Use class-wide PreAuthorize for InventoryController

This should protect against accidentally forgetting it for one method.
2024-07-19 21:04:36 +02:00 · 2023-12-07 19:12:55 +01:00 · 2023-12-07 19:12:55 +01:00 · 0eb3276dde
parent 3e2cc3d0b2
commit 0eb3276dde
1 changed files with 1 additions and 8 deletions
--- a/src/main/java/catering/inventory/InventoryController.java
+++ b/src/main/java/catering/inventory/InventoryController.java
@ -58,6 +58,7 @@ import jakarta.validation.Valid;
 */

@Controller
+@PreAuthorize("hasRole('ADMIN')")
 class InventoryController {
 	private final UniqueInventory<UniqueInventoryItem> inventory;
 	private final CateringCatalog cateringCatalog;
@ -69,7 +70,6 @@ class InventoryController {
 		this.cateringCatalog = cateringCatalog;
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory")
 	String list(Model model) {
 		model.addAttribute("inventory", inventory.findAll());
@ -77,7 +77,6 @@ class InventoryController {
 		return "inventory";
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory/edit/{pid}")
 	String edit(Model model, @PathVariable Product pid) {
 		UniqueInventoryItem item = inventory.findByProduct(pid).get();
@ -93,14 +92,12 @@ class InventoryController {
 		return "inventory-mutate";
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping(path = "/inventory/edit/{pid}", params = "type=Consumable")
 	String editConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result,
 			@PathVariable Product pid, Model model) {
 		return edit(form, result, pid, model);
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping(path = "/inventory/edit/{pid}", params = "type=Rentable")
 	String editRentable(@Valid @ModelAttribute("form") RentableMutateForm form, Errors result,
 			@PathVariable Product pid, Model model) {
@ -122,7 +119,6 @@ class InventoryController {
 		return "redirect:/inventory";
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping(path = "/inventory/add")
 	String add(Model model, @RequestParam String type) {
 		switch (type) {
@ -142,13 +138,11 @@ class InventoryController {
 		return "inventory-mutate";
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping(path = "/inventory/add", params = "type=Consumable")
 	String addConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
 		return add(form, result, model);
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping(path = "/inventory/add", params = "type=Rentable")
 	String addRentable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
 		return add(form, result, model);
@ -162,7 +156,6 @@ class InventoryController {
 		return "redirect:/inventory";
 	}

-	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory/delete/{pid}")
 	String delete(@PathVariable Product pid) {
 		UniqueInventoryItem item = inventory.findByProduct(pid).get();