refactor(files): Replace security annotations with respective attributes

Signed-off-by: provokateurin <kate@provokateurin.de>
2026-04-26 08:38:11 -04:00 · 2024-07-25 13:14:46 +02:00 · 2024-07-25 13:14:46 +02:00 · 3fde60db85
commit 3fde60db85
parent 212a621697
7 changed files with 56 additions and 73 deletions
--- a/apps/files/lib/Controller/ApiController.php
+++ b/apps/files/lib/Controller/ApiController.php
@ -13,7 +13,11 @@ use OCA\Files\Service\UserConfig;
 use OCA\Files\Service\ViewConfig;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\Attribute\StrictCookiesRequired;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
@ -69,10 +73,6 @@ class ApiController extends Controller {
 	 *
 	 * @since API version 1.0
 	 *
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @StrictCookieRequired
-	 *
 	 * @param int $x Width of the thumbnail
 	 * @param int $y Height of the thumbnail
 	 * @param string $file URL-encoded filename
@ -82,6 +82,9 @@ class ApiController extends Controller {
 	 * 400: Getting thumbnail is not possible
 	 * 404: File not found
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
+	#[StrictCookiesRequired]
 	public function getThumbnail($x, $y, $file) {
 		if ($x < 1 || $y < 1) {
 			return new DataResponse(['message' => 'Requested size must be numeric and a positive value.'], Http::STATUS_BAD_REQUEST);
@ -113,12 +116,11 @@ class ApiController extends Controller {
 	 * The passed tags are absolute, which means they will
 	 * replace the actual tag selection.
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param string $path path
 	 * @param array|string $tags array of tags
 	 * @return DataResponse
 	 */
+	#[NoAdminRequired]
 	public function updateFileTags($path, $tags = null) {
 		$result = [];
 		// if tags specified or empty array, update tags
@ -221,10 +223,9 @@ class ApiController extends Controller {
 	/**
 	 * Returns a list of recently modified files.
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @return DataResponse
 	 */
+	#[NoAdminRequired]
 	public function getRecentFiles() {
 		$nodes = $this->userFolder->getRecent(100);
 		$files = $this->formatNodes($nodes);
@ -235,11 +236,10 @@ class ApiController extends Controller {
 	/**
 	 * Returns the current logged-in user's storage stats.
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param ?string $dir the directory to get the storage stats from
 	 * @return JSONResponse
 	 */
+	#[NoAdminRequired]
 	public function getStorageStats($dir = '/'): JSONResponse {
 		$storageInfo = \OC_Helper::getStorageInfo($dir ?: '/');
 		$response = new JSONResponse(['message' => 'ok', 'data' => $storageInfo]);
@ -250,13 +250,12 @@ class ApiController extends Controller {
 	/**
 	 * Set a user view config
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param string $view
 	 * @param string $key
 	 * @param string|bool $value
 	 * @return JSONResponse
 	 */
+	#[NoAdminRequired]
 	public function setViewConfig(string $view, string $key, $value): JSONResponse {
 		try {
 			$this->viewConfig->setConfig($view, $key, (string)$value);
@ -271,10 +270,9 @@ class ApiController extends Controller {
 	/**
 	 * Get the user view config
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @return JSONResponse
 	 */
+	#[NoAdminRequired]
 	public function getViewConfigs(): JSONResponse {
 		return new JSONResponse(['message' => 'ok', 'data' => $this->viewConfig->getConfigs()]);
 	}
@ -282,12 +280,11 @@ class ApiController extends Controller {
 	/**
 	 * Set a user config
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param string $key
 	 * @param string|bool $value
 	 * @return JSONResponse
 	 */
+	#[NoAdminRequired]
 	public function setConfig(string $key, $value): JSONResponse {
 		try {
 			$this->userConfig->setConfig($key, (string)$value);
@ -302,10 +299,9 @@ class ApiController extends Controller {
 	/**
 	 * Get the user config
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @return JSONResponse
 	 */
+	#[NoAdminRequired]
 	public function getConfigs(): JSONResponse {
 		return new JSONResponse(['message' => 'ok', 'data' => $this->userConfig->getConfigs()]);
 	}
@ -313,12 +309,11 @@ class ApiController extends Controller {
 	/**
 	 * Toggle default for showing/hiding hidden files
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param bool $value
 	 * @return Response
 	 * @throws \OCP\PreConditionNotMetException
 	 */
+	#[NoAdminRequired]
 	public function showHiddenFiles(bool $value): Response {
 		$this->config->setUserValue($this->userSession->getUser()->getUID(), 'files', 'show_hidden', $value ? '1' : '0');
 		return new Response();
@ -327,12 +322,11 @@ class ApiController extends Controller {
 	/**
 	 * Toggle default for cropping preview images
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param bool $value
 	 * @return Response
 	 * @throws \OCP\PreConditionNotMetException
 	 */
+	#[NoAdminRequired]
 	public function cropImagePreviews(bool $value): Response {
 		$this->config->setUserValue($this->userSession->getUser()->getUID(), 'files', 'crop_image_previews', $value ? '1' : '0');
 		return new Response();
@ -341,12 +335,11 @@ class ApiController extends Controller {
 	/**
 	 * Toggle default for files grid view
 	 *
-	 * @NoAdminRequired
-	 *
 	 * @param bool $show
 	 * @return Response
 	 * @throws \OCP\PreConditionNotMetException
 	 */
+	#[NoAdminRequired]
 	public function showGridView(bool $show): Response {
 		$this->config->setUserValue($this->userSession->getUser()->getUID(), 'files', 'show_grid', $show ? '1' : '0');
 		return new Response();
@ -354,19 +347,15 @@ class ApiController extends Controller {

