Access Denied [#2275735]

When I select the option "Delete submissions immediately", and I have my Redirection location set to "Confirmation page" with a confirmation message set up, after submitting the form I am redirected to a page with a URL similar to: mywebsite.com/node/1/done?sid=10. However instead of seeing my confirmation message I am shown the following error:

"Access denied"
You are not authorized to access this page.

Is it not possible to redirect to the default "Confirmation page" when using this module? I did not see that documented anywhere...

Comments

Comment #1

ladybug_3777 commented 28 May 2014 at 20:11

I should add I am using Webform 7.x-4.0-beta3 (also just tried version rc3)

Comment #2

ladybug_3777 commented 28 May 2014 at 19:15

It looks like the denied access is coming from the webform.module function for webform_confirmation_page_access($node);

/**
 * Access function for confirmation pages.
 *
 * @param $node
 *   The webform node object.
 *
 * @return
 *  Boolean whether the user has access to the confirmation page.
 */
function webform_confirmation_page_access($node) {
  global $user;

  // Make sure SID is a positive integer.
  $sid = (!empty($_GET['sid']) && (int) $_GET['sid'] > 0) ? (int) $_GET['sid'] : NULL;

  if ($sid) {
    module_load_include('inc', 'webform', 'includes/webform.submissions');
    $submission = webform_get_submission($node->nid, $sid);
  }
  else {
    $submission = NULL;
  }

  if ($submission) {
    // Logged-in users.
    if ($user->uid) {
      // User's own submission.
      if ($submission->uid === $user->uid && node_access('view', $node)) {
        return TRUE;
      }
      // User has results access to this submission.
      elseif (webform_submission_access($node, $submission)) {
        return TRUE;
      }
    }
    // Anonymous user for their own submission. Hash of submission data must
    // match the hash in the query string.
    elseif ((int) $user->uid === 0 && (int) $submission->uid === 0) {
      $hash_query = !empty($_GET['token']) ? $_GET['token'] : NULL;
      $hash = md5($submission->submitted . $submission->sid . drupal_get_private_key());
      if ($hash_query === $hash) {
        return TRUE;
      }
    }
  }

  return FALSE;
}

The issue here is that the variable $submission is empty since the submission has been deleted, which ends up returning FALSE for the access.

Not sure the best way to address this, seems like there should be something in place that will allow the page to show the confirmation message even if the submission has been deleted.