authorKate <26026535+provokateurin@users.noreply.github.com>2024-07-30 05:36:56 +0200
committerGitHub <noreply@github.com>2024-07-30 05:36:56 +0200
commit24a0d3e1014182bc43ffb5013de96f4639295850 (patch)
tree470f1ff3e0178f16799c33a6af58d546273058ad /apps/federatedfilesharing
parent016fbb93e06b7d15ea4ca3fc0d770cf06a6b0a65 (diff)
parente4e378350193a836bb1055b1190b914bddaa691b (diff)
Merge pull request #46805 from nextcloud/refactor/federatedfilesharing/security-attributes
Diffstat (limited to 'apps/federatedfilesharing')
-rw-r--r--apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php14
-rw-r--r--apps/federatedfilesharing/lib/Controller/RequestHandlerController.php42
2 files changed, 26 insertions, 30 deletions
diff --git a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
index e34ee77a550..b5b5806d335 100644
--- a/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
+++ b/apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php
@@ -11,7 +11,11 @@ use OCA\FederatedFileSharing\AddressHandler;
use OCA\FederatedFileSharing\FederatedShareProvider;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\BruteForceProtection;
+use OCP\AppFramework\Http\Attribute\NoAdminRequired;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\Http\JSONResponse;
use OCP\Constants;
use OCP\Federation\ICloudIdManager;
@@ -56,10 +60,6 @@ class MountPublicLinkController extends Controller {
/**
* send federated share to a user of a public link
*
- * @NoCSRFRequired
- * @PublicPage
- * @BruteForceProtection(action=publicLink2FederatedShare)
- *
* @param string $shareWith Username to share with
* @param string $token Token of the share
* @param string $password Password of the share
@@ -67,6 +67,9 @@ class MountPublicLinkController extends Controller {
* 200: Remote URL returned
* 400: Creating share is not possible
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
+ #[BruteForceProtection(action: 'publicLink2FederatedShare')]
public function createFederatedShare($shareWith, $token, $password = '') {
if (!$this->federatedShareProvider->isOutgoingServer2serverShareEnabled()) {
return new JSONResponse(
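Review bot: `#[BruteForceProtection(action: 'publicLink2FederatedShare')]` on `createFederatedShare` only registers an attempt when the returned response has been marked with `throttle()`, and none of the lines visible here do that. The method body continues past the hunk, so please confirm that the branches rejecting an unknown `$token` or a wrong `$password` call `$response->throttle()` before returning, while the "outgoing sharing disabled" branch shown here does not. Because the endpoint is also `#[PublicPage]` and `#[NoCSRFRequired]`, this attribute is the only rate limit on share-password guessing visible in the hunk. A short comment above the attributes would record that, e.g. `// public + CSRF-exempt: failed token/password checks must throttle()`.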
@@ -125,8 +128,6 @@ class MountPublicLinkController extends Controller {
/**
* ask other server to get a federated share
*
- * @NoAdminRequired
- *
* @param string $token
* @param string $remote
* @param string $password
@@ -135,6 +136,7 @@ class MountPublicLinkController extends Controller {
* @param string $name (only for legacy reasons, can be removed with legacyMountPublicLink())
* @return JSONResponse
*/
+ #[NoAdminRequired]
public function askForFederatedShare($token, $remote, $password = '', $owner = '', $ownerDisplayName = '', $name = '') {
// check if server admin allows to mount public links from other servers
if ($this->federatedShareProvider->isIncomingServer2serverShareEnabled() === false) {
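Review bot: The docblock for `askForFederatedShare` still gives no description for `$token`, `$remote` or `$password`, and with the annotation moved out of it nothing records that CSRF checking deliberately stays enabled for this logged-in endpoint. I would add descriptions such as `@param string $remote Address of the remote server, supplied by the caller` and one line stating that only `#[NoAdminRequired]` is set on purpose. `$remote` appears to be the host this server then contacts, so the docblock should also say where it is validated; the body continues outside the hunk, so that cannot be confirmed from here.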
diff --git a/apps/federatedfilesharing/lib/Controller/RequestHandlerController.php b/apps/federatedfilesharing/lib/Controller/RequestHandlerController.php
index c0fc7123a14..5edb80b016b 100644
--- a/apps/federatedfilesharing/lib/Controller/RequestHandlerController.php
+++ b/apps/federatedfilesharing/lib/Controller/RequestHandlerController.php
@@ -12,7 +12,9 @@ use OCA\FederatedFileSharing\FederatedShareProvider;
use OCA\FederatedFileSharing\Notifications;
use OCP\App\IAppManager;
use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
use OCP\AppFramework\Http\Attribute\OpenAPI;
+use OCP\AppFramework\Http\Attribute\PublicPage;
use OCP\AppFramework\OCS\OCSBadRequestException;
use OCP\AppFramework\OCS\OCSException;
use OCP\AppFramework\OCSController;
@@ -100,9 +102,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* create a new share
*
* @param string|null $remote Address of the remote
@@ -119,6 +118,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share created successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function createShare(
?string $remote = null,
?string $token = null,
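Review bot: `createShare` is reachable without a session (`#[PublicPage]`, `#[NoCSRFRequired]`) and is keyed on a share `$token`, yet unlike `createFederatedShare` in MountPublicLinkController it carries no `#[BruteForceProtection]`. The same holds for `reShare`, `acceptShare`, `declineShare`, `unshare`, `revoke`, `updatePermissions` and `move` in the hunks below. The commit preserves what the annotations did, so this is not a regression, but the attribute form makes the gap easy to see. Unless throttling already happens in the code these methods delegate to (not visible in these hunks), consider `#[BruteForceProtection(action: 'ACTION_NAME')]` (placeholder action name) together with a `throttle()` call on the token-mismatch path. The signature of `createShare` continues past the end of the hunk.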
@@ -173,9 +174,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* create re-share on behalf of another user
*
* @param int $id ID of the share
@@ -188,6 +186,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Remote share returned
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function reShare(int $id, ?string $token = null, ?string $shareWith = null, ?int $remoteId = 0) {
if ($token === null ||
$shareWith === null ||
@@ -223,9 +223,6 @@ class RequestHandlerController extends OCSController {
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* accept server-to-server share
*
* @param int $id ID of the remote share
@@ -237,6 +234,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share accepted successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function acceptShare(int $id, ?string $token = null) {
$notification = [
'sharedSecret' => $token,
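Review bot: `acceptShare` copies `$token` into `'sharedSecret'` without first rejecting `null`, even though the parameter is declared `?string $token = null` and `reShare` above opens with a `$token === null` guard. `declineShare` has the same shape. Whether the receiver of `$notification` rejects a missing secret is not visible here, as the body continues outside the hunk. An early guard would make the contract explicit on this public endpoint, for example `if ($token === null) { throw new OCSBadRequestException('token is required'); }` (message text constructed for illustration).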
@@ -259,9 +258,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* decline server-to-server share
*
* @param int $id ID of the remote share
@@ -271,6 +267,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share declined successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function declineShare(int $id, ?string $token = null) {
$notification = [
'sharedSecret' => $token,
@@ -293,9 +291,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* remove server-to-server share if it was unshared by the owner
*
* @param int $id ID of the share
@@ -305,6 +300,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share unshared successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function unshare(int $id, ?string $token = null) {
if (!$this->isS2SEnabled()) {
throw new OCSException('Server does not support federated cloud sharing', 503);
@@ -330,9 +327,6 @@ class RequestHandlerController extends OCSController {
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* federated share was revoked, either by the owner or the re-sharer
*
* @param int $id ID of the share
@@ -342,6 +336,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share revoked successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function revoke(int $id, ?string $token = null) {
try {
$provider = $this->cloudFederationProviderManager->getCloudFederationProvider('file');
@@ -372,9 +368,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* update share information to keep federated re-shares in sync
*
* @param int $id ID of the share
@@ -385,6 +378,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Permissions updated successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function updatePermissions(int $id, ?string $token = null, ?int $permissions = null) {
$ncPermissions = $permissions;
@@ -428,9 +423,6 @@ class RequestHandlerController extends OCSController {
}
/**
- * @NoCSRFRequired
- * @PublicPage
- *
* change the owner of a server-to-server share
*
* @param int $id ID of the share
@@ -442,6 +434,8 @@ class RequestHandlerController extends OCSController {
*
* 200: Share moved successfully
*/
+ #[NoCSRFRequired]
+ #[PublicPage]
public function move(int $id, ?string $token = null, ?string $remote = null, ?string $remote_id = null) {
if (!$this->isS2SEnabled()) {
throw new OCSException('Server does not support federated cloud sharing', 503);