fix(security): RealtimeController — add @NoAdminRequired + per-org cursor

Two issues, one commit:

1. Both `events()` and `cursor()` only carried `@NoCSRFRequired`. The
   docblock contract assumes non-admins can poll, but without
   `@NoAdminRequired` the framework gate would have blocked them
   before the body ran.
2. `cursor()` returned `getMaxId()` — the global head pointer across
   every tenant. Any authed caller could observe the global write
   rate (and infer other tenants' activity) by polling.

Add `@NoAdminRequired` to both methods. Replace `getMaxId()` with a
new `getMaxIdForOrganisation()` mapper method scoped to the active
organisation. Active org `null` ⇒ cursor `0` (fail-closed).

Refs: #1419 review (concern 2) — discussion_r3187494457

Author: rubenvdlinde

lib/Controller/RealtimeController.php

@@ -72,6 +72,7 @@ public function __construct(
      *
      * @return JSONResponse JSON response with events, cursor, and hasMore.
      *
+     * @NoAdminRequired
      * @NoCSRFRequired
      */
     public function events(
@@ -136,13 +137,31 @@ public function events(
      *
      * @return JSONResponse JSON response containing the current head cursor.
      *
+     * @NoAdminRequired
      * @NoCSRFRequired
      */
     public function cursor(): JSONResponse
     {
+        // SECURITY: scope the cursor to the caller's active organisation.
+        // Returning the global head pointer let any authed caller observe
+        // the global write rate by polling — small but real cross-tenant
+        // side channel. With no active org, return 0 (fail-closed) so
+        // there is no head pointer to mine.
+        $orgUuid = null;
+        try {
+            $activeOrg = $this->organisationService->getActiveOrganisation();
+            $orgUuid   = $activeOrg?->getUuid();
+        } catch (\Throwable $e) {
+            $orgUuid = null;
+        }
+
+        if ($orgUuid === null) {
+            return new JSONResponse(['cursor' => 0]);
+        }
+
         return new JSONResponse(
                 [
-                    'cursor' => $this->eventMapper->getMaxId(),
+                    'cursor' => $this->eventMapper->getMaxIdForOrganisation($orgUuid),
                 ]
                 );
     }//end cursor()

lib/Db/RealtimeEventMapper.php

@@ -115,6 +115,33 @@ public function getMaxId(): int
         return (int) ($result['max_id'] ?? 0);
     }//end getMaxId()
 
+    /**
+     * Get the highest event id scoped to a specific organisation.
+     *
+     * SECURITY: the unfiltered `getMaxId()` returns the global head
+     * pointer, which lets any caller observe the global write rate by
+     * polling. Per-organisation cursors prevent that side-channel.
+     *
+     * @param string $organisationUuid Organisation UUID.
+     *
+     * @return int Highest event id for the organisation, or 0 when none.
+     */
+    public function getMaxIdForOrganisation(string $organisationUuid): int
+    {
+        $qb = $this->db->getQueryBuilder();
+        $qb->select($qb->createFunction('MAX(id) AS max_id'))
+            ->from('openregister_realtime_events')
+            ->where(
+                $qb->expr()->eq(
+                    'organisation',
+                    $qb->createNamedParameter($organisationUuid)
+                )
+            );
+        $result = $qb->executeQuery()->fetch();
+        return (int) ($result['max_id'] ?? 0);
+
+    }//end getMaxIdForOrganisation()
+
     /**
      * Prune events older than `$retentionSeconds`. Used by a daily TimedJob
      * to keep the event log bounded.