From 773721b634f9337178052ef23bba55e97b864d75 Mon Sep 17 00:00:00 2001
From: TekH
Date: Fri, 14 Nov 2025 13:49:58 +0100
Subject: [PATCH] fix(AnnotationController): enforce proper rejection and history checks in CreateOrUpdate

- Updated `AnyHistoryAsync` call to filter by `EnvelopeRejected` and `DocumentRejected` statuses, returning 403 instead of 200 when applicable.
- Ensures users cannot proceed if envelope was previously rejected.
- Minor cleanup in CreateOrUpdate logic to better handle authorization and signed checks.
---
 .../Histories/Queries/CountHistoryQuery.cs | 2 +-
 EnvelopeGenerator.Web/Controllers/AnnotationController.cs | 5 ++---
 2 files changed, 3 insertions(+), 4 deletions(-)

diff --git a/EnvelopeGenerator.Application/Histories/Queries/CountHistoryQuery.cs b/EnvelopeGenerator.Application/Histories/Queries/CountHistoryQuery.cs
index a4f04baf..2213005a 100644
--- a/EnvelopeGenerator.Application/Histories/Queries/CountHistoryQuery.cs
+++ b/EnvelopeGenerator.Application/Histories/Queries/CountHistoryQuery.cs
@@ -26,7 +26,7 @@ public static class CountHistoryQueryExtensions
 ///
 ///
 ///
- public static async Task AnyHistoryAsync(this ISender sender, string uuid, IEnumerable statuses, CancellationToken cancel)
+ public static async Task AnyHistoryAsync(this ISender sender, string uuid, IEnumerable statuses, CancellationToken cancel = default)
 {
 var count = await sender.Send(new CountHistoryQuery
 {
diff --git a/EnvelopeGenerator.Web/Controllers/AnnotationController.cs b/EnvelopeGenerator.Web/Controllers/AnnotationController.cs
index c7db46f0..f29a40bd 100644
--- a/EnvelopeGenerator.Web/Controllers/AnnotationController.cs
+++ b/EnvelopeGenerator.Web/Controllers/AnnotationController.cs
@@ -12,7 +12,6 @@ using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Authentication.Cookies;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
-using System.Dynamic;
 namespace EnvelopeGenerator.Web.Controllers;
@@ -60,8 +59,8 @@ public class AnnotationController : ControllerBase
 // Again check if receiver has already signed
 if (await _mediator.IsSignedAsync(uuid, signature, cancel))
 return Problem(statusCode: 403);
- else if (await _mediator.AnyHistoryAsync())
- return Problem(statusCode: 200);
+ else if (await _mediator.AnyHistoryAsync(uuid, new[] { EnvelopeStatus.EnvelopeRejected, EnvelopeStatus.DocumentRejected }, cancel))
+ return Problem(statusCode: 403);
 var docSignedNotification = await _mediator
 .ReadEnvelopeReceiverAsync(uuid, signature, cancel)
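Review bot: The new rejected-status guard in `CreateOrUpdate` is a separate read that runs before the signing work that starts at `ReadEnvelopeReceiverAsync`, so a rejection recorded between this `AnyHistoryAsync` call and the later write would presumably not be caught; the method continues outside the hunk, so confirm that the handler which persists the signature re-checks `EnvelopeRejected`/`DocumentRejected` in the same transaction. Both refusals return a bare `Problem(statusCode: 403)` with nothing logged on the visible lines, which leaves repeated attempts against a signed or rejected envelope invisible to monitoring; a warning-level entry carrying `uuid` (and not the `signature` value) before each return would cover that. As a style point, the status list is allocated on every request and the `else` after a `return` is redundant: hoist it to `private static readonly EnvelopeStatus[] RejectedStatuses = { EnvelopeStatus.EnvelopeRejected, EnvelopeStatus.DocumentRejected };` and write `if (await _mediator.AnyHistoryAsync(uuid, RejectedStatuses, cancel))`.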