fix(api): enforce submission visibility based on user permissions

fix(submit): adjust conditional rendering for submission state

Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>

Author: Chartman123

lib/Controller/ApiController.php

@@ -1265,6 +1265,8 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit =
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
 	public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 
 		$submission = $this->submissionService->getSubmission($submissionId);
 		if ($submission === null) {
@@ -1275,6 +1277,10 @@ public function getSubmission(int $formId, int $submissionId): DataResponse|Data
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID()) {
+			throw new OCSForbiddenException('User is not allowed to see submission');
+		}
+
 		// Append Display Names
 		if (substr($submission['userId'], 0, 10) === 'anon-user-') {
 			// Anonymous User

src/views/Submit.vue

@@ -58,7 +58,7 @@
 				</template>
 			</NcEmptyContent>
 			<NcEmptyContent
-				v-else-if="success || (!form.canSubmit && !isMaxSubmissionsReached)"
+				v-else-if="success || ((!form.canSubmit && !isMaxSubmissionsReached) && !submissionId)"
 				class="forms-emptycontent"
 				:name="
 					form.submissionMessage