diff --git a/lib/Controller/Api1Controller.php b/lib/Controller/Api1Controller.php index 9e1276d065..8d86aef18d 100644 --- a/lib/Controller/Api1Controller.php +++ b/lib/Controller/Api1Controller.php @@ -30,6 +30,9 @@ use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\MultipleObjectsReturnedException; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\CORS; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IL10N; use OCP\IRequest; @@ -96,14 +99,13 @@ public function __construct( /** * Returns all Tables * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @return DataResponse|DataResponse * * 200: Tables returned */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function index(): DataResponse { try { return new DataResponse($this->tableService->formatTables($this->tableService->findAll($this->userId))); @@ -117,10 +119,6 @@ public function index(): DataResponse { /** * Create a new table and return it * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param string $title Title of the table * @param string|null $emoji Emoji for the table * @param string $template Template to use if wanted @@ -129,6 +127,9 @@ public function index(): DataResponse { * * 200: Tables returned */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function createTable(string $title, ?string $emoji, string $template = 'custom'): DataResponse { try { return new DataResponse($this->tableService->create($title, $template, $emoji)->jsonSerialize()); @@ -142,10 +143,6 @@ public function createTable(string $title, ?string $emoji, string $template = 'c /** * returns table scheme * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @return DataResponse|DataResponse * 
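Review bot: Nothing in this change shows that the app's minimum supported server release ships `OCP\AppFramework\Http\Attribute\CORS`, `NoAdminRequired` and `NoCSRFRequired`, yet every method in this file now depends on them because the docblock annotations are removed in the same step. On a release that only reads the annotations, these endpoints would presumably fail closed (admin-only, CSRF check enforced, no CORS handling), which is safe but breaks API clients. I would state the requirement next to the new imports, e.g. `// Access-control attributes replace the docblock annotations; needs a server release that reads OCP\AppFramework\Http\Attribute\*.`, and confirm the declared minimum version matches. The same applies to the `#[NoAdminRequired]` hunks in ApiColumnsController and ApiFavoriteController.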
@@ -153,6 +150,10 @@ public function createTable(string $title, ?string $emoji, string $template = 'c * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function showScheme(int $tableId): DataResponse { try { $scheme = $this->tableService->getScheme($tableId); @@ -175,10 +176,6 @@ public function showScheme(int $tableId): DataResponse { /** * Get a table object * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @return DataResponse|DataResponse * @@ -186,6 +183,10 @@ public function showScheme(int $tableId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function getTable(int $tableId): DataResponse { try { return new DataResponse($this->tableService->find($tableId)->jsonSerialize()); @@ -207,10 +208,6 @@ public function getTable(int $tableId): DataResponse { /** * Update tables properties * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param string|null $title New table title * @param string|null $emoji New table emoji @@ -221,6 +218,10 @@ public function getTable(int $tableId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function updateTable(int $tableId, ?string $title = null, ?string $emoji = null, ?bool $archived = false): DataResponse { try { return new DataResponse($this->tableService->update($tableId, $title, $emoji, null, $archived, $this->userId)->jsonSerialize()); 
@@ -242,10 +243,6 @@ public function updateTable(int $tableId, ?string $title = null, ?string $emoji /** * Delete a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @return DataResponse|DataResponse * @@ -253,6 +250,10 @@ public function updateTable(int $tableId, ?string $title = null, ?string $emoji * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function deleteTable(int $tableId): DataResponse { try { return new DataResponse($this->tableService->delete($tableId)->jsonSerialize()); @@ -276,10 +277,6 @@ public function deleteTable(int $tableId): DataResponse { /** * Get all views for a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @return DataResponse|DataResponse * @@ -287,6 +284,10 @@ public function deleteTable(int $tableId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function indexViews(int $tableId): DataResponse { try { return new DataResponse($this->viewService->formatViews($this->viewService->findAll($this->tableService->find($tableId)))); @@ -308,10 +309,6 @@ public function indexViews(int $tableId): DataResponse { /** * Create a new view for a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID that will hold the view * @param string $title Title for the view * @param string|null $emoji Emoji for the view 
@@ -322,6 +319,10 @@ public function indexViews(int $tableId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function createView(int $tableId, string $title, ?string $emoji): DataResponse { try { return new DataResponse($this->viewService->create($title, $emoji, $this->tableService->find($tableId))->jsonSerialize()); @@ -339,10 +340,6 @@ public function createView(int $tableId, string $title, ?string $emoji): DataRes /** * Get a view object * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @return DataResponse|DataResponse * @@ -350,6 +347,10 @@ public function createView(int $tableId, string $title, ?string $emoji): DataRes * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function getView(int $viewId): DataResponse { try { return new DataResponse($this->viewService->find($viewId)->jsonSerialize()); @@ -371,10 +372,6 @@ public function getView(int $viewId): DataResponse { /** * Update a view via key-value sets * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @param array{key: 'title'|'emoji'|'description', value: string}|array{key: 'columns', value: int[]}|array{key: 'sort', value: array{columnId: int, mode: 'ASC'|'DESC'}}|array{key: 'filter', value: array{columnId: int, operator: 'begins-with'|'ends-with'|'contains'|'is-equal'|'is-greater-than'|'is-greater-than-or-equal'|'is-lower-than'|'is-lower-than-or-equal'|'is-empty', value: string|int|float}} $data key-value pairs * @return DataResponse|DataResponse 
@@ -384,6 +381,10 @@ public function getView(int $viewId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function updateView(int $viewId, array $data): DataResponse { try { return new DataResponse($this->viewService->update($viewId, $data)->jsonSerialize()); @@ -405,10 +406,6 @@ public function updateView(int $viewId, array $data): DataResponse { /** * Delete a view * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @return DataResponse|DataResponse * @@ -416,6 +413,10 @@ public function updateView(int $viewId, array $data): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function deleteView(int $viewId): DataResponse { try { return new DataResponse($this->viewService->delete($viewId)->jsonSerialize()); @@ -439,10 +440,6 @@ public function deleteView(int $viewId): DataResponse { /** * Get a share object * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $shareId Share ID * @return DataResponse|DataResponse * @@ -450,6 +447,9 @@ public function deleteView(int $viewId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function getShare(int $shareId): DataResponse { try { return new DataResponse($this->shareService->find($shareId)->jsonSerialize()); 
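Review bot: `getShare` gets only the three framework attributes and no `#[RequirePermission]`, so its object-level authorization is whatever `$this->shareService->find($shareId)` enforces, while the table and view endpoints above are now also guarded in the middleware. The same holds for `deleteShare`, `updateSharePermissions` and `updateShareDisplayMode`, and for the endpoints keyed by a column or row id (`createColumn`, `updateColumn`, `getColumn`, `deleteColumn`, `getRow`, `updateRow`, `deleteRow`). This is presumably deliberate, since the attribute takes a table or view id, but on `#[NoCSRFRequired]` `#[CORS]` endpoints it leaves the service check as the only gate. I would record that on each such method, e.g. `// No RequirePermission: it cannot resolve a share id; access is checked in $this->shareService->find().`, and verify that each service method really checks the caller. The method bodies continue outside the hunks.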
@@ -472,15 +472,14 @@ public function getShare(int $shareId): DataResponse { * Get all shares for a view * Will be empty if view does not exist * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @return DataResponse|DataResponse * * 200: Shares returned */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function indexViewShares(int $viewId): DataResponse { try { return new DataResponse($this->shareService->formatShares($this->shareService->findAll('view', $viewId))); @@ -495,15 +494,14 @@ public function indexViewShares(int $viewId): DataResponse { * Get all shares for a table * Will be empty if table does not exist * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @return DataResponse|DataResponse * * 200: Shares returned */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function indexTableShares(int $tableId): DataResponse { try { return new DataResponse($this->shareService->formatShares($this->shareService->findAll('table', $tableId))); @@ -517,10 +515,6 @@ public function indexTableShares(int $tableId): DataResponse { /** * Create a new share * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $nodeId Node ID * @param 'table'|'view'|'context' $nodeType Node type * @param string $receiver Receiver ID @@ -537,6 +531,9 @@ public function indexTableShares(int $tableId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_MANAGE)] public function createShare( int $nodeId, @@ -570,10 +567,6 @@ public function createShare( /** * Delete a share * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $shareId Share ID * @return DataResponse|DataResponse * 
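Review bot: `indexViewShares` takes a `viewId` and `indexTableShares` a `tableId`, yet neither receives `#[RequirePermission]`, unlike `getView` and `getTable`, which are guarded on the same ids. Whether `$this->shareService->findAll(...)` filters by the caller's access is not visible here, and the docblock only says the result is empty when the node does not exist. If listing shares should need at least read access, add `#[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')]` (and the `NODE_TYPE_TABLE`/`'tableId'` form on the table variant); otherwise add a comment saying why the check is left to the service. `indexTableColumns` and `deleteRowByView` later in this file also take a node id without the attribute.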
@@ -581,6 +574,9 @@ public function createShare( * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function deleteShare(int $shareId): DataResponse { try { return new DataResponse($this->shareService->delete($shareId)->jsonSerialize()); @@ -602,10 +598,6 @@ public function deleteShare(int $shareId): DataResponse { /** * Update a share permission * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $shareId Share ID * @param string $permissionType Permission type that should be changed * @param bool $permissionValue New permission value @@ -615,6 +607,9 @@ public function deleteShare(int $shareId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function updateSharePermissions(int $shareId, string $permissionType, bool $permissionValue): DataResponse { try { return new DataResponse($this->shareService->updatePermission($shareId, $permissionType, $permissionValue)->jsonSerialize()); @@ -636,10 +631,6 @@ public function updateSharePermissions(int $shareId, string $permissionType, boo /** * Updates the display mode of a context share * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $shareId Share ID * @param int $displayMode The new value for the display mode of the nav bar icon. 0: hidden, 1: visible for recipients, 2: visible for all * @param string $target "default" to set the default, "self" to set an override for the authenticated user @@ -653,6 +644,9 @@ public function updateSharePermissions(int $shareId, string $permissionType, boo * @psalm-param int<0, 2> $displayMode * @psalm-param ("default"|"self") $target */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function updateShareDisplayMode(int $shareId, int $displayMode, string $target = 'default'): DataResponse { if ($target === 'default') { $userId = ''; 
@@ -688,10 +682,6 @@ public function updateShareDisplayMode(int $shareId, int $displayMode, string $t * Get all columns for a table or a underlying view * Return an empty array if no columns were found * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param int|null $viewId View ID * @return DataResponse|DataResponse @@ -700,6 +690,9 @@ public function updateShareDisplayMode(int $shareId, int $displayMode, string $t * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function indexTableColumns(int $tableId, ?int $viewId): DataResponse { try { return new DataResponse($this->columnService->formatColumns($this->columnService->findAllByTable($tableId, $viewId))); @@ -718,10 +711,6 @@ public function indexTableColumns(int $tableId, ?int $viewId): DataResponse { * Get all columns for a view * Return an empty array if no columns were found * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @return DataResponse|DataResponse * @@ -729,6 +718,10 @@ public function indexTableColumns(int $tableId, ?int $viewId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function indexViewColumns(int $viewId): DataResponse { try { return new DataResponse($this->columnService->formatColumns($this->columnService->findAllByView($viewId))); @@ -750,10 +743,6 @@ public function indexViewColumns(int $viewId): DataResponse { /** * Create a column * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int|null $tableId Table ID * @param int|null $viewId View ID * @param string $title Title 
@@ -786,6 +775,9 @@ public function indexViewColumns(int $viewId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function createColumn( ?int $tableId, ?int $viewId, @@ -867,10 +859,6 @@ public function createColumn( /** * Update a column * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $columnId Column ID that will be updated * @param string|null $title Title * @param string|null $subtype Column sub type @@ -898,6 +886,9 @@ public function createColumn( * * 200: Updated column */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function updateColumn( int $columnId, ?string $title, @@ -968,10 +959,6 @@ public function updateColumn( /** * Returns a column object * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $columnId Wanted Column ID * @return DataResponse|DataResponse * @@ -979,6 +966,9 @@ public function updateColumn( * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function getColumn(int $columnId): DataResponse { try { return new DataResponse($this->columnService->find($columnId)->jsonSerialize()); @@ -1000,10 +990,6 @@ public function getColumn(int $columnId): DataResponse { /** * Delete a column * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $columnId Wanted Column ID * @return DataResponse|DataResponse * @@ -1011,6 +997,9 @@ public function getColumn(int $columnId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function deleteColumn(int $columnId): DataResponse { try { return new DataResponse($this->columnService->delete($columnId)->jsonSerialize()); 
@@ -1032,10 +1021,6 @@ public function deleteColumn(int $columnId): DataResponse { /** * List all rows values for a table, first row are the column titles * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param int|null $limit Limit * @param int|null $offset Offset @@ -1045,6 +1030,10 @@ public function deleteColumn(int $columnId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function indexTableRowsSimple(int $tableId, ?int $limit, ?int $offset): DataResponse { try { return new DataResponse($this->v1Api->getData($tableId, $limit, $offset, $this->userId)); @@ -1062,10 +1051,6 @@ public function indexTableRowsSimple(int $tableId, ?int $limit, ?int $offset): D /** * List all rows for a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param int|null $limit Limit * @param int|null $offset Offset @@ -1075,6 +1060,10 @@ public function indexTableRowsSimple(int $tableId, ?int $limit, ?int $offset): D * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function indexTableRows(int $tableId, ?int $limit, ?int $offset): DataResponse { try { return new DataResponse($this->rowService->formatRows($this->rowService->findAllByTable($tableId, $this->userId, $limit, $offset))); @@ -1092,10 +1081,6 @@ public function indexTableRows(int $tableId, ?int $limit, ?int $offset): DataRes /** * List all rows for a view * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @param int|null $limit Limit * @param int|null $offset Offset 
@@ -1105,6 +1090,10 @@ public function indexTableRows(int $tableId, ?int $limit, ?int $offset): DataRes * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function indexViewRows(int $viewId, ?int $limit, ?int $offset): DataResponse { try { return new DataResponse($this->rowService->formatRows($this->rowService->findAllByView($viewId, $this->userId, $limit, $offset))); @@ -1122,10 +1111,6 @@ public function indexViewRows(int $viewId, ?int $limit, ?int $offset): DataRespo /** * Create a row within a view * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $viewId View ID * @param string|array $data Data as key - value store * @return DataResponse|DataResponse @@ -1133,6 +1118,9 @@ public function indexViewRows(int $viewId, ?int $limit, ?int $offset): DataRespo * 200: Row returned * 403: No permissions */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function createRowInView(int $viewId, $data): DataResponse { if(is_string($data)) { @@ -1168,10 +1156,6 @@ public function createRowInView(int $viewId, $data): DataResponse { /** * Create a row within a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param string|array $data Data as key - value store * @return DataResponse|DataResponse @@ -1180,6 +1164,9 @@ public function createRowInView(int $viewId, $data): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function createRowInTable(int $tableId, $data): DataResponse { if(is_string($data)) { 
@@ -1215,10 +1202,6 @@ public function createRowInTable(int $tableId, $data): DataResponse { /** * Get a row * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $rowId Row ID * @return DataResponse|DataResponse * @@ -1226,6 +1209,9 @@ public function createRowInTable(int $tableId, $data): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function getRow(int $rowId): DataResponse { try { return new DataResponse($this->rowService->find($rowId)->jsonSerialize()); @@ -1247,10 +1233,6 @@ public function getRow(int $rowId): DataResponse { /** * Update a row * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $rowId Row ID * @param int|null $viewId View ID * @param string|array $data Data as key - value store @@ -1261,6 +1243,9 @@ public function getRow(int $rowId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function updateRow(int $rowId, ?int $viewId, $data): DataResponse { if(is_string($data)) { $data = json_decode($data, true); @@ -1290,10 +1275,6 @@ public function updateRow(int $rowId, ?int $viewId, $data): DataResponse { /** * Delete a row * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $rowId Row ID * * @return DataResponse|DataResponse @@ -1302,6 +1283,9 @@ public function updateRow(int $rowId, ?int $viewId, $data): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function deleteRow(int $rowId): DataResponse { try { return new DataResponse($this->rowService->delete($rowId, null, $this->userId)->jsonSerialize()); @@ -1323,10 +1307,6 @@ public function deleteRow(int $rowId): DataResponse { /** * Delete a row within a view * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $rowId Row ID * @param int $viewId View ID * @return DataResponse|DataResponse 
@@ -1335,6 +1315,9 @@ public function deleteRow(int $rowId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] public function deleteRowByView(int $rowId, int $viewId): DataResponse { try { return new DataResponse($this->rowService->delete($rowId, $viewId, $this->userId)->jsonSerialize()); @@ -1356,9 +1339,6 @@ public function deleteRowByView(int $rowId, int $viewId): DataResponse { /** * Import from file in to a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired * @param int $tableId Table ID * @param string $path Path to file * @param bool $createMissingColumns Create missing columns @@ -1368,6 +1348,9 @@ public function deleteRowByView(int $rowId, int $viewId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function importInTable(int $tableId, string $path, bool $createMissingColumns = true): DataResponse { try { @@ -1391,9 +1374,6 @@ public function importInTable(int $tableId, string $path, bool $createMissingCol /** * Import from file in to a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired * @param int $viewId View ID * @param string $path Path to file * @param bool $createMissingColumns Create missing columns @@ -1403,6 +1383,9 @@ public function importInTable(int $tableId, string $path, bool $createMissingCol * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function importInView(int $viewId, string $path, bool $createMissingColumns = true): DataResponse { try { 
@@ -1428,10 +1411,6 @@ public function importInView(int $viewId, string $path, bool $createMissingColum /** * Create a share for a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param string $receiver Receiver ID * @param 'user'|'group' $receiverType Receiver type @@ -1446,6 +1425,9 @@ public function importInView(int $viewId, string $path, bool $createMissingColum * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function createTableShare(int $tableId, string $receiver, string $receiverType, bool $permissionRead, bool $permissionCreate, bool $permissionUpdate, bool $permissionDelete, bool $permissionManage): DataResponse { try { @@ -1468,10 +1450,6 @@ public function createTableShare(int $tableId, string $receiver, string $receive /** * Create a new column for a table * - * @NoAdminRequired - * @CORS - * @NoCSRFRequired - * * @param int $tableId Table ID * @param string $title Title * @param 'text'|'number'|'datetime'|'select'|'usergroup' $type Column main type @@ -1503,6 +1481,10 @@ public function createTableShare(int $tableId, string $receiver, string $receive * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[CORS] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function createTableColumn( int $tableId, string $title, @@ -1579,8 +1561,5 @@ public function createTableColumn( $message = ['message' => $e->getMessage()]; return new DataResponse($message, Http::STATUS_NOT_FOUND); } - - - } } diff --git a/lib/Controller/ApiColumnsController.php b/lib/Controller/ApiColumnsController.php index d126b833a6..9560dbd26c 100644 --- a/lib/Controller/ApiColumnsController.php +++ b/lib/Controller/ApiColumnsController.php 
@@ -6,13 +6,16 @@ */ namespace OCA\Tables\Controller; +use OCA\Tables\AppInfo\Application; use OCA\Tables\Dto\Column as ColumnDto; use OCA\Tables\Errors\InternalError; use OCA\Tables\Errors\NotFoundError; use OCA\Tables\Errors\PermissionError; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\ResponseDefinitions; use OCA\Tables\Service\ColumnService; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IL10N; use OCP\IRequest; @@ -39,8 +42,6 @@ public function __construct( * * Return an empty array if no columns were found * - * @NoAdminRequired - * * @param int $nodeId Node ID * @param 'table'|'view' $nodeType Node type * @return DataResponse|DataResponse @@ -49,6 +50,8 @@ public function __construct( * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ)] public function index(int $nodeId, string $nodeType): DataResponse { try { if($nodeType === 'table') { @@ -71,8 +74,6 @@ public function index(int $nodeId, string $nodeType): DataResponse { /** * [api v2] Get a column object * - * @NoAdminRequired - * * @param int $id Column ID * @return DataResponse|DataResponse * @@ -80,6 +81,7 @@ public function index(int $nodeId, string $nodeType): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] public function show(int $id): DataResponse { try { return new DataResponse($this->service->find($id)->jsonSerialize()); @@ -97,8 +99,6 @@ public function show(int $id): DataResponse { * * Specify a subtype to use any special numbered column * - * @NoAdminRequired - * * @param int $baseNodeId Context of the column creation * @param string $title Title * @param boolean $mandatory Is mandatory 
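Review bot: The `#[RequirePermission(permission: Application::PERMISSION_READ)]` on `index` names neither the type nor the id parameter, so which request values the middleware checks depends on the attribute's defaults, which this diff does not show. `index` takes `nodeType` as the string `'table'|'view'`, whereas `create` and `destroy` in ApiFavoriteController use the same bare attribute with `int $nodeType`. If the middleware normalises only one of those forms, the other may be rejected or resolved against the wrong node type. Spelling it out as `#[RequirePermission(permission: Application::PERMISSION_READ, typeParam: 'nodeType', idParam: 'nodeId')]` makes the binding reviewable, assuming those are the intended parameters. `show(int $id)` in the same file gets no `RequirePermission` and relies on `$this->service->find($id)`.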
@@ -121,6 +121,8 @@ public function show(int $id): DataResponse { * @throws NotFoundError * @throws PermissionError */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')] public function createNumberColumn(int $baseNodeId, string $title, ?float $numberDefault, ?int $numberDecimals, ?string $numberPrefix, ?string $numberSuffix, ?float $numberMin, ?float $numberMax, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse { $tableId = $baseNodeType === 'table' ? $baseNodeId : null; $viewId = $baseNodeType === 'view' ? $baseNodeId : null; @@ -151,8 +153,6 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe * * Specify a subtype to use any special text column * - * @NoAdminRequired - * * @param int $baseNodeId Context of the column creation * @param string $title Title * @param string|null $textDefault Default @@ -172,6 +172,8 @@ public function createNumberColumn(int $baseNodeId, string $title, ?float $numbe * @throws NotFoundError * @throws PermissionError */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')] public function createTextColumn(int $baseNodeId, string $title, ?string $textDefault, ?string $textAllowedPattern, ?int $textMaxLength, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse { $tableId = $baseNodeType === 'table' ? $baseNodeId : null; $viewId = $baseNodeType === 'view' ? $baseNodeId : null; 
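Review bot: `typeParam: 'baseNodeType'` on `createNumberColumn` points at a parameter whose default `'table'` exists only in the method signature, so when a request omits it the middleware has to apply the same default, or it will check a different node type (or none) than the one the method then acts on. The body also turns any value other than `'table'` or `'view'` into `$tableId = null` and `$viewId = null`, so the middleware should reject unknown types rather than skip the check. Neither behaviour is visible in this diff; please confirm it in the middleware and note it on the method, e.g. `// baseNodeType defaults to 'table'; RequirePermission must resolve the same default.` The same applies to `createTextColumn`, `createSelectionColumn`, `createDatetimeColumn` and `createUsergroupColumn`.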
@@ -199,8 +201,6 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe * * Specify a subtype to use any special selection column * - * @NoAdminRequired - * * @param int $baseNodeId Context of the column creation * @param string $title Title * @param string $selectionOptions Json array{id: int, label: string} with options that can be selected, eg [{"id": 1, "label": "first"},{"id": 2, "label": "second"}] @@ -219,6 +219,8 @@ public function createTextColumn(int $baseNodeId, string $title, ?string $textDe * @throws NotFoundError * @throws PermissionError */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')] public function createSelectionColumn(int $baseNodeId, string $title, string $selectionOptions, ?string $selectionDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse { $tableId = $baseNodeType === 'table' ? $baseNodeId : null; $viewId = $baseNodeType === 'view' ? $baseNodeId : null; @@ -245,8 +247,6 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se * * Specify a subtype to use any special datetime column * - * @NoAdminRequired - * * @param int $baseNodeId Context of the column creation * @param string $title Title * @param 'today'|'now'|null $datetimeDefault For a subtype 'date' you can set 'today'. For a main type or subtype 'time' you can set to 'now'. 
@@ -264,6 +264,8 @@ public function createSelectionColumn(int $baseNodeId, string $title, string $se * @throws NotFoundError * @throws PermissionError */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')] public function createDatetimeColumn(int $baseNodeId, string $title, ?string $datetimeDefault, ?string $subtype = null, ?string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse { $tableId = $baseNodeType === 'table' ? $baseNodeId : null; $viewId = $baseNodeType === 'view' ? $baseNodeId : null; @@ -287,8 +289,6 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da /** * [api v2] Create new usergroup column * - * @NoAdminRequired - * * @param int $baseNodeId Context of the column creation * @param string $title Title * @param string|null $usergroupDefault Json array{id: string, type: int}, eg [{"id": "admin", "type": 0}, {"id": "user1", "type": 0}] @@ -309,6 +309,8 @@ public function createDatetimeColumn(int $baseNodeId, string $title, ?string $da * @throws NotFoundError * @throws PermissionError */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, typeParam: 'baseNodeType', idParam: 'baseNodeId')] public function createUsergroupColumn(int $baseNodeId, string $title, ?string $usergroupDefault, bool $usergroupMultipleItems = null, bool $usergroupSelectUsers = null, bool $usergroupSelectGroups = null, bool $showUserStatus = null, string $description = null, ?array $selectedViewIds = [], bool $mandatory = false, string $baseNodeType = 'table'): DataResponse { $tableId = $baseNodeType === 'table' ? $baseNodeId : null; $viewId = $baseNodeType === 'view' ? $baseNodeId : null; diff --git a/lib/Controller/ApiFavoriteController.php b/lib/Controller/ApiFavoriteController.php index f7a76973d0..05271b4cb7 100644 
--- a/lib/Controller/ApiFavoriteController.php +++ b/lib/Controller/ApiFavoriteController.php @@ -8,12 +8,15 @@ namespace OCA\Tables\Controller; use Exception; +use OCA\Tables\AppInfo\Application; use OCA\Tables\Errors\InternalError; use OCA\Tables\Errors\NotFoundError; use OCA\Tables\Errors\PermissionError; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\ResponseDefinitions; use OCA\Tables\Service\FavoritesService; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\DB\Exception as DBException; use OCP\IL10N; @@ -39,8 +42,6 @@ public function __construct( /** * [api v2] Add a node (table or view) to user favorites * - * @NoAdminRequired - * * @param int $nodeType any Application::NODE_TYPE_* constant * @param int $nodeId identifier of the node * @return DataResponse|DataResponse @@ -49,6 +50,8 @@ public function __construct( * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ)] public function create(int $nodeType, int $nodeId): DataResponse { try { $this->service->addFavorite($nodeType, $nodeId); @@ -66,8 +69,6 @@ public function create(int $nodeType, int $nodeId): DataResponse { /** * [api v2] Remove a node (table or view) to from favorites * - * @NoAdminRequired - * * @param int $nodeType any Application::NODE_TYPE_* constant * @param int $nodeId identifier of the node * @return DataResponse|DataResponse @@ -76,6 +77,8 @@ public function create(int $nodeType, int $nodeId): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ)] public function destroy(int $nodeType, int $nodeId): DataResponse { try { $this->service->removeFavorite($nodeType, $nodeId); diff --git a/lib/Controller/ApiGeneralController.php b/lib/Controller/ApiGeneralController.php index ed8f7ec5a2..5d387d935f 100644 
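Review bot: The docblocks of `create` and `destroy` still list `403: No permissions`, but the APIv2.feature hunk at the end of this diff changes the expected status for a user without access from 403 to 404. With `#[RequirePermission(permission: Application::PERMISSION_READ)]` now running before the service call, the no-access case presumably never reaches the branch that produced the 403. The status list in both docblocks should be updated so the generated API description matches what clients will see. The attribute also passes neither `type` nor `idParam`, so it depends on the attribute's defaults matching `nodeType`/`nodeId`; a short comment such as `// node is resolved from the nodeType/nodeId request parameters (attribute defaults)` would make that visible, once confirmed against the attribute class.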
--- a/lib/Controller/ApiGeneralController.php +++ b/lib/Controller/ApiGeneralController.php @@ -15,6 +15,7 @@ use OCA\Tables\Service\TableService; use OCA\Tables\Service\ViewService; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IL10N; use OCP\IRequest; @@ -46,12 +47,11 @@ public function __construct( * * Tables and views incl. shares * - * @NoAdminRequired - * * @return DataResponse|DataResponse * * 200: Index returned */ + #[NoAdminRequired] public function index(): DataResponse { try { $tables = $this->tableService->formatTables($this->tableService->findAll($this->userId)); diff --git a/lib/Controller/ApiTablesController.php b/lib/Controller/ApiTablesController.php index 6b8b359be3..9c5ed7ed08 100644 --- a/lib/Controller/ApiTablesController.php +++ b/lib/Controller/ApiTablesController.php @@ -8,16 +8,19 @@ namespace OCA\Tables\Controller; use Exception; +use OCA\Tables\AppInfo\Application; use OCA\Tables\Dto\Column as ColumnDto; use OCA\Tables\Errors\InternalError; use OCA\Tables\Errors\NotFoundError; use OCA\Tables\Errors\PermissionError; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\ResponseDefinitions; use OCA\Tables\Service\ColumnService; use OCA\Tables\Service\TableService; use OCA\Tables\Service\ViewService; use OCP\App\IAppManager; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IDBConnection; use OCP\IL10N; @@ -57,12 +60,11 @@ public function __construct( /** * [api v2] Returns all Tables * - * @NoAdminRequired - * * @return DataResponse|DataResponse * * 200: Tables returned */ + #[NoAdminRequired] public function index(): DataResponse { try { return new DataResponse($this->service->formatTables($this->service->findAll($this->userId))); 
@@ -74,8 +76,6 @@ public function index(): DataResponse { /** * [api v2] Get a table object * - * @NoAdminRequired - * * @param int $id Table ID * @return DataResponse|DataResponse * @@ -83,6 +83,8 @@ public function index(): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function show(int $id): DataResponse { try { return new DataResponse($this->service->find($id)->jsonSerialize()); @@ -98,8 +100,6 @@ public function show(int $id): DataResponse { /** * [api v2] Get a table Scheme * - * @NoAdminRequired - * * @param int $id Table ID * @return DataResponse|DataResponse * @@ -107,6 +107,8 @@ public function show(int $id): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function showScheme(int $id): DataResponse { try { return new DataResponse($this->service->getScheme($id)->jsonSerialize()); @@ -120,8 +122,6 @@ public function showScheme(int $id): DataResponse { } /** - * @NoAdminRequired - * * creates table from scheme * * @param string $title title of new table @@ -133,6 +133,7 @@ public function showScheme(int $id): DataResponse { * * 200: Tables returned */ + #[NoAdminRequired] public function createFromScheme(string $title, string $emoji, string $description, array $columns, array $views): DataResponse { try { $this->db->beginTransaction(); @@ -191,8 +192,6 @@ public function createFromScheme(string $title, string $emoji, string $descripti /** * [api v2] Create a new table and return it * - * @NoAdminRequired - * * @param string $title Title of the table * @param string|null $emoji Emoji for the table * @param string|null $description Description for the table 
@@ -202,6 +201,7 @@ public function createFromScheme(string $title, string $emoji, string $descripti * * 200: Tables returned */ + #[NoAdminRequired] public function create(string $title, ?string $emoji, ?string $description, string $template = 'custom'): DataResponse { try { return new DataResponse($this->service->create($title, $template, $emoji, $description)->jsonSerialize()); @@ -213,8 +213,6 @@ public function create(string $title, ?string $emoji, ?string $description, stri /** * [api v2] Update tables properties * - * @NoAdminRequired - * * @param int $id Table ID * @param string|null $title New table title * @param string|null $emoji New table emoji @@ -226,6 +224,8 @@ public function create(string $title, ?string $emoji, ?string $description, stri * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function update(int $id, ?string $title = null, ?string $emoji = null, ?string $description = null, ?bool $archived = null): DataResponse { try { return new DataResponse($this->service->update($id, $title, $emoji, $description, $archived, $this->userId)->jsonSerialize()); @@ -241,8 +241,6 @@ public function update(int $id, ?string $title = null, ?string $emoji = null, ?s /** * [api v2] Delete a table * - * @NoAdminRequired - * * @param int $id Table ID * @return DataResponse|DataResponse * @@ -250,6 +248,8 @@ public function update(int $id, ?string $title = null, ?string $emoji = null, ?s * 403: No permissions * 404: Not found */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function destroy(int $id): DataResponse { try { return new DataResponse($this->service->delete($id)->jsonSerialize()); 
@@ -267,8 +267,6 @@ public function destroy(int $id): DataResponse { * * Transfer table from one user to another * - * @NoAdminRequired - * * @param int $id Table ID * @param string $newOwnerUserId New user ID * @@ -278,6 +276,7 @@ public function destroy(int $id): DataResponse { * 403: No permissions * 404: Not found */ + #[NoAdminRequired] public function transfer(int $id, string $newOwnerUserId): DataResponse { try { return new DataResponse($this->service->setOwner($id, $newOwnerUserId)->jsonSerialize()); diff --git a/lib/Controller/ColumnController.php b/lib/Controller/ColumnController.php index 42f760cad7..df1a9509d7 100644 --- a/lib/Controller/ColumnController.php +++ b/lib/Controller/ColumnController.php @@ -9,8 +9,10 @@ use OCA\Tables\AppInfo\Application; use OCA\Tables\Dto\Column as ColumnDto; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\Service\ColumnService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; 
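Review bot: `transfer` receives only `#[NoAdminRequired]`, while `update` and `destroy` in the same controller are now guarded with `PERMISSION_MANAGE` on the table `id`. Changing a table's owner is at least as sensitive as deleting it. Unless `setOwner` is known to enforce this itself, I would add `#[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')]` here too. If the omission is deliberate, for example because only the owner and not every manager may transfer, a one-line comment naming where that check lives would keep it from being read as an oversight. The method body continues outside the hunk.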
@@ -35,45 +37,36 @@ public function __construct( $this->userId = $userId; } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function index(int $tableId, ?int $viewId): DataResponse { return $this->handleError(function () use ($tableId, $viewId) { return $this->service->findAllByTable($tableId, $viewId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function indexTableByView(int $tableId, ?int $viewId): DataResponse { return $this->handleError(function () use ($tableId, $viewId) { return $this->service->findAllByTable($tableId, $viewId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function indexView(int $viewId): DataResponse { return $this->handleError(function () use ($viewId) { return $this->service->findAllByView($viewId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function show(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->find($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function create( ?int $tableId, ?int $viewId, @@ -172,9 +165,7 @@ public function create( }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function update( int $id, ?int $tableId, @@ -269,9 +260,7 @@ public function update( }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function destroy(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->delete($id, false, $this->userId); diff --git a/lib/Controller/ContextController.php b/lib/Controller/ContextController.php index ec7742d9a1..4a2e60a751 100644 --- a/lib/Controller/ContextController.php +++ b/lib/Controller/ContextController.php 
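Review bot: `index` and `indexTableByView` take a `tableId` and an optional `viewId` but get no `#[RequirePermission]`, whereas `indexView` directly below is guarded with `PERMISSION_READ` on `viewId`. The same applies to the endpoints keyed on an object id, which rely entirely on the service layer for access control: `show`, `create`, `update` and `destroy` here, `show`, `update`, `updateSet`, `destroy` and `destroyByView` in RowController, and `show`, `updatePermission`, `updateDisplayMode` and `destroy` in ShareController. That may be intentional, since a column, row or share id does not identify the node before the object is loaded, and `index` may be reachable with view-only access. Because this change moves enforcement into the middleware, each unguarded method should say so, e.g. `// access is checked in the service; the owning node is not known until the object is loaded`. Where the node id is in the request, as with `tableId` in `index`, it is worth confirming that the service check is equivalent to the attribute the sibling methods now carry.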
@@ -18,6 +18,7 @@ use OCP\AppFramework\Db\DoesNotExistException; use OCP\AppFramework\Db\MultipleObjectsReturnedException; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\DB\Exception; use OCP\IL10N; @@ -51,9 +52,8 @@ public function __construct( * @return DataResponse|DataResponse * * 200: reporting in available contexts - * - * @NoAdminRequired */ + #[NoAdminRequired] public function index(): DataResponse { try { $contexts = $this->contextService->findAll($this->userId); @@ -72,8 +72,8 @@ public function index(): DataResponse { * 200: returning the full context information * 404: context not found or not available anymore * - * @NoAdminRequired */ + #[NoAdminRequired] public function show(int $contextId): DataResponse { try { $context = $this->contextService->findById($contextId, $this->userId); @@ -88,8 +88,6 @@ public function show(int $contextId): DataResponse { /** * [api v2] Create a new context and return it * - * @NoAdminRequired - * * @param string $name Name of the context * @param string $iconName Material design icon name of the context * @param string $description Descriptive text of the context @@ -101,6 +99,7 @@ public function show(int $contextId): DataResponse { * 400: invalid parameters were supplied * 403: lacking permissions on a resource */ + #[NoAdminRequired] public function create(string $name, string $iconName, string $description = '', array $nodes = []): DataResponse { try { return new DataResponse($this->contextService->create( @@ -135,9 +134,9 @@ public function create(string $name, string $iconName, string $description = '', * 403: No permissions * 404: Not found * - * @NoAdminRequired * @CanManageContext */ + #[NoAdminRequired] public function update(int $contextId, ?string $name, ?string $iconName, ?string $description, ?array $nodes): DataResponse { try { $nodes = $nodes !== null ? $this->sanitizeInputNodes($nodes) : null; 
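Review bot: In `update` (and in `destroy`, `transfer` and `updateContentOrder` in the following hunks) `@CanManageContext` stays a docblock annotation while the `@NoAdminRequired` next to it becomes an attribute. How `@CanManageContext` is evaluated is not visible here, but leaving the only authorization marker of these methods in a comment makes it easy to delete during a later docblock cleanup, which would silently remove the manage check. If an attribute form exists it should be converted in this change. Otherwise mark the line, e.g. `* @CanManageContext (read from the docblock by the middleware, do not remove)`. The `show` hunk also leaves an empty ` *` line before the closing `*/` where the annotation was removed.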
@@ -195,9 +194,9 @@ protected function sanitizeInputNodes(array $nodes): array { * 403: No permissions * 404: Not found * - * @NoAdminRequired * @CanManageContext */ + #[NoAdminRequired] public function destroy(int $contextId): DataResponse { try { return new DataResponse($this->contextService->delete($contextId, $this->userId)->jsonSerialize()); @@ -222,12 +221,12 @@ public function destroy(int $contextId): DataResponse { * 403: No permissions * 404: Not found * - * @NoAdminRequired * @CanManageContext * * @psalm-param int<0, max> $contextId * @psalm-param int<0, 0> $newOwnerType */ + #[NoAdminRequired] public function transfer(int $contextId, string $newOwnerId, int $newOwnerType = 0): DataResponse { try { return new DataResponse($this->contextService->transfer($contextId, $newOwnerId, $newOwnerType)->jsonSerialize()); @@ -249,7 +248,6 @@ public function transfer(int $contextId, string $newOwnerId, int $newOwnerType = * * @return DataResponse|DataResponse * - * @NoAdminRequired * @CanManageContext * * 200: content updated successfully @@ -257,6 +255,7 @@ public function transfer(int $contextId, string $newOwnerId, int $newOwnerType = * 403: No permissions * 404: Not found */ + #[NoAdminRequired] public function updateContentOrder(int $contextId, int $pageId, array $content): DataResponse { try { $context = $this->contextService->findById($contextId, $this->userId); diff --git a/lib/Controller/ImportController.php b/lib/Controller/ImportController.php index 2fd1ffe213..5cf53a3773 100644 --- a/lib/Controller/ImportController.php +++ b/lib/Controller/ImportController.php @@ -13,6 +13,7 @@ use OCA\Tables\UploadException; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\Files\NotPermittedException; use OCP\IL10N; 
@@ -54,18 +55,15 @@ public function __construct( $this->l10n = $l10n; } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function previewImportTable(int $tableId, String $path): DataResponse { return $this->handleError(function () use ($tableId, $path) { return $this->service->previewImport($tableId, null, $path); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function importInTable(int $tableId, String $path, bool $createMissingColumns = true, array $columnsConfig = []): DataResponse { return $this->handleError(function () use ($tableId, $path, $createMissingColumns, $columnsConfig) { @@ -74,18 +72,15 @@ public function importInTable(int $tableId, String $path, bool $createMissingCol }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function previewImportView(int $viewId, String $path): DataResponse { return $this->handleError(function () use ($viewId, $path) { return $this->service->previewImport(null, $viewId, $path); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function importInView(int $viewId, String $path, bool $createMissingColumns = true, array $columnsConfig = []): DataResponse { return $this->handleError(function () use ($viewId, $path, $createMissingColumns, $columnsConfig) { 
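Review bot: `previewImportTable` is guarded with `PERMISSION_READ`, while `previewImportView` in this hunk group and `previewUploadImportTable`/`previewUploadImportView` in the next ones all require `PERMISSION_CREATE`. The preview reads a file at a caller-supplied `$path` for a target table, so it belongs to the import workflow and not to reading the table, and the other three previews treat it that way. For consistency I would use `#[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')]`. If READ is intended for the table case, a comment explaining why it differs from the view and upload variants is needed.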
@@ -94,9 +89,8 @@ public function importInView(int $viewId, String $path, bool $createMissingColum }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function previewUploadImportTable(int $tableId): DataResponse { try { $file = $this->getUploadedFile('uploadfile'); @@ -109,9 +103,7 @@ public function previewUploadImportTable(int $tableId): DataResponse { } } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function importUploadInTable(int $tableId, bool $createMissingColumns = true, string $columnsConfig = ''): DataResponse { try { @@ -127,9 +119,8 @@ public function importUploadInTable(int $tableId, bool $createMissingColumns = t } } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function previewUploadImportView(int $viewId): DataResponse { try { $file = $this->getUploadedFile('uploadfile'); @@ -142,9 +133,7 @@ public function previewUploadImportView(int $viewId): DataResponse { } } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] #[RequirePermission(permission: Application::PERMISSION_CREATE, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function importUploadInView(int $viewId, bool $createMissingColumns = true, string $columnsConfig = ''): DataResponse { try { diff --git a/lib/Controller/PageController.php b/lib/Controller/PageController.php index 72a6d678b5..5643d1b264 100644 --- a/lib/Controller/PageController.php +++ b/lib/Controller/PageController.php 
@@ -10,6 +10,9 @@ use OCA\Tables\AppInfo\Application; use OCA\Text\Event\LoadEditor; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; +use OCP\AppFramework\Http\Attribute\NoCSRFRequired; +use OCP\AppFramework\Http\Attribute\OpenAPI; use OCP\AppFramework\Http\TemplateResponse; use OCP\AppFramework\Services\IInitialState; use OCP\EventDispatcher\IEventDispatcher; @@ -29,12 +32,11 @@ public function __construct( } /** - * @NoAdminRequired - * @NoCSRFRequired - * @IgnoreOpenAPI - * * Render default template */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] public function index(): TemplateResponse { Util::addScript(Application::APP_ID, 'tables-main'); Util::addStyle(Application::APP_ID, 'grid'); @@ -49,14 +51,13 @@ public function index(): TemplateResponse { } /** - * @NoAdminRequired - * @NoCSRFRequired - * @IgnoreOpenAPI - * * Render default template * * @psalm-param int<0, max> $appId */ + #[NoAdminRequired] + #[NoCSRFRequired] + #[OpenAPI(scope: OpenAPI::SCOPE_IGNORE)] public function context(int $contextId): TemplateResponse { $navId = Application::APP_ID . '_application_' . $contextId; $this->navigationManager->setActiveEntry($navId); diff --git a/lib/Controller/RowController.php b/lib/Controller/RowController.php index 64084f8bb1..27dd9a5cf6 100644 --- a/lib/Controller/RowController.php +++ b/lib/Controller/RowController.php @@ -8,8 +8,10 @@ namespace OCA\Tables\Controller; use OCA\Tables\AppInfo\Application; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\Service\RowService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; 
@@ -36,36 +38,30 @@ public function __construct( $this->userId = $userId; } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function index(int $tableId): DataResponse { return $this->handleError(function () use ($tableId) { return $this->service->findAllByTable($tableId, $this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function indexView(int $viewId): DataResponse { return $this->handleError(function () use ($viewId) { return $this->service->findAllByView($viewId, $this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function show(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->find($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function update( int $id, int $columnId, @@ -84,9 +80,7 @@ public function update( }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function updateSet( int $id, ?int $viewId, @@ -106,17 +100,13 @@ public function updateSet( }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function destroy(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->delete($id, null, $this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function destroyByView(int $id, int $viewId): DataResponse { return $this->handleError(function () use ($id, $viewId) { return $this->service->delete($id, $viewId, $this->userId); diff --git a/lib/Controller/SearchController.php b/lib/Controller/SearchController.php index c719760ff2..297e4d1334 100644 --- a/lib/Controller/SearchController.php +++ b/lib/Controller/SearchController.php 
@@ -10,6 +10,7 @@ use OCA\Tables\AppInfo\Application; use OCA\Tables\Service\SearchService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; @@ -34,9 +35,7 @@ public function __construct( } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function all(string $term = ''): DataResponse { return $this->handleError(function () use ($term) { return $this->service->all($term); diff --git a/lib/Controller/ShareController.php b/lib/Controller/ShareController.php index 544875a284..40475a030b 100644 --- a/lib/Controller/ShareController.php +++ b/lib/Controller/ShareController.php @@ -11,6 +11,7 @@ use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\Service\ShareService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; 
@@ -37,36 +38,30 @@ public function __construct( } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function index(int $tableId): DataResponse { return $this->handleError(function () use ($tableId) { return $this->service->findAll('table', $tableId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'viewId')] public function indexView(int $viewId): DataResponse { return $this->handleError(function () use ($viewId) { return $this->service->findAll('view', $viewId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function show(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->find($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] #[RequirePermission(permission: Application::PERMISSION_MANAGE)] public function create( int $nodeId, @@ -85,9 +80,7 @@ public function create( }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function updatePermission(int $id, string $permission, bool $value): DataResponse { return $this->handleError(function () use ($id, $permission, $value) { return $this->service->updatePermission($id, $permission, $value); @@ -95,10 +88,10 @@ public function updatePermission(int $id, string $permission, bool $value): Data } /** - * @NoAdminRequired * @psalm-param int<0, 2> $displayMode * @psalm-param ("default"|"self") $target */ + #[NoAdminRequired] public function updateDisplayMode(int $id, int $displayMode, string $target = 'default') { return $this->handleError(function () use ($id, $displayMode, $target) { if ($target === 'default') { 
@@ -113,9 +106,7 @@ public function updateDisplayMode(int $id, int $displayMode, string $target = 'd }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function destroy(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->delete($id); diff --git a/lib/Controller/TableController.php b/lib/Controller/TableController.php index e7fe9e1d07..e22057d658 100644 --- a/lib/Controller/TableController.php +++ b/lib/Controller/TableController.php @@ -8,8 +8,10 @@ namespace OCA\Tables\Controller; use OCA\Tables\AppInfo\Application; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\Service\TableService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; 
@@ -36,45 +38,38 @@ public function __construct( } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function index(): DataResponse { return $this->handleError(function () { return $this->service->findAll($this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function show(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->find($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function create(string $title, string $template, string $emoji): DataResponse { return $this->handleError(function () use ($title, $template, $emoji) { return $this->service->create($title, $template, $emoji); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function destroy(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->delete($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'id')] public function update(int $id, ?string $title = null, ?string $emoji = null, ?bool $archived = null): DataResponse { return $this->handleError(function () use ($id, $title, $emoji, $archived) { return $this->service->update($id, $title, $emoji, null, $archived, $this->userId); diff --git a/lib/Controller/TableTemplateController.php b/lib/Controller/TableTemplateController.php index 7e37b434d6..52bfc295a9 100644 --- a/lib/Controller/TableTemplateController.php +++ b/lib/Controller/TableTemplateController.php 
@@ -10,6 +10,7 @@ use OCA\Tables\AppInfo\Application; use OCA\Tables\Service\TableTemplateService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; @@ -30,9 +31,7 @@ public function __construct( $this->service = $service; } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function list(): DataResponse { return $this->handleError(function () { return $this->service->getTemplateList(); diff --git a/lib/Controller/ViewController.php b/lib/Controller/ViewController.php index 5587297ddf..65f460503e 100644 --- a/lib/Controller/ViewController.php +++ b/lib/Controller/ViewController.php @@ -13,9 +13,11 @@ use OCA\Tables\Errors\InternalError; use OCA\Tables\Errors\NotFoundError; use OCA\Tables\Errors\PermissionError; +use OCA\Tables\Middleware\Attribute\RequirePermission; use OCA\Tables\Service\TableService; use OCA\Tables\Service\ViewService; use OCP\AppFramework\Controller; +use OCP\AppFramework\Http\Attribute\NoAdminRequired; use OCP\AppFramework\Http\DataResponse; use OCP\IRequest; use Psr\Log\LoggerInterface; 
@@ -50,61 +52,53 @@ public function __construct( } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function index(int $tableId): DataResponse { return $this->handleError(function () use ($tableId) { return $this->service->findAll($this->getTable($tableId), $this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] public function indexSharedWithMe(): DataResponse { return $this->handleError(function () { return $this->service->findSharedViewsWithMe($this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_READ, type: Application::NODE_TYPE_VIEW, idParam: 'id')] public function show(int $id): DataResponse { return $this->handleError(function () use ($id) { return $this->service->find($id); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_TABLE, idParam: 'tableId')] public function create(int $tableId, string $title, ?string $emoji): DataResponse { return $this->handleError(function () use ($tableId, $title, $emoji) { return $this->service->create($title, $emoji, $this->getTable($tableId, true)); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_VIEW, idParam: 'id')] public function update(int $id, array $data): DataResponse { return $this->handleError(function () use ($id, $data) { return $this->service->update($id, $data, $this->userId); }); } - /** - * @NoAdminRequired - */ + #[NoAdminRequired] + #[RequirePermission(permission: Application::PERMISSION_MANAGE, type: Application::NODE_TYPE_VIEW, idParam: 'id')] public function destroy(int $id): DataResponse { return $this->handleError(function () use ($id) { return 
$this->service->delete($id); }); } - /** * @param int $tableId * @param bool $skipTableEnhancement diff --git a/lib/Middleware/PermissionMiddleware.php b/lib/Middleware/PermissionMiddleware.php index 2848a0f6c8..c16d958cc6 100644 --- a/lib/Middleware/PermissionMiddleware.php +++ b/lib/Middleware/PermissionMiddleware.php @@ -106,6 +106,7 @@ protected function checkPermission(RequirePermission $attribute): void { } match ($attribute->getPermission()) { + Application::PERMISSION_READ => true, // this is guaranteed in the pre-test ^ Application::PERMISSION_MANAGE => $this->assertManagePermission($isContext, $nodeType, $nodeId), Application::PERMISSION_CREATE => $this->assertCreatePermissions($nodeType, $nodeId), Application::PERMISSION_UPDATE => $this->assertUpdatePermissions($nodeType, $nodeId), diff --git a/tests/integration/features/APIv2.feature b/tests/integration/features/APIv2.feature index 62ff7f1ae5..bc43fc76b2 100644 --- a/tests/integration/features/APIv2.feature +++ b/tests/integration/features/APIv2.feature @@ -45,9 +45,7 @@ Feature: APIv2 And user "participant1-v2" sees the following table attributes on table "t1" | favorite | 0 | When user "participant3-v2" adds the table "t1" to favorites - Then the last response should have a "403" status code - - + Then the last response should have a "404" status code @api2 Scenario: Basic column actions
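Review bot: This controller mixes two node types in its attributes, and nothing on the methods says which object the id belongs to. `index` and `create` check `Application::NODE_TYPE_TABLE` against `tableId`, while `show`, `update` and `destroy` check `Application::NODE_TYPE_VIEW` against `id`. Table ids and view ids are presumably separate number spaces, so a copy-pasted attribute with the wrong `type` would check permission on an unrelated object with the same number. The pairings in this hunk look consistent. Since the docblocks were removed outright, a one-line comment on the two table-scoped methods would help, e.g. `// permission is checked on the parent table ($tableId), not on a view`.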
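Review bot: The new `Application::PERMISSION_READ => true` arm performs no check of its own. It is only safe while the code above the `match` has already rejected callers without read access, and the comment `// this is guaranteed in the pre-test ^` states that only by position. If that earlier check is later made conditional or moved, every endpoint annotated with `permission: Application::PERMISSION_READ` would pass unchecked. I would reword the comment to name the dependency, e.g. `// no extra check: read access to the node is asserted before this match and must stay unconditional`, and add a test that a user without read access is rejected on a READ-annotated route. `checkPermission` starts before this hunk and the `match` continues after it, so the pre-check itself is not visible here.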
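Review bot: The expected status for `participant3-v2` adding table "t1" to favorites changes from "403" to "404", and nothing in the scenario records why. If this is because nodes the user cannot read are now reported as not found, a comment line above the step would capture the intent, e.g. `# no read access: answered with 404 so the table's existence is not disclosed`. That reason is inferred, not shown in this hunk. It is also worth confirming that the documented response codes for this endpoint, and any other scenario that still expects 403 for a user without read access, match the new behaviour. The scenario begins before this hunk.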