Merge pull request #6139 from LibreSign/fix/filter-draft-sign-requests-in-list

fix: prevent signers from seeing files with DRAFT sign_request status
2025-12-17 21:12:16 +01:00 · 2025-12-11 18:31:44 -03:00 · 2025-12-11 18:31:44 -03:00 · 778067f5f1
commit 778067f5f1
parent dd252f3c6f adc396d52e
2 changed files with 19 additions and 12 deletions
--- a/lib/Db/SignRequestMapper.php
+++ b/lib/Db/SignRequestMapper.php
@ -528,7 +528,9 @@ class SignRequestMapper extends QBMapper {
 			$qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)),
 			$qb->expr()->andX(
 				$qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)),
-				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId))
+				$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)),
+				$qb->expr()->neq('f.status', $qb->createNamedParameter(File::STATUS_DRAFT)),
+				$qb->expr()->neq('sr.status', $qb->createNamedParameter(SignRequestStatus::DRAFT->value)),
 			)
 		];
 		$qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id'));
--- a/tests/integration/features/sign/sequential_signing.feature
+++ b/tests/integration/features/sign/sequential_signing.feature
@ -43,21 +43,26 @@ Feature: sequential-signing
      | users | [{"identify":{"account":"signer1"},"signingOrder":1},{"identify":{"account":"signer2"},"signingOrder":2}] |
      | name | Sequential Document |
    Then the response should have a status code 200
-    And as user "signer2"
-    And sending "get" to ocs "/apps/libresign/api/v1/file/list"
-    And the response should have a status code 200
-    And fetch field "(SIGN_UUID_2)ocs.data.data.0.signers.1.sign_uuid" from previous JSON response
-    When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_2>"
-      | method | clickToSign |
-    Then the response should have a status code 422
-    And as user "signer1"
-    And sending "get" to ocs "/apps/libresign/api/v1/file/list"
-    And the response should have a status code 200
+    # Signer2 should NOT see the file yet (their sign_request is in DRAFT status)
+    Given as user "signer2"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
+    And the response should be a JSON array with the following mandatory values
+      | key                        | value |
+      | (jq).ocs.data.data\|length | 0     |
+    # Signer1 can see and sign the document
+    Given as user "signer1"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
    And fetch field "(SIGN_UUID_1)ocs.data.data.0.signers.0.sign_uuid" from previous JSON response
    When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_1>"
      | method | clickToSign |
    Then the response should have a status code 200
-    And as user "signer2"
+    # After signer1 signs, signer2 should now see the file and be able to sign
+    Given as user "signer2"
+    When sending "get" to ocs "/apps/libresign/api/v1/file/list"
+    Then the response should have a status code 200
+    And fetch field "(SIGN_UUID_2)ocs.data.data.0.signers.1.sign_uuid" from previous JSON response
    When sending "post" to ocs "/apps/libresign/api/v1/sign/uuid/<SIGN_UUID_2>"
      | method | clickToSign |
    Then the response should have a status code 200