Skip to content
This repository was archived by the owner on May 29, 2026. It is now read-only.

fix(security): clear Bucket-B (ADR-023 + auth/routing)#627

Merged
rubenvdlinde merged 1 commit into
developmentfrom
fix/bucket-b-adr023
May 26, 2026
Merged

fix(security): clear Bucket-B (ADR-023 + auth/routing)#627
rubenvdlinde merged 1 commit into
developmentfrom
fix/bucket-b-adr023

Conversation

@rubenvdlinde

Copy link
Copy Markdown
Contributor

Summary

Clears Bucket-B security gates for procest per ADR-022/ADR-023. Fixes gates 5, 6, 7, 9, 14 only. Gate-17 (redundant-controller) passed as a bonus.

Closes #625


Gate-by-gate before → after

Gate Before After
5 route-auth FAIL PASS
6 orphan-auth FAIL PASS
7 no-admin-idor FAIL PASS
9 semantic-auth FAIL PASS
14 route-reachability FAIL PASS
17 redundant-controller (not targeted) PASS (bonus)

Pre-existing failures not in scope (left red): gate-3 stub-scan (BerichtenboxReadStatusJob), gate-8 unsafe-auth-resolver (2 sites in ZgwService).


Auth posture summary (ADR-023)

Posture Controllers Pattern applied
Admin plumbing / credentials AiController, CaseDefinitionController, ParafeerRouteController, SettingsController, TenantController, ZgwMappingController #[AuthorizedAdminSetting(Application::APP_ID)]
Public / system-to-system AcController, BrcController, DrcController, NrcController, ZrcController, ZtcController, StufController Removed redundant @NoAdminRequired from @PublicPage methods
User action / read All remaining user controllers @NoAdminRequired + Http::STATUS_UNAUTHORIZED guard

Routes changed

  • Renamed 9 snake_case controller slugs to camelCase to align with gate-14 expected names: parafeer_actie→parafeerActie, zgw_mapping→zgwMapping, case_definition→caseDefinition, gis_proxy→gisProxy, wms_wfs→wmsWfs, parafeer_route→parafeerRoute, parafering_audit_export→paraferingAuditExport, status_transition→statusTransition, public_appointment→publicAppointment
  • Added missing route blocks for 5 unrouted controllers: BerichtenboxController, ConsultationController, EmailController, TemplateController, MilestoneController

Gate-6 orphan removal

Three truly-orphaned methods with zero callers were removed entirely (rather than made private to avoid PHPStan unused-method errors):

  • ChecklistService::validateCompletion
  • TenantService::isUserInTenant
  • WmsWfsService::validateLayer (and its private isUrlAllowed helper)

PHPStan

Baseline regenerated to suppress the known fleet FP (AuthorizedAdminSetting class-string — Application::APP_ID is a string not a class-string<IDelegatedSettings>; same FP as all other fleet apps).

Result: [OK] No errors

@rubenvdlinde rubenvdlinde merged commit 375c47a into development May 26, 2026
@rubenvdlinde rubenvdlinde deleted the fix/bucket-b-adr023 branch May 26, 2026 15:09
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant