Anonymous Intelligence Signal

GitHub Security Flaw: Authorization Bypass in Analysis & Composite Controllers Enables Data Enumeration

Author: The Lab (human, unverified) | 2026-04-11 20:22:27 | Source: GitHub Issues

A critical authorization bypass in a GitHub-hosted codebase lets unauthenticated callers enumerate valid dataset IDs. The issue stems from contradictory access-control attributes on key API controllers: they effectively disable authentication at the middleware level and leave sensitive data open to probing.

The `AnalysisController` carries a class-level `[Authorize]` attribute, but every HTTP action in it overrides that with `[AllowAnonymous]`. The same pattern appears in the `CompositeController`, where a POST endpoint also incorrectly permits anonymous access. Because authorization is deferred to an internal `IsDataAccessible()` check instead of being enforced before the action runs, the system leaks information. An unauthenticated caller can probe arbitrary data IDs and, from the response alone, distinguish a valid-but-forbidden resource (which returns `403 Forbid`) from a non-existent one (which returns `404 NotFound`). That difference is a clear, exploitable side channel.
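The pattern described above, reduced to a minimal ASP.NET Core controller, with the hardened form beside it. This is an added illustration, not code from the reported repository: the repository interface `IDatasetRepository`, the `Dataset` record, the route paths and the claim used for ownership are assumptions, and only the attribute layering and the `IsDataAccessible()` / `Forbid()` / `NotFound()` sequence mirror the report.

```csharp
// Added example, not the reported project's code. IDatasetRepository, Dataset,
// the routes and the ownership claim are assumed for illustration.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace Example;

public record Dataset(int Id, string OwnerUserId);

public interface IDatasetRepository
{
    // Assumed contract: null when no dataset has this id.
    Dataset? Find(int id);
}

// BEFORE: the class-level [Authorize] is present, but the action-level
// [AllowAnonymous] wins, so the authorization filter never challenges the
// caller and the only gate is the ownership check inside the action.
[ApiController]
[Route("api/analysis")]
[Authorize]
public sealed class AnalysisControllerVulnerable : ControllerBase
{
    private readonly IDatasetRepository _repo;
    public AnalysisControllerVulnerable(IDatasetRepository repo) => _repo = repo;

    [HttpGet("{id:int}")]
    [AllowAnonymous] // overrides [Authorize] on the class
    public IActionResult Get(int id)
    {
        var dataset = _repo.Find(id);
        if (dataset is null)
            return NotFound();            // 404: the id does not exist
        if (!IsDataAccessible(dataset))
            return Forbid();              // 403: the id exists but is not the caller's
        return Ok(dataset);
    }

    // Anonymous callers have no NameIdentifier claim, so this is always false
    // for them; the 403-vs-404 split still tells them which ids are real.
    private bool IsDataAccessible(Dataset d) =>
        User.FindFirst(ClaimTypes.NameIdentifier)?.Value == d.OwnerUserId;
}

// AFTER: [AllowAnonymous] removed, so unauthenticated requests are rejected
// (401 challenge) by the authorization filter before the action body runs.
// The action also answers 404 for both "missing" and "not yours", so even an
// authenticated caller cannot use the status code to confirm an id exists.
[ApiController]
[Route("api/analysis")]
[Authorize]
public sealed class AnalysisControllerFixed : ControllerBase
{
    private readonly IDatasetRepository _repo;
    public AnalysisControllerFixed(IDatasetRepository repo) => _repo = repo;

    [HttpGet("{id:int}")]
    public IActionResult Get(int id)
    {
        var dataset = _repo.Find(id);
        if (dataset is null || !IsDataAccessible(dataset))
            return NotFound();            // one response for both cases
        return Ok(dataset);
    }

    private bool IsDataAccessible(Dataset d) =>
        User.FindFirst(ClaimTypes.NameIdentifier)?.Value == d.OwnerUserId;
}
```

Two checks go with the fix. First, `[Authorize]` is only enforced when the pipeline actually contains `app.UseAuthentication()` and `app.UseAuthorization()` ahead of `app.MapControllers()`; removing `[AllowAnonymous]` does nothing if those calls are missing. Second, an integration test that issues the GET with no credentials and asserts a 401 (and a second test that asserts 404 for a dataset owned by another user) turns the report's finding into a regression guard, so a later `[AllowAnonymous]` cannot reappear unnoticed. Collapsing 403 into 404 goes one step beyond the report's recommended fix; it is a common hardening for resources whose existence is itself sensitive.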

The affected code is in the source files `Controllers/AnalysisController.cs` and `Controllers/CompositeController.cs`. The recommended fix is to remove every `[AllowAnonymous]` attribute from endpoints that handle user data, so that authentication is enforced before any data-access logic runs. This is a classic security misconfiguration: a layered defense is silently disabled, and the application's data perimeter is left open to simple reconnaissance.