Fix security, resource leaks, and code quality issues from deep review

P1 fixes:
- Add @PreAuthorize("isAuthenticated()") to DataExportController
- Reserve anonymizedAt for full anonymization only (not set in soft
  deletion where name/files are preserved for retention)
- Explicitly delete ApplicationReviewer records before deleting expired
  rejected applications to avoid reliance on DB cascade behavior

P2 fixes:
- Prevent duplicate export processing in multi-instance deployments
  via atomic claimForProcessing() JPQL update
- Fix resource leak: wrap InputStream in try-with-resources in
  addUserFile during data export ZIP creation
- Change UserDeletionPreviewDto boolean fields to Boolean wrappers
  so false values are not omitted by @JsonInclude(NON_EMPTY)
- Collect user IDs before processing deferred deletions to safely
  handle entityManager.clear() within the loop
- Move application activity check into findInactiveStudentCandidates
  JPQL query to eliminate N+1 queries in disableInactiveUsers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: krusche

server/src/main/java/de/tum/cit/aet/thesis/controller/DataExportController.java

@@ -23,6 +23,7 @@
 
 @RestController
 @RequestMapping("/v2/data-exports")
+@org.springframework.security.access.prepost.PreAuthorize("isAuthenticated()")
 public class DataExportController {
 	private final DataExportService dataExportService;
 	private final ObjectProvider<CurrentUserProvider> currentUserProviderProvider;

server/src/main/java/de/tum/cit/aet/thesis/dto/UserDeletionPreviewDto.java

@@ -6,11 +6,11 @@
 
 @JsonInclude(JsonInclude.Include.NON_EMPTY)
 public record UserDeletionPreviewDto(
-		boolean canBeFullyDeleted,
-		boolean hasActiveTheses,
+		Boolean canBeFullyDeleted,
+		Boolean hasActiveTheses,
 		int retentionBlockedThesisCount,
 		Instant earliestFullDeletionDate,
-		boolean isResearchGroupHead,
+		Boolean isResearchGroupHead,
 		String message
 ) {
 }

server/src/main/java/de/tum/cit/aet/thesis/repository/DataExportRepository.java

@@ -4,9 +4,11 @@
 import de.tum.cit.aet.thesis.entity.DataExport;
 import de.tum.cit.aet.thesis.entity.User;
 import org.springframework.data.jpa.repository.JpaRepository;
+import org.springframework.data.jpa.repository.Modifying;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
 import org.springframework.stereotype.Repository;
+import org.springframework.transaction.annotation.Transactional;
 
 import java.time.Instant;
 import java.util.List;
@@ -18,6 +20,11 @@ public interface DataExportRepository extends JpaRepository<DataExport, UUID> {
 
 	List<DataExport> findAllByStateIn(List<DataExportState> states);
 
+	@Modifying
+	@Transactional
+	@Query("UPDATE DataExport e SET e.state = 'IN_CREATION' WHERE e.id = :id AND e.state = :expectedState")
+	int claimForProcessing(@Param("id") UUID id, @Param("expectedState") DataExportState expectedState);
+
 	@Query("""
 			SELECT e FROM DataExport e
 			WHERE e.creationFinishedAt < :cutoff

server/src/main/java/de/tum/cit/aet/thesis/repository/UserRepository.java

@@ -100,6 +100,10 @@ AND NOT EXISTS (
 					de.tum.cit.aet.thesis.constants.ThesisState.DROPPED_OUT
 				)
 			)
+			AND NOT EXISTS (
+				SELECT 1 FROM Application a
+				WHERE a.user.id = u.id AND a.createdAt >= :cutoff
+			)
 			""")
 	List<User> findInactiveStudentCandidates(@Param("cutoff") Instant cutoff);
 }

server/src/main/java/de/tum/cit/aet/thesis/service/DataExportService.java

@@ -175,6 +175,13 @@ public void processAllPendingExports() {
 				List.of(DataExportState.REQUESTED));
 
 		for (DataExport export : pending) {
+			// Atomically claim this export to prevent duplicate processing
+			// in multi-instance deployments.
+			int updated = dataExportRepository.claimForProcessing(export.getId(), DataExportState.REQUESTED);
+			if (updated == 0) {
+				continue; // Another instance already claimed it
+			}
+
 			try {
 				createDataExport(export);
 			} catch (Exception e) {
@@ -188,7 +195,6 @@ public void processAllPendingExports() {
 
 	private void createDataExport(DataExport export) throws IOException {
 		export.setState(DataExportState.IN_CREATION);
-		dataExportRepository.save(export);
 
 		User user = export.getUser();
 		String filename = String.format("export_%s_%d.zip", user.getId(), System.currentTimeMillis());
@@ -392,7 +398,9 @@ private void addUserFile(ZipOutputStream zos, String filename, String entryPrefi
 					extension = filename.substring(dotIndex);
 				}
 				zos.putNextEntry(new ZipEntry(entryPrefix + extension));
-				resource.getInputStream().transferTo(zos);
+				try (java.io.InputStream is = resource.getInputStream()) {
+					is.transferTo(zos);
+				}
 				zos.closeEntry();
 			}
 		} catch (Exception e) {

server/src/main/java/de/tum/cit/aet/thesis/service/DataRetentionService.java

@@ -2,6 +2,7 @@
 
 import de.tum.cit.aet.thesis.entity.User;
 import de.tum.cit.aet.thesis.repository.ApplicationRepository;
+import de.tum.cit.aet.thesis.repository.ApplicationReviewerRepository;
 import de.tum.cit.aet.thesis.repository.UserRepository;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -19,19 +20,22 @@ public class DataRetentionService {
 	private static final Logger log = LoggerFactory.getLogger(DataRetentionService.class);
 
