IBX-11053: Describe restricting access to form submissions (#3171)

dabrt · mnocon · dabrt · commit 49c200c05c2b · 2026-05-06T13:23:18.000+02:00
* IBX-11053: Describe restricting access to form submissions --------- Co-Authored-By: dabrt <dabrt@users.noreply.github.com> Co-Authored-By: Marek Nocoń <mnocon@users.noreply.github.com>
diff --git a/code_samples/back_office/limitation/config/append_to_services.yaml b/code_samples/back_office/limitation/config/append_to_services.yaml
@@ -10,3 +10,18 @@ services:
     App\Security\Limitation\Mapper\CustomLimitationValueMapper:
         tags:
             - { name: 'ibexa.admin_ui.limitation.mapper.value', limitationType: 'CustomLimitation' }
+
+    App\Security\FormPolicyProvider:
+        tags:
+            - { name: ibexa.permissions.limitation_type }
+
+    App\Security\FormSubmissionsTabDecorator:
+        parent: Ibexa\FormBuilder\Tab\LocationView\SubmissionsTab
+        decorates: 'Ibexa\FormBuilder\Tab\LocationView\SubmissionsTab'
+        arguments:
+            $innerTab: '@.inner'
+
+    App\Security\FormSubmissionServiceDecorator:
+        decorates: Ibexa\FormBuilder\FormSubmission\FormSubmissionService
+        arguments:
+            $innerService: '@App\Security\FormSubmissionServiceDecorator.inner'
diff --git a/code_samples/back_office/limitation/src/Kernel.php b/code_samples/back_office/limitation/src/Kernel.php
@@ -4,6 +4,7 @@
 
 namespace App;
 
