Submit Access Permission

seken,

i think you can use the taxonomy module to apply access control to any content, so u can use it to restrict acces to the webform nodes.

quineto is right, webform doesn't handle any permissions because this can be provided by any other module which allows you to restrict access to nodes (since webforms are nodes). You can also try out nodeaccess and simple access. Please update the post if any of these module fulfill your need. Thanks!

Yes, from Categories you can control access to nodes. I recommend you to take a lot at tac_lite module: http://drupal.org/project/taxonomy_access
I find it really useful for cross permissions in drupal.

When creating new Content Types (page/story/etc) they have the ability to set access permissions.

Since Webforms is creating a new content type, I do believe it should come with a "access" and "submit" permission out of the box. This would eliminate people searching for alternative means to create private webforms.

Two things would complete an already impressive module:
- Access webforms: This will allow users to view the forms.
- Submit webforms: This allows the users to submit forms.

I am happy to test any code to make this happen :)

Just my 0.02 cents.

Webform-level 'view' access in fact used to be a feature of webform (circa 4.6 and very early 4.7). It was taken out when other contrib modules started providing this functionality to all types. Think about the mess when there are access permissions in two or more places.

So I'm still against implementing access control into a content-based module. There are several access control modules available. Surely one will provide the proper view/edit/delete permissions for all content types, not just webforms.

On the available permission already in place, webform creates all the same permissions as other content types: create, edit, and edit own. No other content type provides it's own 'view' permission because this characteristic is shared among all content and can be controlled by a comprehensive module.

In short, there will never (again) be a 'view' permission in webform, though the 'submit' permission show promise. As this is webform-specific and would need to be implemented in webform. I'm just not sure about the demand. Why would a user be able to view a webform node but not fill out the form?

Thanks for the outline regarding the view permission stance. I see your POV and Im going to agree.

Here are two examples regarding the submit access:
1) Anonymous users can see the webform, but when they submit they are taken to the login/registration page then the results are stored.
2) Users can see the webforms, however they are subscription based and therefore only applies to subscribed users (roles). On submit users are directed to the correct area to apply for subscription before their form results are stored.

Just quick examples for demand. Im sure there are plenty of other applications for this use ;)

That would be useful functionality I agree. I won't have time to implement such a feature, but if someone else contribute it I'd be glad to put it in.

The trick here is that we're not just dealing with a page access. We're dealing with submission access. This would require webform to check if the user has access to submit the form, then be prepared to save all the values when the user is redirected to a user login form (if you have loggintoboggan), store them via the database and a cookie, and then retrieve them once the user has logged in.

I don't think a SESSION based approach will work, since the user gets a new session once they have logged in.

How about via destination after login/register?

Something like this might do the trick:
sitename.com/user/login?destination=/webform?field1=foo&field2=bar&field3=baz&form_submit

Not sure how reliable this is if a user decides to register rather than login.

Submit for anonymous users is needed. We are doing a usability test with an initial survey. We are interested in every person filling this survey, not only registered users. It seems that webforms can only be filled out by registered users, isn't it? Why aren't webforms accessible by anonymous users? At least, I can't find a place where I can allow anonymous users to fill a webform and submit it. Also, even though I promoted it to the front page, it only shows in the registered users front page, not in anonymous one.

@Farreres, there are currently NO permissions in webform for restricting access to webforms or submitting them. This thread is about adding that functionality. If anonymous users can't see/submit webforms on your site, it's probably due to a setting outside of webform module.

After upgrading to 5.0, my webforms no longer appear as menu items for anonymous site visitors. They can access the webforms, but the links disappear for anonymous users. I'm not sure if this relates to the post above, or if it's just an issue with my upgrade or some old access privilege conflicting with the upgraded module.

-s

Just tried with a new webform. It's accessible to anonymous users and shows in the menus. Must have been an update issue.

@quicksketch: When do you estimate you'll have time to work on adding submit access permissions? Alternatively, if you point me in the right direction I can attempt to get it done and contribute it back into the module.

Lets revive this thread please?

Any answers to my suggestions in #10 and #15?

Additionally, in Drupal 5.x we need the webform module to support multiple content types. This will in turn solve our read/write access needs as the node system will handle this for us automagically. I do believe this will make the module consistent with Drupal?

@BioAlien, I have no intention of implementing this feature. But if someone puts up the code then I'd be willing to put it in.

Something like this might do the trick:
sitename.com/user/login?destination=/webform?field1=foo&field2=bar&field3=baz&form_submit

Unfortunately, that method doesn't work anymore (as far as I know) in Drupal 4.7 and higher. I think that you'd need to actually store all the values into the $_SESSION variable (or possibly a cookie). Especially if the user had to go and create a new account, it could be a long while before they get back to finish filling in the form.

I've been thinking about this more. Since it's not as easy as it sounds, why not follow this approach instead:

1) Add submit permissions in the access control so it can be flexible.
2) Make this control the submit button on the webform nodes so if visitor is logged in show SUBMIT button, if visitor is anonymous show the message "Please Login or Register in order to submit this form." with links leading to the login or registration pages with the destination=node/1 (leading back to the same page they were at).

3) Optionally, this access control could also make all form elements generated by the webform module into "disabled" state so the anonymous visitor cannot fill out any webforms, then realise they have to Register or Login - so it doesn't piss them off ;)

I think 2 is how the comments.module does it. What do you think of this proposal?

