marcel/familienarchiv
1
0
Fork 0
Code Issues 126 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: remove spring-boot-starter-data-rest (security vulnerability)

Browse Source 
Data REST was auto-exposing raw JPA repository endpoints (/appUsers,
/documents, /persons, /userGroups, etc.) that completely bypass the
@RequirePermission AOP checks — effectively making the entire database
readable and writable without authentication.

All API needs are covered by the custom controllers. The generated
api.ts is reverted to the stub until npm run generate:api is re-run
against the cleaned backend.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-03-15 14:22:41 +01:00
parent 0cfbf8d695
commit 6c723aeb8c
1 changed files with 0 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
backend/pom.xml
View File

@@ -38,10 +38,6 @@
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-jpa</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-rest</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc</artifactId>
@@ -79,11 +75,6 @@
<artifactId>spring-boot-starter-data-jpa-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-data-rest-test</artifactId>
<scope>test</scope>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-jdbc-test</artifactId>