+use App\Security\FormPolicyProvider;
 use App\Security\MyPolicyProvider;
 use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
@@ -18,7 +19,9 @@ protected function build(ContainerBuilder $container): void
         // Retrieve "ibexa" container extension
         /** @var \Ibexa\Bundle\Core\DependencyInjection\IbexaCoreExtension $ibexaExtension */
         $ibexaExtension = $container->getExtension('ibexa');
-        // Add the policy provider
+
+        // Add the policy provider, you can register multiple providers by calling the method repeatedly
+        $ibexaExtension->addPolicyProvider(new FormPolicyProvider());
         $ibexaExtension->addPolicyProvider(new MyPolicyProvider());
     }
 }
diff --git a/code_samples/back_office/limitation/src/Resources/config/policies.yaml b/code_samples/back_office/limitation/src/Resources/config/policies.yaml
@@ -1,4 +1,5 @@
-# src/Resources/config/policies.yaml
 custom_module:
     custom_function_1: ~
     custom_function_2: [CustomLimitation]
+form:
+    read_submissions: ~
diff --git a/code_samples/back_office/limitation/src/Security/Form/FormSubmissionServiceDecorator.php b/code_samples/back_office/limitation/src/Security/Form/FormSubmissionServiceDecorator.php
@@ -0,0 +1,105 @@
+<?php declare(strict_types=1);
+
+namespace App\Security;
+
+use Ibexa\Contracts\Core\Repository\ContentService;
+use Ibexa\Contracts\Core\Repository\PermissionResolver;
+use Ibexa\Contracts\Core\Repository\Values\Content\ContentInfo;
+use Ibexa\Contracts\FormBuilder\FieldType\Model\Form;
+use Ibexa\Contracts\FormBuilder\FieldType\Model\FormSubmission;
+use Ibexa\Contracts\FormBuilder\FieldType\Model\FormSubmissionList;
+use Ibexa\Contracts\FormBuilder\FormSubmission\FormSubmissionServiceInterface;
+use Ibexa\Core\Base\Exceptions\NotFoundException;
+use Ibexa\Core\Base\Exceptions\UnauthorizedException;
+use Ibexa\FormBuilder\FormSubmission\Gateway\FormSubmissionGateway;
+
+class FormSubmissionServiceDecorator implements FormSubmissionServiceInterface
+{
+    public FormSubmissionServiceInterface $innerService;
+    public PermissionResolver $permissionResolver;
+    public ContentService $contentService;
+    public FormSubmissionGateway $gateway;
+    public function __construct(FormSubmissionServiceInterface $innerService, PermissionResolver $permissionResolver, ContentService $contentService, FormSubmissionGateway $gateway)
+    {
+        $this->innerService = $innerService;
+        $this->permissionResolver = $permissionResolver;
+        $this->contentService = $contentService;
+        $this->gateway = $gateway;
+    }
+
+    public function create(ContentInfo $content, string $languageCode, Form $form, array $data): FormSubmission
+    {
+        return $this->innerService->create($content, $languageCode, $form, $data);
+    }
+
+    public function loadById(int $id): FormSubmission
+    {
+        $submissions = $this->gateway->loadById($id); // First manual data fetch
+
+        if (empty($submissions)) {
+            throw new NotFoundException('FormSubmission', $id);
+        }
+
+        $content = $this->contentService->loadContent($submissions[0]['content_id']);
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]); // Permission check
+        }
+
+        return $this->innerService->loadById($id); // Second data fetch through inner service
+    }
+
+    // The same permission check pattern is repeated in the methods below
+
+    public function delete(FormSubmission $submission): void
+    {
+        $submissionId = $submission->getId();
+        $submissions = $this->gateway->loadById($submissionId);
+
+        if (empty($submissions)) {
+            throw new NotFoundException('FormSubmission', $submissionId);
+        }
+
+        $content = $this->contentService->loadContent($submissions[0]['content_id']);
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]);
+        }
+
+        $this->innerService->delete($submission);
+    }
+
+    public function loadByContent(ContentInfo $content, ?string $languageCode = null, int $offset = 0, int $limit = 25): FormSubmissionList
+    {
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]);
+        }
+
+        return $this->innerService->loadByContent($content, $languageCode, $offset, $limit);
+    }
+
+    public function loadAllByContentForExport(ContentInfo $content, ?string $languageCode = null): array
+    {
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]);
+        }
+
+        return $this->innerService->loadAllByContentForExport($content, $languageCode);
+    }
+
+    public function loadHeaders(ContentInfo $content, ?string $languageCode = null): array
+    {
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]);
+        }
+
+        return $this->innerService->loadHeaders($content, $languageCode);
+    }
+
+    public function getCount(ContentInfo $content, ?string $languageCode = null): int
+    {
+        if (!$this->permissionResolver->canUser('form', 'read_submissions', $content)) {
+            throw new UnauthorizedException('form', 'read_submissions', ['contentId' => $content->getId()]);
+        }
+
+        return $this->innerService->getCount($content, $languageCode);
+    }
+}
diff --git a/code_samples/back_office/limitation/src/Security/Form/FormSubmissionsTabDecorator.php b/code_samples/back_office/limitation/src/Security/Form/FormSubmissionsTabDecorator.php
@@ -0,0 +1,73 @@
+<?php declare(strict_types=1);
+
+namespace App\Security;
+
+use Ibexa\Contracts\AdminUi\Tab\ConditionalTabInterface;
+use Ibexa\Contracts\AdminUi\Tab\OrderedTabInterface;
+use Ibexa\Contracts\AdminUi\Tab\TabInterface;
+use Ibexa\Contracts\Core\Repository\ContentTypeService;
+use Ibexa\Contracts\Core\Repository\LanguageService;
+use Ibexa\Contracts\Core\Repository\PermissionResolver;
+use Ibexa\Contracts\Core\SiteAccess\ConfigResolverInterface;
+use Ibexa\Contracts\FormBuilder\FormSubmission\FormSubmissionServiceInterface;
+use Ibexa\FormBuilder\FieldType\FormFactory;
+use Ibexa\FormBuilder\FieldType\Type;
+use Ibexa\FormBuilder\Tab\LocationView\SubmissionsTab;
+use Symfony\Contracts\Translation\TranslatorInterface;
+use Twig\Environment;
+
+class FormSubmissionsTabDecorator extends SubmissionsTab implements TabInterface, OrderedTabInterface, ConditionalTabInterface
+{
+    private SubmissionsTab $innerTab;
+    private PermissionResolver $permissionResolver;
+    public function __construct(
+        Environment $twig,
+        TranslatorInterface $translator,
+        FormSubmissionServiceInterface $formSubmissionService,
+        FormFactory $formFactory,
+        ContentTypeService $contentTypeService,
+        LanguageService $languageService,
+        Type $formBuilderType,
+        ConfigResolverInterface $configResolver,
+        SubmissionsTab $innerTab,
+        PermissionResolver $permissionResolver
+    ) {
+        parent::__construct($twig, $translator, $formSubmissionService, $formFactory, $contentTypeService, $languageService, $formBuilderType, $configResolver);
+        $this->innerTab = $innerTab;
+        $this->permissionResolver = $permissionResolver;
+    }
+
+    #[\Override]
+    public function getIdentifier(): string
+    {
+        return $this->innerTab->getIdentifier();
+    }
+
+    #[\Override]
+    public function getName(): string
+    {
+        return $this->innerTab->getName();
+    }
+
+    #[\Override]
+    public function renderView(array $parameters): string
+    {
+        return $this->innerTab->renderView($parameters);
+    }
+
+    #[\Override]
+    public function evaluate(array $parameters): bool
+    {
+        /** @var \Ibexa\Contracts\Core\Repository\Values\Content\Content $content */
+        $content = $parameters['content'];
+
+        return $this->innerTab->evaluate($parameters) &&
+            $this->permissionResolver->canUser('form', 'read_submissions', $content);
+    }
+
+    #[\Override]
+    public function getOrder(): int
+    {
+        return  $this->innerTab->getOrder();
+    }
+}
diff --git a/code_samples/back_office/limitation/src/Security/FormPolicyProvider.php b/code_samples/back_office/limitation/src/Security/FormPolicyProvider.php
@@ -0,0 +1,29 @@
+<?php declare(strict_types=1);
+
+namespace App\Security;
+
+use Ibexa\Bundle\Core\DependencyInjection\Configuration\ConfigBuilderInterface;
+use Ibexa\Bundle\Core\DependencyInjection\Security\PolicyProvider\PolicyProviderInterface;
+use JMS\TranslationBundle\Model\Message;
+use JMS\TranslationBundle\Translation\TranslationContainerInterface;
+
+class FormPolicyProvider implements PolicyProviderInterface, TranslationContainerInterface
+{
+    public function addPolicies(ConfigBuilderInterface $configBuilder): void
+    {
+        $configBuilder->addConfig([
+            'form' => [
+                'read_submissions' => null,
+            ],
+        ]);
+    }
+
+    public static function getTranslationMessages(): array
+    {
+        return [
+            (new Message('role.policy.form', 'forms'))->setDesc('Forms'),
+            (new Message('role.policy.form.all_functions', 'forms'))->setDesc('Forms / All functions'),
+            (new Message('role.policy.form.read_submissions', 'forms'))->setDesc('Forms / Read submissions'),
+        ];
+    }
+}
diff --git a/code_samples/back_office/limitation/translations/forms.en.yaml b/code_samples/back_office/limitation/translations/forms.en.yaml
@@ -2,3 +2,6 @@ role.policy.custom_module: 'Custom module'
 role.policy.custom_module.all_functions: 'Custom module / All functions'
 role.policy.custom_module.custom_function_1: 'Custom module / Function #1'
 role.policy.custom_module.custom_function_2: 'Custom module / Function #2'
+role.policy.form: 'Forms'
+role.policy.form.all_functions: 'Forms / All functions'
+role.policy.form.read_submissions: 'Forms / Read submissions'
diff --git a/docs/content_management/forms/form_api.md b/docs/content_management/forms/form_api.md
@@ -9,6 +9,12 @@ edition: experience
 
 To manage form submissions created in the [Form Builder](form_builder_guide.md), use `FormSubmissionServiceInterface`.
 
+!!! tip "Restricting access to form submissions"
+
+    By default, back office users with access to the form content item can access the form submissions.
+    
+    If your form submissions require stricter access control than the form itself, you can introduce a [dedicated policy that manages access to submission data](custom_policies.md#restrict-access-to-form-submissions).
+
 ### Getting form submissions
 
 To get existing form submissions, use `FormSubmissionServiceInterface::loadByContent()` (which takes a `ContentInfo` object as parameter), or `FormSubmissionServiceInterface::loadById()`.
diff --git a/docs/content_management/forms/form_builder_guide.md b/docs/content_management/forms/form_builder_guide.md
@@ -122,6 +122,12 @@ Here you can view the details of each submission or delete any of them.
 
 The **Download submissions** button enables you to download all the submissions in a .CSV (comma-separated value) file.
 
+!!! tip "Restricting access to form submissions"
+
+    By default, back office users with access to the form content item can access the form submissions.
+    
+    If your form submissions require stricter access control than the form itself, you can introduce a [dedicated policy that manages access to submission data](custom_policies.md#restrict-access-to-form-submissions).
+
 ## Benefits
 
 ### General overview
diff --git a/docs/permissions/custom_policies.md b/docs/permissions/custom_policies.md
