Merge pull request #7816 from nextcloud/fix/federation-correct-controller-attributes

fix: use correct controller attributes for federation endpoints

Author: grnd-alt

lib/Controller/AttachmentOcsController.php

@@ -11,9 +11,7 @@
 use OCA\Deck\NotImplementedException;
 use OCA\Deck\Service\AttachmentService;
 use OCA\Deck\Service\BoardService;
-use OCP\AppFramework\Http\Attribute\CORS;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IRequest;
@@ -38,44 +36,34 @@ private function ensureLocalBoard(?int $boardId): void {
 	}
 
 	#[NoAdminRequired]
-	#[CORS]
-	#[NoCSRFRequired]
 	public function getAll(int $cardId, ?int $boardId = null): DataResponse {
 		$this->ensureLocalBoard($boardId);
 		$attachment = $this->attachmentService->findAll($cardId, true);
 		return new DataResponse($attachment);
 	}
 
 	#[NoAdminRequired]
-	#[CORS]
-	#[NoCSRFRequired]
 	public function create(int $cardId, string $type, string $data = '', ?int $boardId = null): DataResponse {
 		$this->ensureLocalBoard($boardId);
 		$attachment = $this->attachmentService->create($cardId, $type, $data);
 		return new DataResponse($attachment);
 	}
 
 	#[NoAdminRequired]
-	#[CORS]
-	#[NoCSRFRequired]
 	public function update(int $cardId, int $attachmentId, string $data, string $type = 'file', ?int $boardId = null): DataResponse {
 		$this->ensureLocalBoard($boardId);
 		$attachment = $this->attachmentService->update($cardId, $attachmentId, $data, $type);
 		return new DataResponse($attachment);
 	}
 
 	#[NoAdminRequired]
-	#[CORS]
-	#[NoCSRFRequired]
 	public function delete(int $cardId, int $attachmentId, string $type = 'file', ?int $boardId = null): DataResponse {
 		$this->ensureLocalBoard($boardId);
 		$attachment = $this->attachmentService->delete($cardId, $attachmentId, $type);
 		return new DataResponse($attachment);
 	}
 
 	#[NoAdminRequired]
-	#[CORS]
-	#[NoCSRFRequired]
 	public function restore(int $cardId, int $attachmentId, string $type = 'file', ?int $boardId = null): DataResponse {
 		$this->ensureLocalBoard($boardId);
 		$attachment = $this->attachmentService->restore($cardId, $attachmentId, $type);

lib/Controller/BoardOcsController.php

@@ -10,9 +10,7 @@
 use OCA\Deck\Service\BoardService;
 use OCA\Deck\Service\ExternalBoardService;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
-use OCP\AppFramework\Http\Attribute\RequestHeader;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IRequest;
@@ -38,8 +36,6 @@ public function index(): DataResponse {
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function read(int $boardId): DataResponse {
 		$localBoard = $this->boardService->find($boardId, true, true);
 		if ($localBoard->getExternalId() !== null) {
@@ -49,19 +45,16 @@ public function read(int $boardId): DataResponse {
 	}
 
 	#[NoAdminRequired]
-	#[NoCSRFRequired]
 	public function create(string $title, string $color): DataResponse {
 		return new DataResponse($this->boardService->create($title, $this->userId, $color));
 	}
 
 	#[NoAdminRequired]
-	#[NoCSRFRequired]
 	public function addAcl(int $boardId, int $type, string $participant, bool $permissionEdit, bool $permissionShare, bool $permissionManage, ?string $remote = null): DataResponse {
 		return new DataResponse($this->boardService->addAcl($boardId, $type, $participant, $permissionEdit, $permissionShare, $permissionManage));
 	}
 
