From 1e9dd864eaaaebbf9cd9b7bdae09aec3d3b71215 Mon Sep 17 00:00:00 2001
From: Christian Hartmann
Date: Sat, 4 Apr 2026 15:10:42 +0200
Subject: [PATCH] fix(api): enforce submission visibility based on user permissions

fix(submit): adjust conditional rendering for submission state

Signed-off-by: Christian Hartmann
---
 lib/Controller/ApiController.php | 6 ++++++
 src/views/Submit.vue | 7 +++++--
 tests/Unit/Controller/ApiControllerTest.php | 15 +++++++++++++++
 3 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index 0cbe6a73e..d3fe43a40 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -1265,6 +1265,8 @@ public function getSubmissions(int $formId, ?string $query = null, ?int $limit =
 	#[ApiRoute(verb: 'GET', url: '/api/v3/forms/{formId}/submissions/{submissionId}')]
 	public function getSubmission(int $formId, int $submissionId): DataResponse|DataDownloadResponse {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+		$permissions = $this->formsService->getPermissions($form);
+		$canSeeAllSubmissions = in_array(Constants::PERMISSION_RESULTS, $permissions, true);
 		$submission = $this->submissionService->getSubmission($submissionId);
 
 		if ($submission === null) {
@@ -1275,6 +1277,10 @@ public function getSubmission(int $formId, int $submissionId): DataResponse|Data
 			throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 		}
 
+		if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser->getUID()) {
+			throw new OCSForbiddenException('User is not allowed to see submission');
+		}
+
 		// Append Display Names
 		if (substr($submission['userId'], 0, 10) === 'anon-user-') {
 			// Anonymous User
diff --git a/src/views/Submit.vue b/src/views/Submit.vue
index 4b9385847..ad0905a10 100644
--- a/src/views/Submit.vue
+++ b/src/views/Submit.vue
@@ -58,7 +58,10 @@
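Review bot: The new `$canSeeAllSubmissions` flag is derived from `getPermissions($form)` immediately after `getFormIfAllowed($formId, Constants::PERMISSION_RESULTS)` on the line above it; if that call really rejects callers without PERMISSION_RESULTS, the flag is always true and the ownership check added in the second hunk of this file can never fire, whereas if `getFormIfAllowed` also admits, say, the submission's own author, the PERMISSION_RESULTS argument no longer describes what is enforced. I cannot see `getFormIfAllowed` from here, so this is an inference, but the relationship between the two calls deserves a comment so the next reader does not "fix" one of them. Suggest above the `$permissions` line: `// getFormIfAllowed may admit callers without PERMISSION_RESULTS (e.g. a submission's author); those are limited to their own submission below.` The body of getSubmission continues past the end of this hunk.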
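Review bot: The added ownership check calls `$this->currentUser->getUID()` unconditionally; if this route can be reached without an authenticated user (not visible in this hunk), the call on a null `currentUser` fails with an error rather than the intended 403, and the comparison then never runs. A nullsafe call keeps the strict comparison and still denies access, because `$submission['userId']` will not equal null: `if (!$canSeeAllSubmissions && $submission['userId'] !== $this->currentUser?->getUID()) {`. Note also that the 403 confirms to a non-owner that the submission id exists under this form; if that is a concern, returning the same not-found response used for a missing submission avoids the disclosure. The method continues after the `// Anonymous User` line.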