preauth

app/proprietary/src/main/java/stirling/software/proprietary/controller/AuditDashboardController.java

@@ -48,7 +48,7 @@ import stirling.software.proprietary.security.config.EnterpriseEndpoint;
 @Slf4j
 @Controller
 @RequestMapping("/audit")
-@PreAuthorize("hasRole('ADMIN')")
+@PreAuthorize("@roleBasedAuthorizationService.canManageAllUsers()")
 @RequiredArgsConstructor
 @EnterpriseEndpoint
 public class AuditDashboardController {

app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrgAdminController.java

@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import io.swagger.v3.oas.annotations.tags.Tag;
@@ -29,6 +30,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrgUsers() or @roleBasedAuthorizationService.canManageOrgTeams()")
 public class OrgAdminController {
 
     private final TeamRepository teamRepository;
@@ -37,11 +39,8 @@ public class OrgAdminController {
 
     /** Get all teams in the org admin's organization */
     @GetMapping("/teams")
+    @PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
     public ResponseEntity<List<Team>> getOrganizationTeams() {
-        if (!authorizationService.canManageOrgTeams()) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-        }
-
         User currentUser = authorizationService.getCurrentUser();
         if (currentUser == null || currentUser.getOrganization() == null) {
             return ResponseEntity.badRequest().build();

app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/OrganizationController.java

@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import lombok.RequiredArgsConstructor;
@@ -18,6 +19,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @RestController
 @RequestMapping("/api/v1/organizations")
 @RequiredArgsConstructor
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrganizations()")
 public class OrganizationController {
 
     private final OrganizationRepository organizationRepository;
@@ -26,15 +28,13 @@ public class OrganizationController {
 
     @GetMapping
     public ResponseEntity<List<OrganizationWithTeamCountDTO>> getAllOrganizations() {
-        if (!authorizationService.canManageOrganizations()) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-        }
         List<OrganizationWithTeamCountDTO> organizations =
                 organizationRepository.findAllOrganizationsWithTeamCount();
         return ResponseEntity.ok(organizations);
     }
 
     @GetMapping("/{id}")
+    @PreAuthorize("@roleBasedAuthorizationService.canViewOrganization(@organizationRepository.findById(#id).orElse(null))")
     public ResponseEntity<Organization> getOrganization(@PathVariable Long id) {
         Optional<Organization> organizationOpt = organizationRepository.findById(id);
         if (organizationOpt.isEmpty()) {
@@ -42,20 +42,11 @@ public class OrganizationController {
         }
 
         Organization organization = organizationOpt.get();
-        if (!authorizationService.canViewOrganization(organization)) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-        }
-
         return ResponseEntity.ok(organization);
     }
 
     @PostMapping
     public ResponseEntity<?> createOrganization(@RequestBody Organization organization) {
-        if (!authorizationService.canManageOrganizations()) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN)
-                    .body("Not authorized to create organizations");
-        }
-
         if (organizationRepository.existsByNameIgnoreCase(organization.getName())) {
             return ResponseEntity.badRequest()
                     .body("Organization with name '" + organization.getName() + "' already exists");
@@ -67,11 +58,6 @@ public class OrganizationController {
     @PutMapping("/{id}")
     public ResponseEntity<?> updateOrganization(
             @PathVariable Long id, @RequestBody Organization organization) {
-        if (!authorizationService.canManageOrganizations()) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN)
-                    .body("Not authorized to update organizations");
-        }
-
         Optional<Organization> existingOrganization = organizationRepository.findById(id);
         if (existingOrganization.isEmpty()) {
             return ResponseEntity.notFound().build();
@@ -90,11 +76,6 @@ public class OrganizationController {
 
     @DeleteMapping("/{id}")
     public ResponseEntity<?> deleteOrganization(@PathVariable Long id) {
-        if (!authorizationService.canManageOrganizations()) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN)
-                    .body("Not authorized to delete organizations");
-        }
-
         Optional<Organization> organization = organizationRepository.findById(id);
         if (organization.isEmpty()) {
             return ResponseEntity.notFound().build();

app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamController.java

@@ -2,6 +2,7 @@ package stirling.software.proprietary.security.controller.api;
 
 import java.util.Optional;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.servlet.view.RedirectView;
@@ -31,6 +32,7 @@ import stirling.software.proprietary.security.service.TeamService;
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageOrgTeams()")
 public class TeamController {
 
     private final TeamRepository teamRepository;
@@ -44,9 +46,6 @@ public class TeamController {
     public RedirectView createTeam(
             @RequestParam("name") String name,
             @RequestParam("organizationId") Long organizationId) {
-        if (!authorizationService.canManageOrgTeams()) {
-            return new RedirectView("/teams?messageType=accessDenied");
-        }
         Organization organization = organizationService.getOrCreateDefaultOrganization();
         if (organizationId != null) {
             organization = organizationRepository.findById(organizationId).orElse(organization);
@@ -63,6 +62,7 @@ public class TeamController {
     }
 
     @PostMapping("/rename")
+    @PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
     public RedirectView renameTeam(
             @RequestParam("teamId") Long teamId, @RequestParam("newName") String newName) {
         Optional<Team> existing = teamRepository.findById(teamId);
@@ -71,10 +71,6 @@ public class TeamController {
         }
         Team team = existing.get();
 
-        if (!authorizationService.canManageTeam(team)) {
-            return new RedirectView("/teams?messageType=accessDenied");
-        }
-
         if (teamRepository.existsByNameIgnoreCaseAndOrganizationId(
                 newName, team.getOrganization().getId())) {
             return new RedirectView("/teams?messageType=teamNameExists");
@@ -92,6 +88,7 @@ public class TeamController {
 
     @PostMapping("/delete")
     @Transactional
+    @PreAuthorize("@roleBasedAuthorizationService.canManageTeam(@teamRepository.findById(#teamId).orElse(null))")
     public RedirectView deleteTeam(@RequestParam("teamId") Long teamId) {
         Optional<Team> teamOpt = teamRepository.findById(teamId);
         if (teamOpt.isEmpty()) {
@@ -100,10 +97,6 @@ public class TeamController {
 
         Team team = teamOpt.get();
 
-        if (!authorizationService.canManageTeam(team)) {
-            return new RedirectView("/teams?messageType=accessDenied");
-        }
-
         // Prevent deleting the Internal team
         if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
             return new RedirectView("/teams?messageType=internalTeamNotAccessible");
@@ -120,6 +113,7 @@ public class TeamController {
 
     @PostMapping("/addUser")
     @Transactional
+    @PreAuthorize("@roleBasedAuthorizationService.canAddUserToTeam(#userId, @teamRepository.findById(#teamId).orElse(null))")
     public RedirectView addUserToTeam(
             @RequestParam("teamId") Long teamId, @RequestParam("userId") Long userId) {
 
@@ -129,10 +123,6 @@ public class TeamController {
                         .findById(teamId)
                         .orElseThrow(() -> new RuntimeException("Team not found"));
 
-        if (!authorizationService.canAddUserToTeam(userId, team)) {
-            return new RedirectView("/teams/" + teamId + "?error=accessDenied");
-        }
-
         // Prevent adding users to the Internal team
         if (team.getName().equals(TeamService.INTERNAL_TEAM_NAME)) {
             return new RedirectView("/teams?error=internalTeamNotAccessible");

app/proprietary/src/main/java/stirling/software/proprietary/security/controller/api/TeamLeadController.java

@@ -5,6 +5,7 @@ import java.util.Optional;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import io.swagger.v3.oas.annotations.tags.Tag;
@@ -28,6 +29,7 @@ import stirling.software.proprietary.security.service.RoleBasedAuthorizationServ
 @Slf4j
 @RequiredArgsConstructor
 @PremiumEndpoint
+@PreAuthorize("@roleBasedAuthorizationService.canManageTeamUsers()")
 public class TeamLeadController {
 
     private final TeamRepository teamRepository;