Added proper entity access en preview routes #307
rimi-itk wants to merge 2 commits into OS2Forms:master from
Syncing develop with master changes
1b2e447 to 721898e
721898e to 46aa294
@skifter @ds-bellcom Do you use the OS2Forms permission by term module or something similar to restrict access to forms?

@rimi-itk We only have a single one that has the module enabled on a test environment, because someone wanted to test it - otherwise not. CC: @skifter

Noted, @ds-bellcom. As hinted at in the pull request description, we (ITK Dev/Aarhus) use an updated version of the module (https://github.com/itk-dev/selvbetjening.aarhuskommune.dk/tree/develop/web/modules/custom/os2forms_permissions_by_term) and it is somewhat unclear to us why we have it (and it confused me quite recently during debugging). If only Aarhus uses the module, then I think it should be deleted from

@rimi-itk I understand you and will leave it up to @OS2Forms/koordinationsgruppe to decide whether the module should be removed or updated? @ChatBotBerg @simh1995 will one of you bring it up at your next meeting and get back to us?
Adds proper entity access checks on preview routes.

The previous checks allowed any user with the "view any webform submission" permission to preview submission data (if guessing a webform ID and a matching submission ID, which is pretty easy to do …). If all users have access to all webforms and submissions, this is not an issue. However, if some sort of access checks are used to deny some users access to some webforms and submissions, e.g. by enabling the OS2Forms permission by term module [1], all users will be able to preview any Maestro notification on any submission, i.e. only submissions on forms with a Maestro notification handler can be previewed (and only the data included in the notification).
Note
The failing checks will be resolved when/if #290 is completed.
Footnotes

1. The OS2Forms permission by term module is missing an access check on webform submissions. The check has been added in https://github.com/itk-dev/selvbetjening.aarhuskommune.dk/tree/develop/web/modules/custom/os2forms_permissions_by_term.
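To illustrate the kind of check the description asks for, here is an added example (not code from OS2Forms, the PR, or the permissions by term module) of a Drupal route access callback for a hypothetical notification preview route: instead of a blanket `_permission` requirement, it requires entity `view` access on the submission loaded from the route, so that any entity access hooks (such as a permissions-by-term style module) are consulted. The module namespace, class name and route parameter names are assumptions.

```php
<?php
// Added example, not OS2Forms' own code. Hypothetical module name.
namespace Drupal\example_preview\Access;

use Drupal\Core\Access\AccessResult;
use Drupal\Core\Routing\Access\AccessInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\webform\WebformInterface;
use Drupal\webform\WebformSubmissionInterface;

/**
 * Access check for a submission preview route.
 *
 * Assumed wiring in example_preview.routing.yml (weak form shown first):
 *
 *   # Weak: anyone holding the permission can preview any submission by ID.
 *   requirements:
 *     _permission: 'view any webform submission'
 *
 *   # Hardened: delegate to this class, which uses entity access.
 *   requirements:
 *     _custom_access: '\Drupal\example_preview\Access\SubmissionPreviewAccess::access'
 *   options:
 *     parameters:
 *       webform: { type: 'entity:webform' }
 *       webform_submission: { type: 'entity:webform_submission' }
 */
final class SubmissionPreviewAccess implements AccessInterface {

  public function access(AccountInterface $account, WebformInterface $webform, WebformSubmissionInterface $webform_submission): AccessResult {
    // A guessed submission ID paired with a different webform ID must fail,
    // even if the caller could view that other webform.
    if ($webform_submission->getWebform()->id() !== $webform->id()) {
      return AccessResult::forbidden('Submission does not belong to this webform.')
        ->addCacheableDependency($webform_submission);
    }

    // Entity access runs hook_entity_access() implementations, so per-webform
    // restrictions (e.g. term-based ones) are honoured rather than bypassed
    // by a global "view any webform submission" permission.
    return $webform_submission->access('view', $account, TRUE)
      ->andIf($webform->access('view', $account, TRUE));
  }

}
```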