From 10d45c3e2071649e1f0c4bca4869104c19c10bb4 Mon Sep 17 00:00:00 2001 From: Pete Matsyburka Date: Sun, 21 Jun 2026 12:35:43 +0300 Subject: [PATCH] add checks --- app/controllers/start_form_controller.rb | 9 ++++++--- app/controllers/submit_form_decline_controller.rb | 7 ++++++- app/controllers/submitters_controller.rb | 8 +++++++- app/controllers/submitters_resubmit_controller.rb | 2 ++ app/jobs/send_submitter_invitation_email_job.rb | 2 ++ app/views/submit_form/completed.html.erb | 2 +- 6 files changed, 24 insertions(+), 6 deletions(-) diff --git a/app/controllers/start_form_controller.rb b/app/controllers/start_form_controller.rb index 9b2a80ba..4a0d7890 100644 --- a/app/controllers/start_form_controller.rb +++ b/app/controllers/start_form_controller.rb @@ -108,13 +108,16 @@ class StartFormController < ApplicationController end def can_resubmit?(submitter) - %w[api embed mcp].exclude?(submitter.submission.source) && + submitter.completed_at? && submitter.completed_at > 14.days.ago && + %w[api embed mcp].exclude?(submitter.submission.source) && submitter.account.account_configs.find_or_initialize_by(key: AccountConfig::ALLOW_TO_RESUBMIT).value != false end def authorize_start! - return redirect_to submit_form_path(@resubmit_submitter.slug) if @resubmit_submitter && @template.archived_at? - return redirect_to start_form_path(@template.slug) if @template.archived_at? + is_archived = @template.archived_at? || @template.account.archived_at? + + return redirect_to submit_form_path(@resubmit_submitter.slug) if @resubmit_submitter && is_archived + return redirect_to start_form_path(@template.slug) if is_archived return if @resubmit_submitter return if @template.shared_link? || (current_user && current_ability.can?(:read, @template)) diff --git a/app/controllers/submit_form_decline_controller.rb b/app/controllers/submit_form_decline_controller.rb index a55590f1..73139f79 100644 --- a/app/controllers/submit_form_decline_controller.rb 
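Review bot: The resubmit window in `can_resubmit?` is `14.days.ago`, and the same literal is repeated in `app/views/submit_form/completed.html.erb`, while the guard added to `SubmittersResubmitController#update` accepts completions up to `1.month.ago`. If these are meant to express one policy, the three copies will drift, and today the controller that actually creates the new submission is the most permissive of them. I would name the window once, for example `RESUBMIT_WINDOW = 14.days`, and have all three sites call one predicate on the submitter; if the longer window is deliberate, say so in a comment beside `1.month.ago`. `authorize_start!` continues past the end of this hunk.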
+++ b/app/controllers/submit_form_decline_controller.rb @@ -7,7 +7,8 @@ class SubmitFormDeclineController < ApplicationController before_action :load_submitter def create - return redirect_to submit_form_path(@submitter.slug) if @submitter.declined_at? || + return redirect_to submit_form_path(@submitter.slug) if declining_disabled? || + @submitter.declined_at? || @submitter.completed_at? || @submitter.submission.archived_at? || @submitter.submission.expired? || @@ -35,6 +36,10 @@ class SubmitFormDeclineController < ApplicationController private + def declining_disabled? + @submitter.account.account_configs.find_by(key: AccountConfig::ALLOW_TO_DECLINE_KEY)&.value == false + end + def load_submitter @submitter = Submitter.find_by!(slug: params[:submit_form_slug]) end diff --git a/app/controllers/submitters_controller.rb b/app/controllers/submitters_controller.rb index 697b3dc1..1eae06d8 100644 --- a/app/controllers/submitters_controller.rb +++ b/app/controllers/submitters_controller.rb @@ -13,7 +13,7 @@ class SubmittersController < ApplicationController def update submission = @submitter.submission - if @submitter.submission_events.exists?(event_type: 'start_form') || submission.archived_at? || submission.expired? + unless submitter_editable?(submission) return redirect_back fallback_location: submission_path(submission), alert: I18n.t('submitter_cannot_be_updated') end @@ -48,6 +48,12 @@ class SubmittersController < ApplicationController private + def submitter_editable?(submission) + !@submitter.submission_events.exists?(event_type: 'start_form') && + !@submitter.completed_at? && !@submitter.declined_at? && + !submission.archived_at? && !submission.expired? && !submission.template&.archived_at? + end + def maybe_resend_email_sms(submitter, params) if params[:send_email] == '1' && submitter.email.present? is_sent_recently = Docuseal.multitenant? && 
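Review bot: `declining_disabled?` blocks only when the stored value is exactly `false`, so a missing row, `nil`, or a value that was ever persisted as the string `'false'` leaves declining enabled. That is the same convention as the `!= false` test on `ALLOW_TO_RESUBMIT`, but since `create` now relies on it the default deserves a comment above the method, e.g. `# Declining stays allowed unless the account explicitly stored false.` The constant here is `ALLOW_TO_DECLINE_KEY` while the resubmit one has no `_KEY` suffix, so it is worth confirming both names exist on `AccountConfig`. The condition in `create` runs on past the first hunk, so its remaining clauses are not visible.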
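Review bot: `submitter_editable?` has no clause for an archived account, although `authorize_start!` in this commit now treats `@template.account.archived_at?` as closing the form; the early returns added to `SendSubmitterInvitationEmailJob` leave it out as well. If an archived account should also freeze edits and invitations, add `!@submitter.account.archived_at?` here and `return if submitter.account.archived_at?` in the job; a `before_action` or `Accounts.can_send_emails?` may already cover it, which the hunks do not show. As a style point, the method takes `submission` as an argument but reads `@submitter` from instance state; passing both, or moving the predicate onto the model, would make the dependency explicit.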
diff --git a/app/controllers/submitters_resubmit_controller.rb b/app/controllers/submitters_resubmit_controller.rb index 6ab28731..c34f83b3 100644 --- a/app/controllers/submitters_resubmit_controller.rb +++ b/app/controllers/submitters_resubmit_controller.rb @@ -5,6 +5,8 @@ class SubmittersResubmitController < ApplicationController def update return redirect_to submit_form_path(slug: @submitter.slug) if @submitter.email != current_user.email + return redirect_to submit_form_path(slug: @submitter.slug) if @submitter.completed_at.blank? || + @submitter.completed_at < 1.month.ago submission = @submitter.account.submissions.new(created_by_user: current_user, submitters_order: :preserved, diff --git a/app/jobs/send_submitter_invitation_email_job.rb b/app/jobs/send_submitter_invitation_email_job.rb index 49bf22bd..d236010b 100644 --- a/app/jobs/send_submitter_invitation_email_job.rb +++ b/app/jobs/send_submitter_invitation_email_job.rb @@ -7,7 +7,9 @@ class SendSubmitterInvitationEmailJob submitter = Submitter.find(params['submitter_id']) return if submitter.completed_at? + return if submitter.declined_at? return if submitter.submission.archived_at? + return if submitter.submission.expired? return if submitter.template&.archived_at? return if submitter.submission.source == 'invite' && !Accounts.can_send_emails?(submitter.account, on_events: true) diff --git a/app/views/submit_form/completed.html.erb b/app/views/submit_form/completed.html.erb index 8dfe1e5f..a1a5a80a 100644 --- a/app/views/submit_form/completed.html.erb +++ b/app/views/submit_form/completed.html.erb 
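Review bot: The new guard in `SubmittersResubmitController#update` checks only the age of `completed_at`, whereas `can_resubmit?` and the `completed.html.erb` condition also require that the submission source is not `api`, `embed` or `mcp` and that the account's `ALLOW_TO_RESUBMIT` config is not `false`. As far as this hunk shows, a signed-in user whose email matches can still reach `submissions.new` here when the account has turned resubmission off, because hiding the button does not stop the request. Unless a `before_action` outside the hunk already enforces it, reuse the same predicate in this action, e.g. `return redirect_to submit_form_path(slug: @submitter.slug) unless can_resubmit?(@submitter)` once that helper is shared. The body of `update` continues past the end of the hunk.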
@@ -43,7 +43,7 @@ <% end %> <% undefined_submitters = Templates.filter_undefined_submitters(@submitter.submission.template_submitters) %> - <% if undefined_submitters.size == 1 && undefined_submitters.first['uuid'] == @submitter.uuid && %w[api embed mcp].exclude?(@submitter.submission.source) && @submitter.account.account_configs.find_or_initialize_by(key: AccountConfig::ALLOW_TO_RESUBMIT).value != false && @submitter.template && !@submitter.template.archived_at? %> + <% if undefined_submitters.size == 1 && undefined_submitters.first['uuid'] == @submitter.uuid && @submitter.completed_at? && @submitter.completed_at > 14.days.ago && %w[api embed mcp].exclude?(@submitter.submission.source) && @submitter.account.account_configs.find_or_initialize_by(key: AccountConfig::ALLOW_TO_RESUBMIT).value != false && @submitter.template && !@submitter.template.archived_at? %>
<%= t('or') %>
<%= button_to button_title(title: t('resubmit'), disabled_with: t('resubmit'), icon: svg_icon('reload', class: 'w-6 h-6')), resubmit_form_path, params: { resubmit: @submitter.slug }, method: :put, class: 'white-button w-full' %>