[stable4] fix: Check admin settings when fetching shared forms

.github/workflows/phpunit-sqlite.yml

@@ -175,13 +175,13 @@ jobs:
         working-directory: apps/${{ env.APP_NAME }}
         run: composer run test:integration
 
-      - name: Upload Unit coverage
+      - name: Upload integration coverage
         uses: codecov/codecov-action@e28ff129e5465c2c0dcc6f003fc735cb6ae0c673 # v4.5.0
         env:
           CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
         with:
           working-directory: apps/${{ env.APP_NAME }}
-          file: tests/clover.unit.xml
+          file: tests/clover.integration.xml
           fail_ci_if_error: true
           flags: integration
 

lib/Controller/ApiController.php

@@ -287,6 +287,17 @@
 			throw new OCSForbiddenException();
 		}
 
+		// Do not allow changing showToAllUsers if disabled
+		if (isset($keyValuePairs['access'])) {
+			$showAll = $keyValuePairs['access']['showToAllUsers'] ?? false;
+			$permitAll = $keyValuePairs['access']['permitAllUsers'] ?? false;
+			if (($showAll && !$this->configService->getAllowShowToAll())
+				|| ($permitAll && !$this->configService->getAllowPermitAll())) {
+				$this->logger->info('Not allowed to update showToAllUsers or permitAllUsers');
+				throw new OCSForbiddenException();
+			}
+		}
+
 		// Process file linking
 		if (isset($keyValuePairs['path']) && isset($keyValuePairs['fileFormat'])) {
 			$file = $this->submissionService->writeFileToCloud($form, $keyValuePairs['path'], $keyValuePairs['fileFormat']);
@@ -1627,6 +1638,17 @@
 			throw new OCSForbiddenException();
 		}
 
+		// Do not allow changing showToAllUsers if disabled
+		if (isset($keyValuePairs['access'])) {
+			$showAll = $keyValuePairs['access']['showToAllUsers'] ?? false;
+			$permitAll = $keyValuePairs['access']['permitAllUsers'] ?? false;
+			if (($showAll && !$this->configService->getAllowShowToAll())
+				|| ($permitAll && !$this->configService->getAllowPermitAll())) {
+				$this->logger->info('Not allowed to update showToAllUsers or permitAllUsers');
+				throw new OCSForbiddenException();
+			}
+		}
+
 		// Create FormEntity with given Params & Id.
 		foreach ($keyValuePairs as $key => $value) {
 			$method = 'set' . ucfirst($key);

lib/Db/FormMapper.php

@@ -27,6 +27,7 @@
 namespace OCA\Forms\Db;
 
 use OCA\Forms\Constants;
+use OCA\Forms\Service\ConfigService;
 use OCP\AppFramework\Db\Entity;
 use OCP\AppFramework\Db\QBMapper;
 use OCP\DB\QueryBuilder\IQueryBuilder;
@@ -43,10 +44,11 @@ class FormMapper extends QBMapper {
 	 * @param IDBConnection $db
 	 */
 	public function __construct(
+		IDBConnection $db,
 		private QuestionMapper $questionMapper,
 		private ShareMapper $shareMapper,
 		private SubmissionMapper $submissionMapper,
-		IDBConnection $db,
+		private ConfigService $configService,
 	) {
 		parent::__construct($db, 'forms_v2_forms', Form::class);
 	}
@@ -151,20 +153,23 @@ public function findSharedForms(string $userId, array $groups = [], array $teams
 		}
 
 		// build expression for publicy shared forms (default only directly shown)
-		if ($filterShown) {
-			// Only shown
-			$access = $qbShares->expr()->in('access_enum', $qbShares->createNamedParameter(Constants::FORM_ACCESS_ARRAY_SHOWN, IQueryBuilder::PARAM_INT_ARRAY));
-		} else {
-			// All
-			$access = $qbShares->expr()->neq('access_enum', $qbShares->createNamedParameter(Constants::FORM_ACCESS_NOPUBLICSHARE, IQueryBuilder::PARAM_INT));
+		if ($this->configService->getAllowPermitAll()) {
+			if ($filterShown && $this->configService->getAllowShowToAll()) {
+				// Only shown forms
+				$access = $qbShares->expr()->in('access_enum', $qbShares->createNamedParameter(Constants::FORM_ACCESS_ARRAY_SHOWN, IQueryBuilder::PARAM_INT_ARRAY, ':access_shown'));
+			} elseif ($filterShown === false) {
+				// All
+				$access = $qbShares->expr()->neq('access_enum', $qbShares->createNamedParameter(Constants::FORM_ACCESS_NOPUBLICSHARE, IQueryBuilder::PARAM_INT, ':access_nopublicshare'));
+			}
 		}
+		// Build the where clause for membership or public access
+		$memberOrPublic = isset($access) ? $qbShares->expr()->orX($memberships, $access) : $memberships;
 
 		// Select all DISTINCT IDs of shared forms
 		$qbShares->selectDistinct('forms.id')
 			->from($this->getTableName(), 'forms')
 			->leftJoin('forms', $this->shareMapper->getTableName(), 'shares', $qbShares->expr()->eq('forms.id', 'shares.form_id'))
-			->where($memberships)
-			->orWhere($access)
+			->where($memberOrPublic)
 			->andWhere($qbShares->expr()->neq('forms.owner_id', $qbShares->createNamedParameter($userId, IQueryBuilder::PARAM_STR)));
 
 		// Select the whole forms for the DISTINCT shared forms IDs