fix: prevent signers from seeing files with DRAFT sign_request status

Filter out sign_requests with status DRAFT (0) in the file list endpoint
when the user is not the file owner. This ensures that signers do not
see documents where their sign_request is in DRAFT status, unless they
are the requester (owner) of the document.

The filter is applied in the getFilesAssociatedFilesWithMeQueryBuilder
method by adding conditions to exclude:
- Files with status DRAFT (0)
- Sign requests with status DRAFT (0)

Only when the user is not the file owner (not matching f.user_id).

This change affects only the /api/v1/file/list endpoint and does not
impact other file access methods or signature flows.

Ref: Security improvement to prevent premature document visibility
Signed-off-by: Vitor Mattos <1079143+vitormattos@users.noreply.github.com>
Vitor Mattos 2025-12-11 17:04:55 -03:00
commit ca7339e078
No known key found for this signature in database
GPG key ID: 6FECE2AD4809003A

@ -528,7 +528,9 @@ class SignRequestMapper extends QBMapper {
$qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)), $qb->expr()->eq('f.user_id', $qb->createNamedParameter($userId)),
$qb->expr()->andX( $qb->expr()->andX(
$qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)), $qb->expr()->eq('im.identifier_key', $qb->createNamedParameter(IdentifyMethodService::IDENTIFY_ACCOUNT)),
$qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)) $qb->expr()->eq('im.identifier_value', $qb->createNamedParameter($userId)),
$qb->expr()->neq('f.status', $qb->createNamedParameter(File::STATUS_DRAFT)),
$qb->expr()->neq('sr.status', $qb->createNamedParameter(SignRequestStatus::DRAFT->value)),
) )
]; ];
$qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id')); $qb->where($qb->expr()->orX(...$or))->andWhere($qb->expr()->isNull('id.id'));
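
Review bot: the two `neq` conditions added inside the `andX` for the `IDENTIFY_ACCOUNT` branch only narrow this list query, so they hide DRAFT entries from a signer's listing rather than enforce access to the document. The commit message says other file access methods are not affected; please confirm that the paths which load a single file or sign request for a non-owner also reject DRAFT status, or say in the message that this is a visibility filter only. Two smaller points on the same lines: `File::STATUS_DRAFT` and `SignRequestStatus::DRAFT->value` are passed to `createNamedParameter` without a type, so they fall back to the default string parameter type; passing `IQueryBuilder::PARAM_INT` makes the integer comparison explicit. The hunk also carries no test; a case where the signer's sign request is DRAFT (file not listed) next to one where the same user is the owner (file listed) would pin the behaviour the message describes.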