Merge pull request #345 from nextcloud/fix/submission_access

John Molakvoæ 2020-05-05 11:14:30 +02:00 committed by GitHub
commit cb28a3d1a5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -611,7 +611,17 @@ class ApiController extends Controller {
return new Http\JSONResponse(['message' => 'Could not find form'], Http::STATUS_BAD_REQUEST);
}
// Does the user have permissions to display
// Does the user have access to the form
if (!$this->formsService->hasUserAccess($form->getId())) {
return new Http\JSONResponse(['message' => 'Not allowed to access this form'], Http::STATUS_FORBIDDEN);
}
// Not allowed if form expired
if ($form->getExpires() > time()) {
return new Http\JSONResponse(['message' => 'This form is no longer taking answers'], Http::STATUS_FORBIDDEN);
}
// Does the user have permissions to submit
if (!$this->formsService->canSubmit($form->getId())) {
return new Http\JSONResponse(['message' => 'Already submitted'], Http::STATUS_FORBIDDEN);
}
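Review bot: The expiry guard `if ($form->getExpires() > time())` looks inverted: it returns the 403 "This form is no longer taking answers" while the expiry timestamp is still in the future, and lets the request through once the timestamp is in the past, so an expired form would keep accepting submissions. The comparison should be `<`, and if `getExpires()` can return 0 for forms with no expiry date (not visible in this hunk), that case has to be excluded as well, e.g. `if ($form->getExpires() && $form->getExpires() < time()) {`. A test that submits to one expired and one still-open form would pin the intended behaviour. The enclosing method starts and ends outside the hunk.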