Use class-wide PreAuthorize for InventoryController

This should protect against accidentally forgetting it for one method.
This commit is contained in:
Simon Bruder 2023-12-07 19:12:55 +01:00
parent 3e2cc3d0b2
commit 0eb3276dde
Signed by: simon
GPG key ID: 8D3C82F9F309F8EC

View file

@ -58,6 +58,7 @@ import jakarta.validation.Valid;
*/
@Controller
@PreAuthorize("hasRole('ADMIN')")
class InventoryController {
private final UniqueInventory<UniqueInventoryItem> inventory;
private final CateringCatalog cateringCatalog;
@ -69,7 +70,6 @@ class InventoryController {
this.cateringCatalog = cateringCatalog;
}
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/inventory")
String list(Model model) {
model.addAttribute("inventory", inventory.findAll());
@ -77,7 +77,6 @@ class InventoryController {
return "inventory";
}
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/inventory/edit/{pid}")
String edit(Model model, @PathVariable Product pid) {
UniqueInventoryItem item = inventory.findByProduct(pid).get();
@ -93,14 +92,12 @@ class InventoryController {
return "inventory-mutate";
}
@PreAuthorize("hasRole('ADMIN')")
@PostMapping(path = "/inventory/edit/{pid}", params = "type=Consumable")
String editConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result,
@PathVariable Product pid, Model model) {
return edit(form, result, pid, model);
}
@PreAuthorize("hasRole('ADMIN')")
@PostMapping(path = "/inventory/edit/{pid}", params = "type=Rentable")
String editRentable(@Valid @ModelAttribute("form") RentableMutateForm form, Errors result,
@PathVariable Product pid, Model model) {
@ -122,7 +119,6 @@ class InventoryController {
return "redirect:/inventory";
}
@PreAuthorize("hasRole('ADMIN')")
@GetMapping(path = "/inventory/add")
String add(Model model, @RequestParam String type) {
switch (type) {
@ -142,13 +138,11 @@ class InventoryController {
return "inventory-mutate";
}
@PreAuthorize("hasRole('ADMIN')")
@PostMapping(path = "/inventory/add", params = "type=Consumable")
String addConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
return add(form, result, model);
}
@PreAuthorize("hasRole('ADMIN')")
@PostMapping(path = "/inventory/add", params = "type=Rentable")
String addRentable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
return add(form, result, model);
@ -162,7 +156,6 @@ class InventoryController {
return "redirect:/inventory";
}
@PreAuthorize("hasRole('ADMIN')")
@GetMapping("/inventory/delete/{pid}")
String delete(@PathVariable Product pid) {
UniqueInventoryItem item = inventory.findByProduct(pid).get();