[Security] Missing throwIfSecurityUser check in AttachmentController createAttachment

## Description
The `createAttachment` POST endpoint in `AttachmentController` is missing 
`restControllerHelper.throwIfSecurityUser(sw360User)` check.

This check is consistently present in:
- Both GET endpoints of the same `AttachmentController`
- All write methods in `ReleaseController` (10 occurrences)

## Location
File: `rest/resource-server/src/main/java/org/eclipse/sw360/rest/resourceserver/attachment/AttachmentController.java`
Method: `createAttachment()` (~line 145)

## Current Code

```java
final User sw360User = restControllerHelper.getSw360UserFromAuthentication();
List<EntityModel<Attachment>> attachments = new ArrayList<>();
```

## Expected Code

```java
final User sw360User = restControllerHelper.getSw360UserFromAuthentication();
restControllerHelper.throwIfSecurityUser(sw360User);
List<EntityModel<Attachment>> attachments = new ArrayList<>();
```

## Impact
Security users (restricted API token users) can upload attachments
bypassing the intended access restriction enforced on all other endpoints.


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Missing throwIfSecurityUser check in AttachmentController createAttachment #3795

Description

Location

Current Code

Expected Code

Impact

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

[Security] Missing throwIfSecurityUser check in AttachmentController createAttachment #3795

Description

Description

Location

Current Code

Expected Code

Impact

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions