feat: add submission editing

Signed-off-by: Timotheus Pokorra <timotheus.pokorra@solidcharity.com>

Author: tpokorra

docs/API_v3.md

@@ -822,6 +822,43 @@ Upload a file to an answer before form submission
 "data": {"uploadedFileId": integer, "fileName": "string"}
 ```
 
+### Get a specific submission
+
+Get all Submissions to a Form
+
+- Endpoint: `/api/v3/forms/{formId}/submissions/{submissionId}`
+- Method: `GET`
+- Url-Parameters:
+  | Parameter | Type | Description |
+  |-----------|---------|-------------|
+  | _formId_ | Integer | ID of the form to get the submissions for |
+  | _submissionId_ | Integer | ID of the submission to get |
+- Response: The submission
+
+```
+"data": {
+  "id": 6,
+  "formId": 3,
+  "userId": "jonas",
+  "timestamp": 1611274453,
+  "answers": [
+    {
+      "id": 8,
+      "submissionId": 6,
+      "questionId": 1,
+      "text": "Option 3"
+    },
+    {
+      "id": 9,
+      "submissionId": 6,
+      "questionId": 2,
+      "text": "One more."
+    },
+  ],
+  "userDisplayName": "jonas"
+}
+```
+
 ### Insert a Submission
 
 Store Submission to Database

docs/DataStructure.md

@@ -27,6 +27,7 @@ This document describes the Object-Structure, that is used within the Forms App
 | isAnonymous       | Boolean                              |                                         | If Answers will be stored anonymously                                                                                            |
 | state             | Integer                              | [Form state](#form-state)               | The state of the form                                                                                                            |
 | submitMultiple    | Boolean                              |                                         | If users are allowed to submit multiple times to the form                                                                        |
+| allowEditSubmissions         | Boolean                              |                                         | If users are allowed to edit or delete their response                                                                            |
 | showExpiration    | Boolean                              |                                         | If the expiration date will be shown on the form                                                                                 |
 | canSubmit         | Boolean                              |                                         | If the user can Submit to the form, i.e. calculated information out of `submitMultiple` and existing submissions.                |
 | permissions       | Array of [Permissions](#permissions) | Array of permissions regarding the form |
@@ -46,6 +47,7 @@ This document describes the Object-Structure, that is used within the Forms App
   "expires": 0,
   "isAnonymous": false,
   "submitMultiple": true,
+  "allowEditSubmissions": false,
   "showExpiration": false,
   "canSubmit": true,
   "permissions": [

lib/Controller/ApiController.php

@@ -62,6 +62,7 @@
  * @psalm-import-type FormsPartialForm from ResponseDefinitions
  * @psalm-import-type FormsQuestion from ResponseDefinitions
  * @psalm-import-type FormsQuestionType from ResponseDefinitions
+ * @psalm-import-type FormsSubmission from ResponseDefinitions
  * @psalm-import-type FormsSubmissions from ResponseDefinitions
  * @psalm-import-type FormsUploadedFile from ResponseDefinitions
  */
@@ -172,6 +173,7 @@ public function newForm(?int $fromId = null): DataResponse {
 				'showToAllUsers' => false,
 			]);
 			$form->setSubmitMultiple(false);
+			$form->setAllowEditSubmissions(false);
 			$form->setShowExpiration(false);
 			$form->setExpires(0);
 			$form->setIsAnonymous(false);
@@ -1158,7 +1160,11 @@ public function getSubmissions(int $formId, ?string $fileFormat = null): DataRes
 		}
 
 		// Load submissions and currently active questions
-		$submissions = $this->submissionService->getSubmissions($formId);
