Merge pull request #7541 from LibreSign/backport/7538/stable32

[stable32] fix: restore FolderService userId in throwIfFileNotFound finally block

Author: vitormattos

lib/Db/FileMapper.php

@@ -150,9 +150,8 @@ public function getByUuid(string $uuid): File {
 	public function getStorageUserIdByUuid(string $uuid): ?string {
 		$qb = $this->db->getQueryBuilder();
 
-		$qb->select('f.user_id', 'id.user_id AS id_docs_user_id', 'id.id AS id_docs_id')
+		$qb->select('f.user_id')
 			->from($this->getTableName(), 'f')
-			->leftJoin('f', 'libresign_id_docs', 'id', $qb->expr()->eq('f.id', 'id.file_id'))
 			->where($qb->expr()->eq('f.uuid', $qb->createNamedParameter($uuid)));
 
 		$result = $qb->executeQuery();
@@ -163,10 +162,6 @@ public function getStorageUserIdByUuid(string $uuid): ?string {
 			throw new DoesNotExistException('File not found');
 		}
 
-		if ($row['id_docs_id'] !== null && $row['id_docs_user_id'] !== null) {
-			return $row['id_docs_user_id'];
-		}
-
 		return $row['user_id'];
 	}
 

lib/ResponseDefinitions.php

@@ -33,6 +33,7 @@
  *
  * @psalm-type LibresignFolderSettings = array{
  *     folderName?: string,
+ *     path?: string,
  *     separator?: string,
  *     folderPatterns?: array{
  *         name: string,

lib/Service/IdentifyMethod/AbstractIdentifyMethod.php

@@ -10,6 +10,7 @@
 
 use DateTime;
 use InvalidArgumentException;
+use OC\AppFramework\Http as AppFrameworkHttp;
 use OCA\Libresign\AppInfo\Application;
 use OCA\Libresign\Db\IdentifyMethod;
 use OCA\Libresign\Enum\FileStatus;
@@ -189,19 +190,27 @@ protected function throwIfFileNotFound(): void {
 		}
 
 		foreach ($filesToCheck as $fileInfo) {
+			if (!is_int($fileInfo['nodeId'])) {
+				throw new LibresignException(json_encode([
+					'action' => JSActions::ACTION_DO_NOTHING,
+					'errors' => [['message' => $this->identifyService->getL10n()->t('File not found')]],
+				]), AppFrameworkHttp::STATUS_NOT_FOUND);
+			}
+
 			$storageUserId = $this->identifyService->getFileMapper()
 				->getStorageUserIdByUuid($fileInfo['uuid']);
 			$folderService = $this->identifyService->getFolderService();
 			$previousUserId = $folderService->getUserId();
 			$folderService->setUserId($storageUserId);
 			try {
 				$folderService->getFileByNodeId($fileInfo['nodeId']);
-				$folderService->setUserId($previousUserId);
 			} catch (NotFoundException) {
 				throw new LibresignException(json_encode([
 					'action' => JSActions::ACTION_DO_NOTHING,
 					'errors' => [['message' => $this->identifyService->getL10n()->t('File not found')]],
-				]));
+				]), AppFrameworkHttp::STATUS_NOT_FOUND);
+			} finally {
+				$folderService->setUserId($previousUserId);
 			}
 		}
 	}

openapi-full.json

@@ -1399,6 +1399,9 @@
                     "folderName": {
                         "type": "string"
                     },
+                    "path": {
+                        "type": "string"
+                    },
                     "separator": {
                         "type": "string"
                     },

openapi.json

@@ -1000,6 +1000,9 @@
                     "folderName": {
                         "type": "string"
                     },
+                    "path": {
+                        "type": "string"
+                    },
                     "separator": {
                         "type": "string"
                     },

src/types/openapi/openapi-full.ts

@@ -1906,6 +1906,7 @@ export type components = {
         };
         FolderSettings: {
             folderName?: string;
+            path?: string;
             separator?: string;
             folderPatterns?: {
                 name: string;

src/types/openapi/openapi.ts

@@ -1320,6 +1320,7 @@ export type components = {
         };
         FolderSettings: {
             folderName?: string;
+            path?: string;
             separator?: string;
             folderPatterns?: {
                 name: string;

tests/integration/features/bootstrap/FeatureContext.php

@@ -187,6 +187,14 @@ public function userGetsWebDavPropertiesFor(string $user, string $path): void {
 		$this->davRequest($user, 'PROPFIND', $path, $body, ['Depth' => '0']);
 	}
 
