* fix: Add brute force protection to form endpoints
Endpoints that query for forms are now protected against brute force
attacks to find valid forms, invalid hashes or IDs.
---------
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>
Co-authored-by: Christian Hartmann <chris-hartmann@gmx.de>
This commit refactors the form creation and update logic in the `ApiController` class. It removes the unnecessary setting of the `created` and `lastUpdated` timestamps in the `Form` entity, as these values are now automatically set in the `FormMapper` class. This improves code readability and reduces redundancy.
The changes also include updates to the `FormMapper` class, where the `insert` and `update` methods now automatically set the `created` and `lastUpdated` timestamps respectively.
Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>
The `ActivityManager` only needs the user ID so we can just inject the `userId`.
Also make sure that it can be null, because the `ActivityManager` is DI in the `FormsService`
and the `FormsService` is also used for public forms where no user is logged in.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Rello <Rello@users.noreply.github.com>
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Signed-off-by: Christian Hartmann <chris-hartmann@gmx.de>
Co-authored-by: Ferdinand Thiessen <opensource@fthiessen.de>
Co-authored-by: F. E Noel Nfebe <fenn25.fn@gmail.com>
Co-authored-by: Christian Hartmann <chris-hartmann@gmx.de>
* Add embedded endpoint for page controller and allow
inserting submissions without CSRF as anonymous submissions
for public shares.
* Added submenu entry for copying the embedding code to the clipboard
and added documentation on how to use the embedded view.
* Switched to `vue-clipboard2` to allow copying to clipboard
from submenu entry (allows setting a container for the copy action).
Signed-off-by: Ferdinand Thiessen <rpm@fthiessen.de>
Archived forms cannot be changed (except for being un-archived).
Closed forms behave like expired forms and just do not allow new submissions.
By default forms are in state `active`.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
* ApiController can now receive a duplication request, copies the question and options to new ones and then returns that new question object.
* All questions can now handle duplication.
* Create can now handle the duplication of questions.
* Added the new API route.
* Some styling and variables renamed to fit Nextcloud guidelines
* Written an integration test.
* Added some comments to new methods added.
* Added start for translation
* Refactored variable names and some cleanup.
* Create is now more concise.
* Updated routes
Signed-off-by: Mitchel van Hamburg <mitchelvanhamburg@posteo.net>
In the backend the handling of the "other" answer setting was not changed
after switching from object to array for extra settings.
In the frontend the value handling of the checkboxes or radio switches
was not correct as the initial value is always an empty array.
This led to issues with radio switch answers.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>