delete submissions

Chartman123 · Chartman123 · commit fb6c06a9ac7a · 2025-05-02T10:23:02.000+02:00
Signed-off-by: Christian Hartmann &lt;chris-hartmann@gmx.de&gt;
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
@@ -1474,6 +1474,13 @@ public function deleteSubmission(int $formId, int $submissionId): DataResponse {
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (
+			!in_array(Constants::PERMISSION_RESULTS_DELETE, $this->formsService->getPermissions($form))
+			&& $this->currentUser->getUID() !== $submission->getUserId()
+		) {
+			throw new OCSForbiddenException('Can only delete your own submissions');
+		}
+
 		// Delete submission (incl. Answers)
 		$this->submissionMapper->deleteById($submissionId);
 		$this->formMapper->update($form);
diff --git a/lib/Service/FormsService.php b/lib/Service/FormsService.php
@@ -331,31 +331,39 @@ public function canEditForm(Form $form): bool {
 	 * @param Form $form The form for which the results visibility is being checked.
 	 * @return bool True if the user can see the results, false otherwise.
 	 */
-	/**
-	 * Can the current user see results of a form
-	 *
-	 * @param Form $form
-	 * @return boolean
-	 */
 	public function canSeeResults(Form $form): bool {
 		return $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID()) > 0
 			|| in_array(Constants::PERMISSION_RESULTS, $this->getPermissions($form));
 	}
 
 	/**
-	 * Can the current user delete results of a form
+	 * Determines if the current user has permission to delete the results of a given form.
 	 *
-	 * @param Form $form
-	 * @return boolean
+	 * A user can delete the results of a form if the form is not archived and one of the following conditions is met:
+	 * - The user has the "results_delete" permission.
+	 * - The user has not submitted any responses, and the form allows editing.
+	 * - The form is not archived.
+	 *
+	 * @param Form $form The form for which the results deletion permission is being checked.
+	 * @return bool True if the user can delete the results, false otherwise.
 	 */
 	public function canDeleteResults(Form $form): bool {
-		// Check permissions
-		if (!in_array(Constants::PERMISSION_RESULTS_DELETE, $this->getPermissions($form))) {
+		// Do not allow deleting results on archived forms
+		if ($this->isFormArchived($form)) {
 			return false;
 		}
+		
+		// Allow deleting results if the current user has the "results_delete" permission
+		if (in_array(Constants::PERMISSION_RESULTS_DELETE, $this->getPermissions($form))) {
+			return true;
+		}
 
-		// Do not allow deleting results on archived forms
-		return !$this->isFormArchived($form);
+		// Allow deleting results if the current user has already submitted
+		if ($form->getAllowEdit() && $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID()) > 0) {
+			return true;
+		}
+
+		return false;
 	}
 
 	/**