+	#[Given('user :user sends WebDAV :method to :path')]
+	public function userSendsWebDavRequest(string $user, string $method, string $path): void {
+		$this->setCurrentUser($user);
+		$normalizedMethod = strtoupper(trim($method));
+		Assert::assertContains($normalizedMethod, ['DELETE', 'PUT', 'PROPFIND', 'GET', 'HEAD', 'MOVE', 'COPY', 'MKCOL'], 'Unsupported WebDAV method');
+		$this->davRequest($user, $normalizedMethod, $path);
+	}
+
 	#[Given('the WebDAV response should contain property :property with value :value')]
 	public function theWebDavResponseShouldContainPropertyWithValue(string $property, string $value): void {
 		$result = $this->parseXml()->xpath("//nc:$property");

tests/integration/features/page/validate.feature

@@ -44,3 +44,54 @@ Feature: page/validate
       | /apps/libresign/p/validation                                    |
       | /apps/libresign/pdf/fakeuuid-6037-47be-9d9e-3d90b9d0a3ea        |
       | /apps/libresign/p/pdf/fakeuuid-6037-47be-9d9e-3d90b9d0a3ea      |
+
+  Scenario: Authenticated signer can fetch PDF using sign request UUID
+    Given user "validate-signer" exists
+    And as user "admin"
+    And sending "post" to ocs "/apps/libresign/api/v1/request-signature"
+      | file    | {"base64":"data:application/pdf;base64,JVBERi0xLjYKJcOkw7zDtsOfCjIgMCBvYmoKPDwvTGVuZ3RoIDMgMCBSL0ZpbHRlci9GbGF0ZURlY29kZT4+CnN0cmVhbQp4nDPQM1Qo5ypUMFAw0DMwslAwtTTVMzIxV7AwMdSzMDNUKErlCtdSyOMyVADBonQuA4iUhaVCLheKYqBIDlw7xLAcuLEgFlwVVwZXmhZXoAIAI+sZGAplbmRzdHJlYW0KZW5kb2JqCgozIDAgb2JqCjg2CmVuZG9iagoKNSAwIG9iago8PAo+PgplbmRvYmoKCjYgMCBvYmoKPDwvRm9udCA1IDAgUgovUHJvY1NldFsvUERGL1RleHRdCj4+CmVuZG9iagoKMSAwIG9iago8PC9UeXBlL1BhZ2UvUGFyZW50IDQgMCBSL1Jlc291cmNlcyA2IDAgUi9NZWRpYUJveFswIDAgNTk1LjI3NTU5MDU1MTE4MSA4NDEuODg5NzYzNzc5NTI4XS9Hcm91cDw8L1MvVHJhbnNwYXJlbmN5L0NTL0RldmljZVJHQi9JIHRydWU+Pi9Db250ZW50cyAyIDAgUj4+CmVuZG9iagoKNCAwIG9iago8PC9UeXBlL1BhZ2VzCi9SZXNvdXJjZXMgNiAwIFIKL01lZGlhQm94WyAwIDAgNTk1IDg0MSBdCi9LaWRzWyAxIDAgUiBdCi9Db3VudCAxPj4KZW5kb2JqCgo3IDAgb2JqCjw8L1R5cGUvQ2F0YWxvZy9QYWdlcyA0IDAgUgovT3BlbkFjdGlvblsxIDAgUiAvWFlaIG51bGwgbnVsbCAwXQo+PgplbmRvYmoKCjggMCBvYmoKPDwvQ3JlYXRvcjxGRUZGMDA0NDAwNzIwMDYxMDA3Nz4KL1Byb2R1Y2VyPEZFRkYwMDRDMDA2OTAwNjIwMDcyMDA2NTAwNEYwMDY2MDA2NjAwNjkwMDYzMDA2NTAwMjAwMDM3MDAyRTAwMzA+Ci9DcmVhdGlvbkRhdGUoRDoyMDIxMDIyMzExMDgwOS0wMycwMCcpPj4KZW5kb2JqCgp4cmVmCjAgOQowMDAwMDAwMDAwIDY1NTM1IGYgCjAwMDAwMDAyNzAgMDAwMDAgbiAKMDAwMDAwMDAxOSAwMDAwMCBuIAowMDAwMDAwMTc2IDAwMDAwIG4gCjAwMDAwMDA0MzggMDAwMDAgbiAKMDAwMDAwMDE5NSAwMDAwMCBuIAowMDAwMDAwMjE3IDAwMDAwIG4gCjAwMDAwMDA1MzYgMDAwMDAgbiAKMDAwMDAwMDYxOSAwMDAwMCBuIAp0cmFpbGVyCjw8L1NpemUgOS9Sb290IDcgMCBSCi9JbmZvIDggMCBSCi9JRCBbIDw1RkQ4MDlEMTdFODMwQUU5OTRDODkxNDVBMTMwNUQyQz4KPDVGRDgwOUQxN0U4MzBBRTk5NEM4OTE0NUExMzA1RDJDPiBdCi9Eb2NDaGVja3N1bSAvRDZBQThGQTBBQjMwODg2QkQ5ODU0QzYyMTg5QjI2NDQKPj4Kc3RhcnR4cmVmCjc4NQolJUVPRgo="} |
+      | signers | [{"identifyMethods":[{"method":"account","value":"validate-signer"}]}] |
+      | name    | signer-pdf                                                       |
+    And the response should have a status code 200
+    And as user "validate-signer"
+    And sending "get" to ocs "/apps/libresign/api/v1/file/list?details=1"
+    And fetch field "(SIGN_REQUEST_UUID)ocs.data.data.0.signers.0.sign_request_uuid" from previous JSON response
+    When sending "get" to "/apps/libresign/pdf/<SIGN_REQUEST_UUID>"
+    Then the response should have a status code 200
+
+  Scenario: Missing sign request UUID returns controlled File not found response
+    Given user "validate-signer-2" exists
+    And as user "validate-signer-2"
+    And sending "get" to "/apps/libresign/pdf/fakeuuid-6037-47be-9d9e-3d90b9d0a3ea"
+    Then the response should have a status code 404
+    And the response should be a JSON array with the following mandatory values
+      | key    | value                        |
+      | action | 2000                         |
+      | errors | [{"message":"Invalid UUID"}] |
+
+  Scenario: Unauthenticated email signer can fetch PDF and gets controlled error after source deletion
+    Given as user "admin"
+    And sending "post" to ocs "/apps/provisioning_api/api/v1/config/apps/libresign/identify_methods"
+      | value | (string)[{"name":"email","enabled":true,"mandatory":true,"signatureMethods":{"clickToSign":{"enabled":true}},"can_create_account":false}] |
+    And my inbox is empty
+    When sending "post" to ocs "/apps/libresign/api/v1/request-signature"
+      | file    | {"url":"<BASE_URL>/apps/libresign/develop/pdf"} |
+      | signers | [{"displayName":"External Signer","identifyMethods":[{"method":"email","value":"external@domain.test"}]}] |
+      | name    | external-email-pdf |
+      | settings | {"folderName":"rm-target-folder"} |
+    Then the response should have a status code 200
+    And I open the latest email to "external@domain.test" with subject "LibreSign: There is a file for you to sign"
+    And I fetch the signer UUID from opened email
+    And as user ""
+    When sending "get" to "/apps/libresign/pdf/<SIGN_REQUEST_UUID>"
+    Then the response should have a status code 200
+    And as user "admin"
+    And user "admin" sends WebDAV "DELETE" to "LibreSign/rm-target-folder/external-email-pdf.pdf"
+    And the response should have a status code 204
+    And as user ""
+    When sending "get" to "/apps/libresign/pdf/<SIGN_REQUEST_UUID>"
+    Then the response should have a status code 404
+    And the response should be a JSON array with the following mandatory values
+      | key    | value                          |
+      | action | 2000                           |
+      | errors | [{"message":"File not found"}] |

