]':
            filled: true
  markup:
    '#type': webform_markup
    '#states':
      visible:
        ':input[name="email"]':
          filled: true
    '#markup': '<p>Es gilt unsere <a href="/datenschutzerklaerung">Datenschutzerklärung</a></p>'
  captcha_container:
    '#type': container
    '#states':
      visible:
        ':input[name="email"]':
          filled: true
    captcha:
      '#type': captcha
  actions:
    '#type': webform_actions
    '#title': 'Submit button(s)'
    '#submit__label': 'Nachricht senden'
    '#submit__attributes':
      class:
        - 'primary button'
        - 'lg button'
css: ''
javascript: ''
settings:
  ajax: true
  ajax_scroll_top: form
  ajax_progress_type: ''
  ajax_effect: ''
  ajax_speed: null
  page: false
  page_submit_path: ''
  page_confirm_path: ''
  page_theme_name: ''
  form_title: source_entity_webform
  form_submit_once: true
  form_open_message: ''
  form_close_message: ''
  form_exception_message: ''
  form_previous_submissions: false
  form_confidential: false
  form_confidential_message: ''
  form_disable_remote_addr: true
  form_convert_anonymous: false
  form_prepopulate: false
  form_prepopulate_source_entity: false
  form_prepopulate_source_entity_required: false
  form_prepopulate_source_entity_type: ''
  form_unsaved: false
  form_disable_back: false
  form_submit_back: false
  form_disable_autocomplete: false
  form_novalidate: false
  form_disable_inline_errors: false
  form_required: false
  form_autofocus: false
  form_details_toggle: false
  form_reset: false
  form_access_denied: default
  form_access_denied_title: ''
  form_access_denied_message: ''
  form_access_denied_attributes: {  }
  form_file_limit: ''
  form_attributes: {  }
  form_method: ''
  form_action: ''
  share: false
  share_node: false
  share_theme_name: ''
  share_title: true
  share_page_body_attributes: {  }
  submission_label: ''
  submission_exception_message: ''
  submission_locked_message: ''
  submission_log: false
  submission_excluded_elements: {  }
  submission_exclude_empty: false
  submission_exclude_empty_checkbox: false
  submission_views: {  }
  submission_views_replace:
    webform_routes: {  }
    node_routes: {  }
  submission_user_columns: {  }
  submission_user_duplicate: false
  submission_access_denied: default
  submission_access_denied_title: ''
  submission_access_denied_message: ''
  submission_access_denied_attributes: {  }
  previous_submission_message: ''
  previous_submissions_message: ''
  autofill: false
  autofill_message: ''
  autofill_excluded_elements: {  }
  wizard_progress_bar: false
  wizard_progress_pages: false
  wizard_progress_percentage: false
  wizard_progress_link: false
  wizard_progress_states: false
  wizard_start_label: ''
  wizard_preview_link: false
  wizard_confirmation: true
  wizard_confirmation_label: ''
  wizard_auto_forward: true
  wizard_auto_forward_hide_next_button: false
  wizard_keyboard: true
  wizard_track: ''
  wizard_prev_button_label: ''
  wizard_next_button_label: ''
  wizard_toggle: true
  wizard_toggle_show_label: ''
  wizard_toggle_hide_label: ''
  wizard_page_type: container
  wizard_page_title_tag: h2
  preview: 0
  preview_label: ''
  preview_title: ''
  preview_message: ''
  preview_attributes: {  }
  preview_excluded_elements: {  }
  preview_exclude_empty: true
  preview_exclude_empty_checkbox: false
  draft: none
  draft_multiple: false
  draft_auto_save: false
  draft_saved_message: ''
  draft_loaded_message: ''
  draft_pending_single_message: ''
  draft_pending_multiple_message: ''
  confirmation_type: message
  confirmation_url: ''
  confirmation_title: 'Vielen Dank für Ihre Verbesserungsvorschläge!'
  confirmation_message: '<p><strong>Ihre Nachricht wurde erfolgreich an uns übermittelt.</strong></p><p>Bitte geben Sie uns ein wenig Zeit, um diese individuell zu bearbeiten. Wir freuen uns sehr über Ihr Feedback und sind jederzeit offen für weitere Verbesserungshinweise.<br>Gerne stehen wir für weitere Fragen zu Ihrer Verfügung.</p>'
  confirmation_attributes: {  }
  confirmation_back: true
  confirmation_back_label: ''
  confirmation_back_attributes: {  }
  confirmation_exclude_query: false
  confirmation_exclude_token: false
  confirmation_update: false
  limit_total: null
  limit_total_interval: null
  limit_total_message: ''
  limit_total_unique: false
  limit_user: null
  limit_user_interval: null
  limit_user_message: ''
  limit_user_unique: false
  entity_limit_total: null
  entity_limit_total_interval: null
  entity_limit_user: null
  entity_limit_user_interval: null
  purge: none
  purge_days: null
  results_disabled: false
  results_disabled_ignore: false
  results_customize: false
  token_view: false
  token_update: false
  token_delete: false
  serial_disabled: false
access:
  create:
    roles:
      - anonymous
      - authenticated
    users: {  }
    permissions: {  }
  view_any:
    roles: {  }
    users: {  }
    permissions: {  }
  update_any:
    roles: {  }
    users: {  }
    permissions: {  }
  delete_any:
    roles: {  }
    users: {  }
    permissions: {  }
  purge_any:
    roles: {  }
    users: {  }
    permissions: {  }
  view_own:
    roles: {  }
    users: {  }
    permissions: {  }
  update_own:
    roles: {  }
    users: {  }
    permissions: {  }
  delete_own:
    roles: {  }
    users: {  }
    permissions: {  }
  administer:
    roles: {  }
    users: {  }
    permissions: {  }
  test:
    roles: {  }
    users: {  }
    permissions: {  }
  configuration:
    roles: {  }
    users: {  }
    permissions: {  }
handlers:
  site_mail_notification:
    id: email
    handler_id: site_mail_notification
    label: 'E-Mail an Seiteninhaber'
    notes: ''
    status: true
    conditions: {  }
    weight: -49
    settings:
      states:
        - completed
      to_mail: _default
      to_options: {  }
      bcc_mail: ''
      bcc_options: {  }
      cc_mail: info@example.com
      cc_options: {  }
      from_mail: _default
      from_options: {  }
      from_name: _default
      reply_to: '[webform_submission:values:email:raw]'
      return_path: ''
      sender_mail: ''
      sender_name: ''
      subject: 'Neue Nachricht im Formular: "[webform_submission:webform:title]" auf [site:name]'
      body: '<p>Es wurde eine neue Anfrage im Formular "[webform_submission:webform:title]" (<a href="[webform_submission:webform:url]">[webform_submission:webform:url]</a>) auf <a href="[site:url]">[site:url]</a> erstellt.<br><br>Sie finden den Absender der Nachricht unterhalb, um ihm zu antworten. Ebenso können Sie bei Bedarf die Antworten-Funktion Ihres E-Mail Programms nutzen.<br>&nbsp;</p><h2>Erhaltene Anfrage:</h2><p><hr>[webform_submission:values]&nbsp;<hr><br><br><em>Gesendet: [current-user:name] [webform_submission:completed:medium]</em></p>'
      excluded_elements: {  }
      ignore_access: true
      exclude_empty: true
      exclude_empty_checkbox: false
      exclude_attachments: false
      html: true
      attachments: false
      twig: false
      theme_name: ''
      parameters: {  }
      debug: false
  sender_notification:
    id: email
    handler_id: sender_notification
    label: 'Bestätigungsnachricht an Absender'
    notes: ''
    status: false
    conditions: {  }
    weight: -50
    settings:
      states:
        - completed
      to_mail: '[webform_submission:values:email:raw]'
      to_options: {  }
      bcc_mail: ''
      bcc_options: {  }
      cc_mail: ''
      cc_options: {  }
      from_mail: _default
      from_options: {  }
      from_name: _default
      reply_to: ''
      return_path: ''
      sender_mail: ''
      sender_name: ''
      subject: 'Vielen Dank für Ihre Nachricht im Formular "[webform_submission:webform:title]" auf [site:url]'
      body: |-
        <p>Vielen Dank f&uuml;r Ihre Nachricht auf <a href="[site:url]">[site:url]</a> vom [webform_submission:created:short]</p>