 	/**
 	 * Get default settings for the grid view
-	 *
-	 * @NoAdminRequired
 	 */
+	#[NoAdminRequired]
 	public function getGridView() {
 		$status = $this->config->getUserValue($this->userSession->getUser()->getUID(), 'files', 'show_grid', '0') === '1';
 		return new JSONResponse(['gridview' => $status]);
 	}

-	/**
-	 * @NoAdminRequired
-	 * @NoCSRFRequired
-	 * @PublicPage
-	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
 	#[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)]
 	public function serviceWorker(): StreamResponse {
 		$response = new StreamResponse(__DIR__ . '/../../../../dist/preview-service-worker.js');
--- a/apps/files/lib/Controller/DirectEditingController.php
+++ b/apps/files/lib/Controller/DirectEditingController.php
@ -8,6 +8,7 @@ namespace OCA\Files\Controller;
 use Exception;
 use OCA\Files\Service\DirectEditingService;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\DirectEditing\IManager;
@ -34,13 +35,12 @@ class DirectEditingController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Get the direct editing capabilities
 	 * @return DataResponse<Http::STATUS_OK, array{editors: array<string, array{id: string, name: string, mimetypes: string[], optionalMimetypes: string[], secure: bool}>, creators: array<string, array{id: string, editor: string, name: string, extension: string, templates: bool, mimetypes: string[]}>}, array{}>
 	 *
 	 * 200: Direct editing capabilities returned
 	 */
+	#[NoAdminRequired]
 	public function info(): DataResponse {
 		$response = new DataResponse($this->directEditingService->getDirectEditingCapabilitites());
 		$response->setETag($this->directEditingService->getDirectEditingETag());
@ -48,8 +48,6 @@ class DirectEditingController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Create a file for direct editing
 	 *
 	 * @param string $path Path of the file
@ -62,6 +60,7 @@ class DirectEditingController extends OCSController {
 	 * 200: URL for direct editing returned
 	 * 403: Opening file is not allowed
 	 */
+	#[NoAdminRequired]
 	public function create(string $path, string $editorId, string $creatorId, ?string $templateId = null): DataResponse {
 		if (!$this->directEditingManager->isEnabled()) {
 			return new DataResponse(['message' => 'Direct editing is not enabled'], Http::STATUS_INTERNAL_SERVER_ERROR);
@ -85,8 +84,6 @@ class DirectEditingController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Open a file for direct editing
 	 *
 	 * @param string $path Path of the file
@ -98,6 +95,7 @@ class DirectEditingController extends OCSController {
 	 * 200: URL for direct editing returned
 	 * 403: Opening file is not allowed
 	 */
+	#[NoAdminRequired]
 	public function open(string $path, ?string $editorId = null, ?int $fileId = null): DataResponse {
 		if (!$this->directEditingManager->isEnabled()) {
 			return new DataResponse(['message' => 'Direct editing is not enabled'], Http::STATUS_INTERNAL_SERVER_ERROR);
@ -123,8 +121,6 @@ class DirectEditingController extends OCSController {


