Hi,
When I delete a submission without specifying a "destination" (e.g. from a different location than the default "submissions" page - in my case a view) I get an "access denied" error when:
- I do not allow the rights to "Access all webform results" and "Access own webform results"
- I allow "Access/Edit/Delete own webform submissions"
- Now when I delete a submission without specifying a destination I get an Access denied error as I'm redirected to the "webform-results" page instead of (what I assume should be) the "submissions" page.
It looks like the access rights are not checked correctly as it assumes I have access to the webform results which I don't.
Comment | File | Size | Author |
---|---|---|---|
#6 | webform-submission_delete_redirect-2016795-5.patch | 1.82 KB | DanChadwick |
Comments
Comment #1
quicksketch
Thanks, this is a good suggestion. Webform (afaik) always sets a destination parameter when deleting/editing submissions in the UI. Are you linking to these URLs directly instead of accessing it through the UI?
In any case, it'd be good to check the permissions when setting the default redirect like you suggest to prevent any kind of errors when a destination is not set.
Comment #2
Rob Rutten commented
Hi,
It can be reproduced using the default UI.
Just open the submissions page ("see previous submissions") and open (view) one of the submissions. Now you have the option to delete it (if you have set the right permissions). This delete tab does not have a destination set.
Rob.
Comment #3
Rob Rutten commented
Hi,
The problem appears to be in the following function:
I've added the extra user_access check.
Comment #4
DanChadwick commented
Comment #6
DanChadwick commented
There are 3 places where the delete submission URL can be reached. These are:
I fixed the following issues.