From ee3c13687d8c0211cceba6901afdf8657b8c9f27 Mon Sep 17 00:00:00 2001
From: Christian Hartmann <chris-hartmann@gmx.de>
Date: Sat, 4 Apr 2026 15:10:42 +0200
Subject: [PATCH] fix(api): enforce submission visibility based on user
 permissions

fix(submit): adjust conditional rendering for submission state

Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>
---
 lib/Controller/ApiController.php            |  6 ++++++
 src/views/Submit.vue                        | 10 +++++++++-
 tests/Unit/Controller/ApiControllerTest.php | 15 +++++++++++++++
 3 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index 7a2a1d012..8a5797564 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -1259,6 +1259,8 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit =
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
 	public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 
 		$submission = $this->submissionService->getSubmission($submissionId);
 		if ($submission === null) {
@@ -1269,6 +1271,10 @@ public function getSubmission(int $formId, int $submissionId): DataResponse|Data
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID()) {
+			throw new OCSForbiddenException('User is not allowed to see submission');
+		}
+
 		// Append Display Names
 		if (substr($submission['userId'], 0, 10) === 'anon-user-') {
 			// Anonymous User
diff --git a/src/views/Submit.vue b/src/views/Submit.vue
index bcc30bcc9..4f800ece2 100644
--- a/src/views/Submit.vue
+++ b/src/views/Submit.vue
@@ -57,7 +57,7 @@
 				</template>
 			</NcEmptyContent>
 			<NcEmptyContent
-				v-else-if="success || !form.canSubmit"
+				v-else-if="success || (!form.canSubmit && !submissionId)"
 				class="forms-emptycontent"
 				:name="
 					form.submissionMessage
@@ -657,6 +657,14 @@ export default {
 								`option ${text} could not be mapped to an option for question ${questionId}`,
 							)
 						}
+					} else if (question.type === 'file') {
+						// File answers cannot be restored when editing a submission —
+						// the uploaded file has already been moved to permanent storage
+						// and the temporary uploadedFileId no longer exists.
+						// The user must re-upload files if needed.
+						logger.debug(
+							`Skipping file answer for question ${questionId} — cannot restore uploaded files`,
+						)
 					} else {
 						answers[questionId].push(text)
 					}
diff --git a/tests/Unit/Controller/ApiControllerTest.php b/tests/Unit/Controller/ApiControllerTest.php
index c7ad3fdbb..ca63507ce 100644
--- a/tests/Unit/Controller/ApiControllerTest.php
+++ b/tests/Unit/Controller/ApiControllerTest.php
@@ -1057,6 +1057,11 @@ public function testGetSubmission_success() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)
@@ -1120,6 +1125,11 @@ public function testGetSubmission_anonymousUser() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)
@@ -1153,6 +1163,11 @@ public function testGetSubmission_userNotFound() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)