fix(api): re-check result permission in submission export

pringelmann · pringelmann · commit 0f7e893cdb9d · 2026-05-28T12:03:45.000+02:00
Signed-off-by: Peter Ringelmann &lt;peter.ringelmann@nextcloud.com&gt;
diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
@@ -1613,6 +1613,14 @@ public function deleteSubmission(int $formId, int $submissionId): DataResponse {
 	#[ApiRoute(verb: 'POST', url: '/api/v3/forms/{formId}/submissions/export')]
 	public function exportSubmissionsToCloud(int $formId, string $path, string $fileFormat = Constants::DEFAULT_FILE_FORMAT) {
 		$form = $this->formsService->getFormIfAllowed($formId, Constants::PERMISSION_RESULTS);
+
+		// canSeeResults() (used by getFormIfAllowed) also accepts submitters;
+		// exporting every submission needs the strict PERMISSION_RESULTS grant.
+		$permissions = $this->formsService->getPermissions($form);
+		if (!in_array(Constants::PERMISSION_RESULTS, $permissions, true)) {
+			throw new OCSForbiddenException('The current user has no permission to get the results for this form');
+		}
+
 		$file = $this->submissionService->writeFileToCloud($form, $path, $fileFormat);
 
 		return new DataResponse($file->getName());
diff --git a/tests/Unit/Controller/ApiControllerTest.php b/tests/Unit/Controller/ApiControllerTest.php
@@ -465,6 +465,28 @@ public function testExportSubmissionsToCloud_invalidForm() {
 		$this->apiController->exportSubmissionsToCloud(1, '');
 	}
 
+	public function testExportSubmissionsToCloud_noExportPermissions() {
+		$form = new Form();
+		$form->setId(1);
+		$form->setOwnerId('someoneElse');
+
+		$this->formsService->expects($this->once())
+			->method('getFormIfAllowed')
+			->with(1, Constants::PERMISSION_RESULTS)
+			->willReturn($form);
+
+		$this->formsService->expects($this->once())
+			->method('getPermissions')
+			->with($form)
+			->willReturn([Constants::PERMISSION_SUBMIT]);
+
+		$this->submissionService->expects($this->never())
+			->method('writeFileToCloud');
+
+		$this->expectException(OCSForbiddenException::class);
+		$this->apiController->exportSubmissionsToCloud(1, '/', 'csv');
+	}
+
 	public function testCreateNewForm_notAllowed() {
 		$this->configService->expects($this->once())
 			->method('canCreateForms')
