Adding new permissions for accessing own webform results and deleting webform submissions
johnross.c - April 14, 2008 - 08:33
| Project: | Webform |
| Version: | 6.x-3.x-dev |
| Component: | User interface |
| Category: | feature request |
| Priority: | normal |
| Assigned: | Unassigned |
| Status: | needs review |
Description
Hi,
I am hoping if there's a way wherein an access control of 'Access own Webform Result" could be implemented. For now there is only Access Webform Result which allows other users to view the result even though there not the author of the current webform, which makes it public to those you do not want to show the results.
Thanks a lot.
John Ross
#1
"access own submissions" is already implemented in the 2.x version. I'd suggest upgrading as I'm going to deprecate the 1.x version in the coming weeks.
#2
#3
Hi quicksketch
I don't think 'access own submnissions' is enough to view just your own submissions... You can't (as far as i can see) access any submissions without first allowing 'access webform results'....and then you see everyones submissions...I would also like to restrict users to only seeing their own results so the request from John Ross above to 'Access own Webform Result' would be very useful...
however, if there is a way to view your own submissions without seeing everyone elses then let me know.
B
#4
I need that too.
Perhaps we don't need to create a new permission though. Can we just assume that a user with 'edit own webforms' permission can access the results of his own webforms ?
The attached micro-patch is based on this assumption.
It allows webform creators to access all the results (analysis, table and download).
The ability to clear results or edit each submissions is not given though.
PS : I found a contributed module, "Webform Own Results" (1). It adds "access results from own webforms" permission, which is closer to what you need.
(1) http://drupal.org/project/webform_own_results
#5
hi!
I need this functionality ty too..
I tried with your patch but nothing hapens once I enlabeled permissions. Can you tell me if there is a specific url for the users to see his own webform results?
I tried : http://www.s239557999.onlinehome.fr/drupal/node/5/results
but I have a denied access for the plain autenticated user...
I also tried the module webform_own_results but I could'nt find out how it works eigther...
If somone has an hint...
Thanks
#6
For V1.x "edit own webform submissions" is bugged, it doesn't work.
Here is a patch.
#7
Update version that allow an user to view and edit ONLY is own submissions.
- New perms "view all submissions"
- Display only viewable "results".
#8
Is there also a way to limit access so that only certain users can have access to take a particular survey? Let's say I have 3 surveys and I only want a user to have access to the first and third as those are the only ones that apply to a particular group of users. Added to that, suppose I only want a particular group of users to be able to see the results of a particular survey and not necessarily a survey that they created. Is this currently possible or a planned feature?
#9
I really don't know what's being asked in this issue. It sounds like 3-4 different problems. Could everyone agree on what needs to be addressed here? We need a permission for "view all submissions"? How's that different from "access webform results"?
I'm not understanding what people are meaning by "own" results. I'm thinking two possibilities:
1. The owner of the node can view the all submissions by all users for that node. If this is the case, use webform_own_results.
2. A user needs to see all of their own submissions on a particular node. This is the "access own webform submissions" permission. There isn't an actual listing of submissions anywhere though. You need to upgrade to the 2.0 version where the listing has been added.
mkalbere, Please open a new issue for #6.
#10
for me, the 1. point result is:
Fatal error: Call to undefined function _webform_results_submissions() in /home/naturale/public_html/admin/modules/webform_own_results/webform_own_results.module on line 113i try to show the user's own webform results, not the own submissions! there is an access webform results options, but in this case, the user can see the other user's results too..
i repeat, not the user's submission, the user's result. (results=the own and the other submissions)
D5
Webform 5.x-2.1.3
Webform_Own_Results 5.x-1.0
#11
I am also looking for the exact same functionality. I've created one webform I want all users of the site to use and only allow them to view the results of their own submissions. I hope this is possible.
Thanks
#12
chris.mccreery this is already implemented. My post in #9 mentioned the "access own webform submissions" permission, which is what you need to enable. Then any user can visit the webform node and a message will appear "You have already submitted this form. View previous submissions." This was implemented a few months ago and is in the 2.3 version.
The point eaposztrof makes in #10 is still valid. There is no "access own webform results", but I have no intention of implementing such a feature.
#13
Thanks does this also allow them to Analyze their submissions or only view them?
#14
No, it does not allow them to analyze their own submissions, only view them. I have no intention of implementing per-user analysis currently.
#15
How much would this cost to have you implement this feature?
#16
@quicksketch, #12 What is the reasoning behind not wanting to implement this feature? What is the downside to this? So as I understand, nobody can create a form and see the results for that form without being able to see the results for all the forms on the site, correct? And as mentioned earlier, how much would it cost to get you to implement this feature?
#17
So the issue here is that users can have permission to see their submissions, but not what they submitted. There is a misleading view link right next to the submission number, date and time. When the edit own submissions permission is enabled as well then there is also a mislieading edit link and a not so misleading delete link. So users are able delete their submission, but not able to see what they delete, if they have edit permission for their own submissions.
I would say this a usability bug apart from a feature flaw in the code.
