nextcloud
diff --git a/‎docs/API_v3.md‎
Lines changed: 8 additions & 2 deletions b/‎docs/API_v3.md‎
Lines changed: 8 additions & 2 deletions
diff --git a/‎docs/DataStructure.md‎
Lines changed: 4 additions & 0 deletions b/‎docs/DataStructure.md‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎lib/Controller/ApiController.php‎
Lines changed: 140 additions & 19 deletions b/‎lib/Controller/ApiController.php‎
Lines changed: 140 additions & 19 deletions
diff --git a/‎lib/Db/Form.php‎
Lines changed: 12 additions & 0 deletions b/‎lib/Db/Form.php‎
Lines changed: 12 additions & 0 deletions
@@ -92,7 +92,9 @@ Returns condensed objects of all Forms beeing owned by the authenticated user.
       "submit"
     ],
     "partial": true,
-    "state": 0
+    "state": 0,
+    "lockedBy": null,
+    "lockedUntil": null
   },
   {
     "id": 3,
@@ -105,7 +107,9 @@ Returns condensed objects of all Forms beeing owned by the authenticated user.
       "submit"
     ],
     "partial": true,
-    "state": 0
+    "state": 0,
+    "lockedBy": "someUser"
+    "lockedUntil": 123456789
   }
 ]
 ```
@@ -169,6 +173,8 @@ Returns the full-depth object of the requested form (without submissions).
   "showExpiration": false,
   "canSubmit": true,
   "state": 0,
+  "lockedBy": null,
+  "lockedUntil": null,
   "permissions": [
     "edit",
     "results",
 
@@ -26,6 +26,8 @@ This document describes the Object-Structure, that is used within the Forms App
 | expires              | unix-timestamp                       |                                         | When the form should expire. Timestamp `0` indicates _never_                                                                     |
 | isAnonymous          | Boolean                              |                                         | If Answers will be stored anonymously                                                                                            |
 | state                | Integer                              | [Form state](#form-state)               | The state of the form                                                                                                            |
+| lockedBy             | String                               |                                         | The user ID for who has exclusive edit access at the moment                                                                      |
+| lockedUntil          | unix timestamp                       |                                         | When the form lock will expire                                                                                                   |
 | submitMultiple       | Boolean                              |                                         | If users are allowed to submit multiple times to the form                                                                        |
 | allowEditSubmissions | Boolean                              |                                         | If users are allowed to edit or delete their response                                                                            |
 | showExpiration       | Boolean                              |                                         | If the expiration date will be shown on the form                                                                                 |
@@ -59,6 +61,8 @@ This document describes the Object-Structure, that is used within the Forms App
   ],
   "questions": [],
   "state": 0,
+  "lockedBy": null,
+  "lockedUntil": null,
   "shares": []
   "submissions": [],
   "submissionCount": 0,
 
@@ -52,7 +52,6 @@
 use OCP\IUser;
 use OCP\IUserManager;
 use OCP\IUserSession;
-
 use Psr\Log\LoggerInterface;
 
 /**
@@ -190,6 +189,8 @@ public function newForm(?int $fromId = null): DataResponse {
 			unset($formData['state']);
 			unset($formData['fileId']);
 			unset($formData['fileFormat']);
+			unset($formData['locked_by']);
+			unset($formData['locked_until']);
 			$formData['hash'] = $this->formsService->generateFormHash();
 			// TRANSLATORS Appendix to the form Title of a duplicated/copied form.
 			$formData['title'] .= ' - ' . $this->l10n->t('Copy');
@@ -267,16 +268,85 @@ public function updateForm(int $formId, array $keyValuePairs): DataResponse {
 			'keyValuePairs' => $keyValuePairs
 		]);
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$currentUserId = $this->currentUser->getUID();
 
 		// Don't allow empty array
 		if (sizeof($keyValuePairs) === 0) {
 			$this->logger->info('Empty keyValuePairs, will not update.');
 			throw new OCSForbiddenException('Empty keyValuePairs, will not update.');
 		}
 
+		// Process complete form locking (lockedUntil: 0)
+		if (
+			sizeof($keyValuePairs) === 2
+			&& array_key_exists('lockedBy', $keyValuePairs) && $keyValuePairs['lockedBy'] === $form->getOwnerId()
+			&& array_key_exists('lockedUntil', $keyValuePairs) && $keyValuePairs['lockedUntil'] === 0
+		) {
+			// Only allow form locking for form owner
+			if ($currentUserId !== $form->getOwnerId() || $currentUserId !== $form->getLockedBy()) {
+				$this->logger->debug('Only the form owner can lock the form permanently');
+				throw new OCSForbiddenException('Only the form owner can lock the form permanently');
+			}
+
+			// Only allow if the form is not currently locked by another user
+			if (
+				$form->getLockedBy() !== null
+				&& $form->getLockedBy() !== $currentUserId
+				&& $form->getLockedUntil() >= time()
+			) {
+				$this->logger->debug('Form is currently locked by another user.');
+				throw new OCSForbiddenException('Form is currently locked by another user.');
+			}
+
+			// Abort if form is already completely locked
+			if ($form->getLockedUntil() === 0) {
+				$this->logger->debug('Form is already locked completely.');
+				throw new OCSBadRequestException('Form is already locked completely.');
+			}
+
+			$form->setLockedBy($keyValuePairs['lockedBy']);
+			$form->setLockedUntil($keyValuePairs['lockedUntil']);
+
+			// Update changed Columns in Db.
+			$this->formMapper->update($form);
+
+			return new DataResponse($form->getId());
+		}
+
+		// Process form unlocking
+		if (
+			sizeof($keyValuePairs) === 2
+			&& array_key_exists('lockedBy', $keyValuePairs) && is_null($keyValuePairs['lockedBy'])
+			&& array_key_exists('lockedUntil', $keyValuePairs) && is_null($keyValuePairs['lockedUntil'])
+		) {
+			// Only allow form unlocking if for form owner or lock user
+			if ($currentUserId !== $form->getOwnerId() && $currentUserId !== $form->getLockedBy() && $form->getLockedUntil() !== 0) {
+				$this->logger->debug('Only the form owner or the user who obtained the lock can unlock the form');
+				throw new OCSForbiddenException('Only the form owner or the user who obtained the lock can unlock the form');
+			}
+
+			// remove form lock
+			$form->setLockedBy(null);
+			$form->setLockedUntil(null);
+
+			// Update changed Columns in Db.
+			$this->formMapper->update($form);
+
+			return new DataResponse($form->getId());
+		}
+
+		// Lock form temporary
+		$this->obtainFormLock($form);
+		
 		// Process owner transfer
 		if (sizeof($keyValuePairs) === 1 && key_exists('ownerId', $keyValuePairs)) {
+			// Only allow owner transfer if current user is the form owner
+			if ($currentUserId !== $form->getOwnerId()) {
+				$this->logger->debug('Only the form owner can transfer ownership');
+				throw new OCSForbiddenException('Only the form owner can transfer ownership');
+			}
+
 			$this->logger->debug('Updating owner: formId: {formId}, userId: {uid}', [
 				'formId' => $formId,
 				'uid' => $keyValuePairs['ownerId']
@@ -288,23 +358,33 @@ public function updateForm(int $formId, array $keyValuePairs): DataResponse {
 				throw new OCSBadRequestException('Could not find new form owner');
 			}
 
-			// update form owner
+			// update form owner and remove form lock
 			$form->setOwnerId($keyValuePairs['ownerId']);
+			$form->setLockedBy(null);
+			$form->setLockedUntil(null);
 
 			// Update changed Columns in Db.
 			$this->formMapper->update($form);
 
 			return new DataResponse($form->getOwnerId());
 		}
 
-		// Don't allow to change params id, hash, ownerId, created, lastUpdated, fileId
-		if (
-			key_exists('id', $keyValuePairs) || key_exists('hash', $keyValuePairs) ||
-			key_exists('ownerId', $keyValuePairs) || key_exists('created', $keyValuePairs) ||
-			isset($keyValuePairs['fileId']) || key_exists('lastUpdated', $keyValuePairs)
-		) {
-			$this->logger->info('Not allowed to update id, hash, ownerId, created, fileId or lastUpdated');
-			throw new OCSForbiddenException('Not allowed to update id, hash, ownerId, created, fileId or lastUpdated');
+		// Don't allow to change the following attributes
+		$forbiddenKeys = [
+			'id', 'hash', 'ownerId', 'created', 'lastUpdated', 'lockedBy', 'lockedUntil'
+		];
+
+		foreach ($forbiddenKeys as $key) {
+			if (array_key_exists($key, $keyValuePairs)) {
+				$this->logger->info("Not allowed to update {$key}");
+				throw new OCSForbiddenException("Not allowed to update {$key}");
+			}
+		}
+
+		// Don't allow to change fileId
+		if (isset($keyValuePairs['fileId'])) {
+			$this->logger->info('Not allowed to update fileId');
+			throw new OCSForbiddenException('Not allowed to update fileId');
 		}
 
 		// Do not allow changing showToAllUsers if disabled
@@ -477,7 +557,9 @@ public function getQuestion(int $formId, int $questionId): DataResponse {
 	#[BruteForceProtection(action: 'form')]
 	#[ApiRoute(verb: 'POST', url: '/api/v3/forms/{formId}/questions')]
 	public function newQuestion(int $formId, ?string $type = null, string $text = '', ?int $fromId = null): DataResponse {
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -608,7 +690,9 @@ public function updateQuestion(int $formId, int $questionId, array $keyValuePair
 
 		// Make sure we query the form first to check the user has permissions
 		// So the user does not get information about "questions" if they do not even have permissions to the form
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -682,7 +766,9 @@ public function deleteQuestion(int $formId, int $questionId): DataResponse {
 		]);
 
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -748,7 +834,9 @@ public function reorderQuestions(int $formId, array $newOrder): DataResponse {
 			'newOrder' => $newOrder
 		]);
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -847,7 +935,9 @@ public function newOption(int $formId, int $questionId, array $optionTexts): Dat
 			'text' => $optionTexts,
 		]);
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -929,7 +1019,9 @@ public function updateOption(int $formId, int $questionId, int $optionId, array
 			'keyValuePairs' => $keyValuePairs
 		]);
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -996,7 +1088,9 @@ public function deleteOption(int $formId, int $questionId, int $optionId): DataR
 			'optionId' => $optionId
 		]);
 
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -1052,7 +1146,9 @@ public function deleteOption(int $formId, int $questionId, int $optionId): DataR
 	#[BruteForceProtection(action: 'form')]
 	#[ApiRoute(verb: 'PATCH', url: '/api/v3/forms/{formId}/questions/{questionId}/options')]
 	public function reorderOptions(int $formId, int $questionId, array $newOrder) {
-		$form = $this->getFormIfAllowed($formId);
+		$form = $this->getFormIfAllowed($formId, Constants::PERMISSION_EDIT);
+		$this->obtainFormLock($form);
+
 		if ($this->formsService->isFormArchived($form)) {
 			$this->logger->debug('This form is archived and can not be modified');
 			throw new OCSForbiddenException('This form is archived and can not be modified');
@@ -1797,6 +1893,12 @@ private function getFormIfAllowed(int $formId, string $permissions = 'all'): For
 					throw new NoSuchFormException('This form is not owned by the current user and user has no `results_delete` permission', Http::STATUS_FORBIDDEN);
 				}
 				break;
+			case Constants::PERMISSION_EDIT:
+				if (!$this->formsService->canEditForm($form)) {
+					$this->logger->debug('This form is not owned by the current user and user has no `edit` permission');
+					throw new NoSuchFormException('This form is not owned by the current user and user has no `edit` permission', Http::STATUS_FORBIDDEN);
+				}
+				break;
 			default:
 				// By default we request full permissions
 				if ($form->getOwnerId() !== $this->currentUser->getUID()) {
@@ -1807,4 +1909,23 @@ private function getFormIfAllowed(int $formId, string $permissions = 'all'): For
 		}
 		return $form;
 	}
+
+	/**
+	 * Locks the given form for the current user for a duration of 15 minutes.
+	 *
+	 * @param Form $form The form instance to lock.
+	 */
+	private function obtainFormLock(Form $form): void {
+		// Only lock if not locked or locked by current user, or lock has expired
+		if (
+			$form->getLockedBy() !== null
+			&& $form->getLockedBy() !== $this->currentUser->getUID()
+			&& ($form->getLockedUntil() >= time() || $form->getLockedUntil() === 0)
+		) {
+			throw new OCSForbiddenException('Form is currently locked by another user.');
+		}
+
+		$form->setLockedBy($this->currentUser->getUID());
+		$form->setLockedUntil(time() + 15 * 60);
+	}
 }
@@ -47,6 +47,10 @@
  * @psalm-method 0|1|2 getState()
  * @method void setState(int|null $value)
  * @psalm-method void setState(0|1|2|null $value)
+ * @method string getLockedBy()
+ * @method void setLockedBy(string $value)
+ * @method int getLockedUntil()
+ * @method void setLockedUntil(int $value)
  */
 class Form extends Entity {
 	protected $hash;
@@ -65,6 +69,8 @@ class Form extends Entity {
 	protected $submissionMessage;
 	protected $lastUpdated;
 	protected $state;
+	protected $lockedBy;
+	protected $lockedUntil;
 
 	/**
 	 * Form constructor.
@@ -78,6 +84,8 @@ public function __construct() {
 		$this->addType('showExpiration', 'boolean');
 		$this->addType('lastUpdated', 'integer');
 		$this->addType('state', 'integer');
+		$this->addType('locked_by', 'string');
+		$this->addType('locked_until', 'integer');
 	}
 
 	// JSON-Decoding of access-column.
@@ -149,6 +157,8 @@ public function setAccess(array $access): void {
 	 *   lastUpdated: int,
 	 *   submissionMessage: ?string,
 	 *   state: 0|1|2,
+	 *   locked_by: ?string,
+	 *   locked_until: ?int,
 	 *  }
 	 */
 	public function read() {
@@ -170,6 +180,8 @@ public function read() {
 			'lastUpdated' => (int)$this->getLastUpdated(),
 			'submissionMessage' => $this->getSubmissionMessage(),
 			'state' => $this->getState(),
+			'locked_by' => $this->getLockedBy(),
+			'locked_until' => $this->getLockedUntil(),
 		];
 	}
 }