
#3485026 "Block unknown users"

Proposed enhancement to improve UX for anonymous users when "Block unknown users" is enabled

I’ve investigated the current issue. While it appears that the originally reported behavior is fixed in recent versions, I found that the current implementation could be improved further from a UX and access control perspective.

Current behavior: If "Block unknown users" is enabled in the Webform CiviCRM settings, and an anonymous user visits a page that embeds the webform (e.g., via a node), the entire page is denied with a generic:

"You are not authorized to access this page."

This happens even if:

  • The user has view access to the node,
  • The webform is publicly viewable,
  • The intention is only to block submission, not the entire route.

This behavior is due to an unconditional AccessDeniedHttpException() being thrown in webform_civicrm/src/WebformCivicrmPreProcess.php, around this line:

if ($this->settings['block_unknown_users']) {
  $this->form['submitted']['#access'] = $this->form['actions']['#access'] = FALSE;
  throw new AccessDeniedHttpException();
}

Proposed enhancement: Instead of denying access to the entire page (route), we can cleanly hide only the webform output by setting:

$this->form['#access'] = FALSE;

This preserves access to the rest of the page (e.g., node content) and aligns better with the principle of least surprise: users see what they’re allowed to, and only the form itself is hidden.

Benefits:

  • Prevents unnecessarily blocking access to the parent route.
  • Plays well with nodes/pages embedding webforms.
  • Provides a cleaner UX — users don’t hit an abrupt 403 if they're just browsing content.
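
The difference between the two behaviours, as an added example that is not part of the merge request or the module's code: a simplified stand-alone PHP 8 model in which render arrays are plain arrays. The `AccessDenied` class and the functions `render()`, `preprocess()` and `viewNode()` are hypothetical names, and the markup is constructed sample data.

```php
<?php
// Simplified model, not Drupal or webform_civicrm code. Render arrays are
// plain arrays; '#access' => false hides an element and all its children.
class AccessDenied extends RuntimeException {}

function render(array $el): string {
  if (($el['#access'] ?? true) === false) {
    return '';
  }
  $out = $el['#markup'] ?? '';
  foreach ($el as $key => $child) {
    if (is_array($child) && !str_starts_with((string) $key, '#')) {
      $out .= render($child);
    }
  }
  return $out;
}

// Preprocess for an anonymous (unknown) visitor. $mode selects the current
// behaviour ('before') or the proposed one ('after').
function preprocess(array $form, bool $blockUnknownUsers, string $mode): array {
  if ($blockUnknownUsers) {
    if ($mode === 'before') {
      $form['submitted']['#access'] = $form['actions']['#access'] = false;
      throw new AccessDenied(); // aborts the whole route
    }
    $form['#access'] = false; // hides only the form
  }
  return $form;
}

// View a node that embeds the form; returns [HTTP status, body].
function viewNode(bool $blockUnknownUsers, string $mode): array {
  $form = [
    'submitted' => ['#markup' => '<input name="email">'],
    'actions' => ['#markup' => '<button>Submit</button>'],
  ];
  try {
    $form = preprocess($form, $blockUnknownUsers, $mode);
  } catch (AccessDenied $e) {
    return [403, 'You are not authorized to access this page.'];
  }
  return [200, render(['body' => ['#markup' => '<p>Node content</p>'], 'form' => $form])];
}

foreach (['before', 'after'] as $mode) {
  [$status, $body] = viewNode(true, $mode);
  echo "$mode: $status $body\n";
}
```

The model covers rendering only; when reviewing the real change, also confirm that an anonymous POST to the form is still rejected once the exception is removed.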
