Prevent leaking personnal infos on forms

Signed-off-by: John Molakvoæ (skjnldsv) <skjnldsv@protonmail.com>
2020-05-04 19:06:53 +02:00 · 2020-05-04 19:06:53 +02:00 · f6b294f455
commit f6b294f455
parent 78b53cbb8e
11 changed files with 182 additions and 81 deletions
--- a/lib/Service/FormsService.php
+++ b/lib/Service/FormsService.php
@ -26,8 +26,11 @@ namespace OCA\Forms\Service;
 use OCA\Forms\Db\FormMapper;
 use OCA\Forms\Db\OptionMapper;
 use OCA\Forms\Db\QuestionMapper;
+use OCA\Forms\Db\SubmissionMapper;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Db\IMapperException;
+use OCP\IGroupManager;
+use OCP\IUserSession;

 /**
 * Trait for getting forms information in a service
@ -43,12 +46,27 @@ class FormsService {
 	/** @var OptionMapper */
 	private $optionMapper;

+	/** @var SubmissionMapper */
+	private $submissionMapper;
+	
+	/** @var IGroupManager */
+	private $groupManager;
+
+	/** @var IUserSession */
+	private $userSession;
+
 	public function __construct(FormMapper $formMapper,
 								QuestionMapper $questionMapper,
-								OptionMapper $optionMapper) {
+								OptionMapper $optionMapper,
+								SubmissionMapper $submissionMapper,
+								IGroupManager $groupManager,
+								IUserSession $userSession) {
 		$this->formMapper = $formMapper;
 		$this->questionMapper = $questionMapper;
 		$this->optionMapper = $optionMapper;
+		$this->submissionMapper = $submissionMapper;
+		$this->groupManager = $groupManager;
+		$this->userSession = $userSession;
 	}


@ -96,4 +114,95 @@ class FormsService {

 		return $result;
 	}
+
+	/**
+	 * Get a form data without sensitive informations
+	 *
+	 * @param integer $id
+	 * @return array
+	 * @throws IMapperException
+	 */
+	public function getPublicForm(int $id): array {
+		$form = $this->getForm($id);
+
+		// Remove sensitive data
+		unset($form['access']);
+		unset($form['ownerId']);
+
+		return $form;
+	}
+
+	/**
+	 * Can the user submit a form
+	 */
+	public function canSubmit($formId) {
+		$form = $this->formMapper->findById($formId);
+		$access = $form->getAccess();
+		$user = $this->userSession->getUser();
+
+		// We cannot control how many time users can submit in public mode
+		if ($access['type'] === 'public') {
+			return true;
+		}
+
+		// Refuse access, if SubmitOnce is set and user already has taken part.
+		if ($form->getSubmitOnce()) {
+			$participants = $this->submissionMapper->findParticipantsByForm($form->getId());
+			foreach ($participants as $participant) {
+				if ($participant === $user->getUID()) {
+					return false;
+				}
+			}
+		}
+
+		return true;
+	}
+
+	/**
+	 * Check if user has access to this form
+	 *
+	 * @param integer $formId
+	 * @return boolean
+	 */
+	public function hasUserAccess(int $formId): bool {
+		$form = $this->formMapper->findById($formId);
+		$access = $form->getAccess();
+		$ownerId = $form->getOwnerId();
+		$user = $this->userSession->getUser();
+
+		if ($access['type'] === 'public') {
+			return true;
+		}
+		
+		// Refuse access, if not public and no user logged in.
+		if (!$user) {
+			return false;
+		}
+
+		// Always grant access to owner.
+		if ($ownerId === $user->getUID()) {
+			return true;
+		}
+
+		// Now all remaining users are allowed, if access-type 'registered'.
+		if ($access['type'] === 'registered') {
+			return true;
+		}
+
+		// Selected Access remains.
+		// Grant Access, if user is in users-Array.
+		if (in_array($user->getUID(), $access['users'])) {
+			return true;
+		}
+
+		// Check if access granted by group.
+		foreach ($access['groups'] as $group) {
+			if ($this->groupManager->isInGroup($user->getUID(), $group)) {
+				return true;
+			}
+		}
+
+		// None of the possible access-options matched.
+		return false;
+	}
 }