Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.Hi,
I am very grateful for this module and I am not sure this would be a "bug" or a "feature request" - probably both. I've also tried to find the same issue but I couldn't, I'm sorry if I have missed it.
User case:
I have a node creation that works as an application form. Through commerce and node checkout the user pay to submit that node. Because the node is only visible to admin staff, I have set permission control with that node type only viewable from logged in admin staff. The admin staff needs to be able to print that node.
Problem:
When I logout and I try to navigate to site.com/print/nodeid I get the printing no problem, when it really should say access denied. This is a massive problem for me as the application forms contains sensitive information and anyone would be able to navigate and print everyone else's application forms.
Ideal feature:
Because I need the anonymous user to be able to receive it's own application form in pdf by email, ideally we could generate an hashed link and output it as a token. This token would be used into a simple rule to output the hashed link to print that specific application pdf. This way it would be way harder for the user to realise they could easily browse everyone else details. (It's not the best one but I can't think of anything else - any suggestion is welcome)
Thanks!
Comments
Comment #1
jcnventura CreditAttribution: jcnventura commentedIn theory, the print/nodeid is subject to the same permission as the original content.
Question is, do you use a third-party module to enforce the aditional permissions on the node?
Comment #2
marameodesignSuper late reply, someone emailed me to ask if we found a solution. I did and I am posting it here:
We used the module Node view permission and set up the permission to only see their own nodes.