docusealco
diff --git a/‎app/controllers/submissions_download_controller.rb‎
Lines changed: 19 additions & 11 deletions b/‎app/controllers/submissions_download_controller.rb‎
Lines changed: 19 additions & 11 deletions
diff --git a/‎app/controllers/submit_form_controller.rb‎
Lines changed: 7 additions & 16 deletions b/‎app/controllers/submit_form_controller.rb‎
Lines changed: 7 additions & 16 deletions
diff --git a/‎app/controllers/submit_form_decline_controller.rb‎
Lines changed: 3 additions & 1 deletion b/‎app/controllers/submit_form_decline_controller.rb‎
Lines changed: 3 additions & 1 deletion
diff --git a/‎app/controllers/submit_form_download_controller.rb‎
Lines changed: 2 additions & 1 deletion b/‎app/controllers/submit_form_download_controller.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/controllers/submit_form_draw_signature_controller.rb‎
Lines changed: 2 additions & 1 deletion b/‎app/controllers/submit_form_draw_signature_controller.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/controllers/submit_form_invite_controller.rb‎
Lines changed: 2 additions & 1 deletion b/‎app/controllers/submit_form_invite_controller.rb‎
Lines changed: 2 additions & 1 deletion
diff --git a/‎app/controllers/submit_form_values_controller.rb‎
Lines changed: 5 additions & 3 deletions b/‎app/controllers/submit_form_values_controller.rb‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎app/controllers/templates_uploads_controller.rb‎
Lines changed: 1 addition & 1 deletion b/‎app/controllers/templates_uploads_controller.rb‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎app/javascript/submission_form/completed.vue‎
Lines changed: 9 additions & 1 deletion b/‎app/javascript/submission_form/completed.vue‎
Lines changed: 9 additions & 1 deletion
diff --git a/‎app/javascript/submission_form/form.vue‎
Lines changed: 9 additions & 1 deletion b/‎app/javascript/submission_form/form.vue‎
Lines changed: 9 additions & 1 deletion
@@ -27,29 +27,37 @@ def index
 
     Submissions::EnsureResultGenerated.call(last_submitter)
 
-    if last_submitter.completed_at < TTL.ago && !signature_valid && !current_user_submitter?(last_submitter)
-      Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
+    if !signature_valid && !current_user_submitter?(last_submitter)
+      return head :not_found unless Submitters::AuthorizedForForm.call(@submitter, current_user, request)
 
-      return head :not_found
+      if last_submitter.completed_at < TTL.ago
+        Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
+
+        return head :not_found
+      end
     end
 
     if params[:combined] == 'true'
-      url = build_combined_url(@submitter)
-
-      if url
-        render json: [url]
-      else
-        head :not_found
-      end
+      respond_with_combined(last_submitter)
     else
       render json: build_urls(last_submitter)
     end
   end
 
   private
 
+  def respond_with_combined(submitter)
+    url = build_combined_url(submitter)
+
+    if url
+      render json: [url]
+    else
+      head :not_found
+    end
+  end
+
   def current_user_submitter?(submitter)
-    current_user && current_user.account.submitters.exists?(id: submitter.id)
+    current_user && current_ability.can?(:read, submitter)
   end
 
   def build_urls(submitter)
 
@@ -9,15 +9,15 @@ class SubmitFormController < ApplicationController
 
   before_action :load_submitter, only: %i[show update completed]
   before_action :maybe_render_locked_page, only: :show
-  before_action :maybe_require_link_2fa, only: %i[show update]
+  before_action :maybe_require_link_2fa, only: %i[show]
 
   CONFIG_KEYS = [].freeze
 
   def show
     submission = @submitter.submission
 
+    return render :email_2fa unless Submitters::AuthorizedForForm.pass_email_2fa?(@submitter, request)
     return redirect_to submit_form_completed_path(@submitter.slug) if @submitter.completed_at?
-    return render :email_2fa if require_email_2fa?(@submitter)
 
     @form_configs = Submitters::FormConfigs.call(@submitter, CONFIG_KEYS)
 
@@ -48,7 +48,7 @@ def show
   end
 
   def update
-    if require_email_2fa?(@submitter)
+    unless Submitters::AuthorizedForForm.call(@submitter, current_user, request)
       return render json: { error: I18n.t('verification_required_refresh_the_page_and_pass_2fa') },
                     status: :unprocessable_content
     end
@@ -84,18 +84,17 @@ def update
   def completed
     raise ActionController::RoutingError, I18n.t('not_found') if @submitter.account.archived_at?
 
-    redirect_to submit_form_path(params[:submit_form_slug]) if require_email_2fa?(@submitter)
+    return if Submitters::AuthorizedForForm.call(@submitter, current_user, request)
+
+    redirect_to submit_form_path(params[:submit_form_slug])
   end
 
   def success; end
 
   private
 
   def maybe_require_link_2fa
-    return if @submitter.submission.source != 'link'
-    return unless @submitter.submission.template&.preferences&.dig('shared_link_2fa') == true
-    return if cookies.encrypted[:email_2fa_slug] == @submitter.slug
-    return if @submitter.email == current_user&.email && current_user&.account_id == @submitter.account_id
+    return if Submitters::AuthorizedForForm.pass_link_2fa?(@submitter, current_user, request)
 
     redirect_to start_form_path(@submitter.submission.template.slug)
   end
@@ -117,12 +116,4 @@ def build_attachments_index(submission)
     ActiveStorage::Attachment.where(record: submission.submitters, name: :attachments)
                              .preload(:blob).index_by(&:uuid)
   end
-
-  def require_email_2fa?(submitter)
-    return false if submitter.submission.template&.preferences&.dig('require_email_2fa') != true &&
-                    submitter.preferences['require_email_2fa'] != true
-    return false if cookies.encrypted[:email_2fa_slug] == submitter.slug
-
-    true
-  end
 end
@@ -11,7 +11,9 @@ def create
                                                            submitter.completed_at? ||
                                                            submitter.submission.archived_at? ||
                                                            submitter.submission.expired? ||
-                                                           submitter.submission.template&.archived_at?
+                                                           submitter.submission.template&.archived_at? ||
+                                                           !Submitters::AuthorizedForForm.call(submitter, current_user,
+                                                                                               request)
 
     ApplicationRecord.transaction do
       submitter.update!(declined_at: Time.current)
 
@@ -17,7 +17,8 @@ def index
                                           @submitter.submission.template&.archived_at? ||
                                           AccountConfig.exists?(account_id: @submitter.account_id,
                                                                 key: AccountConfig::ALLOW_TO_PARTIAL_DOWNLOAD_KEY,
-                                                                value: false)
+                                                                value: false) ||
+                                          !Submitters::AuthorizedForForm.call(@submitter, current_user, request)
 
     last_completed_submitter = @submitter.submission.submitters
                                          .where.not(id: @submitter.id)
 
@@ -12,7 +12,8 @@ def show
 
     return redirect_to submit_form_completed_path(@submitter.slug) if @submitter.completed_at?
 
-    if @submitter.submission.template&.archived_at? || @submitter.submission.archived_at?
+    if @submitter.submission.template&.archived_at? || @submitter.submission.archived_at? ||
+       !Submitters::AuthorizedForForm.call(@submitter, current_user, request)
       return redirect_to submit_form_path(@submitter.slug)
     end
 
 
@@ -45,7 +45,8 @@ def can_invite?(submitter)
       !submitter.completed_at? &&
       !submitter.submission.archived_at? &&
       !submitter.submission.expired? &&
-      !submitter.submission.template&.archived_at?
+      !submitter.submission.template&.archived_at? &&
+      Submitters::AuthorizedForForm.call(submitter, current_user, request)
   end
 
   def filter_invite_submitters(submitter, key = 'invite_by_uuid')
 
@@ -7,10 +7,12 @@ class SubmitFormValuesController < ApplicationController
   def index
     submitter = Submitter.find_by!(slug: params[:submit_form_slug])
 
-    return render json: {} if submitter.completed_at? || submitter.declined_at?
-    return render json: {} if submitter.submission.template&.archived_at? ||
+    return render json: {} if submitter.completed_at? ||
+                              submitter.declined_at? ||
+                              submitter.submission.template&.archived_at? ||
                               submitter.submission.archived_at? ||
-                              submitter.submission.expired?
+                              submitter.submission.expired? ||
+                              !Submitters::AuthorizedForForm.call(submitter, current_user, request)
 
     value = submitter.values[params['field_uuid']]
     attachment = submitter.attachments.where(created_at: params[:after]..).find_by(uuid: value) if value.present?
 
@@ -56,7 +56,7 @@ def save_template!(template, url_params)
   def create_file_params_from_url
     tempfile = Tempfile.new
     tempfile.binmode
-    tempfile.write(DownloadUtils.call(params[:url]).body)
+    tempfile.write(DownloadUtils.call(params[:url], validate: true).body)
     tempfile.rewind
 
     filename = URI.decode_www_form_component(params[:filename]) if params[:filename].present?
 
@@ -161,6 +161,11 @@ export default {
       required: false,
       default: false
     },
+    fetchOptions: {
+      type: Object,
+      required: false,
+      default: () => ({})
+    },
     completedButton: {
       type: Object,
       required: false,
@@ -214,7 +219,10 @@ export default {
     download () {
       this.isDownloading = true
 
-      fetch(this.baseUrl + `/submitters/${this.submitterSlug}/download`).then(async (response) => {
+      fetch(this.baseUrl + `/submitters/${this.submitterSlug}/download`, {
+        method: 'GET',
+        ...this.fetchOptions
+      }).then(async (response) => {
         if (response.ok) {
           const urls = await response.json()
           const isMobileSafariIos = 'ontouchstart' in window && navigator.maxTouchPoints > 0 && /AppleWebKit/i.test(navigator.userAgent)
 
@@ -530,6 +530,7 @@
         v-else-if="isInvite"
         :submitters="inviteSubmitters"
         :optional-submitters="optionalInviteSubmitters"
+        :fetch-options="fetchOptions"
         :submitter-slug="submitterSlug"
         :authenticity-token="authenticityToken"
         :url="baseUrl + submitPath + '/invite'"
@@ -543,6 +544,7 @@
         :has-signature-fields="stepFields.some((fields) => fields.some((f) => ['signature', 'initials'].includes(f.type)))"
         :has-multiple-documents="hasMultipleDocuments"
         :completed-button="completedRedirectUrl ? {} : completedButton"
+        :fetch-options="fetchOptions"
         :completed-message="completedRedirectUrl ? {} : completedMessage"
         :with-send-copy-button="withSendCopyButton && !completedRedirectUrl"
         :with-download-button="withDownloadButton && !completedRedirectUrl && !dryRun"
@@ -678,6 +680,11 @@ export default {
       required: false,
       default: () => []
     },
+    fetchOptions: {
+      type: Object,
+      required: false,
+      default: () => ({})
+    },
     optionalInviteSubmitters: {
       type: Array,
       required: false,
@@ -1467,7 +1474,8 @@ export default {
       } else {
         return fetch(this.baseUrl + this.submitPath, {
           method: 'POST',
-          body: formData || new FormData(this.$refs.form)
+          body: formData || new FormData(this.$refs.form),
+          ...this.fetchOptions
         }).then((response) => {
           if (response.status === 200) {
             currentFieldUuids.forEach((fieldUuid) => {