Anyone willing to?:
- populate the "submission view" for users that have permission to view their own submissions
(I see no reason why a user should not be allowed to know what he submitted...
Optionally, if you see a reason:
- add permission for viewing own results(on top of submissions)
Seems a bit pernickular though.
Or:
- remove the misleading view and edit links on own submission lists for users that have no access to results
- and rename edit own submissions to delete own submissions
#16: I think the main reason for most people a lack of motivation is due to a lack of time and energy to do something which isn't quite clearly formulated in the first place. Also, some people might really want to do it but simply not have the time and energy. If I was a programmer I'd happily supply a patch with the above mentioned changes, unfortunately I don't have the skills, so I depend on someone else to translate it into php. I hope someone is happy to help me out ;-)
#18
Here's a patch I'm using on a site, that covers some of the requests in this thread (for webform 5.x-2.3)
#19
@quicksketch #12
I've built a bit upon the new feature that shows the previous submissions for any user because IMHO the usability was lacking a bit. Since I don't like the idea of patching against modules that are heavily maintained (that's a compliment!) I've built it as a small module that renders a block with links for every submission the current user has made.
This is my first Drupal module and I'm not a programmer so please feel free to provide feedback. If you think it's worthwhile I can add it as a module to the download section.
Kind regards,
Eric
#20
Thank you so much Eric. Just one question, (also a drupal noob, obviously more than you) how do I install this patch or is the zip file another module on it's own? Thanks again.
#21
Thanks for sharing the patch. Just wondering if this limits the user to view only their submissions on a webform created by another user? For example I have a form that I created as the admin and want all users to use this webform but then be able to view only their results and download them or the analysis. Can I do this with this patch?
Thanks in advance.
#22
@rank Thanks for the excellent patch! I'd be happy to include this in the next version of Webform, however, a recent change has made the whole thing not apply. Could you reroll (both Drupal 5 and 6) and change the permission name to simply "access own webform results"? We've eventually got to change all the permission names to match Drupal 6 ("access webform results" needs to be "access all webform results") but that's for a different issue. Great work so far!
@chris.mccreery, that particular permission is again, something different. This makes it so that a user can see ALL submissions on a webform they have created. The request you're making requires more effort, since all the results pages need to be adjusted to include only one user's data.
#23
I'll try to create and test the new patches within a few days.
#24
If the attached patch is of any use to you, please feel free to adapt, adopt, or abandon. Three or four lines amended create the permission and administer it. I need this permission to be separate from "edit own webform" because I trust my users to read but not write.
I have very little patch experience, so if it does not work for you, I apologize in advance, but the changes work for me!
#25
Here's a Drupal 6 patch in the context of #18 and #22 (I'll follow up later on with a D5 patch).
It was tested with Drupal 6.9 and Webform 6.x-2.4.
Features:
Known issues:
User roles that only have the new "access own webform results" enabled, on sites configured to use Drupal's file system private download method (Administer->Site Configuration->File System->Download Method), will not be able to download their webform results.
#26
Looks pretty good at first take! I think we're going to have a problem with webform_file_download(), since we don't have a $node variable in the local scope. In order to get one, we'll need to start managing files in the files database table. Though in Drupal 5, we're out of luck there since the files table is only for the use of upload.module. :\
#27
So does that mean the patch in #25 would not support a private download method for files? My test was using a public method.
Any other way to test that a user is the author of a webform without using $node->uid?
#28
That's awesome, the Drupal 5 patch would be great as I haven't made the upgrade to 6 for my site cause a few other modules I'm using haven't been updated.
Thanks again
#29
Yeah, that's right. It'll work fine for user's who have "access webform results", but not user's that have only "access own webform results". You can easily switch your site temporarily to private downloads to test this.
Well the good news is we're already managing files in D6, so you can "SELECT * FROM {files} WHERE filepath = '%s'" and that will give you the file record. Though, it STILL doesn't get us the NID, we'd need a separate table for webform_files to manage the nid, fid relationship. There aren't any other ways of finding the owner of a file afaik, without manually storing all this information ourselves (that is until Drupal 7, which has much, much better file handling).
#30
A Drupal 5 patch for Webform 5.x-2.4, with the same features and limitations as #25.
This was not tested as I do not have an updated D5 test bed.
#31
Tracking.
#32
The patch from comment #25 is great, just what I'm looking for. I am new to drupal modules, I'm trying to include a way for a user to print the individual results on the fly as a a PDF file.
Secondly, is there a way to theme the submission page?
Any help would be much appreciated! :)
#33
Hi rank, these patches do well for D5, however are they applicable for D6? Thank you
#34
please ignore the previous comment, I used patches at comment # 25 (http://drupal.org/node/246371#comment-1208118) and it works fine, thank you rank
#35
Tracking...
#36
I think i found a futher bug: When a guest calls his own submission again, he can use the serial number any other message submissions. If he changes in the address bar called number . This is obviously just for sensitive data is a serious security hole.
I hope I could help and now waiting on the bug fix.
Thank you and good luck
sorry for my terrible english..
Alex
#37
Hello - I'm trying to switch off the "view results" link in emails that are sent to the from senders email address - am I missing something or is it always there?
Thanks in advance
Duncan
#38
You can remove this link by theming the e-mail, read the THEMING.txt file that comes with Webform.
#39
Thanks but how the heck do i use this? I dont know how to patch this module!
#40
See the handbook page on applying patches.
#41
Any hope in implementing this in the next webform release...?
In case the issue is still somehow unclear:
The problem is that any one with "access webform results" can view the results of any webform in the system. This creates a privacy issue in which any user with the "access webform results" can view the results of forms which they didn't create. Imagine creating a webform which has somewhat sensitive results. It's essentially impossible to hide your results from anyone else who has the "access webform results" permission.
The "access own webform submissions" permission doesn't fix this problem. "access own webform submission" simply gives any user who has submitted the webform the ability to take a look at only what they submitted to the form.
What's needed is an "access own webform results" so that a creator and maintainer of a specific webform only has access to the results of forms which they have created.
...I haven't tried any of the patches... even so, does anyone know if they resolve the issue? Can they be pushed into the next release or something?
#42
One workaround is to use webform reports and wrap the desired permissions around that, possibly by assigning authorship to the "owner"
#43
I'm using the webform module in an application where we do not want users to be able to delete their submissions, even though we allow users to come back and revise (edit) their submissions.
I've re-rolled the patch from #30 for webform version 5.x-2.7 and added two more granular permissions for 'delete webform submissions' and 'delete own webform submissions'.
With this patch, users can be granted permission to edit their own submissions but not to delete them (by granting neither of these new permissions). Otherwise, users granted the 'delete webform submissions' permission can delete any submissions, while users with the 'delete own webform submissions' permission can only delete their own submissions.
#44
Looking for the exact same thing as comment 41 for Drupal 6. Is there any update to the status of this request. I would like for authors of webforms to be able to view the results of their webform, but not every webform on the site.
#45
@#41
Here is a revision for function webform_submission_access() which makes this happen:
<?php
function webform_submission_access($node, $submission, $op = 'view', $account = NULL) {
global $user;
$account = isset($account) ? $account : $user;
if($node->uid != $user->uid)
{
return (user_access('admin'));
}
switch ($op) {
case 'view':
return user_access('access webform results') || (user_access('access own webform submissions') && ($account->uid == $submission->uid)) || (user_access('access own webform results') && $user->uid == $node->uid);
case 'edit':
return user_access('edit webform submissions') || (user_access('edit own webform submissions') && ($account->uid == $submission->uid));
case 'delete':
return user_access('edit webform submissions') || (user_access('edit own webform submissions') && ($account->uid == $submission->uid)) || user_access('clear webform results');
case 'list':
return user_access('access webform results') || user_access('access webform submissions') || (user_access('access own webform submissions') && $user->uid) || (user_access('access own webform results') && $user->uid == $node->uid);
}
}
?>
#46
This is the change I need to implement, but I don't know how to make this raw PHP into a patch. Where would you suggest I go to learn how to turn this into a patch? Thanks.
#47
@#45
...I've attempted to implement this solution and it doesn't seem to be working.
I create the "access own webform results" permission in webform_perm and make the code changes you suggested, and now it seems that anyone with "access own webform results" simply cannot view webform results whether it be a form they have created or not.
I can't see what could be going wrong.
#48
Rerolled patches from #25 using 6.x-2.x-dev into one patch, using standardized patch naming, so it's a bit easier to manage.
#49
@43
Detour,
I almost applied your patch to my 6.x version install. I was so focused on following the instructions of how to apply a patch (this is my first go at patching a module) that I completely overlooked it is for 5.x. But I caught it just in time.
Since I also want to block users from deleting their form and still allow editing this is a perfect solution. Any chance of seeing a 6.x version?
An aside for which a new thread is likely is permission problems I am having with with accessing webforms. Don't know if anyone else has this problem but a user that is registered on my site with a completely different role can submit the webform. I do have access control selected for the webform which I thought should limit submitting to that role but it doesn't. Even after trying other modules like taxonomy_access and content_access any registered user can submit the form. I'm at a loss.
Anyone else ever experienced this?
#50
Sorry. My mistake.
Although I cleared the webform results and deleted the product from U-cart the test user was still awarded the roles. I discovered this by accident when viewing user profile. The roles were still active because I had an expire set for one year forward. Spent most of the day yesterday fussing with roles/permissions/access/access modules, etc. and solved it in two minutes today.
However I would still like to see something for D6 that disallows the user to delete their form submission.
#51
Just tried this on my test site and it worked like a charm. many thanks. Will move it to the live site on Friday. Thanks a million.
#52
I've tried out these patches, and none of them seem to create a functional "access own webform results" functionality. All I can say, is that even after rebuilding the menus, etc. selecting this permission for any role does absolutely nothing.
Not sure what to suggest...
#53
This is not a bug report, but a misunderstanding of the options that Webform makes available. This patch adds a new feature for "access own webform results". New features are no longer being added to Drupal 5 or the 2.x version of the module, so this patch needs a reroll for the 3.x version.
#54
Here's the patch from #48 rerolled using 3.x-dev.