Merge pull request #3271 from nextcloud/backport/3269/stable5.2

[stable5.2] fix: handle submissions correctly when user wants to edit a given response

Author: Chartman123

lib/Controller/ApiController.php

@@ -1259,6 +1259,8 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit =
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
 	public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 
 		$submission = $this->submissionService->getSubmission($submissionId);
 		if ($submission === null) {
@@ -1269,6 +1271,10 @@ public function getSubmission(int $formId, int $submissionId): DataResponse|Data
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID()) {
+			throw new OCSForbiddenException('User is not allowed to see submission');
+		}
+
 		// Append Display Names
 		if (substr($submission['userId'], 0, 10) === 'anon-user-') {
 			// Anonymous User

src/views/Submit.vue

@@ -57,7 +57,7 @@
 				</template>
 			</NcEmptyContent>
 			<NcEmptyContent
-				v-else-if="success || !form.canSubmit"
+				v-else-if="success || (!form.canSubmit && !submissionId)"
 				class="forms-emptycontent"
 				:name="
 					form.submissionMessage
@@ -657,6 +657,14 @@ export default {
 								`option ${text} could not be mapped to an option for question ${questionId}`,
 							)
 						}
+					} else if (question.type === 'file') {
+						// File answers cannot be restored when editing a submission —
+						// the uploaded file has already been moved to permanent storage
+						// and the temporary uploadedFileId no longer exists.
+						// The user must re-upload files if needed.
+						logger.debug(
+							`Skipping file answer for question ${questionId} — cannot restore uploaded files`,
+						)
 					} else {
 						answers[questionId].push(text)
 					}

tests/Unit/Controller/ApiControllerTest.php

@@ -1057,6 +1057,11 @@ public function testGetSubmission_success() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)
@@ -1120,6 +1125,11 @@ public function testGetSubmission_anonymousUser() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)
@@ -1153,6 +1163,11 @@ public function testGetSubmission_userNotFound() {
 			->with(1, Constants::PERMISSION_RESULTS)
 			->willReturn($form);
 
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_RESULTS]);
+
 		$this->submissionService->expects($this->once()) // Changed from submissionMapper
 			->method('getSubmission')
 			->with(42)