Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix: CSRF policy, orphan store removal, test dir consolidation (C2+M1+M3+M4+L1)#95

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/pr-b-csrf-store-versions
May 28, 2026
Merged

fix: CSRF policy, orphan store removal, test dir consolidation (C2+M1+M3+M4+L1)#95
rubenvdlinde merged 1 commit into
developmentfrom
fix/pr-b-csrf-store-versions

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

  • C2/L1: Drop @NoCSRFRequired from PreferencesController setPreference and getPreference. Per project policy, @NoCSRFRequired is OR-only. Both are user-session endpoints that need CSRF protection.
  • M4: Add @NoCSRFRequired to MetricsController::index with explicit rationale comment — Prometheus scrapers have no CSRF token; admin-auth replaces it per ADR-006. Documented exception to policy.
  • M1: Delete src/store/store.js + src/store/modules/settings.js — orphan files with no importers.
  • M3: Consolidate tests/Unit/ (capital U) into tests/unit/ (lowercase). Both existed simultaneously. phpunit.xml updated to reference only tests/unit/.

Test plan

  • Verify no test regressions (unit tests still discovered and passing)
  • Verify PreferencesController endpoints require CSRF token
  • Metrics endpoint accessible to Prometheus with admin credentials
  • composer check:strict passes

…+M3+M4+L1)

- C2/L1: Drop @NoCSRFRequired from PreferencesController setPreference and
  getPreference — per project policy, @NoCSRFRequired is OR-only. Both methods
  are user-session endpoints with CSRF protection required.
- M4: Add @NoCSRFRequired to MetricsController::index with explicit rationale
  comment — Prometheus scrapers have no CSRF token; admin-auth replaces it per
  ADR-006. This is the documented exception to the policy.
- M1: Delete src/store/store.js and src/store/modules/settings.js — these were
  orphan bespoke Pinia store files with no importers anywhere in the codebase.
- M3: Consolidate tests/Unit/ (capital U) into tests/unit/ (lowercase) — both
  directories existed simultaneously with disjoint content. phpunit.xml updated
  to reference only tests/unit/ going forward.
@rubenvdlinde rubenvdlinde merged commit 1a1aeb3 into development May 28, 2026
rubenvdlinde added a commit that referenced this pull request May 28, 2026
…+M3+M4+L1) (#95)

- C2/L1: Drop @NoCSRFRequired from PreferencesController setPreference and
  getPreference — per project policy, @NoCSRFRequired is OR-only. Both methods
  are user-session endpoints with CSRF protection required.
- M4: Add @NoCSRFRequired to MetricsController::index with explicit rationale
  comment — Prometheus scrapers have no CSRF token; admin-auth replaces it per
  ADR-006. This is the documented exception to the policy.
- M1: Delete src/store/store.js and src/store/modules/settings.js — these were
  orphan bespoke Pinia store files with no importers anywhere in the codebase.
- M3: Consolidate tests/Unit/ (capital U) into tests/unit/ (lowercase) — both
  directories existed simultaneously with disjoint content. phpunit.xml updated
  to reference only tests/unit/ going forward.
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant