diff --git a/src/app/document/controllers/DocumentController.php b/src/app/document/controllers/DocumentController.php
old mode 100755
new mode 100644
index b2cd37b8459b52873588a309522f0f60cb5d77c5..9041dd510877ded3fe3de2d047eb4c0212dba2f1
--- a/src/app/document/controllers/DocumentController.php
+++ b/src/app/document/controllers/DocumentController.php
@@ -817,6 +817,18 @@ class DocumentController
         }
 
         $workflow  = WorkflowModel::getCurrentStep(['select' => ['id', 'mode', 'user_id', 'signature_mode', 'digital_signature_id'], 'documentId' => $args['id']]);
+
+        if (empty($workflow)) {
+            return $response->withStatus(400)->withJson(['errors' => 'Workflow is over']);
+        }
+
+        $substitute = UserModel::getById(['id' => $workflow['user_id'], 'select' => ['substitute']]);
+
+        if ($GLOBALS['id'] != $workflow['user_id'] && $GLOBALS['id'] != $substitute['substitute']) {
+            return $response->withStatus(403)->withJson(['errors' => 'Current user unauthorized for this step']);
+        }
+
+
         $libDir    = CoreConfigModel::getLibrariesDirectory();
         $loadedXml = CoreConfigModel::getConfig();
         $tmpPath   = CoreConfigModel::getTmpPath();
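Review bot: The new authorization check reads `$substitute['substitute']` without confirming that `UserModel::getById` returned a row, and compares ids with loose `!=`, so for a user with no substitute the second comparison runs against null. It fails closed only as long as `$GLOBALS['id']` is never empty or 0, which is not visible in this hunk. I would make that explicit with `$substituteId = $substitute['substitute'] ?? null;` followed by `if (empty($GLOBALS['id']) || ($GLOBALS['id'] != $workflow['user_id'] && $GLOBALS['id'] != $substituteId)) {`. The enclosing method starts and ends outside the hunk, so any earlier guard on the caller's identity is not shown here.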
@@ -1356,7 +1368,7 @@ class DocumentController
         $document = DocumentModel::getById(['select' => ['typist'], 'id' => $args['id']]);
 
         if (!empty($document['typist']) && $document['typist'] == $GLOBALS['id']) {
-            return true;
+            return true;    
         }
 
         if (!$args['readOnly']) {
@@ -1368,8 +1380,8 @@ class DocumentController
             if ($currentStep['user_id'] == $args['userId']) {
                 return true;
             } else {
-                $user = UserModel::getById(['id' => $args['userId'], 'select' => ['substitute']]);
-                return $currentStep['user_id'] == $user['substitute'];
+                $user = UserModel::getById(['id' => $currentStep['user_id'], 'select' => ['substitute']]);
+                return $user['substitute'] ?? null == $args['userId'];
             }
         }
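Review bot: The new return line `return $user['substitute'] ?? null == $args['userId'];` does not compare the substitute with the requested user, because `==` binds tighter than `??` and PHP parses it as `$user['substitute'] ?? (null == $args['userId'])`. Whenever the current step's user has a substitute set, the function returns that substitute id, which is truthy for any non-zero id whatever `$args['userId']` is. If callers test the result for truthiness, this grants access to users who are neither the step's user nor the substitute. Parenthesise and reject an empty substitute: `return !empty($user['substitute']) && $user['substitute'] == $args['userId'];`. The enclosing function starts and ends outside the hunk; a test with a third user against a step whose owner has a substitute would pin this.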