        <p>Wir werden schnellstm&ouml;glich auf einem der von Ihnen angegebenen Kontaktwege mit Ihnen in Verbindung treten. F&uuml;r weitere Fragen stehen wir gerne zu Ihrer Verf&uuml;gung.</p>

        <p>Im Folgenden erhalten Sie eine &Uuml;bersicht Ihrer Angaben im Formular in Kopie:<br />
        &nbsp;</p>

        <h2>Ihre Angaben:</h2>

        <hr />[webform_submission:values]
        <hr />
      excluded_elements: {  }
      ignore_access: false
      exclude_empty: true
      exclude_empty_checkbox: false
      exclude_attachments: false
      html: true
      attachments: false
      twig: false
      theme_name: ''
      parameters: {  }
      debug: false
variants: {  }

Proposed resolution

Remaining tasks

User interface changes

API changes

Data model changes

🐛 Bug report
Status

Active

Version

6.2

Component

Code

Created by

🇩🇪Germany Anybody Porta Westfalica

Live updates comments and jobs are added and updated live.
Sign in to follow issues

Merge Requests

Comments & Activities

  • Issue created by @Anybody
  • Comment 12 months ago
    🇩🇪Germany Anybody Porta Westfalica

    One question upfront: Does this require "Allow users to post submissions from a dedicated URL for all webform" option to be enabled at /admin/structure/webform/config?
    If yes, maybe this should be added to the documentation or even better use Form States API to ensure it's both enabled?

