diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index 049998b1c..e0cbc228a 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -268,6 +268,17 @@ public function updateForm(int $formId, array $keyValuePairs): DataResponse {
 ]);
 $form = $this->getFormIfAllowed($formId);
+ if (
+ $this->formsService->isFormArchived($form)
+ && !(
+ sizeof($keyValuePairs) === 1
+ && key_exists('state', $keyValuePairs)
+ && $keyValuePairs['state'] === Constants::FORM_STATE_CLOSED
+ )
+ ) {
+ $this->logger->debug('This form is archived and can not be modified except to change state to closed.');
+ throw new OCSForbiddenException('This form is archived and can not be modified except to change state to closed.');
+ }
 // Don't allow empty array
 if (sizeof($keyValuePairs) === 0) {
diff --git a/lib/Controller/ShareApiController.php b/lib/Controller/ShareApiController.php
index 9bdd3b47b..067c171a1 100644
--- a/lib/Controller/ShareApiController.php
+++ b/lib/Controller/ShareApiController.php
@@ -123,6 +123,11 @@ public function newShare(int $formId, int $shareType, string $shareWith = '', ar
 throw new OCSNotFoundException('Could not find form');
 }
+ if ($this->formsService->isFormArchived($form)) {
+ $this->logger->debug('This form is archived and can not be modified');
+ throw new OCSForbiddenException('This form is archived and can not be modified');
+ }
+
 // Check for permission to share form
 if ($form->getOwnerId() !== $this->currentUser->getUID()) {
 $this->logger->debug('This form is not owned by the current user');
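Review bot: The exemption inside the new guard in updateForm has no comment explaining why exactly one request shape is let through, and its `=== Constants::FORM_STATE_CLOSED` comparison is strict, so a caller that passes `state` as a string is rejected by this guard even though the value is the closed state. That fails closed, which is the safe direction, but it should be written down; above the `if` I would add `// Archived forms are read-only: the only accepted update is state => FORM_STATE_CLOSED on its own (strict type match).` The same message literal is passed to both the logger and the exception and could be held in one local variable. updateForm's body starts and ends outside the hunk.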
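Review bot: The archived check in newShare runs before the ownership check that follows it (`$form->getOwnerId() !== $this->currentUser->getUID()`), so a caller who does not own the form receives the "archived" message instead of the ownership one and learns the form's state from it. Moving the added block below the permission check keeps form state visible only to callers who are already allowed to manage shares. updateShare and deleteShare add the same block directly after the lookup; their permission checks lie outside the hunks, so the ordering should be confirmed there as well. newShare's body extends beyond the hunk.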
@@ -243,6 +248,11 @@ public function updateShare(int $formId, int $shareId, array $keyValuePairs): Da
 throw new OCSNotFoundException('Could not find share');
 }
+ if ($this->formsService->isFormArchived($form)) {
+ $this->logger->debug('This form is archived and can not be modified');
+ throw new OCSForbiddenException('This form is archived and can not be modified');
+ }
+
 if ($formId !== $formShare->getFormId()) {
 $this->logger->debug('This share doesn\'t belong to the given Form');
 throw new OCSBadRequestException('Share doesn\'t belong to given Form');
@@ -336,6 +346,11 @@ public function deleteShare(int $formId, int $shareId): DataResponse {
 throw new OCSNotFoundException('Could not find share');
 }
+ if ($this->formsService->isFormArchived($form)) {
+ $this->logger->debug('This form is archived and can not be modified');
+ throw new OCSForbiddenException('This form is archived and can not be modified');
+ }
+
 if ($formId !== $formShare->getFormId()) {
 $this->logger->debug('This share doesn\'t belong to the given Form');
 throw new OCSBadRequestException('Share doesn\'t belong to given Form');
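Review bot: The block added to updateShare is the same as the ones added to newShare and deleteShare, so the archive rule for shares now lives in three copies and a later share endpoint can be written without it. A single private helper on the controller, called right after the lookup in each method, would keep the message and the exception type in one place and make a missing call easy to spot in review. The helper name below is a suggestion, and the parameter is left untyped because the form's class is not visible in this hunk. updateShare's body starts and ends outside the hunk.

```php
// … unchanged: share and form lookup …
$this->assertFormIsNotArchived($form);
// … unchanged: share/form match check …

/**
 * Archived forms are read-only; refuse any share change on them.
 *
 * @throws OCSForbiddenException if the form is archived
 */
private function assertFormIsNotArchived($form): void {
	if ($this->formsService->isFormArchived($form)) {
		$this->logger->debug('This form is archived and can not be modified');
		throw new OCSForbiddenException('This form is archived and can not be modified');
	}
}
```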
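Review bot: Rejecting deleteShare on an archived form means an existing share cannot be revoked until the form is un-archived. Whether a share on an archived form still grants any access is not visible in this hunk, but if it does, removal is the one share operation that should stay available, because it only reduces exposure. Consider dropping the guard here, or record the decision with a comment such as `// Archived forms are frozen including their shares; un-archive first to revoke a share.` deleteShare's body extends beyond the hunk.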