From ca7339e078954ba066b5f8b047fcd509a4aaf60b Mon Sep 17 00:00:00 2001
From: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Date: Thu, 11 Dec 2025 17:04:55 -0300
Subject: [PATCH] fix: prevent signers from seeing files with DRAFT sign_request status Filter out sign_requests with status DRAFT (0) in the file list endpoint when the user is not the file owner. This ensures that signers do not see documents where their sign_request is in DRAFT status, unless they are the requester (owner) of the document. The filter is applied in the getFilesAssociatedFilesWithMeQueryBuilder method by adding conditions to exclude: - Files with status DRAFT (0) - Sign requests with status DRAFT (0) Only when the user is not the file owner (not matching f.user_id). This change affects only the /api/v1/file/list endpoint and does not impact other file access methods or signature flows. Ref: Security improvement to prevent premature document visibility
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
---
 lib/Db/SignRequestMapper.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/lib/Db/SignRequestMapper.php b/lib/Db/SignRequestMapper.php
index 8cd9d7eb3..0c8ad3ffd 100644
--- a/lib/Db/SignRequestMapper.php
+++ b/lib/Db/SignRequestMapper.php
@@ -528,7 +528,9 @@ class SignRequestMapper extends QBMapper {
 $qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)),
 $qb->expr()->andX(
 $qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)),
- $qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId))
+ $qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)),
+ $qb->expr()->neq('f.status', $qb->createNamedParameter(File::STATUS_DRAFT)),
+ $qb->expr()->neq('sr.status', $qb->createNamedParameter(SignRequestStatus::DRAFT->value)),
 )
 ];
 $qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id'));
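Review bot: The two `neq` conditions added to the `andX(...)` branch hide DRAFT files only from this listing query, and the commit message says other file access methods are untouched, so a signer who already holds a file's identifier may still reach a draft through whichever endpoint loads a single file; this cannot be confirmed from the hunk, but the same status check belongs wherever a signer fetches a file or sign request, not only in the list. Both status values are bound with the default parameter type; binding them as integers, e.g. `$qb->createNamedParameter(File::STATUS_DRAFT, IQueryBuilder::PARAM_INT)`, avoids depending on implicit casts across database backends. If either status column can be NULL, `neq` will also drop those rows for signers, which is worth checking against the schema. A comment above the new lines such as `// Non-owners must not see the file while it, or their own sign request, is still DRAFT` would record why the owner branch is left unfiltered. The enclosing method starts and ends outside the hunk.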