From bddcd68a87fa706882ff7acf836d25a14b66a17e Mon Sep 17 00:00:00 2001 From: Ferdinand Thiessen Date: Thu, 22 Jan 2026 18:45:15 +0100 Subject: [PATCH] fix: do not add result permissions to see own submissions When a user has submitted a form they should not have result permissions, but instead we should only show their own submissions. Signed-off-by: Ferdinand Thiessen --- lib/Controller/ApiController.php | 9 ++++++- lib/Service/FormsService.php | 2 -- src/Forms.vue | 9 ++++++- src/views/Results.vue | 7 +++++ tests/Unit/Controller/ApiControllerTest.php | 29 +++++++++++++++++++-- 5 files changed, 50 insertions(+), 6 deletions(-) diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php index 1f9d95f6f..016c77d99 100644 --- a/lib/Controller/ApiController.php +++ b/lib/Controller/ApiController.php @@ -22,6 +22,7 @@ use OCA\Forms\Db\SubmissionMapper; use OCA\Forms\Db\UploadedFile; use OCA\Forms\Db\UploadedFileMapper; +use OCA\Forms\Exception\NoSuchFormException; use OCA\Forms\ResponseDefinitions; use OCA\Forms\Service\ConfigService; use OCA\Forms\Service\FormsService; @@ -1155,8 +1156,14 @@ public function reorderOptions(int $formId, int $questionId, array $newOrder) { #[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions')] public function getSubmissions(int $formId, ?string $query = null, ?int $limit = null, int $offset = 0, ?string $fileFormat = null): DataResponse|DataDownloadResponse { $form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS); + $permissions = $this->formsService->getPermissions($form); + $canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true); if ($fileFormat !== null) { + if (!$canSeeAllSubmissions) { + throw new NoSuchFormException('The current user has no permission to get the results for this form', Http::STATUS_FORBIDDEN); + } + $submissionsData = $this->submissionService->getSubmissionsData($form, $fileFormat); $fileName = $this->formsService->getFileName($form, $fileFormat); @@ -1164,7 +1171,7 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit = } // Load submissions and currently active questions - if (in_array(Constants::PERMISSION_RESULTS, $this->formsService->getPermissions($form))) { + if ($canSeeAllSubmissions) { $submissions = $this->submissionService->getSubmissions($formId, null, $query, $limit, $offset); $filteredSubmissionsCount = $this->submissionMapper->countSubmissions($formId, null, $query); } else { diff --git a/lib/Service/FormsService.php b/lib/Service/FormsService.php index 9a4c2d546..48e5ae49a 100644 --- a/lib/Service/FormsService.php +++ b/lib/Service/FormsService.php @@ -212,8 +212,6 @@ public function getForm(Form $form): array { $userSubmissionCount = $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID()); if ($userSubmissionCount > 0) { $result['submissionCount'] = $userSubmissionCount; - // Append `results` permission if user has submitted to the form - $result['permissions'][] = Constants::PERMISSION_RESULTS; } } diff --git a/src/Forms.vue b/src/Forms.vue index cc3dec6bd..5739f2e47 100644 --- a/src/Forms.vue +++ b/src/Forms.vue @@ -272,8 +272,15 @@ export default { return false } + if (this.$route.name === 'results') { + return ( + form.permissions.includes(this.$route.name) + || form.submissionCount > 0 + ) + } + // Return whether route is in the permissions-list - return form?.permissions.includes(this.$route.name) + return form.permissions.includes(this.$route.name) }, selectedForm: { diff --git a/src/views/Results.vue b/src/views/Results.vue index a01464b8f..1ac1c530a 100644 --- a/src/views/Results.vue +++ b/src/views/Results.vue @@ -50,6 +50,7 @@ willThrowException(new NoSuchFormException('Could not find form')); $this->expectException(NoSuchFormException::class); - $this->apiController->getSubmissions(99, 'csv'); + $this->apiController->getSubmissions(99, fileFormat: 'csv'); } public function testExportSubmissions_noPermissions() { @@ -318,7 +318,27 @@ public function testExportSubmissions_noPermissions() { ->willThrowException(new NoSuchFormException('The current user has no permission to get the results for this form')); $this->expectException(NoSuchFormException::class); - $this->apiController->getSubmissions(1, 'csv'); + $this->apiController->getSubmissions(1, fileFormat: 'csv'); + } + + public function testExportSubmissions_noExportPermissions() { + $form = new Form(); + $form->setId(1); + $form->setOwnerId('currentUser'); + + $this->formsService->expects($this->once()) + ->method('getFormIfAllowed') + ->with(1, Constants::PERMISSION_RESULTS) + ->willReturn($form); + + $this->formsService->expects($this->once()) + ->method('getPermissions') + ->with($form) + ->willReturn([Constants::PERMISSION_SUBMIT]); + + + $this->expectException(NoSuchFormException::class); + $this->apiController->getSubmissions(1, fileFormat: 'csv'); } public function testExportSubmissions() { @@ -331,6 +351,11 @@ public function testExportSubmissions() { ->with(1, Constants::PERMISSION_RESULTS) ->willReturn($form); + $this->formsService->expects($this->once()) + ->method('getPermissions') + ->with($form) + ->willReturn([Constants::PERMISSION_SUBMIT, Constants::PERMISSION_RESULTS]); + $csv = 'foo,bar'; $this->submissionService->expects($this->once()) ->method('getSubmissionsData')