tests/php/Unit/Db/FileMapperTest.php

@@ -0,0 +1,72 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Libresign\Tests\Unit\Db;
+
+use OCA\Libresign\Db\File;
+use OCA\Libresign\Db\FileMapper;
+use OCA\Libresign\Db\IdDocsMapper;
+use OCA\Libresign\Enum\FileStatus;
+use OCP\Server;
+
+/**
+ * @group DB
+ */
+final class FileMapperTest extends \OCA\Libresign\Tests\Unit\TestCase {
+	private FileMapper $fileMapper;
+	private IdDocsMapper $idDocsMapper;
+
+	public function setUp(): void {
+		parent::setUp();
+		$this->fileMapper = Server::get(FileMapper::class);
+		$this->idDocsMapper = Server::get(IdDocsMapper::class);
+	}
+
+	public function testGetStorageUserIdByUuidReturnsFileOwnerWhenNoIdDocsExists(): void {
+		$file = $this->createFileEntity(
+			uuid: 'a1111111-1111-4111-8111-111111111111',
+			nodeId: 10101,
+			userId: 'owner-user'
+		);
+
+		$inserted = $this->fileMapper->insert($file);
+
+		$storageUserId = $this->fileMapper->getStorageUserIdByUuid($inserted->getUuid());
+		$this->assertSame('owner-user', $storageUserId);
+	}
+
+	public function testGetStorageUserIdByUuidPrefersFileOwnerWhenIdDocsExists(): void {
+		$file = $this->createFileEntity(
+			uuid: 'b2222222-2222-4222-8222-222222222222',
+			nodeId: 20202,
+			userId: 'owner-user'
+		);
+
+		$inserted = $this->fileMapper->insert($file);
+		$this->idDocsMapper->save(
+			$inserted->getId(),
+			null,
+			'external-signer',
+			'proofOfIdentity'
+		);
+
+		$storageUserId = $this->fileMapper->getStorageUserIdByUuid($inserted->getUuid());
+		$this->assertSame('owner-user', $storageUserId);
+	}
+
+	private function createFileEntity(string $uuid, int $nodeId, ?string $userId): File {
+		$file = new File();
+		$file->setNodeId($nodeId);
+		$file->setUserId($userId);
+		$file->setUuid($uuid);
+		$file->setCreatedAt(new \DateTime('now', new \DateTimeZone('UTC')));
+		$file->setName('storage-user-resolution.pdf');
+		$file->setStatus(FileStatus::DRAFT->value);
+		return $file;
+	}
+}