From 8b172e85ca8fcc8ae49cf163baf96b42172be83f Mon Sep 17 00:00:00 2001
From: Peter Ringelmann
Date: Thu, 21 May 2026 14:50:11 +0200
Subject: [PATCH] fix(api): re-check result permission in submission export
Signed-off-by: Peter Ringelmann
---
 lib/Controller/ApiController.php | 8 ++++++++
 tests/Unit/Controller/ApiControllerTest.php | 22 +++++++++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index ef6be2f8c..56590b76f 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -1569,6 +1569,14 @@ public function deleteSubmission(int $formId, int $submissionId): DataResponse {
 #[ApiRoute(verb: 'POST', url: '/api/v3/forms/{formId}/submissions/export')]
 public function exportSubmissionsToCloud(int $formId, string $path, string $fileFormat = Constants::DEFAULT_FILE_FORMAT) {
 $form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+
+ // canSeeResults() (used by getFormIfAllowed) also accepts submitters;
+ // exporting every submission needs the strict PERMISSION_RESULTS grant.
+ $permissions = $this->formsService->getPermissions($form);
+ if (!in_array(Constants::PERMISSION_RESULTS, $permissions, true)) {
+ throw new OCSForbiddenException('The current user has no permission to get the results for this form');
+ }
+
 $file = $this->submissionService->writeFileToCloud($form, $path, $fileFormat);
 
 return new DataResponse($file->getName());
diff --git a/tests/Unit/Controller/ApiControllerTest.php b/tests/Unit/Controller/ApiControllerTest.php
index eed2cb106..60effa815 100644
--- a/tests/Unit/Controller/ApiControllerTest.php
+++ b/tests/Unit/Controller/ApiControllerTest.php
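Review bot: The strict results check lives only in `exportSubmissionsToCloud` (lib/Controller/ApiController.php), so any other caller of `getFormIfAllowed(..., Constants::PERMISSION_RESULTS)` still gets the laxer behaviour the new comment describes, where submitters are accepted. No other callers are visible in this hunk, so each one that returns, downloads or deletes other users' submissions should be audited for the same gap. Enforcing the strict grant once in the service layer would be safer than repeating `if (!in_array(Constants::PERMISSION_RESULTS, $permissions, true))` per action. Until then, a marker such as `// SECURITY: getFormIfAllowed(PERMISSION_RESULTS) alone does not prove full result access` at the call would keep the contract visible. The method's docblock and closing brace are outside the hunk; if the docblock lacks it, `@throws OCSForbiddenException` belongs there.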
@@ -482,6 +482,28 @@ public function testExportSubmissionsToCloud_invalidForm() {
 $this->apiController->exportSubmissionsToCloud(1, '');
 }
 
+ public function testExportSubmissionsToCloud_noExportPermissions() {
+ $form = new Form();
+ $form->setId(1);
+ $form->setOwnerId('someoneElse');
+
+ $this->formsService->expects($this->once())
+ ->method('getFormIfAllowed')
+ ->with(1, Constants::PERMISSION_RESULTS)
+ ->willReturn($form);
+
+ $this->formsService->expects($this->once())
+ ->method('getPermissions')
+ ->with($form)
+ ->willReturn([Constants::PERMISSION_SUBMIT]);
+
+ $this->submissionService->expects($this->never())
+ ->method('writeFileToCloud');
+
+ $this->expectException(OCSForbiddenException::class);
+ $this->apiController->exportSubmissionsToCloud(1, '/', 'csv');
+ }
+
 public function testCreateNewForm_notAllowed() {
 $this->configService->expects($this->once())
 ->method('canCreateForms')
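Review bot: Only the denial path is pinned in `testExportSubmissionsToCloud_noExportPermissions`; nothing in this hunk asserts that a caller whose `getPermissions()` result contains `Constants::PERMISSION_RESULTS` still reaches `writeFileToCloud`. The diffstat shows all 22 added test lines sit in this one method, so any existing success-path test for `exportSubmissionsToCloud` (not visible here) was left without a `getPermissions` stub and may now hit the new exception. A companion case with `->willReturn([Constants::PERMISSION_SUBMIT, Constants::PERMISSION_RESULTS])` and `writeFileToCloud` expected `$this->once()` would catch the guard being inverted or over-tightened later. A second denial case returning `[]` would also cover a user with no grants at all.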