+		if (in_array(Constants::PERMISSION_RESULTS, $this->formsService->getPermissions($form))) {
+			$submissions = $this->submissionService->getSubmissions($formId);
+		} else {
+			$submissions = $this->submissionService->getSubmissions($formId, $this->currentUser->getUID());
+		}
 		$questions = $this->formsService->getQuestions($formId);
 
 		// Append Display Names
@@ -1195,6 +1201,54 @@ public function getSubmissions(int $formId, ?string $fileFormat = null): DataRes
 		return new DataResponse($response);
 	}
 
+	/**
+	 * Get a specific submission
+	 *
+	 * @param int $formId of the form
+	 * @param int $submissionId of the submission
+	 * @return DataResponse<Http::STATUS_OK, FormsSubmission, array{}>
+	 * @throws OCSBadRequestException Submission doesn't belong to given form
+	 * @throws OCSNotFoundException Could not find form
+	 * @throws OCSNotFoundException Submission doesn't exist
+	 * @throws OCSForbiddenException The current user has no permission to get this submission
+	 *
+	 * 200: the submissions of the form
+	 */
+	#[CORS()]
+	#[NoAdminRequired()]
+	#[BruteForceProtection(action: 'form')]
+	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
+	public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse {
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+
+		$submission = $this->submissionService->getSubmission($submissionId);
+		if ($submission === null) {
+			throw new OCSNotFoundException('Submission doesn\'t exist');
+		}
+
+		if ($submission['formId'] !== $formId) {
+			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
+		}
+
+		// Append Display Names
+		if (substr($submission['userId'], 0, 10) === 'anon-user-') {
+			// Anonymous User
+			// TRANSLATORS On Results when listing the single Responses to the form, this text is shown as heading of the Response.
+			$submission['userDisplayName'] = $this->l10n->t('Anonymous response');
+		} else {
+			$userEntity = $this->userManager->get($submission['userId']);
+
+			if ($userEntity instanceof IUser) {
+				$submission['userDisplayName'] = $userEntity->getDisplayName();
+			} else {
+				// Fallback, should not occur regularly.
+				$submission['userDisplayName'] = $submission['userId'];
+			}
+		}
+
+		return new DataResponse($submission);
+	}
+
 	/**
 	 * Delete all submissions of a specified form
 	 *
@@ -1309,6 +1363,84 @@ public function newSubmission(int $formId, array $answers, string $shareHash = '
 		return new DataResponse(null, Http::STATUS_CREATED);
 	}
 
+	/**
+	 * Update an existing submission
+	 *
+	 * @param int $formId the form id
+	 * @param int $submissionId the submission id
+	 * @param array<string, list<string>> $answers [question_id => arrayOfString]
+	 * @return DataResponse<Http::STATUS_OK, int, array{}>
+	 * @throws OCSBadRequestException Can only update submission if allowEditSubmissions is set and the answers are valid
+	 * @throws OCSForbiddenException Can only update your own submission
+	 *
+	 * 200: the id of the updated submission
+	 */
+	#[CORS()]
+	#[NoAdminRequired()]
+	#[NoCSRFRequired()]
+	#[PublicPage()]
+	#[ApiRoute(verb: 'PUT', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
+	public function updateSubmission(int $formId, int $submissionId, array $answers): DataResponse {
+		$this->logger->debug('Updating submission: formId: {formId}, answers: {answers}', [
+			'formId' => $formId,
+			'answers' => $answers,
+		]);
+
+		// submissions can't be updated on public shares, so passing empty shareHash
+		$form = $this->loadFormForSubmission($formId, '');
+
+		if (!$form->getAllowEditSubmissions()) {
+			throw new OCSBadRequestException('Can only update if allowEditSubmissions is set');
+		}
+
+		$questions = $this->formsService->getQuestions($formId);
+		try {
+			// Is the submission valid
+			$this->submissionService->validateSubmission($questions, $answers, $form->getOwnerId());
+		} catch (\InvalidArgumentException $e) {
+			throw new OCSBadRequestException($e->getMessage());
+		}
+
+		// get existing submission of this user
+		try {
+			$submission = $this->submissionMapper->findById($submissionId);
+		} catch (DoesNotExistException $e) {
+			throw new OCSBadRequestException('Submission doesn\'t exist');
+		}
+
+		if ($formId !== $submission->getFormId()) {
+			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
+		}
+
+		if ($this->currentUser->getUID() !== $submission->getUserId()) {
+			throw new OCSForbiddenException('Can only update your own submissions');
+		}
+
+		$submission->setTimestamp(time());
+		$this->submissionMapper->update($submission);
+
+		// Delete current answers
+		$this->answerMapper->deleteBySubmission($submissionId);
+
+		// Process Answers
+		foreach ($answers as $questionId => $answerArray) {
+			// Search corresponding Question, skip processing if not found
+			$questionIndex = array_search($questionId, array_column($questions, 'id'));
+			if ($questionIndex === false) {
+				continue;
+			}
+
+			$question = $questions[$questionIndex];
+
+			$this->storeAnswersForQuestion($form, $submission->getId(), $question, $answerArray);
+		}
+
+		//Create Activity
+		$this->formsService->notifyNewSubmission($form, $submission);
+
+		return new DataResponse($submissionId);
+	}
+
 	/**
 	 * Delete a specific submission
 	 *
@@ -1343,6 +1475,13 @@ public function deleteSubmission(int $formId, int $submissionId): DataResponse {
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (
+			!in_array(Constants::PERMISSION_RESULTS_DELETE, $this->formsService->getPermissions($form))
+			&& $this->currentUser->getUID() !== $submission->getUserId()
+		) {
+			throw new OCSForbiddenException('Can only delete your own submissions');
+		}
+
 		// Delete submission (incl. Answers)
 		$this->submissionMapper->deleteById($submissionId);
 		$this->formMapper->update($form);

lib/Controller/PageController.php

@@ -11,6 +11,7 @@
 use OCA\Forms\Db\Form;
 use OCA\Forms\Db\FormMapper;
 use OCA\Forms\Db\ShareMapper;
+use OCA\Forms\Db\SubmissionMapper;
 use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
 
@@ -45,6 +46,7 @@ public function __construct(
 		IRequest $request,
 		private FormMapper $formMapper,
 		private ShareMapper $shareMapper,
+		private SubmissionMapper $submissionMapper,
 		private ConfigService $configService,
 		private FormsService $formsService,
 		private IAccountManager $accountManager,
@@ -63,7 +65,7 @@ public function __construct(
 	#[NoAdminRequired()]
 	#[NoCSRFRequired()]
 	#[FrontpageRoute(verb: 'GET', url: '/')]
-	public function index(?string $hash = null): TemplateResponse {
+	public function index(?string $hash = null, ?int $submissionId = null): TemplateResponse {
 		Util::addScript($this->appName, 'forms-main');
 		Util::addStyle($this->appName, 'forms');
 		Util::addStyle($this->appName, 'forms-style');
@@ -81,6 +83,15 @@ public function index(?string $hash = null): TemplateResponse {
 			}
 		}
 
+		if (isset($submissionId)) {
+			try {
+				$submission = $this->submissionMapper->findById($submissionId);
+				$this->initialState->provideInitialState('submissionId', $submission->id);
+			} catch (DoesNotExistException $e) {
+				// Ignore exception and just don't set the initialState value
+			}
+		}
+
 		return new TemplateResponse($this->appName, self::TEMPLATE_MAIN, [
 			'id-app-content' => '#app-content-vue',
 			'id-app-navigation' => '#app-navigation-vue',
@@ -97,6 +108,16 @@ public function views(string $hash): TemplateResponse {
 		return $this->index($hash);
 	}
 
+	/**
+	 * @return TemplateResponse
+	 */
+	#[NoAdminRequired()]
+	#[NoCSRFRequired()]
+	#[FrontpageRoute(verb: 'GET', url: '/{hash}/submit/{submissionId}', requirements: ['hash' => '[a-zA-Z0-9]{16,}', 'submissionId' => '\d+'])]
+	public function submitViewWithSubmission(string $hash, int $submissionId): TemplateResponse {
+		return $this->formMapper->findByHash($hash)->getAllowEditSubmissions() ? $this->index($hash, $submissionId) : $this->index($hash);
+	}
+
 	/**
 	 * @param string $hash
 	 * @return RedirectResponse|TemplateResponse Redirect to login or internal view.

lib/Db/Form.php

@@ -35,6 +35,8 @@
  * @method void setIsAnonymous(bool $value)
  * @method int getSubmitMultiple()
  * @method void setSubmitMultiple(bool $value)
+ * @method int getAllowEditSubmissions()
+ * @method void setAllowEditSubmissions(bool $value)
  * @method int getShowExpiration()
  * @method void setShowExpiration(bool $value)
  * @method int getLastUpdated()
@@ -58,6 +60,7 @@ class Form extends Entity {
 	protected $expires;
 	protected $isAnonymous;
 	protected $submitMultiple;
+	protected $allowEditSubmissions;
 	protected $showExpiration;
 	protected $submissionMessage;
 	protected $lastUpdated;
@@ -71,6 +74,7 @@ public function __construct() {
 		$this->addType('expires', 'integer');
 		$this->addType('isAnonymous', 'boolean');
 		$this->addType('submitMultiple', 'boolean');
+		$this->addType('allowEditSubmissions', 'boolean');
 		$this->addType('showExpiration', 'boolean');
 		$this->addType('lastUpdated', 'integer');
 		$this->addType('state', 'integer');
@@ -140,6 +144,7 @@ public function setAccess(array $access): void {
 	 *   expires: int,
 	 *   isAnonymous: bool,
 	 *   submitMultiple: bool,
+	 *   allowEditSubmissions: bool,
 	 *   showExpiration: bool,
 	 *   lastUpdated: int,
 	 *   submissionMessage: ?string,
@@ -160,6 +165,7 @@ public function read() {
 			'expires' => (int)$this->getExpires(),
 			'isAnonymous' => (bool)$this->getIsAnonymous(),
 			'submitMultiple' => (bool)$this->getSubmitMultiple(),
+			'allowEditSubmissions' => (bool)$this->getAllowEditSubmissions(),
 			'showExpiration' => (bool)$this->getShowExpiration(),
 			'lastUpdated' => (int)$this->getLastUpdated(),
 			'submissionMessage' => $this->getSubmissionMessage(),

lib/Db/SubmissionMapper.php

@@ -47,6 +47,28 @@ public function findByForm(int $formId): array {
 		return $this->findEntities($qb);
 	}
 
+	/**
+	 * @param int $formId
+	 * @param string $userId
+	 *
+	 * @return Submission[]
+	 * @throws \OCP\AppFramework\Db\DoesNotExistException if not found
+	 */
+	public function findByFormAndUser(int $formId, string $userId): array {
+		$qb = $this->db->getQueryBuilder();
+
+		$qb->select('*')
+			->from($this->getTableName())
+			->where(
+				$qb->expr()->eq('form_id', $qb->createNamedParameter($formId, IQueryBuilder::PARAM_INT)),
+				$qb->expr()->eq('user_id', $qb->createNamedParameter($userId, IQueryBuilder::PARAM_STR))
+			)
+			//Newest submissions first
+			->orderBy('timestamp', 'DESC');
+
+		return $this->findEntities($qb);
+	}
+
 	/**
 	 * @param int $id
 	 * @return Submission
@@ -86,10 +108,11 @@ public function hasFormSubmissionsByUser(Form $form, string $userId): bool {
 	/**
 	 * Count submissions by form
 	 * @param int $formId ID of the form to count submissions
+	 * @param null|string $userId (optional) ID of the current user, defaults to `null`
 	 * @throws \Exception
 	 */
-	public function countSubmissions(int $formId): int {
-		return $this->countSubmissionsWithFilters($formId, null, -1);
+	public function countSubmissions(int $formId, ?string $userId = null): int {
+		return $this->countSubmissionsWithFilters($formId, $userId, -1);
 	}
 
 	/**

lib/FormsMigrator.php

@@ -146,6 +146,7 @@ public function import(IUser $user, IImportSource $importSource, OutputInterface
 				$form->setExpires($formData['expires']);
 				$form->setIsAnonymous($formData['isAnonymous']);
 				$form->setSubmitMultiple($formData['submitMultiple']);
+				$form->setAllowEditSubmissions($formData['allowEditSubmissions']);
 				$form->setShowExpiration($formData['showExpiration']);
 
 				$this->formMapper->insert($form);