Make inventory only accessible for administrator

Fixes #33

src/main/java/catering/inventory/InventoryController.java

@@ -19,6 +19,7 @@ package catering.inventory;
 import org.salespointframework.catalog.Product;
 import org.salespointframework.inventory.UniqueInventory;
 import org.salespointframework.inventory.UniqueInventoryItem;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
 import org.springframework.util.Assert;
@@ -43,6 +44,7 @@ class InventoryController {
 		this.cateringCatalog = cateringCatalog;
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory")
 	String list(Model model) {
 		model.addAttribute("inventory", inventory.findAll());
@@ -50,6 +52,7 @@ class InventoryController {
 		return "inventory";
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory/edit/{pid}")
 	String edit(Model model, @PathVariable Product pid) {
 		model.addAttribute("product", pid);
@@ -58,6 +61,7 @@ class InventoryController {
 		return "inventory-mutate";
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping("/inventory/edit/{pid}")
 	String edit(@Valid InventoryMutateForm form, Errors result, @PathVariable Product pid) {
 		if (result.hasErrors()) {
@@ -80,11 +84,13 @@ class InventoryController {
 		return "redirect:/inventory";
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory/add")
 	String add() {
 		return "inventory-mutate";
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@PostMapping("/inventory/add")
 	String add(@Valid InventoryMutateForm form, Errors result) {
 		if (result.hasErrors()) {
@@ -97,6 +103,7 @@ class InventoryController {
 		return "redirect:/inventory";
 	}
 
+	@PreAuthorize("hasRole('ADMIN')")
 	@GetMapping("/inventory/delete/{pid}")
 	String delete(@PathVariable Product pid) {
 		UniqueInventoryItem item = inventory.findByProduct(pid).get();