Avoid undefined array key sharing request

[kesselb]

Summary

Avoid an undefined array key warning when sending a malformed share request.

I will send a follow up to integrate with config lexicon.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)
• Labels added where applicable (ex: bug/enhancement, 3. to review, feature component)
• Milestone added for target branch/version (ex: 32.x for stable32)

AI (if applicable)

• The content of this PR was partly or fully generated using AI

[kesselb]

/backport to stable33

[kesselb]

/backport to stable32

[Copilot]

Pull request overview

Note

Copilot was unable to run its full agentic suite in this review.

This PR hardens DAV share request handling to avoid undefined array key warnings on malformed XML, and adds per-user rate limiting for share requests.

Changes:

• Add RateLimiting service and enforce it in the DAV Sharing Plugin POST handler.
• Validate share requests (must include 1–10 set/remove elements) and reject invalid payloads with BadRequest.
• Update and expand unit tests for sharing and rate limiting; remove redundant CardDAV sharing plugin test.

Reviewed changes

Copilot reviewed 9 out of 9 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
apps/dav/lib/DAV/Sharing/Plugin.php	Adds rate-limit enforcement and request validation for share POSTs.
apps/dav/lib/DAV/Sharing/Xml/ShareRequest.php	Handles null XML element lists and introduces a constant for the share element QName.
apps/dav/lib/DAV/Security/RateLimiting.php	New rate limiting helper for share requests.
apps/dav/lib/Server.php	Injects RateLimiting into the sharing plugin for calendars/addressbooks.
apps/dav/tests/unit/DAV/Sharing/PluginTest.php	Updates plugin construction and adds tests for invalid share requests.
apps/dav/tests/unit/DAV/Security/RateLimitingTest.php	New unit tests for rate limiting behavior.
apps/dav/tests/unit/CardDAV/Sharing/PluginTest.php	Removes an older/redundant test.
apps/dav/composer/composer/autoload_static.php	Adds classmap entry for the new rate limiting class.
apps/dav/composer/composer/autoload_classmap.php	Adds classmap entry for the new rate limiting class.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.