diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/controller/AuditDashboardController.java b/app/proprietary/src/main/java/stirling/software/proprietary/controller/AuditDashboardController.java
index 67b71ccd8..e315f444f 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/controller/AuditDashboardController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/controller/AuditDashboardController.java
@@ -48,7 +48,7 @@ import stirling.software.proprietary.security.config.EnterpriseEndpoint;
 @Slf4j
 @Controller
 @RequestMapping("/audit")
-@PreAuthorize("hasRole('ADMIN')")
+@PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
 @RequiredArgsConstructor
 @EnterpriseEndpoint
 public class AuditDashboardController {
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrgAdminController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrgAdminController.java
index 9d26308d4..5f6117dd7 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrgAdminController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrgAdminController.java
@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import io.swagger.v3.oas.annotations.tags.Tag;
@@ -29,6 +30,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrgUsers() or @roleBasedAuthorizationService.canManageOrgTeams()")
 public class OrgAdminController {
 
 private final TeamRepository teamRepository;
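Review bot: The audit dashboard is now gated on `canManageAllUsers()`, a user-administration capability, instead of an explicit admin role, so audit-log visibility follows whatever that method grants; whether it is equivalent to `hasRole('ADMIN')` cannot be seen from this diff. If the intent is that only global administrators may read audit data, a purpose-named check on the same service (for example a new `canViewAuditLogs()`) would keep the audit policy independent of later changes to user-management permissions; at minimum a comment should record the equivalence, e.g. `// Audit data is global: only principals allowed to manage all users (global admins) may view it`. The class body continues outside the hunk.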
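Review bot: The class-level `@PreAuthorize` added to `OrgAdminController` is a default, not an extra layer: Spring Security evaluates the method-level annotation when one is present and falls back to the class-level one only for methods that have none, so the `canManageOrgUsers() or canManageOrgTeams()` expression applies solely to unannotated methods and any method annotated later drops it. The `or` therefore lets a principal holding only `canManageOrgTeams()` reach every unannotated method in this controller, including user-management ones; the rest of the class is outside the hunk, so whether each such method gets its own narrower annotation cannot be checked here. Consider a class comment stating the rule, e.g. `// Class-level default only: a method-level @PreAuthorize REPLACES this expression, it does not AND with it`, and apply the same reading to the class-level annotations added to OrganizationController, TeamController and TeamLeadController.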
@@ -37,11 +39,8 @@ public class OrgAdminController {
 
 /** Get all teams in the org admin's organization */
 @GetMapping("/teams")
+ @PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
 public ResponseEntity> getOrganizationTeams() {
- if (!authorizationService.canManageOrgTeams()) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
- }
-
 User currentUser = authorizationService.getCurrentUser();
 if (currentUser == null || currentUser.getOrganization() == null) {
 return ResponseEntity.badRequest().build();
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrganizationController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrganizationController.java
index b32082044..7c94d55be 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrganizationController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrganizationController.java
@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import lombok.RequiredArgsConstructor;
@@ -18,6 +19,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @RestController
 @RequestMapping("/api/v1/organizations")
 @RequiredArgsConstructor
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrganizations()")
 public class OrganizationController {
 
 private final OrganizationRepository organizationRepository;
@@ -26,15 +28,13 @@ public class OrganizationController {
 
 @GetMapping
 public ResponseEntity> getAllOrganizations() {
- if (!authorizationService.canManageOrganizations()) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
- }
 
 List organizations = organizationRepository.findAllOrganizationsWithTeamCount();
 return ResponseEntity.ok(organizations);
 }
 
 @GetMapping("/{id}")
+ @PreAuthorize("@roleBasedAuthorizationService.canViewOrganization(@organizationRepository.findById(#id).orElse(null))")
 public ResponseEntity getOrganization(@PathVariable Long id) {
 Optional organizationOpt = organizationRepository.findById(id);
 if (organizationOpt.isEmpty()) {
@@ -42,20 +42,11 @@ public class OrganizationController {
 }
 
 Organization organization = organizationOpt.get();
- if (!authorizationService.canViewOrganization(organization)) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
- }
-
 return ResponseEntity.ok(organization);
 }
 
 @PostMapping
 public ResponseEntity createOrganization(@RequestBody Organization organization) {
- if (!authorizationService.canManageOrganizations()) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN)
- .body("Not authorized to create organizations");
- }
-
 if (organizationRepository.existsByNameIgnoreCase(organization.getName())) {
 return ResponseEntity.badRequest()
 .body("Organization with name '" + organization.getName() + "' already exists");
@@ -67,11 +58,6 @@ public class OrganizationController {
 @PutMapping("/{id}")
 public ResponseEntity updateOrganization(
 @PathVariable Long id, @RequestBody Organization organization) {
- if (!authorizationService.canManageOrganizations()) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN)
- .body("Not authorized to update organizations");
- }
-
 Optional existingOrganization = organizationRepository.findById(id);
 if (existingOrganization.isEmpty()) {
 return ResponseEntity.notFound().build();
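Review bot: The new `@PreAuthorize` on `getOrganization` loads the organization a second time (the body repeats `organizationRepository.findById(id)`) and hands `null` to `canViewOrganization` when the id does not exist; unless that method tolerates `null` (its implementation is not visible here), an unknown id is rejected as access denied before the body's `notFound()` branch can run, and the decision is taken on a different instance than the one the body returns. Checking the result of the single load instead avoids both, e.g. replace the annotation with `@PostAuthorize("returnObject.body == null or @roleBasedAuthorizationService.canViewOrganization(returnObject.body)")`, which leaves the 404 path intact and authorizes exactly the entity being returned. The same double lookup and `orElse(null)` argument appear in the `@PreAuthorize` expressions added to `renameTeam`, `deleteTeam` and `addUserToTeam` in TeamController, where the bodies' not-found redirects (and the `orElseThrow` in addUser) become unreachable for the same reason unless `canManageTeam`/`canAddUserToTeam` accept `null`. `getOrganization`'s body continues into the next hunk.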
@@ -90,11 +76,6 @@ public class OrganizationController {
 
 @DeleteMapping("/{id}")
 public ResponseEntity deleteOrganization(@PathVariable Long id) {
- if (!authorizationService.canManageOrganizations()) {
- return ResponseEntity.status(HttpStatus.FORBIDDEN)
- .body("Not authorized to delete organizations");
- }
-
 Optional organization = organizationRepository.findById(id);
 if (organization.isEmpty()) {
 return ResponseEntity.notFound().build();
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamController.java
index a0c026105..b77d49c5b 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamController.java
@@ -2,6 +2,7 @@ package stirling.software.proprietary.security.controller.api;
 
 import java.util.Optional;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.view.RedirectView;
@@ -31,6 +32,7 @@ import stirling.software.proprietary.security.service.TeamService;
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
 public class TeamController {
 
 private final TeamRepository teamRepository;
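Review bot: Moving the checks of this form-posting `@Controller` into `@PreAuthorize` changes what a denied user gets back: the removed branches answered with `new RedirectView("/teams?messageType=accessDenied")` (and `"/teams/" + teamId + "?error=accessDenied"` in addUser), whereas a failing `@PreAuthorize` throws `AccessDeniedException`, which Spring Security's exception handling renders as a 403 response rather than the redirect carrying the message the teams page expects. If the redirect behaviour is still wanted, a controller-local `@ExceptionHandler` restores it once without putting the checks back into each method; the addUser case previously redirected to a team-specific URL, so that handler would need the request's teamId if that target is to be preserved. The remainder of the class is outside the hunk.
```java
public class TeamController {

    // … unchanged: fields and handler methods …

    /** Keep the pre-existing behaviour for denied form posts: redirect with a message instead of a 403 page. */
    @ExceptionHandler(AccessDeniedException.class)
    public RedirectView handleAccessDenied(AccessDeniedException ex) {
        return new RedirectView("/teams?messageType=accessDenied");
    }
```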
@@ -44,9 +46,6 @@ public class TeamController {
 public RedirectView createTeam(
 @RequestParam("name") String name,
 @RequestParam("organizationId") Long organizationId) {
- if (!authorizationService.canManageOrgTeams()) {
- return new RedirectView("/teams?messageType=accessDenied");
- }
 Organization organization = organizationService.getOrCreateDefaultOrganization();
 if (organizationId != null) {
 organization = organizationRepository.findById(organizationId).orElse(organization);
@@ -63,6 +62,7 @@ public class TeamController {
 }
 
 @PostMapping("/rename")
+ @PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
 public RedirectView renameTeam(
 @RequestParam("teamId") Long teamId, @RequestParam("newName") String newName) {
 Optional existing = teamRepository.findById(teamId);
@@ -71,10 +71,6 @@ public class TeamController {
 }
 
 Team team = existing.get();
- if (!authorizationService.canManageTeam(team)) {
- return new RedirectView("/teams?messageType=accessDenied");
- }
-
 if (teamRepository.existsByNameIgnoreCaseAndOrganizationId(
 newName, team.getOrganization().getId())) {
 return new RedirectView("/teams?messageType=teamNameExists");
@@ -92,6 +88,7 @@ public class TeamController {
 
 @PostMapping("/delete")
 @Transactional
+ @PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
 public RedirectView deleteTeam(@RequestParam("teamId") Long teamId) {
 Optional teamOpt = teamRepository.findById(teamId);
 if (teamOpt.isEmpty()) {
@@ -100,10 +97,6 @@ public class TeamController {
 
 Team team = teamOpt.get();
 
- if (!authorizationService.canManageTeam(team)) {
- return new RedirectView("/teams?messageType=accessDenied");
- }
-
 // Prevent deleting the Internal team
 if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
 return new RedirectView("/teams?messageType=internalTeamNotAccessible");
@@ -120,6 +113,7 @@ public class TeamController {
 
 @PostMapping("/addUser")
 @Transactional
+ @PreAuthorize("@roleBasedAuthorizationService.canAddUserToTeam(#userId, @teamRepository.findById(#teamId).orElse(null))")
 public RedirectView addUserToTeam(
 @RequestParam("teamId") Long teamId, @RequestParam("userId") Long userId) {
 
@@ -129,10 +123,6 @@ public class TeamController {
 .findById(teamId)
 .orElseThrow(() -> new RuntimeException("Team not found"));
 
- if (!authorizationService.canAddUserToTeam(userId, team)) {
- return new RedirectView("/teams/" + teamId + "?error=accessDenied");
- }
-
 // Prevent adding users to the Internal team
 if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
 return new RedirectView("/teams?error=internalTeamNotAccessible");
diff --git a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamLeadController.java b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamLeadController.java
index 5963c3fb1..8f4c90dc9 100644
--- a/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamLeadController.java
+++ b/app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamLeadController.java
@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import io.swagger.v3.oas.annotations.tags.Tag;
@@ -28,6 +29,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageTeamUsers()")
 public class TeamLeadController {
 
 private final TeamRepository teamRepository;