fix(security): NotificationSubscriptionsController — verify register/schema access

`create()` forwarded `registerId` / `schemaId` straight to the mapper.
The mapper validated only that at least one was non-null; never that
the caller has read access to the referenced register/schema, or that
they exist at all. Two issues:

1. A user could subscribe to any (register, schema) tuple in any
   tenant. Whether the downstream notification dispatcher re-checks
   permissions before sending is irrelevant — the subscription rows
   leak existence and let an attacker probe the schema namespace.
2. The mapper's success/404 distinction was a confirmed-existence
   channel for arbitrary integer IDs.

Inject `RegisterMapper` + `SchemaMapper` and call `find()` (with
default RBAC + multitenancy filters on) before insert. 404 on miss.

Refs: #1419 review (concern 7) — discussion_r3187494490

Author: rubenvdlinde

lib/Controller/NotificationSubscriptionsController.php

@@ -37,23 +37,29 @@
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\IRequest;
+use OCA\OpenRegister\Db\RegisterMapper;
+use OCA\OpenRegister\Db\SchemaMapper;
 use OCP\IUserSession;
 
 class NotificationSubscriptionsController extends Controller
 {
     /**
      * Constructor.
      *
-     * @param string                         $appName     App name.
-     * @param IRequest                       $request     Request.
-     * @param NotificationSubscriptionMapper $mapper      Subscription mapper.
-     * @param IUserSession                   $userSession Current-user session.
+     * @param string                         $appName        App name.
+     * @param IRequest                       $request        Request.
+     * @param NotificationSubscriptionMapper $mapper         Subscription mapper.
+     * @param IUserSession                   $userSession    Current-user session.
+     * @param RegisterMapper                 $registerMapper Register mapper for permission check.
+     * @param SchemaMapper                   $schemaMapper   Schema mapper for permission check.
      */
     public function __construct(
         string $appName,
         IRequest $request,
         private readonly NotificationSubscriptionMapper $mapper,
-        private readonly IUserSession $userSession
+        private readonly IUserSession $userSession,
+        private readonly RegisterMapper $registerMapper,
+        private readonly SchemaMapper $schemaMapper
     ) {
         parent::__construct(appName: $appName, request: $request);
 
@@ -105,6 +111,34 @@ public function create(): JSONResponse
         $registerId = $this->coerceNullableInt(value: ($params['registerId'] ?? null));
         $schemaId   = $this->coerceNullableInt(value: ($params['schemaId'] ?? null));
 
+        // SECURITY: load the referenced register/schema through the
+        // standard RBAC + multitenancy filter before persisting the
+        // subscription. Without this gate the mapper accepted any
+        // (registerId, schemaId) pair — letting a caller subscribe
+        // themselves to objects in other tenants and confirming the
+        // existence of arbitrary IDs via the success/404 channel.
+        if ($registerId !== null) {
+            try {
+                $this->registerMapper->find($registerId);
+            } catch (\Throwable $e) {
+                return new JSONResponse(
+                    data: ['error' => 'Register not found or not accessible'],
+                    statusCode: 404
+                );
+            }
+        }
+
+        if ($schemaId !== null) {
+            try {
+                $this->schemaMapper->find($schemaId);
+            } catch (\Throwable $e) {
+                return new JSONResponse(
+                    data: ['error' => 'Schema not found or not accessible'],
+                    statusCode: 404
+                );
+            }
+        }
+
         try {
             $entity = $this->mapper->subscribe(
                 userId: $userId,