fix: prevent signers from seeing files with DRAFT sign_request status

Filter out sign_requests with status DRAFT (0) in the file list endpoint
when the user is not the file owner. This ensures that signers do not
see documents where their sign_request is in DRAFT status, unless they
are the requester (owner) of the document.

The filter is applied in the getFilesAssociatedFilesWithMeQueryBuilder
method by adding conditions to exclude:
- Files with status DRAFT (0)
- Sign requests with status DRAFT (0)

Only when the user is not the file owner (not matching f.user_id).

This change affects only the /api/v1/file/list endpoint and does not
impact other file access methods or signature flows.

Ref: Security improvement to prevent premature document visibility
Signed-off-by: Vitor Mattos <[email protected]>

Author: vitormattos

lib/Db/SignRequestMapper.php

@@ -528,7 +528,9 @@ private function getFilesAssociatedFilesWithMeQueryBuilder(string $userId, array
 			$qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)),
 			$qb->expr()->andX(
 				$qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)),
-				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId))
+				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)),
+				$qb->expr()->neq('f.status', $qb->createNamedParameter(File::STATUS_DRAFT)),
+				$qb->expr()->neq('sr.status', $qb->createNamedParameter(SignRequestStatus::DRAFT->value)),
 			)
 		];
 		$qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id'));