Merge pull request #6141 from LibreSign/backport/6139/stable32

[stable32] fix: prevent signers from seeing files with DRAFT sign_request status

Author: vitormattos

lib/Db/SignRequestMapper.php

@@ -527,7 +527,9 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 			$qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)),
 			$qb->expr()->andX(
 				$qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)),
-				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId))
+				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)),
+				$qb->expr()->neq('f.status', $qb->createNamedParameter(File::STATUS_DRAFT)),
+				$qb->expr()->neq('sr.status', $qb->createNamedParameter(SignRequestStatus::DRAFT->value)),
 			)
 		];
 		$qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id'));

tests/integration/features/sign/sequential_signing.feature

@@ -43,21 +43,26 @@ Feature: sequential-signing
       | users | [{"identify":{"account":"signer1"},"signingOrder":1},{"identify":{"account":"signer2"},"signingOrder":2}] |
       | name | Sequential Document |
     Then the response should have a status code 200
-    And as user "signer2"
-    And sending "get" to ocs "/apps/libresign/api/v1/file/list"
-    And the response should have a status code 200
-    And fetch field "(SIGN_UUID_2)ocs.data.data.0.signers.1.sign_uuid" from previous JSON response
-    When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_2>"
-      | method | clickToSign |
-    Then the response should have a status code 422
-    And as user "signer1"
-    And sending "get" to ocs "/apps/libresign/api/v1/file/list"
-    And the response should have a status code 200
+    # Signer2 should NOT see the file yet (their sign_request is in DRAFT status)
+    Given as user "signer2"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
+    And the response should be a JSON array with the following mandatory values
+      | key                        | value |
+      | (jq).ocs.data.data\|length | 0     |
+    # Signer1 can see and sign the document
+    Given as user "signer1"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
     And fetch field "(SIGN_UUID_1)ocs.data.data.0.signers.0.sign_uuid" from previous JSON response
     When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_1>"
       | method | clickToSign |
     Then the response should have a status code 200
-    And as user "signer2"
+    # After signer1 signs, signer2 should now see the file and be able to sign
+    Given as user "signer2"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
+    And fetch field "(SIGN_UUID_2)ocs.data.data.0.signers.1.sign_uuid" from previous JSON response
     When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_2>"
       | method | clickToSign |
     Then the response should have a status code 200