- Issue created by @nicholosophy
- First commit to issue fork.
- 🇺🇦Ukraine yakim
Proposed enhancement to improve UX for anonymous users when "Block unknown users" is enabled
I’ve investigated this issue. While the originally reported behavior appears to be resolved in recent versions, I believe the current implementation can still be improved from a UX and access control standpoint.
Current behavior:
When "Block unknown users" is enabled in the Webform CiviCRM settings, and an anonymous user visits a page that embeds a webform (e.g., via a node), the entire page is blocked with the generic message: "You are not authorized to access this page."
This happens even if:
- The user has view access to the node.
- The webform is publicly viewable.
- The intention is only to block submission, not the entire route.
This behavior is due to an AccessDeniedHttpException() being thrown in webform_civicrm/src/WebformCivicrmPreProcess.php, around this line:

    if ($this->settings['block_unknown_users']) {
      $this->form['submitted']['#access'] = $this->form['actions']['#access'] = FALSE;
      throw new AccessDeniedHttpException();
    }

Proposed enhancement:
Instead of denying access to the entire page (route), we can cleanly hide only the webform output by setting:

    $this->form['#access'] = FALSE;

This preserves access to the rest of the page (e.g., node content) and aligns better with the principle of least surprise: users see what they’re allowed to, and only the form itself is hidden.
Benefits:
- Prevents unnecessarily blocking access to the parent route.
- Plays well with nodes/pages embedding webforms.
- Provides a cleaner UX — users don’t hit an abrupt 403 if they're just browsing content.
As I do not have push access to the Git repository, I’ve submitted a merge request here:
MR #21 on git.drupalcode.org
@karing, please let me know if this change makes sense. I’d be happy to refine or adjust it if needed.
cc @colemanw