Hi,

When I delete a submission without specifying a "destination" (e.g. from a different location than the default "submissions" page - in my case a view) I get an "access denied" error when:

  • I do not allow the rights to "Access all webform results" and "Access own webform results"
  • I allow "Access/Edit/Delete own webform submissions"
  • Now when I delete a submission without specifying a destination I get an Access denied error as I'm redirected to the "webform-results" page instead of (what I assume should be) the "submissions" page.

It looks like the access rights are not checked correctly as it assumes I have access to the webform results which I don't.


Comments

quicksketch

Title: Access denied when deleting a submission » Access denied when deleting a submission directly from URL with no destination specified

Thanks, this is a good suggestion. Webform (afaik) always sets a destination parameter when deleting/editing submissions in the UI. Are you linking to these URLs directly instead of accessing it through the UI?

In any case, it'd be good to check the permissions when setting the default redirect like you suggest to prevent any kind of errors when a destination is not set.

Rob Rutten

Hi,

It can be reproduced using the default UI.

Just open the submissions page ("see previous submissions") and open (view) one of the submissions. Now you have the option to delete it (if you have set the right permissions). This delete tab does not have a destination set.

Rob.

Rob Rutten

Hi,

The problem appears to be in the following function:

<?php

/**
 * Submit handler for the submission delete confirmation form.
 *
 * Deletes the submission and then picks a redirect target based on
 * whether the user may view the results listing.
 */
function webform_submission_delete_form_submit($form, &$form_state) {
  global $user;

  $nid = $form_state['values']['details']['nid'];
  $sid = $form_state['values']['details']['sid'];

  $node = node_load($nid);
  $submission = webform_get_submission($nid, $sid);
  webform_submission_delete($node, $submission);
  drupal_set_message(t('Submission deleted.'));

  // Only send the user to the results page if they are allowed to see it;
  // otherwise fall back to the user's own submissions list.
  if (user_access('access all webform results', $user)) {
    $form_state['redirect'] = 'node/' . $node->nid . '/webform-results';
  }
  else {
    $form_state['redirect'] = 'node/' . $node->nid . '/submissions';
  }
}

?>

I've added the extra user_access check.

DanChadwick

Version: 7.x-4.0-alpha6 » 7.x-4.x-dev

  • DanChadwick committed 87c3da6 on 7.x-4.x
    Issue #2016795 by DanChadwick: Proper redirect after deleting submission...
  • DanChadwick committed 9eccbd6 on 8.x-4.x
    Issue #2016795 by DanChadwick: Proper redirect after deleting submission...
DanChadwick

Status: Active » Fixed

There are 3 places where the delete submission URL can be reached. These are:

  1. The EDIT tab when viewing the submission. In this case there is no destination in the URL.
  2. The webform-results tab (either global or for this user). In either case, the destination returns to this webform-results url.
  3. The submissions list. In this case the destination returns to the submission list.

I fixed the following issues.

  1. When the delete confirmation form is generated, the destination passed to it should be the destination if the CANCEL button is clicked. The OK button is handled by the submit handler. In this case, a destination query in the URL overrides the passed parameter. Thus it is not necessary to test for this. In the absence of a destination query in the URL, it is best to return to the submission itself (i.e. the VIEW tab).
  2. After deleting the submission, the user must be redirected somewhere because the URL is now invalid. If there is a destination query in the URL, that will be used (/submissions or /webform-results). If there isn't one (EDIT tab), then redirect to either the results or submission list, whichever the user is most authorized to see. The correct test for seeing the results tab is webform_results_access as it contains additional necessary tests.
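The redirect rule in point 2, written out as an added illustration (this is not the committed patch; it assumes the Webform helper `webform_results_access($node, $account)` exists with that signature and that Drupal's form API lets a `destination` query in the URL override `$form_state['redirect']`):

```php
<?php

/**
 * Choose where to send the user once a submission no longer exists.
 *
 * Added illustration, not Webform's own code. Assumes
 * webform_results_access($node, $account) is available.
 */
function _example_webform_delete_redirect($node, $account) {
  // A ?destination= query in the URL (set by the results and submissions
  // listings) is applied by Drupal on top of $form_state['redirect'],
  // so only the no-destination case (the EDIT tab) needs a decision here.
  if (webform_results_access($node, $account)) {
    // Assumed to carry the extra tests the thread refers to (node view
    // access, the "own results" case) rather than the bare permission.
    return 'node/' . $node->nid . '/webform-results';
  }
  // Least-privileged fallback: the user's own submission list.
  return 'node/' . $node->nid . '/submissions';
}

/**
 * Submit handler using the helper above.
 */
function example_webform_submission_delete_form_submit($form, &$form_state) {
  global $user;

  $nid = $form_state['values']['details']['nid'];
  $sid = $form_state['values']['details']['sid'];

  $node = node_load($nid);
  $submission = webform_get_submission($nid, $sid);
  webform_submission_delete($node, $submission);
  drupal_set_message(t('Submission deleted.'));

  $form_state['redirect'] = _example_webform_delete_redirect($node, $user);
}
```

The key difference from the earlier snippet is that the redirect target is chosen by the same access function that guards the results tab, so the user can never be sent to a page the tab itself would deny.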

Status: Fixed » Closed (fixed)

Automatically closed - issue fixed for 2 weeks with no activity.