I'm implementing hook_webform_submission_access to give some fine-grained granularity as to which results each user has access to. I've set permissions so that a role has no access to viewing webform results.

I then implement hook_webform_results_access to grant the user access to the list of results for the webform.

What this results in is a table of *all* results, with links to view each one.

This contradicts the logic defined in hook_webform_submission_access, which grants access to some results, and denies access to other results.

When this table is generated, I think in webform_results_table in webform.report.inc, the list of results is generated by webform_get_submissions and webform_get_submission_count. Seems to me, these functions should also invoke hook_webform_submission_access, to determine whether or not the user can actually access the results, and remove those rows if not.

As it stands, I think I will either have to hack in at the preprocess_webform_results_submissions level, or re-write the menu call back for the node/%node/webform-results path.

Comments

danchadwick’s picture

danchadwick commented
Issue summary: View changes
Status: Active » Closed (won't fix)

The entries in the tables are not individually run through the access function. Consider using a view for your use case. Upgrade to 7.x-4.x for view support.