From 46aa29410c7a56c757d1b6a7baf9b9be56c6b04a Mon Sep 17 00:00:00 2001
From: Mikkel Ricky <rimi@aarhus.dk>
Date: Mon, 23 Feb 2026 13:06:11 +0100
Subject: [PATCH] Added proper entity access checks on Maestro notification
 preview routes

---
 CHANGELOG.md                                          | 3 +++
 modules/os2forms_forloeb/os2forms_forloeb.routing.yml | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index f6f3e756..6b5fd19f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -11,6 +11,9 @@ before starting to add changes. Use example [placed in the end of the page](#exa
 
 ## [Unreleased]
 
+- [PR-307](https://github.com/OS2Forms/os2forms/pull/307)
+  Added proper entity access checks on Maestro notification preview routes
+
 ## [5.0.0] 2025-11-18
 
 - [PR-192](https://github.com/OS2Forms/os2forms/pull/192)
diff --git a/modules/os2forms_forloeb/os2forms_forloeb.routing.yml b/modules/os2forms_forloeb/os2forms_forloeb.routing.yml
index a51f54e5..785d27ff 100644
--- a/modules/os2forms_forloeb/os2forms_forloeb.routing.yml
+++ b/modules/os2forms_forloeb/os2forms_forloeb.routing.yml
@@ -17,7 +17,7 @@ os2forms_forloeb.meastro_notification.preview:
       webform:
         type: 'entity:webform'
   requirements:
-    _permission: 'view any webform submission'
+    _entity_access: 'webform.view'
 
 os2forms_forloeb.meastro_notification.preview_render:
   path: '/admin/structure/webform/manage/{webform}/os2forms_forloeb/notification/{handler}/preview/{notification_type}/{content_type}/render/{submission}'
@@ -31,7 +31,7 @@ os2forms_forloeb.meastro_notification.preview_render:
       submission:
         type: 'entity:webform_submission'
   requirements:
-    _permission: 'view any webform submission'
+    _entity_access: 'submission.view'
 
 os2forms_forloeb.meastro_notification.preview_message:
   path: '/os2forms_forloeb/notification/message'