My webform is only visible to authenticaed users and functions the way it should be.

But if an anonymous puts the confirmation page url in the browsers address bar (e.g. site_name/node/xxx/done) he can actually see that page. It's not much of a use for him, but he shouldn't be able to see it, the way he is not allowed to see the form itself?

Comments

Liam Morland’s picture

I think this issue is fixed by #828566: Webform Token support on confirmation message. Try the latest development version.

quicksketch’s picture

Our code already checks that the user has access to view the node before he is granted access to the node/x/done URL.

  $items['node/%webform_menu/done'] = array(
    'title' => 'Webform confirmation',
    'page callback' => '_webform_confirmation',
    'page arguments' => array(1),
    'access callback' => 'node_access',
    'access arguments' => array('view', 1),
    'type' => MENU_CALLBACK,
  );

However if your access to the main node URL is not protected through the node access system but some other method, then the page will still be accessible.

quicksketch’s picture

Title: Visibility confirmation page » Confirmation page accessible to users who may not see the form
Priority: Normal » Minor

Oh, I just realized that "some other method" in your case is probably the Webform built-in access control to the form itself. I think that's a valid use-case that should probably be addressed, but I don't think it's a significant problem. I'm pretty sure this is fixed in the 4.x branch as Liam said. I'm not sure how likely it is that we'll address this in 3.x.

DanChadwick’s picture

Issue summary: View changes
Status: Active » Closed (won't fix)

Closing for lack of activity and likelihood that it's fixed in -4.x