Webform Fields Permission (private components)

Could you post the module? Looks like your upload may be missing. I'd like to integrate a similar feature directly into Webform if you're interested in writing it as a patch instead of a separate module. See #313639: Public vs. private components .

This is exactly what I was looking for. Can this either be

1) Set up as its own Drupal project (my company may be interested in sponsorship) or
2) Integrated into Webform (I know that getting new features integrated may be a PITA)?

Thanks!

this module is great!
Thank you!

@quicksketch & yogev004: I'll give this a go as a patch - it fits in nicely with development I'm currently doing. Further feedback on/by 06 June 2011

Do we want:
a) to limit role-based access to a component (and its value/s) purely to the client forms; or,
b) include table listings, downloads etc. in the limitation?

Seems to make sense that there could be authenticated roles to whom "super-admin" would want to restrict access to certain kinds of information, e.g. a "junior" admin could access a submitted name and telephone number, but not be able to get that same submissions email address, or other information deemed to be "sensitive". This sensitive information would, obviously then, be accessible to a more privileged role.

The idea is to restrict access to information, yet retain access to webform features for all qualified roles.

I guess that this could go some way to integrating (duplicating?) some of the webform_report functionality if we're not careful :-)

Being as how the direction of development here is towards a webform patch, the plan at the moment is to add a role-id array to the webform_component.extra field with the additional fieldset on the webform_component_edit_form. It doesn't seem necessary to create additional database IO.

What say you?

The way I see this working is really quite simple. If you have access to the "Results" tab of a Webform, you are considered an "Admin" and have access to all private components when viewing and (if allowed to edit) editing submissions. I don't really want to implement per-role access to components personally, though if that became enabled (API-wise) through these changes, I wouldn't be opposed. Rather than "field permissions" which seems a bit more complex (from an end-user stand-point), I'd really like to pursue something more along the lines of #313639: Public vs. private components .

In my particular use case, I need the functionality to limit webform form components based on user role. Although, table listings, downloads would be nice, I can't think of a use where I would need them.

Thanks!

Here are non-standard p0 patches for webform.module and webform.components.inc of Webform 6.x-3.11 for the time being. I'm busy wading through the morass of information around getting properly set up with git and will post standard patches as soon as I have any idea at all what I'm supposed to be doing.

A 'Private' checkbox has been added to 'Form components' (next to the Mandatory checkbox) and to the component edit form (at the bottom of the 'Display' fieldset). If user does not have 'access all webform results' permissions, the checkboxes are visible but disabled.

In my rudimentary testing, private fields were not displayed on client forms when form was viewed by an anonymous user, or by an authenticated user without 'access all webform results' permission.

Hi vernond! This looks pretty great. A few things that need adjustment:

- Put two spaces before global $user.
- I don't thing that "Private" is important enough to list on the main component listing page at node/x/webform. Users regularly make fields required, but making a field Private I'm guessing will be a much less common situation.
- We should be checking both permissions for "access all webform results" and "access own webform results". Or even better we should just re-use the existing webform_results_access() function.
- We don't need to be so parenthesis heavy. This code:

+      '#disabled' => (!(user_access('access all webform results'))),

could simply be:

+      '#disabled' => !user_access('access all webform results'),

It's okay to roll two separate patches (though I find it easier just to do "git diff > patch.txt" which works on all files in that directory), but next time just upload them individually so I don't have to untar them to do the review. Thanks! This is looking great! It's much simpler than I would have expected. :D

Cool, thanks for the review quicksketch:

- making use of webform_results_access got rid of redundant global $user bits;
- removed Private checkbox from component listing page;
- made description text a little more descriptive on component edit page;
- tidied up the condition check in _webform_client_form_rule_check;
- went easier on parenthesisesses :-)

I toyed briefly with the idea of not showing the disabled Private checkbox to ineligible users on component edit page at all, but then realised that they would need some idea of why a listed component is not showing on their form view (which was the main motivation for originally showing the checkbox on the component listing page as well).

Still wrestling with git, so 'old style' patches attached:

Thanks again vernond! I promise I'll also get back to you RE: maintainership too. But as you may have noticed, I'm a lot better at the issue queue than I am my e-mail inbox. ;)

A few more points:

• I don't think this change is needed any more because "Private" isn't on the component listing page:
  

  -    $component = in_array($type, array_keys($components)) ? array('type' => $type, 'nid' => $nid, 'name' => $_GET['name'], 'mandatory' => $_GET['mandatory'], 'pid' => $_GET['pid'], 'weight' => $_GET['weight']) : FALSE;
  +    $component = in_array($type, array_keys($components)) ? array('type' => $type, 'nid' => $nid, 'name' => $_GET['name'], 'mandatory' => $_GET['mandatory'], 'private' => $_GET['private'], 'pid' => $_GET['pid'], 'weight' => $_GET['weight']) : FALSE;
  

• All comments should always be "Sentence case", starting with a capital letter and ending with punctuation.
  

  +    // may user mark fields as Private?
  

• What happens if you mark a pagebreak private? Should we set 'private' => FALSE in webform_webform_component_info() for page break?
• We should also only show the "Private" checkbox based on a component's ability to be displayed privately, this would probably mean wrapping the checkbox part of the form in if (webform_component_feature($component['type'], 'private')) {.

I still can't believe how simple this patch is. Great work!

Righty ho, take 3:

- removed private from GET (and also the hidden field on component form);
- fixed sentence case in two comments;
- I had already placed the Private checkbox on component edit form within the condition that checks if this component should have a Display fieldset to avoid worry about which components the users try to make Private -> if it has no display settings fieldset (such as pagebreak component) then the Private checkbox is not visible and therefore does not apply. I think this achieves the same end as what you describe.

I too spend some time pretty much daily going through the posted issues, so if there's something you would like me to pick up on just leave a note on the issue in the queue.

#3 Thank you, your module is soo useful!

@quicksketch - patches for 6 and 7 branches attached for review.

@vernond - the links to those patch files don't work.

@mherchel - trying again with pound signs removed from file names.

Committed to both branches

New webform releases for D6 & D7 include the requested feature

Hello!

I am very interested in this feature. I have downloaded latest version, but I can't see where field permissions can be set. Can anyone throw a tip?

Thank you very much!

When you edit a component you will see a checkbox called Private at the of the Display fieldset. Check this box to make the field visible to admins only.

Hello yogev004 !

I greet you from Guatemala. He has called the attention of your module. I think it's great. I took the confidence and freedom to use part of their code to make a version for Drupal 7. But before sharing with the community, I wonder if you agree with this. I await your confirmation. Greetings again.

Updating title as I was having trouble finding this issue.

Is it possible to add it to my drupal installation?
I'm working with Webform 7.x-3.18 and this is my second week using Drupal and this is my first comment (pls forgive me if I'm doing something wrong).

Thanks.

@jplascencia - see post #22 above.

A question in regards to to the 2 to 3 patches posted above. Do I need to apply all the patches or the last one only? In other words, does the last patch include all the corrections from the previous patches? Is there a .zip of the module that has all the patches incorporated available?

Thanks!

@sydneyDK - the patches have been committed to the project. You should see the Private checkbox as the last field in the DISPLAY fieldset on the component edit page.

@vernond
Has this been committed to 4.x branch?

Private fields seem to be broken currently. Let's continue in the bug report filed at #1698438: Private fields are not hidden, including dependent fields.