Enhance Form Submission Export Functionality

[chiragchhatrala]

Summary by CodeRabbit

• New Features

  • Enhanced form submission export functionality.
  • Added ability to select specific columns for CSV export.
  • Introduced a new request class to handle export requests.

• Changes

  • Modified export route from GET to POST request.
  • Updated export method to accept column selection parameters.

• Improvements

  • Increased flexibility in form submission data export process.
  • More granular control over exported data columns.
  • Enhanced testing for export functionality, including validation and authorization checks.

[coderabbitai]

Walkthrough

The pull request introduces changes to the form submission export functionality across multiple files. The modifications allow for more dynamic control over exported data by enabling users to specify which columns should be included in the CSV export. The changes involve updating the FormSubmissionController, modifying the API route from GET to POST, and adjusting the client-side component to support the new export mechanism.

Changes

File	Change Summary
api/app/Http/Controllers/Forms/FormSubmissionController.php	Updated method signature to accept FormSubmissionExportRequest, modified logic to retrieve form and filter export columns dynamically.
api/routes/api.php	Changed export route from GET to POST method.
client/components/open/forms/components/FormSubmissions.vue	Modified exportUrl to remove leading slash and updated downloadAsCsv method to support POST request with displayColumns in the request body.
api/app/Http/Requests/FormSubmissionExportRequest.php	Added new class to handle export requests with validation rules for columns.
api/tests/Feature/Forms/FormSubmissionExportTest.php	Added new test cases for exporting submissions with selected columns, handling invalid columns, and unauthorized access attempts.

Sequence Diagram

sequenceDiagram
    participant Client as Form Submissions Component
    participant API as Export Controller
    participant Database as Form Data Storage

    Client->>API: POST /{id}/submissions/export
    API->>Database: Retrieve Form Submissions
    API-->>Client: CSV with Selected Columns

Loading

Poem

🐰 Hop, hop, export with glee!
Columns dance, now wild and free
POST request brings magic's might
CSV sparkles, data's delight
Flexible export, rabbit's design 🌟

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR. (Beta)
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

api/app/Http/Controllers/Forms/FormSubmissionController.php (1)

64-75: Dynamic column export logic looks solid.
Filtering and mapping columns to $filteredData based on $displayColumns is a neat approach. However, consider validating the existence of $column keys in your $formattedData to avoid edge cases if the request or data changes.

client/components/open/forms/components/FormSubmissions.vue (1)

336-342: POST request with column data fosters flexibility but requires server validation.
The new body parameter enhances dynamic exports. Ensure the backend enforces security checks and handles empty or large columns arrays gracefully.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2366f95 and 960c9d2.

📒 Files selected for processing (3)

• api/app/Http/Controllers/Forms/FormSubmissionController.php (2 hunks)
• api/routes/api.php (1 hunks)
• client/components/open/forms/components/FormSubmissions.vue (2 hunks)

🔇 Additional comments (7)

api/app/Http/Controllers/Forms/FormSubmissionController.php (5)

17-17: Good addition of the Request import for improved handling of input data.
This import is essential for the enhanced export functionality.

---

50-50: Method signature update is aligned with the POST approach.
The change from public function export(string $id) to public function export(Request $request, string $id) allows dynamic input parameters.

---

56-56: Security check: Validate $request->columns before usage.
Ensure the request contains the expected data type (array) and handle any malformed input to prevent errors or potential injection.

---

81-81: Filename customization is clear and consistent with this approach.
Appending -submission-data.csv is straightforward and improves clarity.

---

88-89: Check for consistency in file paths.
The dynamic file path is carefully constructed. Ensure consistency with the rest of your file downloads to avoid confusion around leading/trailing slashes.

client/components/open/forms/components/FormSubmissions.vue (1)

216-216: Removing the leading slash is correct for consistent routing.
Make sure your other API calls also follow the same pattern if needed.

api/routes/api.php (1)

164-164: Switching from GET to POST aligns with sending request payload.
This ensures that large or sensitive data can be provided without URL length constraints and is more secure.

[JhumanJ]

Please improve back-end validation

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 960c9d2 and 4d2d8ba.

📒 Files selected for processing (1)

• api/app/Http/Controllers/Forms/FormSubmissionController.php (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Build the Nuxt app

🔇 Additional comments (6)

api/app/Http/Controllers/Forms/FormSubmissionController.php (6)

17-17: Nice import for dependency injection.
No issues here; using Request as a parameter is cleaner than older style approaches.

---

50-50: The parameter validation requirement has been addressed.
It appears you’ve addressed the previous feedback (“Need to validate the new param you added”) by adding validation below.

---

61-61: Ensure columns exist in the form.
This mirrors the existing comment about verifying that each requested column exists in the form. Consider adding a check to confirm the columns in $request->columns match actual form fields.

---

69-80: Be cautious with fuzzy matching.
Using str_contains($key, $column) could cause collisions if multiple fields contain the same substring. Consider a stricter match to avoid inadvertently matching partial names.

---

86-86: CSV export logic looks good.
Returning the CSV with a consistent file name is clear and user-friendly.

---

93-94: File name handling review.
You may want to ensure the fileName string cannot expose path traversal or invalid file references. The call to Storage::exists($fileName) helps, but further sanitization might be prudent to prevent malicious path input.

[coderabbitai]

🛠️ Refactor suggestion

Consider validating recognized columns.
Currently, you validate the columns array and enforce boolean values, but you might also verify that each column key is valid for the form. This ensures you don’t export or reveal unexpected data columns.

[JhumanJ]

@chiragchhatrala that's what I meant here. please create a dedicated request validation class, checking that it's an array of existing column for this form

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!

[JhumanJ]

Please validate columns properly and add tests

[JhumanJ]

@chiragchhatrala that's what I meant here. please create a dedicated request validation class, checking that it's an array of existing column for this form

[coderabbitai]

Actionable comments posted: 0

🧹 Nitpick comments (2)

api/tests/Feature/Forms/FormSubmissionExportTest.php (2)

7-51: Consider verifying CSV contents in addition to headers.
While it's great that you check for successful status and content-disposition headers, you might also want to parse and validate the CSV data to ensure that all selected columns and corresponding values are exported as expected. This would provide a more robust test against potential issues with CSV generation or data formatting.

    // After asserting headers, parse the CSV content for deeper validation.
+    $csvContent = $response->streamedContent();
+    $lines = explode("\n", trim($csvContent));
+    // For example, verify you have the correct column headers and data rows
+    // This is just a sample check:
+    $this->assertStringContainsString('name_field,email_field,created_at', $lines[0]);
+    $this->assertStringContainsString('John Doe,[email protected]', $lines[1]);
+    $this->assertStringContainsString('Jane Smith,[email protected]', $lines[2]);

---

79-98: Confirm that returning “Unauthenticated” is intended behavior.
Since the code checks for an unauthorized export from another user’s form, consider returning an HTTP 403 “Forbidden” if the user is authenticated but lacks permission, instead of “Unauthenticated” (401). Ensure consistency with your overall authentication and authorization flow.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 4654125 and 25ad641.

📒 Files selected for processing (1)

• api/tests/Feature/Forms/FormSubmissionExportTest.php (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms (1)

• GitHub Check: Build the Nuxt app

🔇 Additional comments (1)

api/tests/Feature/Forms/FormSubmissionExportTest.php (1)

53-77: Tests for invalid columns look good.
The test accurately checks for a 422 validation error and ensures the 'columns' field triggers a validation issue.