    I also enabled this one and tried /form and /webform but both didn't fix the issue.

    What am I missing or doing wrong? I'm even quite sure it was working in the past, but sadly only 99% sure I've tested it as anonymous user.
    As admin user it works as expected in the dialog!

  • Comment 11 months ago
    🇩🇪Germany Anybody Porta Westfalica

    OK, I finally had some time to go into details.

    Indeed, it's only possible to use the "Site-wide dialog support", if

    So I see some possibilities to solve this, but I think it would make sense to first discuss the way to go, before touching code.

    Some resolution ideas:

    At webform global settings /admin/structure/webform/config and each individual webform configuration (/admin/structure/webform/manage/X/settings):

    1. ... a warning could be shown, if Enable site-wide dialog support checkbox is checked, which informs users that this option also needs the Allow users to post submissions from a dedicated URL for all webform option to be enabled
    2. ... an error could be triggered on form save, if Enable site-wide dialog support checkbox is checked, but Allow users to post submissions from a dedicated URL for all webform option is disabled.
    3. ... place the dialog option within the Allow users to post submissions from a dedicated URL fieldset to show the relation more clearly and make it dependent

    Would be great to get maintainer feedback, perhaps there are better alternatives or I'm still missing something.

    Now at least with both options enabled, the functionality works as expected! 🎉
    But it's super risky to run into this currently, as it's not documented in the admin UI.

  • Comment 11 months ago
    🇩🇪Germany Anybody Porta Westfalica

    Settings this "Needs review" to review #3 and get some attention to be able to proceed here in code. Thanks!

  • Comment 11 months ago
    🇩🇪Germany gogowitsch

    Personally, I would go with your solution 2, “an error could be triggered on form save”. It strikes a good balance for site owners to understand what the problem is.

    About solution 2, I also like that GET requests are not affected by the small performance penalty of the additional permission check.

  • Status changed to Needs review 24 days ago
  • Comment 24 days ago
    🇺🇸United States jrockowitz Brooklyn, NY
    1. ... a warning could be shown, if Enable site-wide dialog support checkbox is checked, which informs users that this option also needs the Allow users to post submissions from a dedicated URL for all webform option to be enabled

    I am always open to adding documentation to the UI.

    1. ... an error could be triggered on form save, if Enable site-wide dialog support checkbox is checked, but Allow users to post submissions from a dedicated URL for all webform option is disabled.

    'Enable site-wide dialog support checkbox" allows webform dialogs to be used on any page of the website, which is a good thing. Some sites might be using this API to open nodes via Some page

    1. ... place the dialog option within the Allow users to post submissions from a dedicated URL fieldset to show the relation more clearly and make it dependent

    Webform dialogs support does not have to be tied to posting submissions.

    1. ... use form state to only show the dialog option and links, if Enable site-wide dialog support checkbox is checked (but I think that might be confusing!)

    Better documentation is more important.

  • Comment 24 days ago
    🇺🇸United States jrockowitz Brooklyn, NY

    The MR adds the below warning to the webform dialog details widget.

  • Comment 24 days ago
    🇺🇸United States jrockowitz Brooklyn, NY
  • Comment 24 days ago
    🇺🇸United States jrockowitz Brooklyn, NY
  • Comment 22 days ago
    🇩🇪Germany Anybody Porta Westfalica

    Thank you very very much @jrockowitz thank you!

  • Merge request !703Issue #3477308: Access denied when using webform dialog as anonymous user → (Merged) created by jrockowitz
  • Comment 22 days ago
    🇺🇸United States jrockowitz Brooklyn, NY

    I forgot to push my MR.

  • Pipeline finished with Skipped
    22 days ago
    #581128
  • Pipeline finished with Skipped
    22 days ago
    #581130
  • Comment 22 days ago
    System Message
    • jrockowitz committed 55529b9e on 6.3.x 
      Issue #3477308 by jrockowitz, anybody, gogowitsch: Access denied when...
  • Comment 22 days ago
    🇺🇸United States jrockowitz Brooklyn, NY
  • Comment 22 days ago
    🇺🇸United States jrockowitz Brooklyn, NY
  • Comment 22 days ago
    System Message
    • jrockowitz committed 55529b9e on 6.x 
      Issue #3477308 by jrockowitz, anybody, gogowitsch: Access denied when...
  • Comment 8 days ago
    System Message

    Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions
Production build 0.71.5 2024