
[Security] AttachmentCleanUpController missing @PreAuthorize #3761

@Shivamrut

Description

AttachmentCleanUpController exposes a destructive DELETE /api/attachmentCleanUp/deleteAll
endpoint without any authorization check. Any authenticated user, regardless of role, can
call this endpoint and trigger bulk deletion of all unused attachments from the database.

The sibling admin controller FossologyAdminController correctly restricts access with
@PreAuthorize("hasAuthority('ADMIN')") at the class level. AttachmentCleanUpController
was authored in the same package and around the same time but is missing this guard entirely.

Affected file:
rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/admin/attachment/AttachmentCleanUpController.java

How to reproduce

  1. Authenticate to the SW360 REST API as a non-admin user (any valid account).
  2. Send DELETE /api/attachmentCleanUp/deleteAll.
  3. The request is accepted and all unused attachments are deleted, no admin role required.

Root cause

AttachmentCleanUpController is missing three annotations that are present on
FossologyAdminController (the intended pattern for admin-only endpoints):
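As an added example, not code from the SW360 project or from the issue author: a minimal Spring controller in the shape the issue describes, first without the guard and then with the class-level @PreAuthorize("hasAuthority('ADMIN')") that the issue cites from FossologyAdminController, followed by a MockMvc slice test that fails against the unguarded version. The service interface, the class names, the test configuration and the Spring Boot / Spring Security 5.6+ test stack (@EnableMethodSecurity, @WithMockUser, @MockBean) are assumptions.

```java
// Added example, not SW360's own code. Service interface, class names and the test
// configuration are hypothetical; the annotation pattern is the one the issue cites.
import org.junit.jupiter.api.Test;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest;
import org.springframework.boot.test.context.TestConfiguration;
import org.springframework.boot.test.mock.mockito.MockBean;
import org.springframework.context.annotation.Import;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
import org.springframework.security.test.context.support.WithMockUser;
import org.springframework.test.web.servlet.MockMvc;
import org.springframework.web.bind.annotation.DeleteMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import static org.mockito.Mockito.never;
import static org.mockito.Mockito.verify;
import static org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.csrf;
import static org.springframework.test.web.servlet.request.MockMvcRequestBuilders.delete;
import static org.springframework.test.web.servlet.result.MockMvcResultMatchers.status;

// Hypothetical service behind the endpoint.
interface AttachmentCleanUpService {
    void deleteAllUnusedAttachments();
}

// BEFORE (the shape the issue reports): no authorization guard at all. Spring Security
// only checks that the caller is authenticated, so any valid account can trigger it.
@RestController
@RequestMapping("/api/attachmentCleanUp")
class UnguardedAttachmentCleanUpController {
    private final AttachmentCleanUpService service;

    UnguardedAttachmentCleanUpController(AttachmentCleanUpService service) {
        this.service = service;
    }

    @DeleteMapping("/deleteAll")
    public ResponseEntity<Void> deleteAll() {
        service.deleteAllUnusedAttachments();
        return ResponseEntity.noContent().build();
    }
}

// AFTER: the class-level @PreAuthorize applies to every handler in the controller,
// including any added later, which is why the class level is the right place for it.
// (Shown beside the unguarded version for comparison only; a real application would
// contain one controller for this path, not two.)
@RestController
@RequestMapping("/api/attachmentCleanUp")
@PreAuthorize("hasAuthority('ADMIN')")
class GuardedAttachmentCleanUpController {
    private final AttachmentCleanUpService service;

    GuardedAttachmentCleanUpController(AttachmentCleanUpService service) {
        this.service = service;
    }

    @DeleteMapping("/deleteAll")
    public ResponseEntity<Void> deleteAll() {
        service.deleteAllUnusedAttachments();
        return ResponseEntity.noContent().build();
    }
}

// Slice test that would have caught the bug. @PreAuthorize is inert unless method
// security is enabled, so the test imports a configuration that turns it on; without
// it both tests would see 204 and the guard would silently do nothing.
@WebMvcTest(GuardedAttachmentCleanUpController.class)
@Import(GuardedAttachmentCleanUpControllerTest.MethodSecurityConfig.class)
class GuardedAttachmentCleanUpControllerTest {

    @TestConfiguration
    @EnableMethodSecurity
    static class MethodSecurityConfig {}

    @Autowired MockMvc mvc;
    @MockBean AttachmentCleanUpService service;

    @Test
    @WithMockUser(authorities = "USER")
    void nonAdminIsRejectedBeforeAnythingIsDeleted() throws Exception {
        // csrf() is supplied so that a 403 here can only come from the authority check,
        // not from the default CSRF filter rejecting a DELETE that carries no token.
        mvc.perform(delete("/api/attachmentCleanUp/deleteAll").with(csrf()))
           .andExpect(status().isForbidden());
        verify(service, never()).deleteAllUnusedAttachments();
    }

    @Test
    @WithMockUser(authorities = "ADMIN")
    void adminIsAllowed() throws Exception {
        mvc.perform(delete("/api/attachmentCleanUp/deleteAll").with(csrf()))
           .andExpect(status().isNoContent());
        verify(service).deleteAllUnusedAttachments();
    }
}
```

Two checks worth keeping in mind when applying this pattern: the annotation only takes effect where method security is enabled for the application (the same mechanism that makes FossologyAdminController's guard work), and it only covers handlers inside the annotated class, so a second, path-based rule on the HTTP security configuration for the /api/attachmentCleanUp/** prefix gives defence in depth if a future handler is added elsewhere. The admin test is as important as the non-admin one: a 403 on its own could come from CSRF or a missing authentication rather than from the authority check, and verifying the service interaction confirms that no deletion happens before the rejection.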

Labels: bug