#867: Allow denying address protected citizen from webform

CHANGELOG.md

@@ -12,10 +12,10 @@ before starting to add changes. Use example [placed in the end of the page](#exa
 ## [Unreleased]
 
 - Adding Lat and Long fetching to DataAddress
-
 - CprFetchData adding ajax error fix
 - [#84](https://github.com/OS2Forms/os2forms/pull/84)
   Added digital post test command.
+- Allow denying address protected citizen from webform.
 
 ## [3.14.0]
 

modules/os2forms_nemid/README.md

@@ -14,6 +14,7 @@ Besides this module adds a special settings to the Third Party Webform settings:
 
 - Webform type
 - Redirect to nemlogin automatically
+-
 
 Settings: admin/structure/webform/manage/[webform]/settings
 

modules/os2forms_nemid/os2forms_nemid.module

@@ -11,6 +11,9 @@ use Drupal\migrate\Plugin\MigrateSourceInterface;
 use Drupal\migrate\Plugin\MigrationInterface;
 use Drupal\migrate\Row;
 use Drupal\os2forms_nemid\Plugin\WebformElement\NemidElementBase;
+use Drupal\os2forms_nemid\Service\FormsHelper;
+use Drupal\webform\Utility\WebformFormHelper;
+use Drupal\webform\WebformSubmissionInterface;
 
 /**
  * Implements hook_form_FORM_ID_alter().
@@ -21,6 +24,15 @@ function os2forms_nemid_form_webform_os2forms_settings_form_alter(&$form, FormSt
   os2forms_nemid_webform_third_party_settings_form_alter($form, $form_state);
 }
 
+/**
+ * Implements hook_ENTITY_TYPE_prepare_form().
+ *
+ * Prepare webform.
+ */
+function os2forms_nemid_webform_submission_prepare_form(WebformSubmissionInterface $webform_submission, string $operation, FormStateInterface $form_state): void {
+  Drupal::service('os2forms_nemid.forms_helper')->webformSubmissionPrepareForm($webform_submission, $operation, $form_state);
+}
+
 /**
  * Implements hook_webform_third_party_settings_form_alter().
  */
@@ -71,12 +83,80 @@ function os2forms_nemid_webform_third_party_settings_form_alter(&$form, FormStat
     '#default_value' => !(empty($settings)) ? $settings['nemlogin_auto_redirect'] : FALSE,
     '#description' => t('Redirection will happen right after user has is accessing the form, if user is already authenticated via NemID, redirection will not happen.'),
   ];
+
+
+  $nemloginProtectionSettings = $webform->getThirdPartySetting('os2forms', 'os2forms_nemid_address_protection');
+
+  // OS2Forms NemID.
+  $form['third_party_settings']['os2forms']['os2forms_nemid_address_protection'] = [
+    '#type' => 'details',
+    '#title' => t('OS2Forms address protection settings'),
+    '#open' => TRUE,
+  ];
+
+
+  // Nemlogin auto redirect.
+  $form['third_party_settings']['os2forms']['os2forms_nemid_address_protection']['nemlogin_hide_form'] = [
+    '#type' => 'select',
+    '#options' => [
+      FormsHelper::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DEFAULT_BEHAVIOUR => t('No'),
+      FormsHelper::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DISPLAY_ERROR => t('Yes'),
+    ],
+    '#title' => t('Hide form if user is under protection'),
+    '#default_value' => !(empty($nemloginProtectionSettings)) ? $nemloginProtectionSettings['nemlogin_hide_form'] : FormsHelper::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DEFAULT_BEHAVIOUR,
+    '#description' => t('Hides elements and displays error if nemlogin reveals that citizen is under address protection and an address element is found on the webform'),
+  ];
+
+  // Nemlogin address protection.
+  $form['third_party_settings']['os2forms']['os2forms_nemid_address_protection']['nemlogin_hide_message'] = [
+    '#title' => t('Hide message'),
+    '#type' => 'textarea',
+    '#default_value' => !(empty($nemloginProtectionSettings)) ? $nemloginProtectionSettings['nemlogin_hide_message'] : '',
+    '#description' => t('Message shown to user when visiting form'),
+    '#states' => [
+      'visible' => [
+        [':input[name="third_party_settings[os2forms][os2forms_nemid_address_protection][nemlogin_hide_form]"]' => ['value' => FormsHelper::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DISPLAY_ERROR]],
+      ],
+      'required' => [
+        [':input[name="third_party_settings[os2forms][os2forms_nemid_address_protection][nemlogin_hide_form]"]' => ['value' => FormsHelper::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DISPLAY_ERROR]],
+      ]
+    ],
+  ];
 }
 
 /**
  * Implements hook_webform_submission_form_alter().
  */
 function os2forms_nemid_webform_submission_form_alter(array &$form, FormStateInterface $form_state, $form_id) {
+
+  // Handle address protection
+  if ($tempValue = $form_state->getTemporaryValue(FormsHelper::TEMPORARY_KEY)) {
+    if (FALSE === ($tempValue['access'] ?? TRUE)) {
+      // Flattening the elements makes it much easier to access nested elements.
+      $elements = &WebformFormHelper::flattenElements($form['elements']);
+
+      \Drupal::messenger()->addError(t('Access to form denied'));
+
+      if (isset($tempValue['message'])) {
+        $form['os2forms_nemlogin_message'] = [
+          '#theme' => 'status_messages',
+          '#message_list' => [
+            'error' => [$tempValue['message']],
+          ],
+        ];
+      }
+
+      // Hide all actions ….
+      $form['actions']['#access'] = FALSE;
+      // … and elements.
+      foreach ($elements as &$element) {
+        $element['#access'] = FALSE;
+      }
+    }
+
+    return;
+  }
+
   // Getting webform Nemid settings.
   /** @var \Drupal\webform\WebformSubmissionInterface Interface $webformSubmission */
   $webformSubmission = $form_state->getFormObject()->getEntity();

