fix(security): AuditTrailController — admin-only on clearAll + export

`clearAll()` and `export()` carried `@NoAdminRequired`. Two paths:

- `clearAll`: any authenticated caller could wipe every row in
  `oc_openregister_audit_trails`, breaking the AVG/GDPR Art 30 audit
  chain that operators rely on for supervisor review.
- `export`: any authenticated caller could dump every audit row in
  bulk (CSV/etc) without an organisation filter — cross-tenant recon
  with one request.

Add a `requireAdmin()` body-level gate (returns 401/403 JSONResponse
or null). Keep `@NoAdminRequired` at the framework level so existing
non-admin UI flows that touch other endpoints (`index`, `show`,
`objects`, hash-chain verification) still load — those don't trip
this gate.

`index` cross-tenant scoping is a deeper RBAC question (audit rows
have an `organisation` column but the existing LogService doesn't
filter by it); left for follow-up.

Refs: #1419 review (off-diff blocker — top-level comment 4378205122)

Author: rubenvdlinde

lib/Controller/AuditTrailController.php

@@ -64,11 +64,45 @@ public function __construct(
         IRequest $request,
         private readonly LogService $logService,
         private readonly AuditTrailMapper $auditTrailMapper,
-        private readonly AuditHashService $auditHashService
+        private readonly AuditHashService $auditHashService,
+        private readonly \OCP\IUserSession $userSession,
+        private readonly \OCP\IGroupManager $groupManager
     ) {
         parent::__construct(appName: $appName, request: $request);
     }//end __construct()
 
+    /**
+     * Gate destructive / bulk-export audit operations on admin membership.
+     *
+     * SECURITY: `clearAll` wipes the entire audit table — a chain of
+     * trust for AVG/GDPR Art 30 reviews. `export` dumps every row in
+     * bulk and is an obvious recon path across tenants. Both surfaces
+     * stay `@NoAdminRequired` at the framework level so the existing
+     * UI keeps loading, but reject non-admin callers in the body.
+     *
+     * @return JSONResponse|null 401/403 response when blocked, null when allowed.
+     */
+    private function requireAdmin(): ?JSONResponse
+    {
+        $user = $this->userSession->getUser();
+        if ($user === null) {
+            return new JSONResponse(
+                data: ['error' => 'Authentication required'],
+                statusCode: 401
+            );
+        }
+
+        if ($this->groupManager->isAdmin($user->getUID()) === false) {
+            return new JSONResponse(
+                data: ['error' => 'Forbidden: this audit-trail operation is admin-only'],
+                statusCode: 403
+            );
+        }
+
+        return null;
+
+    }//end requireAdmin()
+
     /**
      * Extract pagination, filter, and search parameters from request
      *
@@ -345,6 +379,10 @@ public function objects(string $register, string $schema, string $id): JSONRespo
      */
     public function export(): JSONResponse
     {
+        if (($denial = $this->requireAdmin()) !== null) {
+            return $denial;
+        }
+
         // Extract request parameters.
         $params = $this->extractRequestParameters();
 
@@ -453,6 +491,10 @@ public function destroyMultiple(): JSONResponse
      */
     public function clearAll(): JSONResponse
     {
+        if (($denial = $this->requireAdmin()) !== null) {
+            return $denial;
+        }
+
         try {
             // Use the clearAllLogs method from the mapper.
             $result = $this->auditTrailMapper->clearAllLogs();