From 1556fc4f1aa1b5ea046c4d35c8b5d7c33bff41aa Mon Sep 17 00:00:00 2001
From: Julien Veyssier <julien-nc@posteo.net>
Date: Mon, 22 Dec 2025 15:37:41 +0100
Subject: [PATCH] fix: check access permission when requesting rules related
 with a file

Signed-off-by: Julien Veyssier <julien-nc@posteo.net>
---
 lib/Service/ApprovalService.php | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/lib/Service/ApprovalService.php b/lib/Service/ApprovalService.php
index 87669e69..3da891c3 100644
--- a/lib/Service/ApprovalService.php
+++ b/lib/Service/ApprovalService.php
@@ -78,6 +78,10 @@ public function getBasicUserRules(string $userId, string $role): array {
 	 * @return array
 	 */
 	public function getUserRules(string $userId, string $role = 'requesters', ?int $fileId = null): array {
+		if ($fileId !== null && !$this->utilsService->userHasAccessTo($fileId, $userId)) {
+			throw new \InvalidArgumentException('File not found');
+		}
+
 		$userRules = [];
 		$rules = $this->ruleService->getRules();