Commit c62f0bc9 authored by Manuel Garcia's avatar Manuel Garcia Committed by Manuel Garcia

Issue #2925622 by Manuel Garcia, Rob Holmes, gambry: Encrypted values...

Issue #2925622 by Manuel Garcia, Rob Holmes, gambry: Encrypted values overwritten if submission edited by user without 'view encrypted values' permissions
parent d8afa470
<?php
namespace Drupal\webform_encrypt;
use Drupal\Core\Access\AccessResult;
use Drupal\Core\Entity\EntityInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformSubmissionAccessControlHandler;
/**
* {@inheritdoc}
*/
class WebformEncryptSubmissionAccessControlHandler extends WebformSubmissionAccessControlHandler {
/**
* {@inheritdoc}
*/
public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
// Disallow access to update if the user cannot view encrypted values and
// any of the elements are encrypted.
if ($operation === 'update') {
$config = $entity->getWebform()->getThirdPartySetting('webform_encrypt', 'element');
$data = $entity->getData();
foreach ($data as $element_name => $value) {
if (isset($config[$element_name]['encrypt']) && $config[$element_name]['encrypt'] && $account->hasPermission('view encrypted values') === FALSE) {
return AccessResult::forbidden();
}
}
}
return parent::checkAccess($entity, $operation, $account);
}
}
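Review bot: The `AccessResult::forbidden()` returned inside the `foreach` carries no cacheability metadata, yet the decision depends on the account's permissions and on the webform's `webform_encrypt` third-party settings, so a cached result can be served to a different account or outlive a configuration change; return `AccessResult::forbidden()->cachePerPermissions()->addCacheableDependency($entity->getWebform())` instead. The `hasPermission()` call is loop-invariant and the cheapest test, so evaluating it once before loading the settings and the submission data avoids the repeated lookup and reads as the guard it is, and `!empty($config[$element_name]['encrypt'])` replaces the `isset(...) && ...` pair. The allowed path through `parent::checkAccess()` depends on the same settings (a later change that encrypts an element flips it to forbidden), so it should presumably carry the same webform dependency — confirm that webform's handler returns an `AccessResult` on which `addCacheableDependency()` can be called. Only `update` is guarded here; if the storage class substitutes placeholders for accounts without the permission, any other operation that writes submission data back would need the same check — worth confirming against the operations webform's handler supports.
```php
public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
  // Cheapest test first: only accounts lacking the permission need the
  // per-element scan below.
  if ($operation === 'update' && !$account->hasPermission('view encrypted values')) {
    $webform = $entity->getWebform();
    $config = $webform->getThirdPartySetting('webform_encrypt', 'element');
    foreach (array_keys($entity->getData()) as $element_name) {
      if (!empty($config[$element_name]['encrypt'])) {
        // The decision varies by permission and by the webform's encryption
        // settings, so the cached result must be invalidated on either.
        return AccessResult::forbidden()
          ->cachePerPermissions()
          ->addCacheableDependency($webform);
      }
    }
  }
  return parent::checkAccess($entity, $operation, $account);
}
```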
<?php
namespace Drupal\Tests\webform_encrypt\Functional;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\Role;
/**
* Tests editing of encrypted webform submissions.
*
* @group webform_encrypt
*/
class WebformEncryptEditSumissionsTest extends BrowserTestBase {
/**
* The user that can not view encrypted webform submissions.
*
* @var \Drupal\user\Entity\User
*/
protected $notViewEncryptedUser;
/**
* The user that can view encrypted webform submissions.
*
* @var \Drupal\user\Entity\User
*/
protected $viewEncryptedUser;
/**
* {@inheritdoc}
*/
protected static $modules = [
'webform_encrypt',
'webform_encrypt_test',
];
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$this->notViewEncryptedUser = $this->drupalCreateUser([
'view any webform submission',
'edit any webform submission',
]);
$this->viewEncryptedUser = $this->drupalCreateUser([
'view any webform submission',
'edit any webform submission',
'view encrypted values',
]);
}
/**
* Test webform field encryption.
*/
public function testEditSubmissions() {
$assert_session = $this->assertSession();
$this->drupalLogin($this->notViewEncryptedUser);
// Make a submission.
$edit = [
'test_text_field' => 'Test text field encrypted value',
'test_text_area' => 'Test text area encrypted value',
'test_not_encrypted' => 'Test not encrypted value',
];
$this->drupalPostForm('/webform/test_encryption', $edit, 'Submit');
$assert_session->responseContains('New submission added to Test encryption.');
// Ensure form is not accessible by user without the view encrypted values
// permission.
$edit_submission_path = 'admin/structure/webform/manage/test_encryption/submission/1/edit';
$this->drupalGet($edit_submission_path);
$assert_session->statusCodeEquals(403);
$assert_session->responseContains('You are not authorized to access this page.');
// Verify with the view encrypted values permission that form submission is
// editable by user with the view encrypted values permission.
$this->drupalLogin($this->viewEncryptedUser);
$this->drupalGet($edit_submission_path);
$assert_session->fieldValueEquals('test_text_field', $edit['test_text_field']);
$assert_session->fieldValueEquals('test_text_area', $edit['test_text_area']);
$assert_session->fieldValueEquals('test_not_encrypted', $edit['test_not_encrypted']);
// Save the form without changing any values.
$this->drupalPostForm($edit_submission_path, [], 'Save');
// Check submission is still editeable and values are unchanged.
$this->drupalGet($edit_submission_path);
$assert_session->fieldValueEquals('test_text_field', $edit['test_text_field']);
$assert_session->fieldValueEquals('test_text_area', $edit['test_text_area']);
$assert_session->fieldValueEquals('test_not_encrypted', $edit['test_not_encrypted']);
}
}
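Review bot: The docblock on `testEditSubmissions()` ("Test webform field encryption.") does not describe what the method asserts; suggested replacement: `Tests that only users with 'view encrypted values' can edit a submission containing encrypted elements, and that saving it unchanged keeps the stored values intact.` The class name `WebformEncryptEditSumissionsTest` misspells "Submissions", which will show in test listings and must match the file name; the comment on the re-check after saving has "editeable" for "editable", and the comment above the `viewEncryptedUser` login says "with the view encrypted values permission" twice. `setUp()` is declared without a `: void` return type; whether that is required depends on the PHPUnit version the targeted Drupal core ships — worth checking. The hard-coded `submission/1` in the edit path relies on this being the first submission in a fresh test site, which holds here but would be more robust read back from the created submission.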
......@@ -42,4 +42,5 @@ function webform_encrypt_form_webform_ui_element_form_alter(&$form, FormStateInt
function webform_encrypt_entity_type_alter(array &$entity_types) {
/* @var $entity_types \Drupal\Core\Entity\EntityTypeInterface[] */
$entity_types['webform_submission']->setStorageClass('Drupal\webform_encrypt\WebformEncryptSubmissionStorage');
$entity_types['webform_submission']->setAccessClass('Drupal\webform_encrypt\WebformEncryptSubmissionAccessControlHandler');
}
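Review bot: The new `setAccessClass()` call passes the handler as a string literal, so a rename or namespace move of `WebformEncryptSubmissionAccessControlHandler` would surface only at runtime when the handler is first resolved; `WebformEncryptSubmissionAccessControlHandler::class` (with a matching `use` import at the top of the module file, which is outside this hunk) lets static analysis and IDE refactoring track it, and the adjacent `setStorageClass()` line could follow the same form. The `/* @var ... */` line above uses a single-asterisk block comment, which most tools ignore; `/** @var \Drupal\Core\Entity\EntityTypeInterface[] $entity_types */` is the form PHPStan and IDEs read.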