modules/os2forms_nemid/os2forms_nemid.services.yml

@@ -6,4 +6,4 @@ services:
       - {name: event_subscriber}
   os2forms_nemid.forms_helper:
     class: Drupal\os2forms_nemid\Service\FormsHelper
-    arguments: ['@os2web_nemlogin.auth_provider', '@plugin.manager.os2web_datalookup']
+    arguments: ['@os2web_nemlogin.auth_provider', '@plugin.manager.os2web_datalookup', '@current_route_match']

modules/os2forms_nemid/src/Service/FormsHelper.php

@@ -4,13 +4,15 @@
 
 use Drupal\Component\Utility\NestedArray;
 use Drupal\Core\Form\FormStateInterface;
+use Drupal\Core\Routing\RouteMatchInterface;
 use Drupal\os2forms_nemid\Element\NemidCompanyCvrFetchData;
 use Drupal\os2forms_nemid\Element\NemidCompanyPNumber;
 use Drupal\os2forms_nemid\Element\NemidCprFetchData;
 use Drupal\os2web_datalookup\LookupResult\CompanyLookupResult;
 use Drupal\os2web_datalookup\LookupResult\CprLookupResult;
 use Drupal\os2web_datalookup\Plugin\DataLookupManager;
 use Drupal\os2web_nemlogin\Service\AuthProviderService;
+use Drupal\webform\WebformSubmissionInterface;
 
 /**
  * FormsHelper.
@@ -20,6 +22,32 @@
  * @package Drupal\os2forms_nemid\Service
  */
 class FormsHelper {
+  const TEMPORARY_KEY = 'os2forms_nemlogin_address_protection';
+
+  /**
+   * Defines NemID login address protection display error option.
+   */
+  const WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DISPLAY_ERROR = 'os2forms_nemlogin_address_protection_display_error';
+
+  /**
+   * Defines NemID login address protection display default behaviour.
+   */
+  const WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DEFAULT_BEHAVIOUR = 'os2forms_nemlogin_address_protection_default_behaviour';
+
+  /**
+   * Defines NemID login address related elements.
+   */
+  private const WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_ELEMENT_TYPES = [
+    'os2forms_nemid_address',
+    'os2forms_nemid_street',
+    'os2forms_nemid_house_nr',
+    'os2forms_nemid_floor',
+    'os2forms_nemid_apartment_nr',
+    'os2forms_nemid_postal_code',
+    'os2forms_nemid_city',
+    'os2forms_nemid_kommunekode',
+    'os2forms_nemid_coaddress'
+  ];
 
   /**
    * Auth provider service.
@@ -35,6 +63,13 @@ class FormsHelper {
    */
   private $dataLookManager;
 
+  /**
+   * The route match.
+   *
+   * @var \Drupal\Core\Routing\RouteMatchInterface
+   */
+  private RouteMatchInterface $routeMatch;
+
   /**
    * Constructor.
    *
@@ -43,9 +78,10 @@ class FormsHelper {
    * @param \Drupal\os2web_datalookup\Plugin\DataLookupManager $dataLookPluginManager
    *   Datalookup plugin manager.
    */
-  public function __construct(AuthProviderService $authProviderService, DataLookupManager $dataLookPluginManager) {
+  public function __construct(AuthProviderService $authProviderService, DataLookupManager $dataLookPluginManager, RouteMatchInterface $routeMatch) {
     $this->authProviderService = $authProviderService;
     $this->dataLookManager = $dataLookPluginManager;
+    $this->routeMatch = $routeMatch;
   }
 
   /**
@@ -307,4 +343,51 @@ protected function getDataFetchTriggerValue($dataFetchValueFieldName, FormStateI
     return $value;
   }
 
+  /**
+   * Implements hook_ENTITY_TYPE_prepare_form().
+   */
+  public function webformSubmissionPrepareForm(WebformSubmissionInterface $webformSubmission, string $operation, FormStateInterface $formState): void {
+    // Only perform address protection check when displaying submission form.
+    $accessCheckRouteNames = [
+      // Webform attached to a node.
+      'entity.node.canonical',
+      // Creating a new submission.
+      'entity.webform.canonical',
+      // Editing a submission.
+      'entity.webform_submission.edit_form',
+    ];
+
+    if (!in_array($this->routeMatch->getRouteName(), $accessCheckRouteNames, TRUE)) {
+      return;
+    }
+
+    // Check if hide address protection is selected
+    $hideForm = $webformSubmission->getWebform()->getThirdPartySettings('os2forms')['os2forms_nemid_address_protection']['nemlogin_hide_form'] ?? NULL;
+
+    if ($hideForm === self::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_DISPLAY_ERROR) {
+      $cprResult = $this->retrieveCprLookupResult($formState);
+
+      if ($cprResult && $cprResult->isNameAddressProtected()) {
+
+        // Check if any element violating address protection is present in webform.
+        $elements  = $webformSubmission->getWebform()->getElementsDecodedAndFlattened();
+
+        foreach ($elements as $element) {
+
+          if(in_array($element['#type'], self::WEBFORM_NEM_LOGIN_ADDRESS_PROTECTION_ELEMENT_TYPES)) {
+
+            // Violation detected, mark form state with temporary key and return.
+            $message = $webformSubmission->getWebform()->getThirdPartySettings('os2forms')['os2forms_nemid_address_protection']['nemlogin_hide_message'];
+
+            $formState->setTemporaryValue(self::TEMPORARY_KEY, [
+              'access' => FALSE,
+              'message' => $message
+            ]);
+
+            return;
+          }
+        }
+      }
+    }
+  }
 }