From 0eb3276ddec8cce9735c98eab78b8d0ff3d471dd Mon Sep 17 00:00:00 2001 From: Simon Bruder Date: Thu, 7 Dec 2023 19:12:55 +0100 Subject: [PATCH] Use class-wide PreAuthorize for InventoryController This should protect against accidentally forgetting it for one method. --- .../java/catering/inventory/InventoryController.java | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) diff --git a/src/main/java/catering/inventory/InventoryController.java b/src/main/java/catering/inventory/InventoryController.java index e6ed1df..679595d 100644 --- a/src/main/java/catering/inventory/InventoryController.java +++ b/src/main/java/catering/inventory/InventoryController.java @@ -58,6 +58,7 @@ import jakarta.validation.Valid; */ @Controller +@PreAuthorize("hasRole('ADMIN')") class InventoryController { private final UniqueInventory inventory; private final CateringCatalog cateringCatalog; @@ -69,7 +70,6 @@ class InventoryController { this.cateringCatalog = cateringCatalog; } - @PreAuthorize("hasRole('ADMIN')") @GetMapping("/inventory") String list(Model model) { model.addAttribute("inventory", inventory.findAll()); @@ -77,7 +77,6 @@ class InventoryController { return "inventory"; } - @PreAuthorize("hasRole('ADMIN')") @GetMapping("/inventory/edit/{pid}") String edit(Model model, @PathVariable Product pid) { UniqueInventoryItem item = inventory.findByProduct(pid).get(); @@ -93,14 +92,12 @@ class InventoryController { return "inventory-mutate"; } - @PreAuthorize("hasRole('ADMIN')") @PostMapping(path = "/inventory/edit/{pid}", params = "type=Consumable") String editConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, @PathVariable Product pid, Model model) { return edit(form, result, pid, model); } - @PreAuthorize("hasRole('ADMIN')") @PostMapping(path = "/inventory/edit/{pid}", params = "type=Rentable") String editRentable(@Valid @ModelAttribute("form") RentableMutateForm form, Errors result, @PathVariable Product pid, Model model) { 
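Review bot: The class-level `@PreAuthorize("hasRole('ADMIN')")` added in the first hunk is only enforced by Spring's method-security interceptor, so it is a no-op unless `@EnableMethodSecurity` (or the legacy `@EnableGlobalMethodSecurity(prePostEnabled = true)`) is present in the security configuration, which this patch does not show; please confirm it is, ideally with a test that hits `/inventory` anonymously and expects a 401/403. Because the annotation now lives on the class, a future method-level `@PreAuthorize` with a weaker expression silently overrides it for that method, so such overrides deserve the same scrutiny the removed per-method annotations got. For defence in depth I would also gate the whole prefix at the filter layer, `.requestMatchers("/inventory/**").hasRole("ADMIN")` in the `SecurityFilterChain`, so a handler added outside this class or an invocation that bypasses the proxy is still covered. A short comment on the class, e.g. `// All handlers require ADMIN; do not weaken per method without review.`, would record the intent stated in the commit message.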
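Review bot: In the `edit` handler retained in the second hunk, `inventory.findByProduct(pid).get()` throws `NoSuchElementException` for a product id that is not in the inventory, which surfaces as a 500 with a stack trace instead of a 404. Prefer `UniqueInventoryItem item = inventory.findByProduct(pid).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND));` so unknown ids are rejected cleanly; the same pattern is used by the `delete` handler later in this file. The body of `edit` continues outside the hunk.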
@@ -122,7 +119,6 @@ class InventoryController {
         return "redirect:/inventory";
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     @GetMapping(path = "/inventory/add")
     String add(Model model, @RequestParam String type) {
         switch (type) {
@@ -142,13 +138,11 @@ class InventoryController {
         return "inventory-mutate";
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     @PostMapping(path = "/inventory/add", params = "type=Consumable")
     String addConsumable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
         return add(form, result, model);
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     @PostMapping(path = "/inventory/add", params = "type=Rentable")
     String addRentable(@Valid @ModelAttribute("form") ConsumableMutateForm form, Errors result, Model model) {
         return add(form, result, model);
@@ -162,7 +156,6 @@ class InventoryController {
         return "redirect:/inventory";
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     @GetMapping("/inventory/delete/{pid}")
     String delete(@PathVariable Product pid) {
         UniqueInventoryItem item = inventory.findByProduct(pid).get();
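Review bot: In the `-142,13` hunk, `addRentable` binds `ConsumableMutateForm` while the sibling `editRentable` in the earlier hunk binds `RentableMutateForm`, so the `type=Rentable` add path is validated against the consumable form and any rentable-only fields or constraints are never bound or checked. Unless this is intentional, the signature should read `String addRentable(@Valid @ModelAttribute("form") RentableMutateForm form, Errors result, Model model) {`, provided the `add(form, result, model)` overload it delegates to (outside this hunk) accepts that type. A one-line comment on each `@PostMapping` pair, e.g. `// Dispatches on the "type" request parameter; keep the form type in sync with the edit handler.`, would make the pairing explicit.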
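Review bot: In the last hunk, `delete` is mapped with `@GetMapping("/inventory/delete/{pid}")`, and Spring Security's CSRF filter does not protect GET requests, so any page an authenticated admin views can trigger a deletion with an `<img src="/inventory/delete/...">`; the new class-level authorization does not mitigate this because the admin's own session is what gets abused. Change it to `@PostMapping("/inventory/delete/{pid}")` and submit from a form that carries the CSRF token (or `@DeleteMapping` with the hidden `_method` filter enabled). Separately, `inventory.findByProduct(pid).get()` turns an unknown id into a `NoSuchElementException` and a 500; `inventory.findByProduct(pid).orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND))` returns a proper 404. The body of `delete` continues outside the hunk.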