fix: harden conditional submission handling

- validate active-branch subquestions with full per-question rules
- persist subquestion answers only for the activated branch
- use -PHP_FLOAT_MAX as the value_range lower bound
- drop unused QuestionMapper::deleteByParentQuestion

Signed-off-by: Micke Nordin <kano@sunet.se>

Author: mickenordin

lib/Controller/ApiController.php

@@ -2076,7 +2076,6 @@ private function storeFileAnswer(Form $form, int $submissionId, array $question,
 	private function storeConditionalAnswer(Form $form, int $submissionId, array $question, array $answerData): void {
 		$extraSettings = $question['extraSettings'] ?? [];
 		$triggerType = $extraSettings['triggerType'] ?? null;
-		$branches = $extraSettings['branches'] ?? [];
 
 		// Handle the structure: could be {trigger: [...], subQuestions: {...}} or just trigger array
 		$triggerAnswers = $answerData['trigger'] ?? $answerData;
@@ -2119,8 +2118,9 @@ private function storeConditionalAnswer(Form $form, int $submissionId, array $qu
 			}
 		}
 
-		// Store subquestion answers
-		// Find the active branch to get subquestion definitions
+		// Store subquestion answers only for the branch the trigger activated
+		$activeBranch = $this->submissionService->getActiveBranch($question, $triggerAnswers);
+		$branches = $activeBranch === null ? [] : [$activeBranch];
 		foreach ($branches as $branch) {
 			$branchSubQuestions = $branch['subQuestions'] ?? [];
 			foreach ($branchSubQuestions as $subQuestion) {

lib/Db/QuestionMapper.php

@@ -111,27 +111,6 @@ public function findByBranch(int $parentQuestionId, string $branchId): array {
 		return $this->findEntities($qb);
 	}
 
-	/**
-	 * Delete all subquestions of a parent conditional question
-	 *
-	 * @param int $parentQuestionId The ID of the parent conditional question
-	 */
-	public function deleteByParentQuestion(int $parentQuestionId): void {
-		// First delete options for all subquestions
-		$subQuestions = $this->findByParentQuestion($parentQuestionId, true);
-		foreach ($subQuestions as $subQuestion) {
-			$this->optionMapper->deleteByQuestion($subQuestion->getId());
-		}
-
-		$qb = $this->db->getQueryBuilder();
-		$qb->delete($this->getTableName())
-			->where(
-				$qb->expr()->eq('parent_question_id', $qb->createNamedParameter($parentQuestionId, IQueryBuilder::PARAM_INT))
-			);
-
-		$qb->executeStatement();
-	}
-
 	/**
 	 * @param int $formId
 	 */

lib/Service/SubmissionService.php

@@ -782,25 +782,29 @@ private function validateConditionalQuestion(array $question, array $answerData,
 			return;
 		}
 
-		// If we have an active branch, validate its subquestions
+		// Validate the active branch's subquestions with the full per-question rules
 		if ($activeBranch !== null && isset($activeBranch['subQuestions'])) {
-			$subQuestions = $activeBranch['subQuestions'];
-
-			// Build a questions array from subquestions for validation
-			foreach ($subQuestions as $subQuestion) {
-				$subQuestionId = $subQuestion['id'];
-				$subQuestionAnswered = isset($subQuestionAnswers[$subQuestionId]);
-
-				// Check if required subquestions have an answer
-				if ($subQuestion['isRequired'] ?? false) {
-					if (!$subQuestionAnswered || !array_filter($subQuestionAnswers[$subQuestionId], fn ($v) => $v !== '' && $v !== null)) {
-						throw new \InvalidArgumentException(sprintf('Subquestion "%s" in conditional question "%s" is required.', $subQuestion['text'] ?? 'Unknown', $question['text']));
-					}
-				}
-			}
+			$this->validateSubmission($activeBranch['subQuestions'], $subQuestionAnswers, $formOwnerId);
 		}
 	}
 
+	/**
+	 * Resolve the branch a conditional question's trigger answer activates
+	 *
+	 * @param array $question The conditional question
+	 * @param array $triggerAnswer The trigger answer values
+	 * @return array|null The active branch or null if none matches
+	 */
+	public function getActiveBranch(array $question, array $triggerAnswer): ?array {
+		$extraSettings = $question['extraSettings'] ?? [];
+		return $this->findActiveBranch(
+			$extraSettings['triggerType'] ?? '',
+			$triggerAnswer,
+			$extraSettings['branches'] ?? [],
+			$question['options'] ?? [],
+		);
+	}
+
 	/**
 	 * Find the active branch based on trigger answer
 	 *
@@ -899,7 +903,7 @@ private function evaluateBranchConditions(string $triggerType, array $triggerAns
 							return true;
 						}
 					} elseif ($type === 'value_range') {
-						$min = $condition['min'] ?? PHP_FLOAT_MIN;
+						$min = $condition['min'] ?? -PHP_FLOAT_MAX;
 						$max = $condition['max'] ?? PHP_FLOAT_MAX;
 						if ($numValue >= $min && $numValue <= $max) {
 							return true;