
Commit e4b7ffb

committed
fix: prevent modifications to archived forms in ApiController and ShareApiController
Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>
1 parent f15d740 commit e4b7ffb

2 files changed

Lines changed: 26 additions & 0 deletions


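--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -268,6 +268,17 @@ public function updateForm(int $formId, array $keyValuePairs): DataResponse {
 ]);
 
 $form = $this->getFormIfAllowed($formId);
+if (
+$this->formsService->isFormArchived($form)
+&& !( // Forbid if NOT (the specific allowed condition)
+sizeof($keyValuePairs) === 1
+&& key_exists('state', $keyValuePairs)
+&& $keyValuePairs['state'] === Constants::FORM_STATE_CLOSED
+)
+) {
+$this->logger->debug('This form is archived and can not be modified except to change state to closed.');
+throw new OCSForbiddenException('This form is archived and can not be modified except to change state to closed.');
+}
 
 // Don't allow empty array
 if (sizeof($keyValuePairs) === 0) {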
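Review bot: The carve-out in the new condition compares `$keyValuePairs['state']` with `===` against `Constants::FORM_STATE_CLOSED`, so if the request body delivers the state with a different scalar type than the constant (string versus int) the only change still permitted on an archived form would be rejected with the generic 403; the type the client sends is not visible here and is worth confirming, or the value normalised before the strict comparison. On style, `sizeof` and `key_exists` are aliases that static analysers and the PER-CS rulesets flag — `count($keyValuePairs) === 1 && array_key_exists('state', $keyValuePairs)` is the conventional spelling. The same sentence is repeated in the log line and the exception; a local `$message` used for both keeps them from drifting apart. updateForm starts and ends outside the hunk.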

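--- a/lib/Controller/ShareApiController.php
+++ b/lib/Controller/ShareApiController.php
@@ -123,6 +123,11 @@ public function newShare(int $formId, int $shareType, string $shareWith = '', ar
 throw new OCSNotFoundException('Could not find form');
 }
 
+if ($this->formsService->isFormArchived($form)) {
+$this->logger->debug('This form is archived and can not be modified');
+throw new OCSForbiddenException('This form is archived and can not be modified');
+}
+
 // Check for permission to share form
 if ($form->getOwnerId() !== $this->currentUser->getUID()) {
 $this->logger->debug('This form is not owned by the current user');
@@ -243,6 +248,11 @@ public function updateShare(int $formId, int $shareId, array $keyValuePairs): Da
 throw new OCSNotFoundException('Could not find share');
 }
 
+if ($this->formsService->isFormArchived($form)) {
+$this->logger->debug('This form is archived and can not be modified');
+throw new OCSForbiddenException('This form is archived and can not be modified');
+}
+
 if ($formId !== $formShare->getFormId()) {
 $this->logger->debug('This share doesn\'t belong to the given Form');
 throw new OCSBadRequestException('Share doesn\'t belong to given Form');
@@ -336,6 +346,11 @@ public function deleteShare(int $formId, int $shareId): DataResponse {
 throw new OCSNotFoundException('Could not find share');
 }
 
+if ($this->formsService->isFormArchived($form)) {
+$this->logger->debug('This form is archived and can not be modified');
+throw new OCSForbiddenException('This form is archived and can not be modified');
+}
+
 if ($formId !== $share->getFormId()) {
 $this->logger->debug('This share doesn\'t belong to the given Form');
 throw new OCSBadRequestException('Share doesn\'t belong to given Form');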
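Review bot: In newShare the archived check is inserted ahead of the ownership check that follows it, so a caller who is not the owner of an archived form receives the 'archived' OCSForbiddenException rather than the ownership one, which reveals the form's archived state to users who have no right to manage it; placing the block after the owner check keeps authorisation first and state validation second. The updateShare and deleteShare hunks have the same ordering question — there the check also precedes the share-belongs-to-form validation, and presumably the owner check that sits outside those hunks, so a mismatched share id on an archived form now yields 403 instead of 400. The three inserted bodies are byte-identical, so a private helper that owns the message and the log line would keep them from diverging, as sketched below. All three enclosing methods start and end outside their hunks.
```php
// … unchanged: form lookup and ownership check …
$this->assertFormNotArchived($form);

/**
 * Reject any modification of a form that has been archived.
 *
 * @throws OCSForbiddenException
 */
private function assertFormNotArchived(Form $form): void
{
    if ($this->formsService->isFormArchived($form)) {
        $this->logger->debug('This form is archived and can not be modified');
        throw new OCSForbiddenException('This form is archived and can not be modified');
    }
}
```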
