Merge pull request #3128 from nextcloud/fix/perms

fix: do not add result permissions to see own submissions

Author: susnux

eslint.config.js

@@ -6,7 +6,4 @@
 import { recommendedVue2 } from '@nextcloud/eslint-config'
 import eslintPluginPrettierRecommended from 'eslint-plugin-prettier/recommended'
 
-export default [
-	...recommendedVue2,
-	eslintPluginPrettierRecommended,
-]
+export default [...recommendedVue2, eslintPluginPrettierRecommended]

lib/Controller/ApiController.php

@@ -22,6 +22,7 @@
 use OCA\Forms\Db\SubmissionMapper;
 use OCA\Forms\Db\UploadedFile;
 use OCA\Forms\Db\UploadedFileMapper;
+use OCA\Forms\Exception\NoSuchFormException;
 use OCA\Forms\ResponseDefinitions;
 use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
@@ -1161,16 +1162,22 @@ public function reorderOptions(int $formId, int $questionId, array $newOrder, ?s
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions')]
 	public function getSubmissions(int $formId, ?string $query = null, ?int $limit = null, int $offset = 0, ?string $fileFormat = null): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 
 		if ($fileFormat !== null) {
+			if (!$canSeeAllSubmissions) {
+				throw new NoSuchFormException('The current user has no permission to get the results for this form', Http::STATUS_FORBIDDEN);
+			}
+
 			$submissionsData = $this->submissionService->getSubmissionsData($form, $fileFormat);
 			$fileName = $this->formsService->getFileName($form, $fileFormat);
 
 			return new DataDownloadResponse($submissionsData, $fileName, Constants::SUPPORTED_EXPORT_FORMATS[$fileFormat]);
 		}
 
 		// Load submissions and currently active questions
-		if (in_array(Constants::PERMISSION_RESULTS, $this->formsService->getPermissions($form))) {
+		if ($canSeeAllSubmissions) {
 			$submissions = $this->submissionService->getSubmissions($formId, null, $query, $limit, $offset);
 			$filteredSubmissionsCount = $this->submissionMapper->countSubmissions($formId, null, $query);
 		} else {

lib/Service/FormsService.php

@@ -212,8 +212,6 @@ public function getForm(Form $form): array {
 			$userSubmissionCount = $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID());
 			if ($userSubmissionCount > 0) {
 				$result['submissionCount'] = $userSubmissionCount;
-				// Append `results` permission if user has submitted to the form
-				$result['permissions'][] = Constants::PERMISSION_RESULTS;
 			}
 		}
 

src/Forms.vue

@@ -269,8 +269,15 @@ export default {
 				return false
 			}
 
+			if (this.$route.name === 'results') {
+				return (
+					form.permissions.includes(this.$route.name)
+					|| form.submissionCount > 0
+				)
+			}
+
 			// Return whether route is in the permissions-list
-			return form?.permissions.includes(this.$route.name)
+			return form.permissions.includes(this.$route.name)
 		},
 
 		selectedForm: {

src/views/Results.vue

@@ -50,6 +50,7 @@
 
 				<!-- Action menu for cloud export and deletion -->
 				<NcActions
+					v-if="canExportSubmissions"
 					:aria-label="t('forms', 'Options')"
 					force-name
 					:inline="isMobile ? 0 : 1"
@@ -449,6 +450,12 @@ export default {
 			return this.form.state === FormState.FormArchived
 		},
 
+		canExportSubmissions() {
+			return this.form.permissions.includes(
+				this.PERMISSION_TYPES.PERMISSION_RESULTS,
+			)
+		},
+
 		canDeleteSubmissions() {
 			return (
 				this.form.permissions.includes(

tests/Unit/Controller/ApiControllerTest.php

@@ -304,7 +304,7 @@ public function testExportSubmissions_invalidForm() {
 			->willThrowException(new NoSuchFormException('Could not find form'));
 
 		$this->expectException(NoSuchFormException::class);
-		$this->apiController->getSubmissions(99, 'csv');
+		$this->apiController->getSubmissions(99, fileFormat: 'csv');
 	}
 
 	public function testExportSubmissions_noPermissions() {
@@ -318,7 +318,27 @@ public function testExportSubmissions_noPermissions() {
 			->willThrowException(new NoSuchFormException('The current user has no permission to get the results for this form'));
 
 		$this->expectException(NoSuchFormException::class);
-		$this->apiController->getSubmissions(1, 'csv');
+		$this->apiController->getSubmissions(1, fileFormat: 'csv');
+	}
+
+	public function testExportSubmissions_noExportPermissions() {
+		$form = new Form();
+		$form->setId(1);
+		$form->setOwnerId('currentUser');
+
+		$this->formsService->expects($this->once())
+			->method('getFormIfAllowed')
+			->with(1, Constants::PERMISSION_RESULTS)
+			->willReturn($form);
+
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_SUBMIT]);
+
+
+		$this->expectException(NoSuchFormException::class);
+		$this->apiController->getSubmissions(1, fileFormat: 'csv');
 	}
 
 	public function testExportSubmissions() {
@@ -331,6 +351,11 @@ public function testExportSubmissions() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_SUBMIT, Constants::PERMISSION_RESULTS]);
+
 		$csv = 'foo,bar';
 		$this->submissionService->expects($this->once())
 			->method('getSubmissionsData')