Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(quality): enumeration guard, value cap, attribute migration, concurrency lock, group-resolution — M3, M6, M7, M8, L5#348

Merged
rubenvdlinde merged 2 commits into
developmentfrom
fix/misc-quality
May 27, 2026
Merged

fix(quality): enumeration guard, value cap, attribute migration, concurrency lock, group-resolution — M3, M6, M7, M8, L5#348
rubenvdlinde merged 2 commits into
developmentfrom
fix/misc-quality

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Test plan

  • searchSharees?query=a → empty result (was returning matches)
  • searchSharees?query=ab → matches as before
  • setPreference with value >8192 bytes → HTTP 400
  • getPreference / setPreference still work for non-admin users (attributes in effect)
  • Concurrent admin calls to POST /admin/showcases/{id}/install → second call gets error, no duplicate dashboards
  • DashboardMetadataController group-share membership still checked correctly

🤖 Generated with Claude Code

… concurrency lock, group-resolution unification — M3, M6, M7, M8, L5

M3 (#331): raise searchSharees minimum query length from 1 to 2
characters — limits single-character a..z user/group directory sweeps
consistent with NC's own share-autocomplete threshold.

M6 (#334): PreferencesController::setPreference now rejects values
longer than 8192 bytes (HTTP 400) to prevent unbounded oc_preferences
row growth from malicious callers.

M7 (#335): PreferencesController @NoAdminRequired / @NoCSRFRequired
docblock annotations converted to PHP 8 attribute form
(#[NoAdminRequired], #[NoCSRFRequired]) for forward-compatibility with
NC 30+ strict-attribute mode.

M8 (#336): DemoShowcasesService::installShowcase acquires an exclusive
ILockingProvider advisory lock before the existence check, preventing
duplicate dashboard rows from concurrent installs of the same showcase.

L5 (#341): DashboardMetadataController::canRead and canWrite now call
AdminTemplateService::getUserGroupIdsFor (REQ-TMPL-013 — single source
of truth) instead of IGroupManager::isInGroup directly, keeping virtual
group resolution consistent with the service layer.
…etadataController conflict

PRs 345-347 merged to development first; DashboardMetadataController was
touched by both #345 (H5: delegate to PermissionService) and this branch
(L5: use AdminTemplateService). Taking development's version as it already
applies the stronger H5+L5 combined fix via PermissionService.
@rubenvdlinde rubenvdlinde merged commit 02b58a4 into development May 27, 2026
@rubenvdlinde rubenvdlinde deleted the fix/misc-quality branch May 27, 2026 17:23
This was referenced May 27, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant