From 02269db2e3dd01c9c857ba9902486faaaae210ec Mon Sep 17 00:00:00 2001
From: Peter Ringelmann
Date: Thu, 21 May 2026 14:50:11 +0200
Subject: [PATCH] fix(api): re-check result permission in submission export

fix(api): re-check result permission in submission export
Signed-off-by: Peter Ringelmann
[skip ci]
---
 tests/Unit/Controller/ApiControllerTest.php | 22 +++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tests/Unit/Controller/ApiControllerTest.php b/tests/Unit/Controller/ApiControllerTest.php
index 96640d101..6b67a7dd7 100644
--- a/tests/Unit/Controller/ApiControllerTest.php
+++ b/tests/Unit/Controller/ApiControllerTest.php
@@ -369,6 +369,28 @@ public function testExportSubmissionsToCloud_invalidForm() {
 $this->apiController->exportSubmissionsToCloud(1, '');
 }

+ public function testExportSubmissionsToCloud_noExportPermissions() {
+ $form = new Form();
+ $form->setId(1);
+ $form->setOwnerId('someoneElse');
+
+ $this->formsService->expects($this->once())
+ ->method('getFormIfAllowed')
+ ->with(1, Constants::PERMISSION_RESULTS)
+ ->willReturn($form);
+
+ $this->formsService->expects($this->once())
+ ->method('getPermissions')
+ ->with($form)
+ ->willReturn([Constants::PERMISSION_SUBMIT]);
+
+ $this->submissionService->expects($this->never())
+ ->method('writeFileToCloud');
+
+ $this->expectException(OCSForbiddenException::class);
+ $this->apiController->exportSubmissionsToCloud(1, '/', 'csv');
+ }
+
 public function testCreateNewForm_notAllowed() {
 $this->configService->expects($this->once())
 ->method('canCreateForms')
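Review bot: The setup in `testExportSubmissionsToCloud_noExportPermissions` looks contradictory on first read: `getFormIfAllowed(1, Constants::PERMISSION_RESULTS)` returns the form while `getPermissions` yields only `PERMISSION_SUBMIT`, and nothing says that this disagreement is the point of the test. A one-line comment above the first mock would make the intent explicit, e.g. `// getFormIfAllowed() lets the request through, but the effective permissions lack PERMISSION_RESULTS; the export must re-check and refuse.` The name says "noExportPermissions" although the permission being exercised is the results permission, so `_noResultsPermission` would describe it better. The controller change this test guards is not part of this patch (only the test file is touched) and the message carries `[skip ci]`, so it is worth confirming the test actually ran against the fixed controller; a second case with an empty permission list would also pin the deny-by-default behaviour.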