fix(security): ScopesController — add @NoAdminRequired + drop _multitenancy:false

rubenvdlinde · rubenvdlinde · commit a9759fe60317 · 2026-05-07T10:07:32.000+02:00
`/api/scopes` is documented as a discovery endpoint any authed user should be able to call to drive frontend feature gates. But the docblock only carries `@NoCSRFRequired`, so the framework was demanding admin membership before the body ran — defeating the point of self-discovery. Two compounding issues: 1. Add `@NoAdminRequired` so non-admin callers reach the body. The body's anonymous + per-caller permission computation already handles authorization correctly from there. 2. Drop `_multitenancy: false` from the four register/schema lookups. With it set, discovery returned every register/schema slug across every tenant — a complete cross-tenant data-shape map for any tenant user. Only RBAC stays bypassed because the body reduces the actions per-caller downstream. Refs: #1419 review (concern 1) — discussion_r3187494453
diff --git a/lib/Controller/ScopesController.php b/lib/Controller/ScopesController.php
@@ -110,6 +110,7 @@ public function __construct(
      *
      * @return JSONResponse The effective-scope envelope.
      *
+     * @NoAdminRequired
      * @NoCSRFRequired
      */
     public function index(?string $register=null, ?string $schema=null): JSONResponse
@@ -173,10 +174,12 @@ private function resolveRegisters(?string $filter): array
     {
         if ($filter !== null && $filter !== '') {
             try {
+                // SECURITY: keep multitenancy filter on so the discovery
+                // endpoint cannot enumerate registers across tenants. Body
+                // already short-circuits on anonymous + admin paths.
                 $register = $this->registerMapper->find(
                     $filter,
-                    _rbac: false,
-                    _multitenancy: false
+                    _rbac: false
                 );
                 if ($register === null) {
                     return [];
@@ -189,9 +192,11 @@ private function resolveRegisters(?string $filter): array
         }
 
         try {
+            // SECURITY: tenant-scope discovery via the default multitenancy
+            // filter; only RBAC is bypassed because the body computes the
+            // per-caller permission verdict downstream.
             return $this->registerMapper->findAll(
-                _rbac: false,
-                _multitenancy: false
+                _rbac: false
             );
         } catch (\Throwable $e) {
             return [];
@@ -210,10 +215,10 @@ private function resolveSchemas(?string $filter): array
     {
         if ($filter !== null && $filter !== '') {
             try {
+                // SECURITY: see resolveRegisters() — keep multitenancy on.
                 $schema = $this->schemaMapper->find(
                     $filter,
-                    _rbac: false,
-                    _multitenancy: false
+                    _rbac: false
                 );
                 if ($schema === null) {
                     return [];
@@ -226,9 +231,9 @@ private function resolveSchemas(?string $filter): array
         }
 
         try {
+            // SECURITY: see resolveRegisters() — keep multitenancy on.
             return $this->schemaMapper->findAll(
-                _rbac: false,
-                _multitenancy: false
+                _rbac: false
             );
         } catch (\Throwable $e) {
             return [];
