From 6b4452d8d8eabe025a67eacd171dbdd56201d779 Mon Sep 17 00:00:00 2001
From: Nick Reuter
Date: Sat, 21 Mar 2026 12:03:44 -0400
Subject: [PATCH] Allow retro participants to use focus endpoints

---
 .../retro/event/RetroEventController.java | 4 ++--
 .../retro/event/RetroEventControllerTest.java | 21 ++++++++++++-------
 2 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java b/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java
index 84f7fa8..a6aa495 100644
--- a/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java
+++ b/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java
@@ -30,14 +30,14 @@ public ResponseEntity stopTimer(@PathVariable UUID teamId, @PathVariable U
 }

 @PostMapping("/focus")
- @PreAuthorize("@userMappingAuthorizationService.isUserMemberOfTeam(authentication, #teamId)")
+ @PreAuthorize("@retroAuthorizationService.isUserAllowedInRetro(authentication, #retroId)")
 public ResponseEntity focusThought(@PathVariable UUID teamId, @PathVariable UUID retroId, @RequestBody FocusRequest request) {
 retroEventService.publishFocus(retroId, request.thoughtId());
 return ResponseEntity.ok().build();
 }

 @PostMapping("/focus-clear")
- @PreAuthorize("@userMappingAuthorizationService.isUserMemberOfTeam(authentication, #teamId)")
+ @PreAuthorize("@retroAuthorizationService.isUserAllowedInRetro(authentication, #retroId)")
 public ResponseEntity clearFocus(@PathVariable UUID teamId, @PathVariable UUID retroId) {
 retroEventService.publishFocusClear(retroId);
 return ResponseEntity.ok().build();
diff --git a/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java b/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java
index ff27ed0..28de7c0 100644
--- a/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java
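Review bot: Once the guard on the two `@PreAuthorize` lines keys only on `#retroId`, the `teamId` path variable is no longer checked against anything in this hunk, and neither `publishFocus` nor `publishFocusClear` receives it, so a caller allowed in a retro can reach `/focus` and `/focus-clear` under any team id in the URL. Unless `isUserAllowedInRetro` itself verifies that the retro belongs to the team (not visible here), the pair should be bound, e.g. `@PreAuthorize("@retroAuthorizationService.isUserAllowedInRetro(authentication, #teamId, #retroId)")`, or the unused `teamId` dropped from the route so the URL does not imply a scope the code does not enforce. Separately, `request.thoughtId()` is published without any check that the thought belongs to `retroId`; if subscribers act on the id directly, a participant can broadcast a foreign thought id into this retro's event stream, which deserves at least a `// NOTE: thoughtId is not validated against retroId here` or a lookup in the service. `focusThought` is complete within the hunk; `clearFocus`'s closing brace and the rest of the class fall outside it.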
+++ b/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java
@@ -1,6 +1,7 @@
 package io.nickreuter.retroapi.retro.event;

 import com.fasterxml.jackson.databind.ObjectMapper;
+import io.nickreuter.retroapi.retro.RetroAuthorizationService;
 import io.nickreuter.retroapi.team.usermapping.UserMappingAuthorizationService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -28,6 +29,8 @@ class RetroEventControllerTest {
 private RetroEventService retroEventService;
 @MockitoBean
 private UserMappingAuthorizationService userMappingAuthorizationService;
+ @MockitoBean
+ private RetroAuthorizationService retroAuthorizationService;
 @Autowired
 private MockMvc mockMvc;

@@ -110,7 +113,7 @@ void focusThought_Returns200() throws Exception {
 var teamId = UUID.randomUUID();
 var retroId = UUID.randomUUID();
 var thoughtId = UUID.randomUUID();
- when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(true);
+ when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(true);
 mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, retroId))
 .with(jwt())
 .with(csrf())
@@ -131,10 +134,11 @@ void focusThought_WhenAnonymous_Returns401() throws Exception {
 }

 @Test
- void focusThought_WhenNotMember_Returns403() throws Exception {
+ void focusThought_WhenNotAllowedInRetro_Returns403() throws Exception {
 var teamId = UUID.randomUUID();
- when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(false);
- mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, UUID.randomUUID()))
+ var retroId = UUID.randomUUID();
+ when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(false);
+ mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, retroId))
 .with(jwt())
 .with(csrf())
 .contentType(MediaType.APPLICATION_JSON)
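Review bot: In `focusThought_WhenNotAllowedInRetro_Returns403` the only stub is `isUserAllowedInRetro(...)` returning `false`, which is already Mockito's default for an unstubbed boolean, so the test passes whether the controller consulted the retro authorizer, the old team authorizer, or any other mocked bean — it proves a denial happened, not who made it. Adding `verify(retroAuthorizationService).isUserAllowedInRetro(any(), eq(retroId));` after the status assertion (with the matching `ArgumentMatchers` static imports) pins the check to the path's `retroId`, and stubbing `userMappingAuthorizationService.isUserMemberOfTeam(any(), eq(teamId))` to `true` in the same test would document that team membership alone no longer grants access, which appears to be the intent of this commit. The test method continues past the hunk; its final `.andExpect(...)` is not visible here.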
@@ -147,7 +151,7 @@ void focusThought_WhenNotMember_Returns403() throws Exception {
 void clearFocus_Returns200() throws Exception {
 var teamId = UUID.randomUUID();
 var retroId = UUID.randomUUID();
- when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(true);
+ when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(true);
 mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, retroId))
 .with(jwt())
 .with(csrf()))
@@ -164,10 +168,11 @@ void clearFocus_WhenAnonymous_Returns401() throws Exception {
 }

 @Test
- void clearFocus_WhenNotMember_Returns403() throws Exception {
+ void clearFocus_WhenNotAllowedInRetro_Returns403() throws Exception {
 var teamId = UUID.randomUUID();
- when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(false);
- mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, UUID.randomUUID()))
+ var retroId = UUID.randomUUID();
+ when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(false);
+ mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, retroId))
 .with(jwt())
 .with(csrf()))
 .andExpect(status().isForbidden());
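Review bot: `clearFocus_WhenNotAllowedInRetro_Returns403` asserts only the status; it never checks that the denied request stopped short of `retroEventService.publishFocusClear`, so it cannot tell a `@PreAuthorize` that short-circuits from a handler that publishes the event and then fails. `retroEventService` is declared in this test class and, presumably a `@MockitoBean` like its neighbours, supports `verify(retroEventService, never()).publishFocusClear(retroId);` as one more line after `.andExpect(status().isForbidden())`; the `focusThought` denial test would benefit from the same guard against `publishFocus`. The closing brace of the test method is outside the hunk.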