To add a "view" permission, here is the code change to the webform module (sorry my trial to araxis expired yesterday... so no easy patch creation tool)

Line: 65

function webform_perm() {
  return array ("view webforms","create webforms", "edit own webforms", "edit webforms", "access webform results", "clear webform results","use PHP for additional processing");
}

Line: 82

function webform_access($op, $node) {
  global $user;
  
  switch ($op) {
    case "view":
      return user_access("view webforms");
	case "create":
    ....

> have to make sure and give rights in access manager
> Also helpful to change admin/settings/error-reporting for 403's to go to /user so they get to the login screen if don't have access rights.

gbear, thank you for the contribution. My idea was to show people the webform contents to encourage them to login/sign up. However, we need to either lock the submit button and get them to login (then return to the webform node) or register. There are a few methods outlined above, so we're still throwing ideas around.

Hi everybody,
how is it going with the Submit Access Permission?
I would like to implement in my webforms a Submit feature as outlined by BioALIEN, i.e. I would like to have the possibility to choose which form can be filled out by all (including anonymous visitors) and which form instead may be filled out only by registered user. Yet the form visualization should be accessible to all, so a visitor can see what the form is all about and can be "inspired" to register to fill out the webform.

I would be happy to help on this issue, but I'm not a programmer, so I count on you ;-)

To add a "view" permission, here is the code change to the webform module (sorry my trial to araxis expired yesterday... so no easy patch creation tool)

Line: 65
function webform_perm() {
return array ("view webforms","create webforms", "edit own webforms", "edit webforms", "access webform results", "clear webform results","use PHP for additional processing");
}

Line: 82
function webform_access($op, $node) {
global $user;

switch ($op) {
case "view":
return user_access("view webforms");
case "create":
....

> have to make sure and give rights in access manager
> Also helpful to change admin/settings/error-reporting for 403's to go to /user so they get to the login screen if don't have access rights.

thank you very much,
I solve the view problem with your effort
thanks alot :)

I don't see the usefullness of showing the user a form they can't submit. This just doesn't make sense to me. But if you still want to have this functionality why don't show te user the complete form, with all components disabled. This can easily be done by addding an extra parameter to the function that shows the webform components "webform_render_controltype". I used the same approach when i added the Edit submission functionality, only there i used the "webform_display_submission_controltype" function, because i wanted the submission data to be present in te form.
To finish it of you could show the user an information message/link that instructs him/her to login first... Then after submission the user is automatically taken back to the page (s)he was coming from. (i beleve this is the default behaviour). The only remaining question is how to name the permission. "readonly access" / "view webform" / "view only" or something like that.

Let me know if this suits your needs, then i'm willing to try implementing the functionality.

This patch was just what I needed!

In my case I wanted users of certain roles being able to apply for another role, so not all user roles should actually see the form!

Thanks!

hmm, gbear's hack does not work on webform 2.0 any more. anyone knows why?

Here's what could be your problem. Check out the following piece of code in webform 2.0 starting on line 109:

<?php
      $items[] = array(
        'path' => 'node/'. $nid,
        'title' => $node->title, // Set the title for the node menu item.
        'callback' => 'node_page_view',
        'callback arguments' => array($node),
        'access' => TRUE,
        'type' => MENU_CALLBACK,
?>

The parameter -- 'access' => TRUE, -- could be your problem. It silently (very sneaky, as mr Deeds would put it) enforces view access rights on webform nodes (which I found yesterday overrides any Content Access module view permissions I tried to set and gives the impression that Content Access doesn't work) and I'm guessing that is your problem as well.

I solved the problem by replacing the access parameter with -- 'access' => node_access('view', $node),-- which is what the node module does for the same menu item (which webform is overriding with the code above as I understand it).

I don't like hacking modules so I'd very much like to hear if it's just a typo in the code or if it's in there for some other reason? And why is the webform module overriding the node module version of this menu item in the first place? Because of the title parameter? Anyonye? Quicksketch?

Petter

Thanks PWG, that was definitely a problem in the 2.x branch. The menu item needed to be redefined so that we could have separate sub-tabs for the node edit form. Without setting the node title, it wasn't possible to label the sub-tabs as "Configuration" and "Components". I've changed the line to use node_access() as you suggest.

Once again, if you want to simply prevent access to webforms, you can use any one of a dozen of node access modules. This request is for making the webform node visible, but not able to submit. I personally think it's a bit of edge-case request and don't think it should be implemented in webform. It could be easily implemented as a dependent module, or even in the theme layer (though the security would be weak there).

I'm going mark "won't fix" because after this issue has been open for well over a year, I still don't think it's a feature that should be included.

If your webforms aren't showing to anonymous users, check that the webform node has it's publishing options set to 'published'

Webforms may be set as unpublished by default.

hth

I would like to have this functionality (webform form submission control limited to specific roles) in place in my current site, using which is using Webforms 6.x-2.x branch. It would really be great to expose this access control check function to allow per-node submission control, but that is probably not in the scope of this module at all and something I am unsure how to implement properly.

I realize this use-case is likely not very frequent, however since I do need it and think it could be useful for other Webform users, I'll post any work on this front to this issue, for consideration in Webforms or to at least help people coming to this thread find up-to-date information on this topic.