diff --git a/lib/Controller/ApiController.php b/lib/Controller/ApiController.php
index a96b28007..a3608cdeb 100644
--- a/lib/Controller/ApiController.php
+++ b/lib/Controller/ApiController.php
@@ -1289,9 +1289,9 @@ public function deleteSubmission(int $formId, int $submissionId): DataResponse {
 throw new OCSBadRequestException('Submission doesn\'t belong to given form');
 }
- // The current user has permissions to remove own submission
- if (!$this->formsService->canDeleteSubmission($form, $submission)) {
- $this->logger->debug('The user cannot delete own submission because AllowEdit is not set');
+ // The current user has permissions to remove submissions
+ if (!$this->formsService->canDeleteResults($form)) {
+ $this->logger->debug('This form is not owned by the current user and user has no `results_delete` permission');
 throw new OCSForbiddenException();
 }
diff --git a/lib/Service/FormsService.php b/lib/Service/FormsService.php
index 699cedb33..55382fc1d 100644
--- a/lib/Service/FormsService.php
+++ b/lib/Service/FormsService.php
@@ -373,28 +373,6 @@ public function canDeleteResults(Form $form): bool {
 return !$this->isFormArchived($form);
 }
- /**
- * Can the current user delete own submission
- *
- * @param Form $form
- * @param Submission $submission
- * @return boolean
- */
- public function canDeleteSubmission(Form $form, Submission $submission): bool {
-
- // Do not allow deleting results on archived forms
- if ($this->isFormArchived($form)) {
- return false;
- }
-
- // if AllowEdit then the current user can delete own submission
- if ($form->getAllowEdit() && $submission->getUserId() == $this->currentUser->getUID()) {
- return true;
- }
-
- return false;
- }
-
 /**
 * Can the user submit a form
 *
diff --git a/tests/Unit/Controller/ApiControllerTest.php b/tests/Unit/Controller/ApiControllerTest.php
index 4d7f229a7..879385473 100644
--- a/tests/Unit/Controller/ApiControllerTest.php
+++ b/tests/Unit/Controller/ApiControllerTest.php
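Review bot: The new debug message on the added `$this->logger->debug(...)` line asserts a reason that `canDeleteResults()` does not guarantee: the visible tail of that method in the FormsService hunk is `return !$this->isFormArchived($form);`, so the same `false` is returned for an archived form the current user owns, and the log would then wrongly blame a missing `results_delete` permission. A wording that covers every branch of the check is safer, e.g. `$this->logger->debug('User may not delete submissions of this form (not the owner, no results_delete permission, or form archived)');`. Separately, the authorization check still runs after the `Submission doesn't belong to given form` rejection on the context lines above it, so a caller with no rights on the form receives a 400 or a 403 depending on whether the submission id belongs to that form — a membership oracle that a check-authorization-first ordering would close; moving `if (!$this->formsService->canDeleteResults($form)) {` ahead of that comparison appears to need no other change, though the comparison itself is outside this hunk. deleteSubmission's body begins before the hunk.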
@@ -982,7 +982,7 @@ public function testDeleteSubmissionNoPermission($submissionData, $formData) {
 $this->formsService
 ->expects($this->once())
- ->method('canDeleteSubmission')
+ ->method('canDeleteResults')
 ->with($form)
 ->willReturn(false);
@@ -1009,7 +1009,7 @@ public function testDeleteSubmission($submissionData, $formData) {
 $this->formsService
 ->expects($this->once())
- ->method('canDeleteSubmission')
+ ->method('canDeleteResults')
 ->with($form)
 ->willReturn(true);
diff --git a/tests/Unit/Service/FormsServiceTest.php b/tests/Unit/Service/FormsServiceTest.php
index 0e66c5280..db6556a31 100644
--- a/tests/Unit/Service/FormsServiceTest.php
+++ b/tests/Unit/Service/FormsServiceTest.php
@@ -959,59 +959,6 @@ public function testCanDeleteResults(string $ownerId, array $sharesArray, bool $
 $this->assertEquals($expected, $this->formsService->canDeleteResults($form));
 }
- public function dataCanDeleteSubmission() {
- return [
- 'disallowNoAllowEdit' => [
- 'formArchived' => false,
- 'submissionUserId' => 'currentUser',
- 'allowEdit' => false,
- 'expected' => false
- ],
- 'disallowArchivedForm' => [
- 'formArchived' => true,
- 'submissionUserId' => 'currentUser',
- 'allowEdit' => false,
- 'expected' => false
- ],
- 'allowAllowEdit' => [
- 'formArchived' => false,
- 'submissionUserId' => 'currentUser',
- 'allowEdit' => true,
- 'expected' => true
- ],
- 'disallowAllowEditOtherUser' => [
- 'formArchived' => false,
- 'submissionUserId' => 'otherUser',
- 'allowEdit' => true,
- 'expected' => false
- ],
- ];
- }
- /**
- * @dataProvider dataCanDeleteSubmission
- *
- * @param bool $formArchived
- * @param string $submissionUserId,
- * @param bool $allowEdit
- * @param bool $expected
- */
- public function testCanDeleteSubmission(bool $formArchived, string $submissionUserId, bool $allowEdit, bool $expected) {
- $form = new Form();
- $form->setId(42);
- $form->setAccess([
- 'permitAllUsers' => false,
- 'showToAllUsers' => false,
- ]);
- $form->setState($formArchived?Constants::FORM_STATE_ARCHIVED:Constants::FORM_STATE_ACTIVE);
- $form->setAllowEdit($allowEdit);
-
- $submission = new Submission();
- $submission->setFormId(42);
- $submission->setUserId($submissionUserId);
-
- $this->assertEquals($expected, $this->formsService->canDeleteSubmission($form, $submission));
- }
-
 public function dataCanSubmit() {
 return [
 'allowFormOwner' => [