 	/**
-	 * @NoAdminRequired
-	 *
 	 * Get the templates for direct editing
 	 *
 	 * @param string $editorId ID of the editor
@ -134,6 +130,7 @@ class DirectEditingController extends OCSController {
 	 *
 	 * 200: Templates returned
 	 */
+	#[NoAdminRequired]
 	public function templates(string $editorId, string $creatorId): DataResponse {
 		if (!$this->directEditingManager->isEnabled()) {
 			return new DataResponse(['message' => 'Direct editing is not enabled'], Http::STATUS_INTERNAL_SERVER_ERROR);
--- a/apps/files/lib/Controller/DirectEditingViewController.php
+++ b/apps/files/lib/Controller/DirectEditingViewController.php
@ -7,7 +7,10 @@ namespace OCA\Files\Controller;

 use Exception;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PublicPage;
+use OCP\AppFramework\Http\Attribute\UseSession;
 use OCP\AppFramework\Http\NotFoundResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\DirectEditing\IManager;
@ -29,13 +32,12 @@ class DirectEditingViewController extends Controller {
 	}

 	/**
-	 * @PublicPage
-	 * @NoCSRFRequired
-	 * @UseSession
-	 *
 	 * @param string $token
 	 * @return Response
 	 */
+	#[PublicPage]
+	#[NoCSRFRequired]
+	#[UseSession]
 	public function edit(string $token): Response {
 		$this->eventDispatcher->dispatchTyped(new RegisterDirectEditorEvent($this->directEditingManager));
 		try {
--- a/apps/files/lib/Controller/OpenLocalEditorController.php
+++ b/apps/files/lib/Controller/OpenLocalEditorController.php
@ -13,6 +13,9 @@ use OCA\Files\Db\OpenLocalEditor;
 use OCA\Files\Db\OpenLocalEditorMapper;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\AppFramework\Utility\ITimeFactory;
@ -51,9 +54,6 @@ class OpenLocalEditorController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 * @UserRateThrottle(limit=10, period=120)
-	 *
 	 * Create a local editor
 	 *
 	 * @param string $path Path of the file
@ -62,6 +62,8 @@ class OpenLocalEditorController extends OCSController {
 	 *
 	 * 200: Local editor returned
 	 */
+	#[NoAdminRequired]
+	#[UserRateLimit(limit: 10, period: 120)]
 	public function create(string $path): DataResponse {
 		$pathHash = sha1($path);

@ -96,9 +98,6 @@ class OpenLocalEditorController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 * @BruteForceProtection(action=openLocalEditor)
-	 *
 	 * Validate a local editor
 	 *
 	 * @param string $path Path of the file
@ -109,6 +108,8 @@ class OpenLocalEditorController extends OCSController {
 	 * 200: Local editor validated successfully
 	 * 404: Local editor not found
 	 */
+	#[NoAdminRequired]
+	#[BruteForceProtection(action: 'openLocalEditor')]
 	public function validate(string $path, string $token): DataResponse {
 		$pathHash = sha1($path);

--- a/apps/files/lib/Controller/TemplateController.php
+++ b/apps/files/lib/Controller/TemplateController.php
@ -10,6 +10,7 @@ namespace OCA\Files\Controller;

 use OCA\Files\ResponseDefinitions;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCSController;
@ -32,21 +33,18 @@ class TemplateController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * List the available templates
 	 *
 	 * @return DataResponse<Http::STATUS_OK, array<FilesTemplateFileCreator>, array{}>
 	 *
 	 * 200: Available templates returned
 	 */
+	#[NoAdminRequired]
 	public function list(): DataResponse {
 		return new DataResponse($this->templateManager->listTemplates());
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Create a template
 	 *
 	 * @param string $filePath Path of the file
@ -59,6 +57,7 @@ class TemplateController extends OCSController {
 	 *
 	 * 200: Template created successfully
 	 */
+	#[NoAdminRequired]
 	public function create(
 		string $filePath,
 		string $templatePath = '',
@ -77,8 +76,6 @@ class TemplateController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Initialize the template directory
 	 *
 	 * @param string $templatePath Path of the template directory
@ -89,6 +86,7 @@ class TemplateController extends OCSController {
 	 *
 	 * 200: Template directory initialized successfully
 	 */
+	#[NoAdminRequired]
 	public function path(string $templatePath = '', bool $copySystemTemplates = false) {
 		try {
 			/** @var string $templatePath */
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@ -13,6 +13,7 @@ use OCA\Files\Db\TransferOwnership as TransferOwnershipEntity;
 use OCA\Files\Db\TransferOwnershipMapper;
 use OCP\AppFramework\Db\DoesNotExistException;
 use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
 use OCP\AppFramework\Utility\ITimeFactory;
@ -62,8 +63,6 @@ class TransferOwnershipController extends OCSController {


