fix: do not add result permissions to see own submissions

susnux · susnux · commit 5a7ccbe0b081 · 2026-01-22T18:45:15.000+01:00
When a user has submitted a form they should not have result
permissions, but instead we should only show their own submissions.

Signed-off-by: Ferdinand Thiessen &lt;opensource@fthiessen.de&gt;
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
@@ -22,6 +22,7 @@
 use OCA\Forms\Db\SubmissionMapper;
 use OCA\Forms\Db\UploadedFile;
 use OCA\Forms\Db\UploadedFileMapper;
+use OCA\Forms\Exception\NoSuchFormException;
 use OCA\Forms\ResponseDefinitions;
 use OCA\Forms\Service\ConfigService;
 use OCA\Forms\Service\FormsService;
@@ -1161,16 +1162,22 @@ public function reorderOptions(int $formId, int $questionId, array $newOrder, ?s
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions')]
 	public function getSubmissions(int $formId, ?string $query = null, ?int $limit = null, int $offset = 0, ?string $fileFormat = null): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 
 		if ($fileFormat !== null) {
+			if (!$canSeeAllSubmissions) {
+				throw new NoSuchFormException('The current user has no permission to get the results for this form', Http::STATUS_FORBIDDEN);
+			}
+
 			$submissionsData = $this->submissionService->getSubmissionsData($form, $fileFormat);
 			$fileName = $this->formsService->getFileName($form, $fileFormat);
 
 			return new DataDownloadResponse($submissionsData, $fileName, Constants::SUPPORTED_EXPORT_FORMATS[$fileFormat]);
 		}
 
 		// Load submissions and currently active questions
-		if (in_array(Constants::PERMISSION_RESULTS, $this->formsService->getPermissions($form))) {
+		if ($canSeeAllSubmissions) {
 			$submissions = $this->submissionService->getSubmissions($formId, null, $query, $limit, $offset);
 			$filteredSubmissionsCount = $this->submissionMapper->countSubmissions($formId, null, $query);
 		} else {
diff --git a/lib/Service/FormsService.php b/lib/Service/FormsService.php
@@ -212,8 +212,6 @@ public function getForm(Form $form): array {
 			$userSubmissionCount = $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID());
 			if ($userSubmissionCount > 0) {
 				$result['submissionCount'] = $userSubmissionCount;
-				// Append `results` permission if user has submitted to the form
-				$result['permissions'][] = Constants::PERMISSION_RESULTS;
 			}
 		}
 
diff --git a/src/Forms.vue b/src/Forms.vue
@@ -269,8 +269,13 @@ export default {
 				return false
 			}
 
+			if (this.$route.name === 'results') {
+				return form.permissions.includes(this.$route.name)
+					|| form.submissionCount > 0
+			}
+
 			// Return whether route is in the permissions-list
-			return form?.permissions.includes(this.$route.name)
+			return form.permissions.includes(this.$route.name)
 		},
 
 		selectedForm: {
diff --git a/src/views/Results.vue b/src/views/Results.vue
@@ -50,6 +50,7 @@
 
 				<!-- Action menu for cloud export and deletion -->
 				<NcActions
+					v-if="canExportSubmissions"
 					:aria-label="t('forms', 'Options')"
 					force-name
 					:inline="isMobile ? 0 : 1"
@@ -449,6 +450,10 @@ export default {
 			return this.form.state === FormState.FormArchived
 		},
 
+		canExportSubmissions() {
+			return this.form.permissions.includes(this.PERMISSION_TYPES.PERMISSION_RESULTS)
+		},
+
 		canDeleteSubmissions() {
 			return (
 				this.form.permissions.includes(

Original file line number	Diff line number	Diff line change
`@@ -212,8 +212,6 @@ public function getForm(Form $form): array {`
`212`	`212`	`$userSubmissionCount = $this->submissionMapper->countSubmissions($form->getId(), $this->currentUser->getUID());`
`213`	`213`	`if ($userSubmissionCount > 0) {`
`214`	`214`	`$result['submissionCount'] = $userSubmissionCount;`
`215`		- // Append `results` permission if user has submitted to the form
`216`		`- $result['permissions'][] = Constants::PERMISSION_RESULTS;`
`217`	`215`	`}`
`218`	`216`	`}`
`219`	`217`