 	private final ApplicationRepository applicationRepository;
+	private final ApplicationReviewerRepository applicationReviewerRepository;
 	private final UserRepository userRepository;
 	private final DataExportService dataExportService;
 	private final UserDeletionService userDeletionService;
 	private final int retentionDays;
 	private final int inactiveUserDays;
 
 	public DataRetentionService(ApplicationRepository applicationRepository,
+			ApplicationReviewerRepository applicationReviewerRepository,
 			UserRepository userRepository,
 			DataExportService dataExportService,
 			UserDeletionService userDeletionService,
 			@Value("${thesis-management.data-retention.rejected-application-retention-days}") int retentionDays,
 			@Value("${thesis-management.data-retention.inactive-user-days}") int inactiveUserDays) {
 		this.applicationRepository = applicationRepository;
+		this.applicationReviewerRepository = applicationReviewerRepository;
 		this.userRepository = userRepository;
 		this.dataExportService = dataExportService;
 		this.userDeletionService = userDeletionService;
@@ -51,11 +55,7 @@ public void runNightlyCleanup() {
 	public int disableInactiveUsers() {
 		Instant cutoff = Instant.now().minus(inactiveUserDays, ChronoUnit.DAYS);
 
-		List<User> candidates = userRepository.findInactiveStudentCandidates(cutoff);
-
-		List<User> toDisable = candidates.stream()
-				.filter(user -> hasNoRecentActivity(user, cutoff))
-				.toList();
+		List<User> toDisable = userRepository.findInactiveStudentCandidates(cutoff);
 
 		if (toDisable.isEmpty()) {
 			return 0;
@@ -71,13 +71,6 @@ public int disableInactiveUsers() {
 		return toDisable.size();
 	}
 
-	private boolean hasNoRecentActivity(User user, Instant cutoff) {
-		boolean hasRecentApplication = applicationRepository.findAllByUser(user).stream()
-				.anyMatch(app -> app.getCreatedAt().isAfter(cutoff));
-
-		return !hasRecentApplication;
-	}
-
 	public int deleteExpiredRejectedApplications() {
 		Instant cutoffDate = Instant.now().minus(retentionDays, ChronoUnit.DAYS);
 
@@ -92,6 +85,7 @@ public int deleteExpiredRejectedApplications() {
 
 		for (UUID id : expiredIds) {
 			try {
+				applicationReviewerRepository.deleteByApplicationId(id);
 				applicationRepository.deleteApplicationById(id);
 				totalDeleted++;
 			} catch (Exception e) {

server/src/main/java/de/tum/cit/aet/thesis/service/UserDeletionService.java

@@ -169,32 +169,40 @@ public UserDeletionResultDto deleteOrAnonymizeUser(UUID userId) {
 	}
 
 	public void processDeferredDeletions() {
-		List<User> pendingUsers = userRepository.findAllByDeletionScheduledForIsNotNull();
+		// Collect IDs first because anonymizeUser() clears the persistence context,
+		// which would detach entities loaded in the same session.
+		List<UUID> pendingUserIds = userRepository.findAllByDeletionScheduledForIsNotNull()
+				.stream().map(User::getId).toList();
+
+		for (UUID userId : pendingUserIds) {
+			User user = userRepository.findById(userId).orElse(null);
+			if (user == null) {
+				continue;
+			}
 
-		for (User user : pendingUsers) {
-			List<ThesisRole> retentionBlocked = getRetentionBlockedThesisRoles(user.getId());
+			List<ThesisRole> retentionBlocked = getRetentionBlockedThesisRoles(userId);
 			if (retentionBlocked.isEmpty()) {
-				log.info("Retention expired for user {}, performing full cleanup", user.getId());
+				log.info("Retention expired for user {}, performing full cleanup", userId);
 
 				// Collect file paths before DB changes
 				List<String> exportFilePaths = collectExportFilePaths(user);
 				List<String> userFilePaths = collectUserFilePaths(user);
 
 				// Delete all remaining related data
 				deleteDataExportRecords(user);
-				List<Application> remainingApps = applicationRepository.findAllByUserId(user.getId());
+				List<Application> remainingApps = applicationRepository.findAllByUserId(userId);
 				for (Application app : remainingApps) {
 					applicationReviewerRepository.deleteByApplicationId(app.getId());
 				}
-				applicationRepository.deleteAllByUserId(user.getId());
-				topicRoleRepository.deleteAllByIdUserId(user.getId());
-				thesisRoleRepository.deleteAllByIdUserId(user.getId());
+				applicationRepository.deleteAllByUserId(userId);
+				topicRoleRepository.deleteAllByIdUserId(userId);
+				thesisRoleRepository.deleteAllByIdUserId(userId);
 
 				// Fully anonymize the tombstone (clear name + file references)
 				// anonymizeUser clears the persistence context and re-fetches,
 				// so we must set deletionScheduledFor via a separate query.
 				anonymizeUser(user);
-				userRepository.clearDeletionScheduledFor(user.getId());
+				userRepository.clearDeletionScheduledFor(userId);
 
 				// Delete files after DB operations succeeded
 				deleteFilePaths(userFilePaths);
@@ -239,8 +247,9 @@ private UserDeletionResultDto performSoftDeletion(User user, List<ThesisRole> re
 
 		// Deactivate the account but keep name and thesis-related files intact
 		// so thesis records remain searchable during the legal retention period.
+		// Note: anonymizedAt is NOT set here because the user is not fully anonymized
+		// (name, matriculation number, and thesis files are preserved for retention).
 		user.setDisabled(true);
-		user.setAnonymizedAt(now);
 		user.setDeletionRequestedAt(now);
 		user.setDeletionScheduledFor(earliestDeletion);