 	#[NoAdminRequired]
-	#[NoCSRFRequired]
 	public function updateAcl(int $id, bool $permissionEdit, bool $permissionShare, bool $permissionManage): DataResponse {
 		return new DataResponse($this->boardService->updateAcl($id, $permissionEdit, $permissionShare, $permissionManage));
 	}

lib/Controller/CardOcsController.php

@@ -14,9 +14,7 @@
 use OCA\Deck\Service\ExternalBoardService;
 use OCA\Deck\Service\StackService;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
-use OCP\AppFramework\Http\Attribute\RequestHeader;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IRequest;
@@ -37,8 +35,6 @@ public function __construct(
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function create(string $title, int $stackId, ?int $boardId = null, ?string $type = 'plain', ?string $owner = null, ?int $order = 999, ?string $description = '', $duedate = null, $startdate = null, ?array $labels = [], ?array $users = []) {
 		if ($boardId) {
 			$board = $this->boardService->find($boardId, false);
@@ -67,7 +63,6 @@ public function create(string $title, int $stackId, ?int $boardId = null, ?strin
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
 	public function assignLabel(?int $boardId, int $cardId, int $labelId): DataResponse {
 		if ($boardId) {
 			$board = $this->boardService->find($boardId, false);
@@ -81,7 +76,6 @@ public function assignLabel(?int $boardId, int $cardId, int $labelId): DataRespo
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
 	public function assignUser(?int $boardId, int $cardId, string $userId, int $type = 0): DataResponse {
 		if ($boardId) {
 			$localBoard = $this->boardService->find($boardId, false);
@@ -94,7 +88,6 @@ public function assignUser(?int $boardId, int $cardId, string $userId, int $type
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
 	public function unAssignUser(?int $boardId, int $cardId, string $userId, int $type = 0): DataResponse {
 		if ($boardId) {
 			$localBoard = $this->boardService->find($boardId, false);
@@ -107,7 +100,6 @@ public function unAssignUser(?int $boardId, int $cardId, string $userId, int $ty
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
 	public function removeLabel(?int $boardId, int $cardId, int $labelId): DataResponse {
 		if ($boardId) {
 			$board = $this->boardService->find($boardId, false);
@@ -121,8 +113,6 @@ public function removeLabel(?int $boardId, int $cardId, int $labelId): DataRespo
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function update(int $id, string $title, int $stackId, string $type, int $order, string $description, $duedate, $deletedAt, int $boardId, array|string|null $owner = null, $archived = null, $startdate = null): DataResponse {
 		$done = array_key_exists('done', $this->request->getParams())
 			? new OptionalNullableValue($this->request->getParam('done', null))
@@ -170,7 +160,6 @@ public function update(int $id, string $title, int $stackId, string $type, int $
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
 	public function reorder(int $cardId, int $stackId, int $order, ?int $boardId): DataResponse {
 		if ($boardId) {
 			$board = $this->boardService->find($boardId, false);

lib/Controller/StackOcsController.php

@@ -11,9 +11,7 @@
 use OCA\Deck\Service\ExternalBoardService;
 use OCA\Deck\Service\StackService;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\PublicPage;
-use OCP\AppFramework\Http\Attribute\RequestHeader;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\IRequest;
@@ -31,8 +29,6 @@ public function __construct(
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function index(int $boardId): DataResponse {
 		$localBoard = $this->boardService->find($boardId, true, true);
 		if ($localBoard->getExternalId() !== null) {
@@ -44,8 +40,6 @@ public function index(int $boardId): DataResponse {
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function create(string $title, int $boardId, int $order = 0):DataResponse {
 		$board = $this->boardService->find($boardId, false);
 		if ($board->getExternalId()) {
@@ -59,8 +53,6 @@ public function create(string $title, int $boardId, int $order = 0):DataResponse
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function setDoneStack(int $stackId, int $boardId, bool $isDone): DataResponse {
 		$board = $this->boardService->find($boardId, false);
 		if ($board->getExternalId()) {
@@ -73,8 +65,6 @@ public function setDoneStack(int $stackId, int $boardId, bool $isDone): DataResp
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function delete(int $stackId, ?int $boardId = null):DataResponse {
 		if ($boardId) {
 			$board = $this->boardService->find($boardId, false);
@@ -90,8 +80,6 @@ public function delete(int $stackId, ?int $boardId = null):DataResponse {
 
 	#[NoAdminRequired]
 	#[PublicPage]
-	#[NoCSRFRequired]
-	#[RequestHeader(name: 'x-nextcloud-federation', description: 'Set to 1 when the request is performed by another Nextcloud Server to indicate a federation request', indirect: true)]
 	public function reorder(int $stackId, int $order, ?int $boardId):DataResponse {
 		if ($boardId !== null) {
 			$board = $this->boardService->find($boardId, false);