From 566c564a6a8809a70ee385e46e562e21c64b7258 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Thu, 28 Aug 2025 09:15:48 +0200
Subject: [PATCH 1/3] fix(TaskProcessingApiController): Don't allow anonymous access anymore
Signed-off-by: Marcel Klehr [skip ci]
---
 core/Controller/TaskProcessingApiController.php | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)
diff --git a/core/Controller/TaskProcessingApiController.php b/core/Controller/TaskProcessingApiController.php
index 029293a5cbc86..1cfc2650a32a9 100644
--- a/core/Controller/TaskProcessingApiController.php
+++ b/core/Controller/TaskProcessingApiController.php
@@ -13,7 +13,6 @@
 use OC\Core\ResponseDefinitions;
 use OC\Files\SimpleFS\SimpleFile;
 use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
 use OCP\AppFramework\Http\Attribute\ExAppRequired;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
@@ -66,7 +65,7 @@ public function __construct(
 *
 * 200: Task types returned
 */
- #[PublicPage]
+ #[NoAdminRequired]
 #[ApiRoute(verb: 'GET', url: '/tasktypes', root: '/taskprocessing')]
 public function taskTypes(): DataResponse {
 /** @var array $taskTypes */
@@ -156,9 +155,8 @@ public function taskTypes(): DataResponse {
 * 412: Scheduling task is not possible
 * 401: Cannot schedule task because it references files in its input that the user doesn't have access to
 */
- #[PublicPage]
 #[UserRateLimit(limit: 20, period: 120)]
- #[AnonRateLimit(limit: 5, period: 120)]
+ #[NoAdminRequired]
 #[ApiRoute(verb: 'POST', url: '/schedule', root: '/taskprocessing')]
 public function schedule(
 array $input, string $type, string $appId, string $customId = '',
@@ -199,7 +197,7 @@ public function schedule(
 * 200: Task returned
 * 404: Task not found
 */
- #[PublicPage]
+ #[NoAdminRequired]
 #[ApiRoute(verb: 'GET', url: '/task/{id}', root: '/taskprocessing')]
 public function getTask(int $id): DataResponse {
 try {
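Review bot: Nothing in the patches shown here pins the new access rule on `taskTypes()`, and the same holds for the `schedule()` and `getTask()` hunks: the diffstats list only the controller and the two OpenAPI files, so no test would fail if `#[PublicPage]` were re-added to one of these routes later. I would add a controller or integration test per route (`/taskprocessing/tasktypes`, `/taskprocessing/schedule`, `/taskprocessing/task/{id}`) asserting that a request without a session or token is rejected. The docblocks above the three attributes also still describe only the status codes; a line such as `* Requires a logged-in user.` in each would record the change where the next reader looks first.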
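Review bot: In the `schedule()` hunk `#[NoAdminRequired]` lands below `#[UserRateLimit(limit: 20, period: 120)]`, whereas the `taskTypes()` and `getTask()` hunks put it first, directly under the docblock. Keeping the access attribute first on every route makes an audit of who may call what a one-line scan per method; I would reorder to `#[NoAdminRequired]`, then `#[UserRateLimit(limit: 20, period: 120)]`, then `#[ApiRoute(...)]`. The body of `schedule()` continues outside the hunk; if it still carries a branch for a missing user id, that branch is presumably unreachable now and could be dropped in a follow-up.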
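Review bot: Requiring a login on `getTask(int $id)` narrows who can call the route, but the lookup itself starts at `try {` and runs outside the hunk, so it is not visible here whether the task is fetched for the calling user or by id alone. Because `{id}` is a plain integer, the lookup should be bound to the session user; if the body uses the manager's unscoped `getTask()`, I would switch it to the user-scoped `getUserTask()` and keep answering `404: Task not found` on a mismatch. A test with two accounts, where the second requests a task id owned by the first and receives 404, would cover this.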
From ec529e7fc46a80a431e5b51b9299d95fd8fa9ab2 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Fri, 29 Aug 2025 09:40:03 +0200
Subject: [PATCH 2/3] fix: Update openapi specs
Signed-off-by: Marcel Klehr
---
 core/openapi-full.json | 3 ---
 core/openapi.json | 3 ---
 2 files changed, 6 deletions(-)
diff --git a/core/openapi-full.json b/core/openapi-full.json
index 3d6a28f925148..a92583d33c077 100644
--- a/core/openapi-full.json
+++ b/core/openapi-full.json
@@ -4079,7 +4079,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
@@ -4152,7 +4151,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
@@ -4422,7 +4420,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
diff --git a/core/openapi.json b/core/openapi.json
index 9a381da7e224b..16838329a4f51 100644
--- a/core/openapi.json
+++ b/core/openapi.json
@@ -4079,7 +4079,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
@@ -4152,7 +4151,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
@@ -4422,7 +4420,6 @@ "task_processing_api" ], "security": [ - {}, { "bearer_auth": [] },
From a9610db9026f211cb23936c9d4d6254c0ad0ab22 Mon Sep 17 00:00:00 2001
From: Marcel Klehr
Date: Fri, 29 Aug 2025 09:48:12 +0200
Subject: [PATCH 3/3] fix: Run cs:fix
Signed-off-by: Marcel Klehr
---
 core/Controller/TaskProcessingApiController.php | 1 -
 1 file changed, 1 deletion(-)
diff --git a/core/Controller/TaskProcessingApiController.php b/core/Controller/TaskProcessingApiController.php
index 1cfc2650a32a9..6f8c27b3f460f 100644
--- a/core/Controller/TaskProcessingApiController.php
+++ b/core/Controller/TaskProcessingApiController.php
@@ -16,7 +16,6 @@
 use OCP\AppFramework\Http\Attribute\ApiRoute;
 use OCP\AppFramework\Http\Attribute\ExAppRequired;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\StreamResponse;