
public function WebformSubmissionAccessControlHandler::checkAccess in Webform 8.5

Same name and namespace in other branches
  1. 6.x src/WebformSubmissionAccessControlHandler.php \Drupal\webform\WebformSubmissionAccessControlHandler::checkAccess()

Performs access checks.

This method is supposed to be overwritten by extending classes that do their own custom access checking.


Parameters

\Drupal\Core\Entity\EntityInterface $entity: The entity for which to check access.

string $operation: The entity operation. Usually one of 'view', 'view label', 'update' or 'delete'.

\Drupal\Core\Session\AccountInterface $account: The user for which to check access.

Return value

\Drupal\Core\Access\AccessResultInterface The access result.

Overrides EntityAccessControlHandler::checkAccess


File

src/WebformSubmissionAccessControlHandler.php, line 66


Class

Defines the access control handler for the webform submission entity type.




Code

public function checkAccess(EntityInterface $entity, $operation, AccountInterface $account) {
  /** @var \Drupal\webform\WebformSubmissionInterface $entity */

  // Check 'administer webform' permission.
  if ($account->hasPermission('administer webform')) {
    return WebformAccessResult::allowed();
  }

  // Check 'administer webform submission' permission.
  if ($account->hasPermission('administer webform submission')) {
    return WebformAccessResult::allowed();
  }

  // Check webform 'update' permission.
  if ($entity->access('update', $account)) {
    return WebformAccessResult::allowed($entity, TRUE);
  }

  // Check view and delete operations token access.
  if (($operation === 'view' || $operation === 'delete') && $entity->getSetting('token_' . $operation)) {
    $token = $this->request->query->get('token');
    if ($token === $entity->getToken()) {
      return WebformAccessResult::allowed($entity);
    }
  }

  // Check 'any' or 'own' webform submission permissions.
  $operations = [
    'view' => 'view',
    'update' => 'edit',
    'delete' => 'delete',
  ];
  if (isset($operations[$operation])) {
    $action = $operations[$operation];

    // Check operation any.
    if ($account->hasPermission("{$action} any webform submission")) {
      return WebformAccessResult::allowed();
    }

    // Check operation own.
    if ($account->hasPermission("{$action} own webform submission") && $entity->isOwner($account)) {
      return WebformAccessResult::allowed($entity, TRUE);
    }
  }

  // Check other operations.
  switch ($operation) {
    case 'duplicate':
      // Check for 'create' or 'update' access.
      return WebformAccessResult::allowedIf($entity->access('create', $account) || $entity->access('update', $account));

    case 'resend':
      // Check for 'update any submission' access.
      return WebformAccessResult::allowedIf($entity->access('submission_update_any', $account));
  }

  // Check webform access rules.
  $webform_access = $this->accessRulesManager->checkWebformSubmissionAccess($operation, $account, $entity);
  if ($webform_access->isAllowed()) {
    return $webform_access;
  }

  return parent::checkAccess($entity, $operation, $account);
}
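
The order of the checks above decides which grant applies first, which matters when auditing who can reach a submission. As an added example (not part of the Webform module), this stand-alone PHP models the permission and token steps with plain arrays in place of the Drupal account, submission and request objects; the function name, array keys and sample token are assumptions made for illustration.

```php
<?php
// Stand-alone model of the decision order in checkAccess(); plain arrays stand
// in for the Drupal account, submission and request (all values constructed).
function explainSubmissionAccess(string $op, array $account, array $submission, ?string $queryToken): string {
  $perms = $account['permissions'];
  foreach (['administer webform', 'administer webform submission'] as $admin) {
    if (in_array($admin, $perms, TRUE)) {
      return "allowed: '$admin' permission";
    }
  }
  if ($submission['webform_update_access']) {
    return "allowed: webform 'update' permission";
  }
  // Token grants cover 'view' and 'delete' only, and only when the setting is on.
  if (in_array($op, ['view', 'delete'], TRUE) && !empty($submission['settings']["token_$op"])) {
    if ($queryToken === $submission['token']) {
      return "allowed: token in query string ($op)";
    }
  }
  $actions = ['view' => 'view', 'update' => 'edit', 'delete' => 'delete'];
  if (isset($actions[$op])) {
    $action = $actions[$op];
    if (in_array("$action any webform submission", $perms, TRUE)) {
      return "allowed: '$action any webform submission'";
    }
    if (in_array("$action own webform submission", $perms, TRUE) && $submission['owner'] === $account['uid']) {
      return "allowed: '$action own webform submission' as owner";
    }
  }
  // The 'duplicate'/'resend' cases, access rules and parent check are not modelled.
  return 'no grant from permissions or token; later checks decide';
}

// Constructed sample data: token access enabled for view, disabled for delete.
$submission = ['owner' => 7, 'token' => 'constructed-token', 'webform_update_access' => FALSE,
  'settings' => ['token_view' => TRUE, 'token_delete' => FALSE]];
$anonymous = ['uid' => 0, 'permissions' => []];
$owner = ['uid' => 7, 'permissions' => ['view own webform submission']];
$cases = [
  ['view', $anonymous, 'constructed-token'],
  ['delete', $anonymous, 'constructed-token'],
  ['update', $anonymous, 'constructed-token'],
  ['view', $owner, NULL],
  ['update', $owner, NULL],
];
foreach ($cases as [$op, $account, $token]) {
  $result = explainSubmissionAccess($op, $account, $submission, $token);
  printf("%-6s uid=%d token=%-3s => %s\n", $op, $account['uid'], $token === NULL ? 'no' : 'yes', $result);
}
```

With this sample data the token grants 'view' to an account holding no permissions, while 'delete' (setting off) and 'update' (never token-eligible) get no grant from these steps.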