Fix Submission Access

Signed-off-by: Jonas Rittershofer <jotoeri@users.noreply.github.com>
Jonas Rittershofer 2020-05-05 10:52:47 +02:00
parent 86de8c0e95
commit 31e2cea76f


@ -611,7 +611,17 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
}
// Does the user have permissions to display
// Does the user have access to the form
if (!$this->formsService->hasUserAccess($form->getId())) {
return new Http\JSONResponse(['message' => 'Not allowed to access this form'], Http::STATUS_FORBIDDEN);
}
// Not allowed if form expired
if ($form->getExpires() > time()) {
return new Http\JSONResponse(['message' => 'This form is no longer taking answers'], Http::STATUS_FORBIDDEN);
}
// Does the user have permissions to submit
if (!$this->formsService->canSubmit($form->getId())) {
return new Http\JSONResponse(['message' => 'Already submitted'], Http::STATUS_FORBIDDEN);
}
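Review bot: The new expiry guard `if ($form->getExpires() > time())` is inverted: it is true while the expiry timestamp is still in the future, so a form that is still open is rejected with "This form is no longer taking answers", and a form whose expiry has passed falls through to `canSubmit()` and keeps accepting submissions. The comparison should be reversed. If an unset expiry is stored as 0 (not visible in this hunk, so worth confirming against the Form entity), that value also needs to be excluded, for example `if ($form->getExpires() && $form->getExpires() < time()) {`. A test that submits to one expired and one not-yet-expired form would pin the intended behaviour. The enclosing controller method starts and ends outside the hunk, so whether expiry is enforced again further down cannot be seen here.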