This repository was archived by the owner on May 29, 2026. It is now read-only.

feat(security): ADR-023 action authorization reference (ActionAuthService + admin matrix UI) #310

Merged: rubenvdlinde merged 1 commit into development from feature/adr-023-action-auth on May 26, 2026

@rubenvdlinde

Contributor

What

Reference implementation of ADR-023 action-level authorization on MyDash. Ports the kit that lived only in nextcloud-app-template, adds the missing admin matrix UI, and wires requireAction() into the two biggest controllers.

Backend kit (ported from nextcloud-app-template)

  • lib/Service/ActionAuthService.php: requireAction() / can() / getMatrix() / setMatrix() / getAllowedGroups() / getActions(); admins always pass, matrix stored in IAppConfig under key actions, default-deny.
  • lib/Repair/InitializeActions.php — seeds the matrix on install/upgrade, preserving any admin customization. Registered in appinfo/info.xml <repair-steps> (<install> + <post-migration>).
  • lib/actions.seed.json: full 74-action taxonomy generated from the gate-7 scan (every flagged controller method, domain.verb kebab-case), every value defaults to ["admin"] (ADR-023 safe posture).

Admin matrix API + UI

  • lib/Controller/ActionMatrixController.php: GET/PUT /api/admin/action-matrix, both gated by #[AuthorizedAdminSetting(mydash)] (admin-only at the middleware layer, no in-body check). GET returns {matrix, actions (union of matrix + seed keys), groups}.
  • src/components/admin/ActionAuthMatrix.vue — table editor (one row per action, one column per group, NcCheckboxRadioSwitch per cell; admin column always-on/disabled). Mounted as a new section in AdminSettings.vue. New api.getActionMatrix() / api.updateActionMatrix() helpers.

Wired controllers (the core)

DashboardApiController + WidgetApiController now inject IUserSession + ActionAuthService. Governance/shared mutations are gated via requireAction(); reads + personal-preference writes get an authentication check only (data RBAC scopes them via OpenRegister).

Gated (requireAction):

  • Dashboard: update → dashboard.update, delete → dashboard.delete, activate → dashboard.activate, publish → dashboard.publish, unpublish → dashboard.unpublish, schedule → dashboard.schedule
  • Widget: addWidget → widget.add-widget, addTile → widget.add-tile, updatePlacement → widget.update-placement, removePlacement → widget.remove-placement

Auth-check only (reads / personal prefs): Dashboard list, visible, getActive, show, tree, byPath, computePath, listGroup, getGroup, setActiveDashboard, setDefaultDashboard, getDefaultDashboard, viewEvent; Widget listAvailable, getItems, newsItems, calendarEvents.

Verification

  • composer install ✅; php -l clean on all 5 changed/new PHP files.
  • phpcs clean on the 3 new files; the 2 edited controllers match their exact pre-existing baselines (Dashboard 123, Widget 21 — zero net new violations).
  • gate-7 (no-admin-idor): 74 → 47 findings; DashboardApiController + WidgetApiController now fully clean (−27).
  • npm ci + npm run build ✅ exit 0 (only pre-existing size/floating-vue warnings). No package-lock churn staged.

Follow-up

The matrix defaults admin-only (ADR-023 safe posture); admins broaden via the new UI. Wiring requireAction() into the remaining 17 controllers (47 methods) is a tracked follow-up: DashboardTranslationApiController (6), MetadataAdminController (5), TileApiController (4), RuleApiController (4), DashboardVersionApiController (4), DashboardReactionApiController (4), AnalyticsController (4), ResourceServeController (2), ResourceController (2), DashboardMetadataController (2), DashboardLockApiController (2), DashboardCommentsApiController (2), AdminOrgNavigationController (2), TemplateController (1), PeopleWidgetController (1), ManifestController (1), AdminController (1).

Note: NO Co-Authored-By trailer.
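
The matrix semantics the description lists (default-deny, admins always pass, seeding that preserves admin customization), as an added sketch that is not code from this PR or from MyDash. The class name `ActionMatrixSketch`, the exception type, the in-memory array standing in for IAppConfig, and treating membership of the `admin` group as the admin test are all assumptions.

```php
<?php
declare(strict_types=1);

// Added sketch, not MyDash code: class name, exception type and the in-memory
// matrix are assumptions; the PR's service keeps the matrix in IAppConfig.
final class ActionMatrixSketch
{
    /** @param array<string, list<string>> $matrix action => allowed group ids */
    public function __construct(private array $matrix) {}

    /** Seed merge: add actions that are missing, never overwrite an existing row. */
    public function seed(array $seed): void
    {
        $this->matrix += $seed; // array union keeps the left-hand (customized) rows
    }

    /** @param list<string> $userGroups */
    public function can(string $action, array $userGroups): bool
    {
        if (in_array('admin', $userGroups, true)) {
            return true; // admins always pass (assumed: admin == 'admin' group)
        }
        // Default-deny: an action with no row, or an empty row, allows nobody.
        $allowed = $this->matrix[$action] ?? [];
        return array_intersect($allowed, $userGroups) !== [];
    }

    public function requireAction(string $action, array $userGroups): void
    {
        if (!$this->can($action, $userGroups)) {
            throw new RuntimeException("Action not permitted: {$action}");
        }
    }
}

// Constructed sample data: one row an admin has already broadened to "editors".
$auth = new ActionMatrixSketch(['dashboard.update' => ['admin', 'editors']]);
$auth->seed([
    'dashboard.update' => ['admin'], // seed value must not reset the broadened row
    'dashboard.delete' => ['admin'],
]);

var_dump($auth->can('dashboard.update', ['editors'])); // editor on the broadened row
var_dump($auth->can('dashboard.delete', ['editors'])); // editor on a seeded row
var_dump($auth->can('widget.unknown', ['editors']));   // action absent from the matrix
var_dump($auth->can('widget.unknown', ['admin']));     // admin on an absent action
$auth->requireAction('dashboard.delete', ['admin']);   // gate call as a controller would make it
```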

…in matrix UI + wire Dashboard/Widget controllers)
@rubenvdlinde rubenvdlinde merged commit 3b7feb6 into development May 26, 2026
42 of 46 checks passed
@rubenvdlinde rubenvdlinde deleted the feature/adr-023-action-auth branch May 26, 2026 09:57
@github-actions

Contributor

Quality Report — ConductionNL/mydash @ a5c8178

Check PHP Vue Security License Tests
lint
phpcs
phpmd
psalm
phpstan
phpmetrics
eslint
stylelint
composer ✅ 100/100
npm ✅ 414/414
PHPUnit ⏭️
Newman ⏭️
Playwright ⏭️

Quality workflow — 2026-05-26 09:57 UTC

Download the full PDF report from the workflow artifacts.
