From f6464467603870eb6214439bf24bff6aed82bd01 Mon Sep 17 00:00:00 2001
From: Lily Yan <l26yan@uwaterloo.ca>
Date: Thu, 6 Oct 2022 14:14:15 -0400
Subject: [PATCH] ISTWCMS-5863 Authenticated webforms should properly enforce
 individual user access

---
 uw_cfg_common.module | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/uw_cfg_common.module b/uw_cfg_common.module
index dcf49899..ed72eb93 100644
--- a/uw_cfg_common.module
+++ b/uw_cfg_common.module
@@ -1022,6 +1022,25 @@ function uw_cfg_common_webform_access(WebformInterface $webform, string $operati
         return AccessResult::forbidden();
       }
       break;
+
+    case 'user':
+      // Must be authenticated for group auth.
+      if (!$account->isAuthenticated()) {
+        return AccessResult::forbidden();
+      }
+
+      // Get all users when selecting 'Users specified below' under
+      // admin/structure/webform/manage/WEBFORM_ID/access.
+      $create_user_ids = $webform->getAccessRules()['create']['users'];
+
+      // Get current logged in user id.
+      $current_user_id = \Drupal::currentUser()->id();
+
+      // If the logged user is in not a specified user, get access denied.
+      if (!in_array($current_user_id, $create_user_ids)) {
+        return AccessResult::forbidden();
+      }
+      break;
   }
 
   return AccessResult::neutral();
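Review bot: The membership test in the new `case 'user':` branch takes the user from `\Drupal::currentUser()`, while the authentication test a few lines earlier uses the `$account` passed to the hook, so an access check made on behalf of another account is evaluated against whoever is logged in. Use the hook's account for both: `$current_user_id = $account->id();`. `in_array()` is called without the strict flag and `getAccessRules()['create']['users']` is read without a fallback; if the stored ids can be strings or the key can be absent, `in_array((int) $account->id(), array_map('intval', $create_user_ids ?? []), TRUE)` is safer. The result now differs per user, so the forbidden result probably needs `->cachePerUser()` and the webform added as a cacheable dependency, unless the caller already does this; the function starts and ends outside the hunk, so that cannot be confirmed here.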
-- 
GitLab