From 364756e93d866557c8bf5271b702bcc0ea6e1195 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?C=C3=B4me=20Chilliet?= <come.chilliet@nextcloud.com>
Date: Thu, 19 Mar 2026 14:49:11 +0100
Subject: [PATCH] fix: Add missing PasswordConfirmationRequired attributes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Côme Chilliet <come.chilliet@nextcloud.com>
---
 apps/oauth2/lib/Controller/SettingsController.php            | 3 +++
 apps/provisioning_api/lib/Controller/AppsController.php      | 2 +-
 apps/settings/lib/Controller/AppSettingsController.php       | 2 +-
 apps/settings/lib/Controller/AuthorizedGroupController.php   | 2 ++
 apps/settings/lib/Controller/TwoFactorSettingsController.php | 2 ++
 5 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/apps/oauth2/lib/Controller/SettingsController.php b/apps/oauth2/lib/Controller/SettingsController.php
index e16275100f4..37ac26dd3f3 100644
--- a/apps/oauth2/lib/Controller/SettingsController.php
+++ b/apps/oauth2/lib/Controller/SettingsController.php
@@ -13,6 +13,7 @@ use OCA\OAuth2\Db\Client;
 use OCA\OAuth2\Db\ClientMapper;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\Authentication\Token\IProvider as IAuthTokenProvider;
 use OCP\IL10N;
@@ -40,6 +41,7 @@ class SettingsController extends Controller {
 		parent::__construct($appName, $request);
 	}
 
+	#[PasswordConfirmationRequired(strict: true)]
 	public function addClient(string $name,
 		string $redirectUri): JSONResponse {
 		if (filter_var($redirectUri, FILTER_VALIDATE_URL) === false) {
@@ -66,6 +68,7 @@ class SettingsController extends Controller {
 		return new JSONResponse($result);
 	}
 
+	#[PasswordConfirmationRequired]
 	public function deleteClient(int $id): JSONResponse {
 		$client = $this->clientMapper->getByUid($id);
 
diff --git a/apps/provisioning_api/lib/Controller/AppsController.php b/apps/provisioning_api/lib/Controller/AppsController.php
index d60a85f3740..b214bc82ef2 100644
--- a/apps/provisioning_api/lib/Controller/AppsController.php
+++ b/apps/provisioning_api/lib/Controller/AppsController.php
@@ -93,7 +93,7 @@ class AppsController extends OCSController {
 	 *
 	 * 200: App enabled successfully
 	 */
-	#[PasswordConfirmationRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function enable(string $app): DataResponse {
 		try {
 			$this->appManager->enableApp($app);
diff --git a/apps/settings/lib/Controller/AppSettingsController.php b/apps/settings/lib/Controller/AppSettingsController.php
index 50276bf5540..07d48412a03 100644
--- a/apps/settings/lib/Controller/AppSettingsController.php
+++ b/apps/settings/lib/Controller/AppSettingsController.php
@@ -556,7 +556,7 @@ class AppSettingsController extends Controller {
 	 * @param array $groups
 	 * @return JSONResponse
 	 */
-	#[PasswordConfirmationRequired]
+	#[PasswordConfirmationRequired(strict: true)]
 	public function enableApps(array $appIds, array $groups = []): JSONResponse {
 		try {
 			$updateRequired = false;
diff --git a/apps/settings/lib/Controller/AuthorizedGroupController.php b/apps/settings/lib/Controller/AuthorizedGroupController.php
index f4a018b0555..161374cb858 100644
--- a/apps/settings/lib/Controller/AuthorizedGroupController.php
+++ b/apps/settings/lib/Controller/AuthorizedGroupController.php
@@ -10,6 +10,7 @@ use OC\Settings\AuthorizedGroup;
 use OCA\Settings\Service\AuthorizedGroupService;
 use OCA\Settings\Service\NotFoundException;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\DB\Exception;
 use OCP\IRequest;
@@ -27,6 +28,7 @@ class AuthorizedGroupController extends Controller {
 	 * @throws NotFoundException
 	 * @throws Exception
 	 */
+	#[PasswordConfirmationRequired(strict: true)]
 	public function saveSettings(array $newGroups, string $class): DataResponse {
 		$currentGroups = $this->authorizedGroupService->findExistingGroupsForClass($class);
 
diff --git a/apps/settings/lib/Controller/TwoFactorSettingsController.php b/apps/settings/lib/Controller/TwoFactorSettingsController.php
index e08fca8ec6c..24f052cc490 100644
--- a/apps/settings/lib/Controller/TwoFactorSettingsController.php
+++ b/apps/settings/lib/Controller/TwoFactorSettingsController.php
@@ -11,6 +11,7 @@ namespace OCA\Settings\Controller;
 use OC\Authentication\TwoFactorAuth\EnforcementState;
 use OC\Authentication\TwoFactorAuth\MandatoryTwoFactor;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\PasswordConfirmationRequired;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
 
@@ -31,6 +32,7 @@ class TwoFactorSettingsController extends Controller {
 		return new JSONResponse($this->mandatoryTwoFactor->getState());
 	}
 
+	#[PasswordConfirmationRequired(strict: true)]
 	public function update(bool $enforced, array $enforcedGroups = [], array $excludedGroups = []): JSONResponse {
 		$this->mandatoryTwoFactor->setState(
 			new EnforcementState($enforced, $enforcedGroups, $excludedGroups)