bcgov · BrandonSharratt · Oct 25, 2025 · Oct 25, 2025 · Oct 30, 2025 · Nov 5, 2025
diff --git a/app/frontend/src/components/forms/manage/ManageLayout.vue b/app/frontend/src/components/forms/manage/ManageLayout.vue
@@ -5,10 +5,11 @@ import { useI18n } from 'vue-i18n';
 
 import ManageForm from '~/components/forms/manage/ManageForm.vue';
 import ManageFormActions from '~/components/forms/manage/ManageFormActions.vue';
+import { useNotificationStore } from '~/store/notification';
 import { useFormStore } from '~/store/form';
 import { FormPermissions } from '~/utils/constants';
 
-const { locale } = useI18n({ useScope: 'global' });
+const { locale, t } = useI18n({ useScope: 'global' });
 
 const properties = defineProps({
   f: {
@@ -19,17 +20,24 @@ const properties = defineProps({
 
 const loading = ref(true);
 
+const notificationStore = useNotificationStore();
+
 const { form, permissions, isRTL } = storeToRefs(useFormStore());
 
 onMounted(async () => {
   loading.value = true;
 
   const formStore = useFormStore();
 
-  await Promise.all([
-    formStore.fetchForm(properties.f),
-    formStore.getFormPermissionsForUser(properties.f),
-  ]);
+  await formStore.fetchForm(properties.f);
+
+  if (formStore.form.versions) {
+    await formStore.getFormPermissionsForUser(properties.f);
+  } else {
+    notificationStore.addNotification({
+      text: t('trans.baseSecure.401UnAuthorizedErrMsg'),
+    });
+  }
 
   if (permissions.value.includes(FormPermissions.DESIGN_READ))
     await formStore.fetchDrafts(properties.f);

diff --git a/app/src/forms/form/controller.js b/app/src/forms/form/controller.js
@@ -112,7 +112,7 @@ module.exports = {
   },
   readForm: async (req, res, next) => {
     try {
-      const response = await service.readForm(req.params.formId, req.query);
+      const response = await service.readForm(req.params.formId, req.query, req.currentUser);
       res.status(200).json(response);
     } catch (error) {
       next(error);

diff --git a/app/src/forms/form/service.js b/app/src/forms/form/service.js
@@ -3,6 +3,7 @@ const { ref } = require('objection');
 const uuid = require('uuid');
 const { EmailTypes, ScheduleType } = require('../common/constants');
 const eventService = require('../event/eventService');
+const authService = require('../auth/service');
 const moment = require('moment');
 const {
   DocumentTemplate,
@@ -380,16 +381,30 @@ const service = {
     }
   },
 
-  readForm: (formId, params = {}) => {
+  readForm: async (formId, params = {}, currentUser = null) => {
     params = queryUtils.defaultActiveOnly(params);
-    return Form.query()
+
+    let hasPermissionsForVersions = true;
+    // Making an assumption that user is turned away before this if it's protected and they're not logged in
+    if (currentUser !== null && currentUser !== undefined) {
+      const forms = await authService.getUserForms(currentUser, {
+        ...params,
+        active: true,
+        formId: formId,
+      });
+      hasPermissionsForVersions = forms.some((f) => f.permissions.includes(Permissions.DESIGN_CREATE));
+    }
+
+    const query = Form.query()
       .findById(formId)
       .modify('filterActive', params.active)
       .allowGraph('[formMetadata,identityProviders,versions]')
       .withGraphFetched('formMetadata')
-      .withGraphFetched('identityProviders(orderDefault)')
-      .withGraphFetched('versions(selectWithoutSchema, orderVersionDescending)')
-      .throwIfNotFound();
+      .withGraphFetched('identityProviders(orderDefault)');
+    if (hasPermissionsForVersions) {
+      query.withGraphFetched('versions(selectWithoutSchema, orderVersionDescending)');
+    }
+    return query.throwIfNotFound();
   },
 
   readFormOptions: (formId, params = {}) => {