Export submit returns 403 for the seeded hello-world app — isAuthorisedForApplication RBAC fallback can't resolve a published slug #36

@rubenvdlinde

POST /apps/openbuilt/api/applications/hello-world/exports returns 403 {"error":"Forbidden."} for the admin user against the seeded hello-world Application (both in the dev container and CI).

Root cause: ExportsController::isAuthorisedForApplication() — when OCA\OpenBuilt\Service\RbacService is absent (it is — spec #7 shipped no such class) — falls back to ObjectService::find($applicationSlug) without register/schema context. OR's ObjectService::find() uses $this->currentRegister/$this->currentSchema (null here), so a slug-only lookup against the openbuilt/application schema returns null, and the controller denies.

The manifest endpoint resolves the same slug fine because it goes through the built-app-route lookup. The export authz fallback should do the same — resolve {slug} via built-app-route (or pass register: 'openbuilt', schema: 'application' to find() and filter by slug) before deciding access.

Found while fixing the Newman chain collections (#33). The openbuilt-export-to-real-app collection currently accepts 403 as a documented (buggy) outcome with a comment pointing here; once this is fixed it should flip to asserting 202 strictly.
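The failure mode described in this issue, as an added example that is not code from the issue author or from OpenBuilt/OpenRegister: a slug-only lookup that misses because no register/schema scope is set, next to the same fail-closed check with explicit scope. `FakeObjectService`, both `isAuthorised*` functions and the `admins` field are hypothetical stand-ins; the real `ObjectService::find()` signature and the real access rule are not shown on this page.

```php
<?php
declare(strict_types=1);

// Simplified stand-in for an object store that scopes lookups by
// register/schema. Hypothetical model, NOT OpenRegister's ObjectService.
final class FakeObjectService
{
    public function __construct(
        private array $store,
        private ?string $currentRegister = null,
        private ?string $currentSchema = null,
    ) {}

    public function find(string $slug, ?string $register = null, ?string $schema = null): ?array
    {
        $register ??= $this->currentRegister;
        $schema   ??= $this->currentSchema;
        if ($register === null || $schema === null) {
            return null; // no scope to search in: the lookup silently misses
        }
        return $this->store[$register][$schema][$slug] ?? null;
    }
}

// Fallback as described in the issue: slug-only lookup, deny on null.
function isAuthorisedSlugOnly(FakeObjectService $objects, string $slug, string $uid): bool
{
    $app = $objects->find($slug);
    return $app !== null && in_array($uid, $app['admins'], true);
}

// Same fail-closed decision, but the lookup carries explicit scope.
// The "admins" membership test is an assumed access rule for illustration.
function isAuthorisedScoped(FakeObjectService $objects, string $slug, string $uid): bool
{
    $app = $objects->find($slug, register: 'openbuilt', schema: 'application');
    return $app !== null && in_array($uid, $app['admins'], true);
}

// Constructed sample data: one seeded application administered by "admin".
$objects = new FakeObjectService([
    'openbuilt' => ['application' => ['hello-world' => ['admins' => ['admin']]]],
]);

var_dump(isAuthorisedSlugOnly($objects, 'hello-world', 'admin')); // slug-only: the reported 403 path
var_dump(isAuthorisedScoped($objects, 'hello-world', 'admin'));   // scoped lookup, authorised user
var_dump(isAuthorisedScoped($objects, 'hello-world', 'guest'));   // scoped lookup, unauthorised user
var_dump(isAuthorisedScoped($objects, 'no-such-app', 'admin'));   // scoped lookup, unknown slug
```

The last two calls are the cases a regression test for the fix should keep denying, so that resolving the slug correctly does not loosen the check.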
