feat: policy signature flow

lib/AppInfo/Application.php

@@ -60,7 +60,6 @@ public function register(IRegistrationContext $context): void {
 		$context->registerNotifierService(Notifier::class);
 
 		$context->registerSearchProvider(FileSearchProvider::class);
-
 		$context->registerEventListener(LoadSidebar::class, TemplateLoader::class);
 		$context->registerEventListener(BeforeNodeDeletedEvent::class, BeforeNodeDeletedListener::class);
 		$context->registerEventListener(CacheEntryRemovedEvent::class, BeforeNodeDeletedListener::class);

lib/Command/Developer/Reset.php

@@ -96,6 +96,12 @@ protected function configure(): void {
 				mode: InputOption::VALUE_NONE,
 				description: 'Reset config'
 			)
+			->addOption(
+				name: 'policy',
+				shortcut: null,
+				mode: InputOption::VALUE_NONE,
+				description: 'Reset policy data'
+			)
 		;
 	}
 
@@ -140,6 +146,10 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 				$this->resetConfig();
 				$ok = true;
 			}
+			if ($input->getOption('policy') || $all) {
+				$this->resetPolicy();
+				$ok = true;
+			}
 		} catch (\Exception $e) {
 			$this->logger->error($e->getMessage());
 			throw $e;
@@ -254,4 +264,17 @@ private function resetConfig(): void {
 		} catch (\Throwable) {
 		}
 	}
+
+	private function resetPolicy(): void {
+		try {
+			$delete = $this->db->getQueryBuilder();
+			$delete->delete('libresign_permission_set_binding')
+				->executeStatement();
+
+			$delete = $this->db->getQueryBuilder();
+			$delete->delete('libresign_permission_set')
+				->executeStatement();
+		} catch (\Throwable) {
+		}
+	}
 }

lib/Controller/AdminController.php

@@ -24,12 +24,14 @@
 use OCA\Libresign\Service\IdentifyMethodService;
 use OCA\Libresign\Service\Install\ConfigureCheckService;
 use OCA\Libresign\Service\Install\InstallService;
+use OCA\Libresign\Service\Policy\PolicyService;
 use OCA\Libresign\Service\ReminderService;
 use OCA\Libresign\Service\SignatureBackgroundService;
 use OCA\Libresign\Service\SignatureTextService;
 use OCA\Libresign\Settings\Admin;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\DataDownloadResponse;
@@ -83,6 +85,7 @@ public function __construct(
 		private ReminderService $reminderService,
 		private FooterService $footerService,
 		private DocMdpConfigService $docMdpConfigService,
+		private PolicyService $policyService,
 		private IdentifyMethodService $identifyMethodService,
 		private FileMapper $fileMapper,
 	) {
@@ -875,7 +878,7 @@ public function getFooterTemplate(): DataResponse {
 	public function saveFooterTemplate(string $template = '', int $width = 595, int $height = 50) {
 		try {
 			$this->footerService->saveTemplate($template);
-			$pdf = $this->footerService->renderPreviewPdf('', $width, $height);
+			$pdf = $this->footerService->renderPreviewPdf($template, $width, $height);
 
 			return new DataDownloadResponse($pdf, 'footer-preview.pdf', 'application/pdf');
 		} catch (\Exception $e) {
@@ -894,15 +897,18 @@ public function saveFooterTemplate(string $template = '', int $width = 595, int
 	 * @param string $template Template to preview
 	 * @param int $width Width of preview in points (default: 595 - A4 width)
 	 * @param int $height Height of preview in points (default: 50)
+	 * @param ?bool $writeQrcodeOnFooter Whether to force QR code rendering in footer preview (null uses policy)
 	 * @return DataDownloadResponse<Http::STATUS_OK, 'application/pdf', array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>
 	 *
 	 * 200: OK
 	 * 400: Bad request
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/footer-template/preview-pdf', requirements: ['apiVersion' => '(v1)'])]
-	public function footerTemplatePreviewPdf(string $template = '', int $width = 595, int $height = 50) {
+	public function footerTemplatePreviewPdf(string $template = '', int $width = 595, int $height = 50, ?bool $writeQrcodeOnFooter = null) {
 		try {
-			$pdf = $this->footerService->renderPreviewPdf($template ?: null, $width, $height);
+			$pdf = $this->footerService->renderPreviewPdf($template ?: null, $width, $height, $writeQrcodeOnFooter);
 			return new DataDownloadResponse($pdf, 'footer-preview.pdf', 'application/pdf');
 		} catch (\Exception $e) {
 			return new DataResponse([
@@ -960,57 +966,6 @@ private function saveOrDeleteConfig(string $key, ?string $value, string $default
 		}
 	}
 
-	/**
-	 * Set signature flow configuration
-	 *
-	 * @param bool $enabled Whether to force a signature flow for all documents
-	 * @param string|null $mode Signature flow mode: 'parallel' or 'ordered_numeric' (only used when enabled is true)
-	 * @return DataResponse<Http::STATUS_OK, LibresignMessageResponse, array{}>|DataResponse<Http::STATUS_BAD_REQUEST, LibresignErrorResponse, array{}>|DataResponse<Http::STATUS_INTERNAL_SERVER_ERROR, LibresignErrorResponse, array{}>
-	 *
-	 * 200: Configuration saved successfully
-	 * 400: Invalid signature flow mode provided
-	 * 500: Internal server error
-	 */
-	#[ApiRoute(verb: 'POST', url: '/api/{apiVersion}/admin/signature-flow/config', requirements: ['apiVersion' => '(v1)'])]
-	public function setSignatureFlowConfig(bool $enabled, ?string $mode = null): DataResponse {
-		try {
-			if (!$enabled) {
-				$this->appConfig->deleteKey(Application::APP_ID, 'signature_flow');
-				return new DataResponse([
-					'message' => $this->l10n->t('Settings saved'),
-				]);
-			}
-
-			if ($mode === null) {
-				return new DataResponse([
-					'error' => $this->l10n->t('Mode is required when signature flow is enabled.'),
-				], Http::STATUS_BAD_REQUEST);
-			}
-
-			try {
-				$signatureFlow = \OCA\Libresign\Enum\SignatureFlow::from($mode);
-			} catch (\ValueError) {
-				return new DataResponse([
-					'error' => $this->l10n->t('Invalid signature flow mode. Use "parallel" or "ordered_numeric".'),
-				], Http::STATUS_BAD_REQUEST);
-			}
-
-			$this->appConfig->setValueString(
-				Application::APP_ID,
-				'signature_flow',
-				$signatureFlow->value
-			);
-
-			return new DataResponse([
-				'message' => $this->l10n->t('Settings saved'),
-			]);
-		} catch (\Exception $e) {
-			return new DataResponse([
-				'error' => $e->getMessage(),
-			], Http::STATUS_INTERNAL_SERVER_ERROR);
-		}
-	}
-
 	/**
 	 * Configure DocMDP signature restrictions
 	 *

lib/Controller/FileController.php

@@ -182,7 +182,7 @@ public function validateBinary(): DataResponse {
 				->toArray();
 			$statusCode = Http::STATUS_OK;
 		} catch (InvalidArgumentException $e) {
-			$message = $this->l10n->t($e->getMessage());
+			$message = $e->getMessage();
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]
@@ -254,15 +254,15 @@ private function validate(
 				->toArray();
 			$statusCode = Http::STATUS_OK;
 		} catch (LibresignException $e) {
-			$message = $this->l10n->t($e->getMessage());
+			$message = $e->getMessage();
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]
 			];
 			$statusCode = Http::STATUS_NOT_FOUND;
 		} catch (\Throwable $th) {
-			$message = $this->l10n->t($th->getMessage());
-			$this->logger->error($message);
+			$this->logger->error($th->getMessage(), ['exception' => $th]);
+			$message = $this->l10n->t('Internal error. Contact admin.');
 			$return = [
 				'action' => JSActions::ACTION_DO_NOTHING,
 				'errors' => [['message' => $message]]

lib/Controller/PageController.php

@@ -12,6 +12,7 @@
 use OCA\Libresign\Db\FileMapper;
 use OCA\Libresign\Db\SignRequestMapper;
 use OCA\Libresign\Exception\LibresignException;
+use OCA\Libresign\Handler\FooterHandler;
 use OCA\Libresign\Helper\JSActions;
 use OCA\Libresign\Helper\ValidateHelper;
 use OCA\Libresign\Middleware\Attribute\PrivateValidation;
@@ -23,6 +24,7 @@
 use OCA\Libresign\Service\FileService;
 use OCA\Libresign\Service\IdentifyMethod\SignatureMethod\TokenService;
 use OCA\Libresign\Service\IdentifyMethodService;
+use OCA\Libresign\Service\Policy\PolicyService;
 use OCA\Libresign\Service\RequestSignatureService;
 use OCA\Libresign\Service\SessionService;
 use OCA\Libresign\Service\SignerElementsService;
@@ -58,6 +60,8 @@ public function __construct(
 		private AccountService $accountService,
 		protected SignFileService $signFileService,
 		protected RequestSignatureService $requestSignatureService,
+		private PolicyService $policyService,
+		private FooterHandler $footerHandler,
 		private SignerElementsService $signerElementsService,
 		protected IL10N $l10n,
 		private IdentifyMethodService $identifyMethodService,
@@ -106,7 +110,14 @@ public function index(): TemplateResponse {
 
 		$this->provideSignerSignatues();
 		$this->initialState->provideInitialState('identify_methods', $this->identifyMethodService->getIdentifyMethodsSettings());
-		$this->initialState->provideInitialState('signature_flow', $this->appConfig->getValueString(Application::APP_ID, 'signature_flow', \OCA\Libresign\Enum\SignatureFlow::NONE->value));
+		$resolvedPolicies = [];
+		foreach ($this->policyService->resolveKnownPolicies() as $policyKey => $resolvedPolicy) {
+			$resolvedPolicies[$policyKey] = $resolvedPolicy->toArray();
+		}
+		$this->initialState->provideInitialState('effective_policies', [
+			'policies' => $resolvedPolicies,
+		]);
+		$this->initialState->provideInitialState('footer_template', $this->footerHandler->getTemplate());
 		$this->initialState->provideInitialState('docmdp_config', $this->docMdpConfigService->getConfig());
 		$this->initialState->provideInitialState('legal_information', $this->appConfig->getValueString(Application::APP_ID, 'legal_information'));
 
@@ -120,7 +131,6 @@ public function index(): TemplateResponse {
 		$response = new TemplateResponse(Application::APP_ID, 'main');
 
 		$policy = new ContentSecurityPolicy();
-		$policy->allowEvalScript(true);
 		$policy->addAllowedFrameDomain('\'self\'');
 		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);
@@ -387,7 +397,6 @@ public function sign(string $uuid): TemplateResponse {
 		$response = new TemplateResponse(Application::APP_ID, 'external', [], TemplateResponse::RENDER_AS_BASE);
 
 		$policy = new ContentSecurityPolicy();
-		$policy->allowEvalScript(true);
 		$policy->addAllowedWorkerSrcDomain("'self'");
 		$response->setContentSecurityPolicy($policy);