Merge pull request #54702 from nextcloud/backport/54690/stable31

[stable31] fix(TaskProcessingApiController): Don't allow anonymous access anymore
2025-08-29 10:37:00 +07:00 · 2025-08-29 10:37:00 +07:00 · 7d87717d5c
parent 777c295195 a9610db902
commit 7d87717d5c
3 changed files with 3 additions and 12 deletions
--- a/core/Controller/TaskProcessingApiController.php
+++ b/core/Controller/TaskProcessingApiController.php
@ -13,11 +13,9 @@ namespace OC\Core\Controller;
 use OC\Core\ResponseDefinitions;
 use OC\Files\SimpleFS\SimpleFile;
 use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\Attribute\AnonRateLimit;
 use OCP\AppFramework\Http\Attribute\ApiRoute;
 use OCP\AppFramework\Http\Attribute\ExAppRequired;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
-use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\Attribute\UserRateLimit;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\StreamResponse;
@ -66,7 +64,7 @@ class TaskProcessingApiController extends \OCP\AppFramework\OCSController {
 	 *
 	 * 200: Task types returned
 	 */
-	#[PublicPage]
+	#[NoAdminRequired]
 	#[ApiRoute(verb: 'GET', url: '/tasktypes', root: '/taskprocessing')]
 	public function taskTypes(): DataResponse {
 		/** @var array<string, CoreTaskProcessingTaskType> $taskTypes */
@ -156,9 +154,8 @@ class TaskProcessingApiController extends \OCP\AppFramework\OCSController {
 	 * 412: Scheduling task is not possible
 	 * 401: Cannot schedule task because it references files in its input that the user doesn't have access to
 	 */
-	#[PublicPage]
 	#[UserRateLimit(limit: 20, period: 120)]
-	#[AnonRateLimit(limit: 5, period: 120)]
+	#[NoAdminRequired]
 	#[ApiRoute(verb: 'POST', url: '/schedule', root: '/taskprocessing')]
 	public function schedule(
 		array $input, string $type, string $appId, string $customId = '',
@ -199,7 +196,7 @@ class TaskProcessingApiController extends \OCP\AppFramework\OCSController {
 	 * 200: Task returned
 	 * 404: Task not found
 	 */
-	#[PublicPage]
+	#[NoAdminRequired]
 	#[ApiRoute(verb: 'GET', url: '/task/{id}', root: '/taskprocessing')]
 	public function getTask(int $id): DataResponse {
 		try {
--- a/core/openapi-full.json
+++ b/core/openapi-full.json
@ -4079,7 +4079,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },
@ -4152,7 +4151,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },
@ -4422,7 +4420,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },
--- a/core/openapi.json
+++ b/core/openapi.json
@ -4079,7 +4079,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },
@ -4152,7 +4151,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },
@ -4422,7 +4420,6 @@
                    "task_processing_api"
                ],
                "security": [
-                    {},
                    {
                        "bearer_auth": []
                    },