If set "Confirmation page" ends with a error message if form sent.
"Access denied
You are not authorized to access this page."

CommentFileSizeAuthor
webform_4_beta3_redirect_error_01.png2.52 KBalexhaack
webform_4_beta3_redirect_error_02.png3.45 KBalexhaack
Support from Acquia helps fund testing for Drupal Acquia logo

Comments

alexhaack’s picture

alexhaack CreditAttribution: alexhaack commented
Issue summary: View changes
quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Status: Active » Postponed (maintainer needs more info)

What's the full URL on your confirmation page? Webform specifically does an access check on the confirmation page to make it so that users can't view confirmation messages of other users.

If logged in, the path should be node/1/done?sid=3205. If logged out, it should be more like node/1/done?sid=3207&token=1eaf0b97dbb6897902e92e9f82727cad. If the token doesn't validate, you'll get an access denied.

Currently, I can't reproduce this as a problem with a stock installation of Webform, so I'll need more information on how to reproduce this issue.

quicksketch’s picture

quicksketch
he/him
CreditAttribution: quicksketch commented
Status: Postponed (maintainer needs more info) » Closed (cannot reproduce)

Closing after lack of activity. If you can provide more information on how to reproduce this issue I'd be happy to take another look.

stijndmd’s picture

stijndmd CreditAttribution: stijndmd commented

You can reproduce this issue if you create a webform and go to node/nid/webform/configure
There you change the redirect location to: node/nid/done?sid=[submission:sid]&email=[submission:values:e_mail]

I have to do this for a client because he needs a javascript pixel on the confirmation page to track stuff.
We need the entered e-mail address from the user in our url to push to the tracker code.

So I could fix this problem if there would be an available token for this:
token=1eaf0b97dbb6897902e92e9f82727cad

But, is there?
How can I fix this for logged out users?

stijndmd’s picture

stijndmd CreditAttribution: stijndmd commented

Nevermind, I changed my approach.
Went back to using the default confirmation page and got the e-mail from
"webform_get_submission(arg(1), $_GET['sid']);"

This is more of a workaround than a fix ofcourse

kpmags’s picture

kpmags CreditAttribution: kpmags commented

So I'm having this issue for Anonymous users.

There are no tokens used - I'm getting this even with a dummy webform with one field set up.

I've verified that the webform data gets sent - but the user is presented with "Access Denied" from ANY confirmation choice (page/custom/none)

Reading this above:

If logged in, the path should be node/1/done?sid=3205. If logged out, it should be more like node/1/done?sid=3207&token=1eaf0b97dbb6897902e92e9f82727cad. If the token doesn't validate, you'll get an access denied.

I've checked the path on the confirmation and my logged out users are getting the path that should only be for logged in -- hence the "Access Denied" declaration (I'm assuming)

What do I do to get the Anonymous users the correct path?

Thanks for any guidance!

ajlow’s picture

ajlow CreditAttribution: ajlow commented

I had the access denied issue too however it was related to the module webform conditional confirmation I am using: https://www.drupal.org/project/webform_conditional_confirmation.

I resolved my issue by applying this patch: https://www.drupal.org/node/2341233.

You may need to check if you have this module (or any other module that requires webform) installed as it may require a patch to take into account the extra security webform 4 has.

I hope it helps!