 	/**
-	 * @NoAdminRequired
-	 *
 	 * Transfer the ownership to another user
 	 *
 	 * @param string $recipient Username of the recipient
@ -75,6 +74,7 @@ class TransferOwnershipController extends OCSController {
 	 * 400: Transferring ownership is not possible
 	 * 403: Transferring ownership is not allowed
 	 */
+	#[NoAdminRequired]
 	public function transfer(string $recipient, string $path): DataResponse {
 		$recipientUser = $this->userManager->get($recipient);

@ -118,8 +118,6 @@ class TransferOwnershipController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Accept an ownership transfer
 	 *
 	 * @param int $id ID of the ownership transfer
@ -130,6 +128,7 @@ class TransferOwnershipController extends OCSController {
 	 * 403: Accepting ownership transfer is not allowed
 	 * 404: Ownership transfer not found
 	 */
+	#[NoAdminRequired]
 	public function accept(int $id): DataResponse {
 		try {
 			$transferOwnership = $this->mapper->getById($id);
@ -161,8 +160,6 @@ class TransferOwnershipController extends OCSController {
 	}

 	/**
-	 * @NoAdminRequired
-	 *
 	 * Reject an ownership transfer
 	 *
 	 * @param int $id ID of the ownership transfer
@ -173,6 +170,7 @@ class TransferOwnershipController extends OCSController {
 	 * 403: Rejecting ownership transfer is not allowed
 	 * 404: Ownership transfer not found
 	 */
+	#[NoAdminRequired]
 	public function reject(int $id): DataResponse {
 		try {
 			$transferOwnership = $this->mapper->getById($id);
--- a/apps/files/lib/Controller/ViewController.php
+++ b/apps/files/lib/Controller/ViewController.php
@ -18,6 +18,8 @@ use OCA\Files\Service\ViewConfig;
 use OCA\Viewer\Event\LoadViewer;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\ContentSecurityPolicy;
 use OCP\AppFramework\Http\RedirectResponse;
@ -75,12 +77,11 @@ class ViewController extends Controller {
 	}

 	/**
-	 * @NoCSRFRequired
-	 * @NoAdminRequired
-	 *
 	 * @param string $fileid
 	 * @return TemplateResponse|RedirectResponse
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function showFile(?string $fileid = null): Response {
 		if (!$fileid) {
 			return new RedirectResponse($this->urlGenerator->linkToRoute('files.view.index'));
@ -96,43 +97,40 @@ class ViewController extends Controller {


 	/**
-	 * @NoCSRFRequired
-	 * @NoAdminRequired
-	 *
 	 * @param string $dir
 	 * @param string $view
 	 * @param string $fileid
 	 * @param bool $fileNotFound
 	 * @return TemplateResponse|RedirectResponse
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function indexView($dir = '', $view = '', $fileid = null, $fileNotFound = false) {
 		return $this->index($dir, $view, $fileid, $fileNotFound);
 	}

 	/**
-	 * @NoCSRFRequired
-	 * @NoAdminRequired
-	 *
 	 * @param string $dir
 	 * @param string $view
 	 * @param string $fileid
 	 * @param bool $fileNotFound
 	 * @return TemplateResponse|RedirectResponse
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function indexViewFileid($dir = '', $view = '', $fileid = null, $fileNotFound = false) {
 		return $this->index($dir, $view, $fileid, $fileNotFound);
 	}

 	/**
-	 * @NoCSRFRequired
-	 * @NoAdminRequired
-	 *
 	 * @param string $dir
 	 * @param string $view
 	 * @param string $fileid
 	 * @param bool $fileNotFound
 	 * @return TemplateResponse|RedirectResponse
 	 */
+	#[NoAdminRequired]
+	#[NoCSRFRequired]
 	public function index($dir = '', $view = '', $fileid = null, $fileNotFound = false) {
 		if ($fileid !== null && $view !== 'trashbin') {
 			try {