security: enforce CSRF protection on POST/DELETE export endpoints (Closes #171) #187

Merged
shahondin1624 merged 1 commit from feature/issue-171-csrf-export-endpoints into main 2026-04-10 18:50:26 +02:00
Owner

Summary

  • Removed #[NoCSRFRequired] from 8 POST/DELETE endpoints across ExportController (5 methods), ReportController (1 method), and DsgvoController (2 methods)
  • GET (read-only) endpoints retain #[NoCSRFRequired] per Nextcloud conventions
  • No frontend changes needed: @nextcloud/axios already sends CSRF tokens automatically
  • Added CsrfProtectionTest that verifies attribute placement via PHP reflection

Affected Endpoints

| Controller | Method | Verb | Change |
|---|---|---|---|
| ExportController | membersEncrypted | POST | Removed NoCSRFRequired |
| ExportController | feesEncrypted | POST | Removed NoCSRFRequired |
| ExportController | birthdaysEncrypted | POST | Removed NoCSRFRequired |
| ExportController | bundleSensitive | POST | Removed NoCSRFRequired |
| ExportController | bankingEncrypted | POST | Removed NoCSRFRequired |
| ReportController | encrypted | POST | Removed NoCSRFRequired |
| DsgvoController | export | POST | Removed NoCSRFRequired |
| DsgvoController | hardDelete | DELETE | Removed NoCSRFRequired |

Test plan

  • [x] All POST/DELETE endpoints no longer have #[NoCSRFRequired]
  • [x] All GET endpoints still have #[NoCSRFRequired]
  • [x] CsrfProtectionTest added to verify attribute presence via reflection
  • [ ] Manual: Verify encrypted export download still works from the UI (CSRF token sent by @nextcloud/axios)

Closes #171

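A reflection check of the kind the description mentions, as an added example (not the project's CsrfProtectionTest and not code from this PR). It assumes a method-to-verb map supplied by the caller; the stand-in attribute class, `SampleExportController`, `listExports` and `findCsrfExemptWrites` are hypothetical names, and `hardDelete` is left exempt on purpose so the check has something to report.

```php
<?php
declare(strict_types=1);

// Stand-in for OCP\AppFramework\Http\Attribute\NoCSRFRequired so this runs without Nextcloud.
#[Attribute(Attribute::TARGET_METHOD)]
final class NoCSRFRequired {}

// Constructed sample controller; two method names are borrowed from the PR's endpoint table.
final class SampleExportController {
    #[NoCSRFRequired]
    public function listExports(): void {}        // hypothetical GET endpoint, exemption kept

    public function membersEncrypted(): void {}   // POST, exemption removed

    #[NoCSRFRequired]
    public function hardDelete(): void {}         // DELETE, exemption left in place on purpose
}

/**
 * List every state-changing route whose handler still carries the CSRF exemption.
 * $routes maps method name => HTTP verb (assumed to mirror the app's route table).
 * @return string[] entries of the form "Class::method (VERB)"
 */
function findCsrfExemptWrites(string $class, array $routes): array {
    $safeVerbs = ['GET', 'HEAD', 'OPTIONS'];
    $findings = [];
    foreach ($routes as $method => $verb) {
        $verb = strtoupper($verb);
        if (in_array($verb, $safeVerbs, true)) {
            continue; // read-only routes may keep the exemption
        }
        // Throws ReflectionException when a route names a method that does not exist.
        $ref = new ReflectionMethod($class, $method);
        if ($ref->getAttributes(NoCSRFRequired::class) !== []) {
            $findings[] = "$class::$method ($verb)";
        }
    }
    return $findings;
}

$routes = ['listExports' => 'GET', 'membersEncrypted' => 'POST', 'hardDelete' => 'DELETE'];
$findings = findCsrfExemptWrites(SampleExportController::class, $routes);
foreach ($findings as $finding) {
    echo "CSRF-exempt write endpoint: $finding\n";
}
exit($findings === [] ? 0 : 1); // non-zero exit lets CI fail when an exemption slips back in
```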
shahondin1624 added 1 commit 2026-04-10 18:50:15 +02:00
Remove #[NoCSRFRequired] from all POST and DELETE endpoints in
ExportController, ReportController, and DsgvoController. GET (read-only)
endpoints retain the attribute as per Nextcloud conventions. The frontend
already sends CSRF tokens via @nextcloud/axios, so no frontend changes
are needed. Add CsrfProtectionTest to verify attribute placement via
reflection.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
shahondin1624 merged commit 58968331eb into main 2026-04-10 18:50:26 +02:00
shahondin1624 deleted branch feature/issue-171-csrf-export-endpoints 2026-04-10 18:50:26 +02:00