Skip to content

fix: prevent modifications to archived forms in ApiController and ShareApiController #2741

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Chartman123 merged 1 commit into from
May 14, 2025
Merged

fix: prevent modifications to archived forms in ApiController and ShareApiController #2741

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
11 changes: 11 additions & 0 deletions lib/Controller/ApiController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,6 +268,17 @@
]);

$form = $this->getFormIfAllowed($formId);
if (
$this->formsService->isFormArchived($form)
&& !(
sizeof($keyValuePairs) === 1
&& key_exists('state', $keyValuePairs)
Comment thread
Chartman123 marked this conversation as resolved.
&& $keyValuePairs['state'] === Constants::FORM_STATE_CLOSED
)
) {
$this->logger->debug('This form is archived and can not be modified except to change state to closed.');
throw new OCSForbiddenException('This form is archived and can not be modified except to change state to closed.');

Check warning on line 280 in lib/Controller/ApiController.php

View check run for this annotation

Codecov / codecov/patch

lib/Controller/ApiController.php#L279-L280 

Added lines #L279 - L280 were not covered by tests
}

// Don't allow empty array
if (sizeof($keyValuePairs) === 0) {
Expand Down
15 changes: 15 additions & 0 deletions lib/Controller/ShareApiController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,11 @@
throw new OCSNotFoundException('Could not find form');
}

if ($this->formsService->isFormArchived($form)) {
$this->logger->debug('This form is archived and can not be modified');
throw new OCSForbiddenException('This form is archived and can not be modified');

Check warning on line 128 in lib/Controller/ShareApiController.php

View check run for this annotation

Codecov / codecov/patch

lib/Controller/ShareApiController.php#L127-L128 

Added lines #L127 - L128 were not covered by tests
}

// Check for permission to share form
if ($form->getOwnerId() !== $this->currentUser->getUID()) {
$this->logger->debug('This form is not owned by the current user');
Expand Down Expand Up @@ -243,6 +248,11 @@
throw new OCSNotFoundException('Could not find share');
}

if ($this->formsService->isFormArchived($form)) {
$this->logger->debug('This form is archived and can not be modified');
throw new OCSForbiddenException('This form is archived and can not be modified');

Check warning on line 253 in lib/Controller/ShareApiController.php

View check run for this annotation

Codecov / codecov/patch

lib/Controller/ShareApiController.php#L252-L253 

Added lines #L252 - L253 were not covered by tests
}

if ($formId !== $formShare->getFormId()) {
$this->logger->debug('This share doesn\'t belong to the given Form');
throw new OCSBadRequestException('Share doesn\'t belong to given Form');
Expand Down Expand Up @@ -336,6 +346,11 @@
throw new OCSNotFoundException('Could not find share');
}

if ($this->formsService->isFormArchived($form)) {
$this->logger->debug('This form is archived and can not be modified');
throw new OCSForbiddenException('This form is archived and can not be modified');

Check warning on line 351 in lib/Controller/ShareApiController.php

View check run for this annotation

Codecov / codecov/patch

lib/Controller/ShareApiController.php#L350-L351 

Added lines #L350 - L351 were not covered by tests
}

if ($formId !== $share->getFormId()) {
$this->logger->debug('This share doesn\'t belong to the given Form');
throw new OCSBadRequestException('Share doesn\'t belong to given Form');
Expand Down
Loading