nextcloud · ChristophWurst · Feb 17, 2026 · Feb 17, 2026
@@ -41,6 +41,10 @@ public function __construct(
 	 */
 	#[TrapError]
 	public function setAddress(string $address, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::error('User not found', Http::STATUS_UNAUTHORIZED);
+		}
+
 		$address = $this->internalAddressService->add(
 			$this->uid,
 			$address,

@@ -54,6 +54,10 @@ public function __construct(IRequest $request,
 	 * @UserRateThrottle(limit=10, period=3600)
 	 */
 	public function unsubscribe(int $id): JsonResponse {
+		if ($this->currentUserId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		try {
 			$message = $this->mailManager->getMessage($this->currentUserId, $id);
 			$mailbox = $this->mailManager->getMailbox($this->currentUserId, $message->getMailboxId());

@@ -44,6 +44,10 @@ public function __construct(string $appName,
 	 */
 	#[TrapError]
 	public function index(): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$certificates = $this->certificateService->findAllCertificates($this->userId);
 		$certificates = array_map(fn (SmimeCertificate $certificate) => $this->certificateService->enrichCertificate($certificate), $certificates);
 		return JsonResponse::success($certificates);
@@ -59,6 +63,10 @@ public function index(): JsonResponse {
 	 */
 	#[TrapError]
 	public function destroy(int $id): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->certificateService->deleteCertificate($id, $this->userId);
 		return JsonResponse::success();
 	}
@@ -73,6 +81,10 @@ public function destroy(int $id): JsonResponse {
 	 */
 	#[TrapError]
 	public function create(): JsonResponse {
+		if ($this->userId === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		// TODO: What about PKCS12 certificates?
 		// They need to be decrypted by the client because they are protected by a password.
 		// We could use

@@ -41,6 +41,10 @@ public function __construct(IRequest $request,
 	 */
 	#[TrapError]
 	public function setTrusted(string $email, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->trustedSenderService->trust(
 			$this->uid,
 			$email,
@@ -59,6 +63,10 @@ public function setTrusted(string $email, string $type): JsonResponse {
 	 */
 	#[TrapError]
 	public function removeTrust(string $email, string $type): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$this->trustedSenderService->trust(
 			$this->uid,
 			$email,
@@ -75,6 +83,10 @@ public function removeTrust(string $email, string $type): JsonResponse {
 	 */
 	#[TrapError]
 	public function list(): JsonResponse {
+		if ($this->uid === null) {
+			return JsonResponse::fail([], Http::STATUS_UNAUTHORIZED);
+		}
+
 		$list = $this->trustedSenderService->getTrusted(
 			$this->uid
 		);

@@ -0,0 +1,26 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\InternalAddressController;
+use OCP\AppFramework\Http;
+
+class InternalAddressControllerTest extends TestCase {
+	public function testSetAddressNullUser(): void {
+		$serviceMock = $this->createServiceMock(InternalAddressController::class, [
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->setAddress('test@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
@@ -37,6 +37,17 @@ protected function setUp(): void {
 		$this->controller = $this->serviceMock->getService();
 	}
 
+	public function testUnsubscribeNullUser(): void {
+		$serviceMock = $this->createServiceMock(ListController::class, [
+			'userId' => null,
+		]);
+		$controller = $serviceMock->getService();
+
+		$response = $controller->unsubscribe(123);
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
 	public function testMessageNotFound(): void {
 		$this->serviceMock->getParameter('mailManager')
 			->expects(self::once())

@@ -0,0 +1,49 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\SmimeCertificatesController;
+use OCP\AppFramework\Http;
+
+class SmimeCertificatesControllerTest extends TestCase {
+	public function testIndexNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->index();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testDestroyNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->destroy(1);
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testCreateNullUser(): void {
+		$serviceMock = $this->createServiceMock(SmimeCertificatesController::class, [
+			'appName' => 'mail',
+			'userId' => null,
+		]);
+
+		$response = $serviceMock->getService()->create();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
@@ -0,0 +1,46 @@
+<?php
+
+declare(strict_types=1);
+
+/**
+ * SPDX-FileCopyrightText: 2026 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Mail\Tests\Unit\Controller;
+
+use ChristophWurst\Nextcloud\Testing\TestCase;
+use OCA\Mail\Controller\TrustedSendersController;
+use OCP\AppFramework\Http;
+
+class TrustedSendersControllerTest extends TestCase {
+	public function testSetTrustedNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->setTrusted('sender@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testRemoveTrustNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->removeTrust('sender@example.com', 'individual');
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+
+	public function testListNullUser(): void {
+		$serviceMock = $this->createServiceMock(TrustedSendersController::class, [
+			'UserId' => null,
+		]);
+
+		$response = $serviceMock->getService()->list();
+
+		self::assertEquals(Http::STATUS_UNAUTHORIZED, $response->getStatus());
+	}
+}
@@ -5,7 +5,7 @@
 		},
 		"sort-packages": true
 	},
-    "require-dev": {
-        "christophwurst/nextcloud_testing": "^1.1.0"
-    }
+	"require-dev": {
+		"christophwurst/nextcloud_testing": "^1.1.1"
+	}
 }