admin/content/webform and */webform-results* should obey node access rules.

Posted by cdale on November 28, 2008 at 1:26am

3 followers

Issue Summary

At the moment, webform allows any user with the 'access webform results' permission to view the results for any form, even if they do not have view (or update) access to that form. The webform-results paths, and the admin/content/webform pages should obey node access restrictions.

Comments

#1

Posted by cdale on November 28, 2008 at 1:27am

This patch corrects this issue.

The patch makes it so the user must also have view access on the node to access the results. i.e. the user must have both view access on the node and the 'access webform results' permission to be able to view results for a node.

NB: A menu rebuild will be required for the patch to take effect.

Attachment	Size
webform-results-access-340034-1.patch	3.62 KB

#2

Posted by quicksketch on January 11, 2009 at 4:48am

Status:

needs review

» fixed

Thanks, I ported it to Drupal 5 and added a bit of PHPdoc for the new webform_results_access(). Great patch!

Attachment	Size
webform_results_access5.patch	2.82 KB

#3

Posted by quicksketch on January 11, 2009 at 4:51am

Oops, forgot the db_rewrite_sql() in the D5 version. Added here.

Attachment	Size
webform_results_access5.patch	3.21 KB

#4

Posted by System Message on January 25, 2009 at 5:00am

Status:

fixed

» closed (fixed)

Automatically closed -- issue fixed for two weeks with no activity.

Project:	Webform
Version:	6.x-2.x-dev
Component:	Code
Category:	bug report
Priority:	normal
Assigned:	Unassigned
Status:	closed (fixed)

admin/content/webform and /webform-results should obey node access rules.

Jump to:

Issue Summary

Comments

#1

#2

#3

#4