Cannot resend email to users without the Access All Webform Results permission. #178
Comments
|
Additional info - in my use case, the Results tab only appears when a new form is being created or in draft. It does not appear when already submitted forms are being viewed and/or edited. |
|
@pnmgman2 Thanks for reporting the webform email issue! I was curious and tried to reproduce it but wasn't able to do so: Sending a webform email to the email address of an user with the mentioned permission combination was possible. I'm wondering if the Access Own Results / Access All Results permissions are meant to change Webform's ability to send mails to certain addresses. If I recall correct, these permissions are only relevant for the "Results" tab in the web interface. |
|
Hi Olaf –
Thanks for responding – I went back to my issue and need to clarify a couple of things about our use case re: Webform, as I was not clear:
When we allow users to create and “submit” a webform submission, the aforementioned permissions do work as you have pointed out.
In our use case; however we create the webform submissions for our users in advance. Therefore, when the user logs in to complete entering of data, they must use the “resend” email function to notify parties. This function s at node/xxx/submission/xxx/resend.
It seems to be specifically the page at “node/xxx/submission/xxx/resend” that webform email becomes inaccessible to the user unless that also have “Access All Results” permission. In this case, yes the “Results” tab must be showing to the user (which we don’t want) as that exposes all webform submissions.
I hope this helps, and thank you again, in advance, for taking the time to investigate this.
…-Kerry Gray
From: Olaf Grabienski <[email protected]>
Sent: Monday, February 15, 2021 2:22 AM
To: backdrop-contrib/webform <[email protected]>
Cc: Kerry Gray <[email protected]>; Mention <[email protected]>
Subject: Re: [backdrop-contrib/webform] Webform cannot send email to users without the Access All Webform Results permission. (#178)
@pnmgman2<https://github.com/pnmgman2> Thanks for reporting the webform email issue! I was curious and tried to reproduce it but wasn't able to do so: Sending a webform email to the email address of an user with the mentioned permission combination was possible.
I'm wondering if the Access Own Results / Access All Results permissions are meant to change Webform's ability to send mails to certain addresses. If I recall correct, these permissions are only relevant for the "Results" tab in the web interface.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#178 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AA4MUCNSTRRFCB6OGVK7P5DS7DRU3ANCNFSM4XTOJREQ>.
|
|
Hi again, I've just realized I didn't come back to this. I'm not maintaining Webform, so I can't give an official answer, and unfortunately, I don't know how to solve your use case either. Idea for a workaround, if the information isn't top secret: hide the "Results" tab via CSS |
|
Hi-thanks for the input. Hiding the Results tab via CSS is also the conclusion that I also came to.
In our use case, Webform results are not “top secret”, they just do not need to be made accessible to everyone who happens to click on the “results” tab.
From what I can tell, “submissions” is tied to the user that created the submission and “results” is tied to any user who is able to “view results”; these are not the same things in practical use cases.
We use webform to gather information from users who should never see any other users submissions in any circumstance, but the user must have “view results” permissions to access the webform mail functions; which, then displays the “Results” tab while the new form is visible and before it is submitted.
Thanks again for your feedback
From: Olaf Grabienski ***@***.***>
Sent: Thursday, March 11, 2021 8:02 AM
To: backdrop-contrib/webform ***@***.***>
Cc: Kerry Gray ***@***.***>; Mention ***@***.***>
Subject: Re: [backdrop-contrib/webform] Webform cannot send email to users without the Access All Webform Results permission. (#178)
Hi again, I've just realized I didn't come back to this. I'm not maintaining Webform, so I can't give an official answer, and unfortunately, I don't know how to solve your use case either.
Idea for a workaround, if the information isn't top secret: hide the "Results" tab via CSS
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub<#178 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AA4MUCNZJHO45YHL5YAMWWDTDDLO7ANCNFSM4XTOJREQ>.
|
jenlampton
changed the title
|
I suspect that the menu callback for that resend URL is not using the same access callback as the results page, where the |
Webform will not send email to users who have the Access Own Results permission set without also having the Access All Results permission set.
This is not ideal, as I want users to only have access to their submissions and still be able to email as a 'ball-in-court' method for notifying others via an email they add to a webform component field.
Adding the Access All Results exposes the Results tab on the webform which shows users all forms submitted by all users, which for us is a privacy issue. I have never been able to find a way around this issue going back to Drupal days.
The text was updated successfully, but these errors were encountered: