Submission access is checked only when viewing a webform node, but it is not validated when submitting the form itself. This can cause that a form can be submitted, if the user isn't allowed to submit it (e.g was logged out in an other window / another user logged in without submit permission).
Test case: Limit Submission access to authenticated users only, authenticate to view form, log out in an other browser window, submit the form
Desired behavior: validate submission access like validating e.g. per user submission limit
Actual behavior: the form can be submitted without any error message

Attached a patch that possibly fix this behavior.

Comments

StatusFileSize
new1.08 KB

Obviously, i missed

<?php
global $user;
?>

Please try this patch instead of the first one. Thx.

Huh, surprising. I wouldn't think this would be possible, since the same problem would affect all forms throughout all of Drupal, but it looks like most other forms are merely protected by access to the page itself being blocked. Since Webform doesn't block access to the page, but only the form, it looks like this becomes a problem. Thanks for the patch, I'll review when I get a chance.

StatusFileSize
new4.92 KB

I rerolled this for 7.x-4.x, but it needs backporting to the 3.x versions. Rather than having 3 separate calls to theme('webform_view_messages'), which has 9(!) parameters, I consolidated it down to a single call to reduce redundancy. In theory it would also allow the error message theming to report all the problems at once if needed. This patch needs testing and backporting before we can commit it, considering this changes the central validation mechanism for Webform.

StatusFileSize
new3.46 KB

Sorry wrong patch. Here we are.

StatusFileSize
new3.65 KB

Ugh, okay here's the patch I meant. A little more verbose documentation and skips the role check for users editing completed submissions.

Title:Submission access isn't validated when submitting a formSubmission role access isn't re-checked when validating a form
Version:6.x-3.x-dev» 7.x-4.x-dev
Status:Needs review» Fixed

I've committed #5 to the 7.x-4.x branch, but because this problem rarely affects forms, I've decided to take the safer route and not commit this to the 3.x branch.

StatusFileSize
new1.44 KB

This patch required a follow-up to fix issues with undefined variables and issues with user #1, which needs special casing due to user_access().

Status:Fixed» Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.