ISTWCMS-5863 Authenticated webforms should properly enforce individual user access

f6464467 · Lily Yan · Igor Biki · cff3e2d0 · f6464467
Commit f6464467 authored 2 years ago by Lily Yan Committed by Igor Biki 2 years ago
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -1022,6 +1022,25 @@ function uw_cfg_common_webform_access(WebformInterface $webform, string $operati
        return AccessResult::forbidden();
      }
      break;
+
+    case 'user':
+      // Must be authenticated for group auth.
+      if (!$account->isAuthenticated()) {
+        return AccessResult::forbidden();
+      }
+
+      // Get all users when selecting 'Users specified below' under
+      // admin/structure/webform/manage/WEBFORM_ID/access.
+      $create_user_ids = $webform->getAccessRules()['create']['users'];
+
+      // Get current logged in user id.
+      $current_user_id = \Drupal::currentUser()->id();
+
+      // If the logged user is in not a specified user, get access denied.
+      if (!in_array($current_user_id, $create_user_ids)) {
+        return AccessResult::forbidden();
+      }
+      break;
  }

  return AccessResult::neutral();