Merge pull request #8 from OS2Forms/feature/446-update-access-checks

#446: Updated access checks to allow view_all permission access to API

Author: jekuaitk

CHANGELOG.md

@@ -8,6 +8,10 @@ about writing changes to this log.
 
 ## [Unreleased]
 
+## [2.0.3]
+
+- Gave users with `view_any` submission permission access to API.
+
 ## [2.0.2]
 
 - Added `OS2Forms Attachment` to attachments data.
@@ -32,7 +36,8 @@ about writing changes to this log.
 
 - Release 1.0.0
 
-[Unreleased]: https://github.com/OS2Forms/os2forms_rest_api/compare/2.0.2...HEAD
+[Unreleased]: https://github.com/OS2Forms/os2forms_rest_api/compare/2.0.3...HEAD
+[2.0.3]: https://github.com/OS2Forms/os2forms_rest_api/compare/2.0.2...2.0.3
 [2.0.2]: https://github.com/OS2Forms/os2forms_rest_api/compare/2.0.1...2.0.2
 [2.0.1]: https://github.com/OS2Forms/os2forms_rest_api/compare/2.0.0...2.0.1
 [2.0.0]: https://github.com/OS2Forms/os2forms_rest_api/compare/1.1.0...2.0.0

README.md

@@ -166,7 +166,7 @@ Response:
 To give access to webforms, you need to specify a list of API users that are
 allowed to access a webform's data via the API.
 
-Go to Settings > General > Third party settings > OS2Forms > REST API to specify
+Go to Settings > Access > View any submissions > Users to specify
 which users can access a webform's data.
 
 ### Technical details

os2forms_rest_api.module

@@ -18,12 +18,3 @@ use Drupal\os2forms_rest_api\WebformHelper;
 function os2forms_rest_api_webform_third_party_settings_form_alter(array &$form, FormStateInterface $form_state): void {
   \Drupal::service(WebformHelper::class)->webformThirdPartySettingsFormAlter($form, $form_state);
 }
-
-/**
- * Implements hook_file_download().
- *
- * @phpstan-return int|array<string, string>|null
- */
-function os2forms_rest_api_file_download(string $uri) {
-  return \Drupal::service(WebformHelper::class)->fileDownload($uri);
-}

os2forms_rest_api.services.yml

@@ -7,8 +7,6 @@ services:
     arguments:
       - '@entity_type.manager'
       - '@current_user'
-      - '@key_auth.authentication.key_auth'
-      - '@request_stack'
 
   Drupal\os2forms_rest_api\EventSubscriber\WebformAccessEventSubscriber:
     arguments:

src/WebformHelper.php

@@ -8,10 +8,8 @@
 use Drupal\Core\Session\AccountProxyInterface;
 use Drupal\Core\StringTranslation\StringTranslationTrait;
 use Drupal\Core\Url;
-use Drupal\key_auth\Authentication\Provider\KeyAuth;
 use Drupal\webform\WebformInterface;
 use Drupal\webform\WebformSubmissionInterface;
-use Symfony\Component\HttpFoundation\RequestStack;
 
 /**
  * Webform helper for helping with webforms.
@@ -33,28 +31,12 @@ class WebformHelper {
    */
   private AccountProxyInterface $currentUser;
 
-  /**
-   * The key authentication service.
-   *
-   * @var \Drupal\key_auth\Authentication\Provider\KeyAuth
-   */
-  private KeyAuth $keyAuth;
-
-  /**
-   * The request stack.
-   *
-   * @var \Symfony\Component\HttpFoundation\RequestStack
-   */
-  private RequestStack $requestStack;
-
   /**
    * Constructor.
    */
-  public function __construct(EntityTypeManagerInterface $entityTypeManager, AccountProxyInterface $currentUser, KeyAuth $keyAuth, RequestStack $requestStack) {
+  public function __construct(EntityTypeManagerInterface $entityTypeManager, AccountProxyInterface $currentUser) {
     $this->entityTypeManager = $entityTypeManager;
     $this->currentUser = $currentUser;
-    $this->keyAuth = $keyAuth;
-    $this->requestStack = $requestStack;
   }
 
   /**
@@ -241,8 +223,9 @@ private function getAllowedUsers(WebformInterface $webform): array {
   /**
    * Check if a user has access to a webform.
    *
-   * A user has access to a webform if the list of allowed users is empty or the
-   * user is included in the list.
+   * A user has access to a webform if the user is
+   * contained in the list of allowed users or the
+   * user has been granted the 'view_any' webform permission.
    *
    * @param \Drupal\webform\WebformInterface $webform
    *   The webform.
@@ -260,7 +243,7 @@ public function hasWebformAccess(WebformInterface $webform, $user): bool {
 
     $allowedUsers = $this->getAllowedUsers($webform);
 
-    return isset($allowedUsers[$userId]);
+    return isset($allowedUsers[$userId]) || $webform->access('view_any');
   }
 
   /**
@@ -275,40 +258,6 @@ private function loadUsers(array $spec): array {
       ->loadMultiple(array_column($spec, 'target_id'));
   }
 
-  /**
-   * Implements hook_file_download().
-   *
-   * Note: This is only used to deny access to a file that is attached to a
-   * webform (submission) that the user does not have permission to access.
-   * Permission to access private files are handled elsewhere.
-   *
-   * @phpstan-return int|array<string, string>|null
-   */
-  public function fileDownload(string $uri) {
-    $request = $this->requestStack->getCurrentRequest();
-
-    // We are only concerned with users authenticated via Key Auth (cf.
-    // os2forms_rest_api.services.yml).
-    if ($user = $this->keyAuth->authenticate($request)) {
-      // Find webform id from uri, see example uri.
-      // @Example: private://webform/some_webform_id/119/some_file_name.png
-      $pattern = '/private:\/\/webform\/(?<webform>[^\/]*)/';
-      if (preg_match($pattern, $uri, $matches)) {
-        $webform = $this->getWebform($matches['webform']);
-        if (NULL !== $webform) {
-          // Deny access to file if user does not have access to the webform.
-          if (!$this->hasWebformAccess($webform, $user)) {
-            return -1;
-          }
-        }
-      }
-    }
-
-    // We cannot deny access to the file. Let others handle the access control
-    // for the (private) file.
-    return NULL;
-  }
-
   /**
    * Return current user.
    *