LowBudgetMan · LowBudgetMan · Mar 21, 2026 · Mar 21, 2026
diff --git a/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java b/src/main/java/io/nickreuter/retroapi/retro/event/RetroEventController.java
@@ -30,14 +30,14 @@ public ResponseEntity<Void> stopTimer(@PathVariable UUID teamId, @PathVariable U
     }
 
     @PostMapping("/focus")
-    @PreAuthorize("@userMappingAuthorizationService.isUserMemberOfTeam(authentication, #teamId)")
+    @PreAuthorize("@retroAuthorizationService.isUserAllowedInRetro(authentication, #retroId)")
     public ResponseEntity<Void> focusThought(@PathVariable UUID teamId, @PathVariable UUID retroId, @RequestBody FocusRequest request) {
         retroEventService.publishFocus(retroId, request.thoughtId());
         return ResponseEntity.ok().build();
     }
 
     @PostMapping("/focus-clear")
-    @PreAuthorize("@userMappingAuthorizationService.isUserMemberOfTeam(authentication, #teamId)")
+    @PreAuthorize("@retroAuthorizationService.isUserAllowedInRetro(authentication, #retroId)")
     public ResponseEntity<Void> clearFocus(@PathVariable UUID teamId, @PathVariable UUID retroId) {
         retroEventService.publishFocusClear(retroId);
         return ResponseEntity.ok().build();

diff --git a/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java b/src/test/java/io/nickreuter/retroapi/retro/event/RetroEventControllerTest.java
@@ -1,6 +1,7 @@
 package io.nickreuter.retroapi.retro.event;
 
 import com.fasterxml.jackson.databind.ObjectMapper;
+import io.nickreuter.retroapi.retro.RetroAuthorizationService;
 import io.nickreuter.retroapi.team.usermapping.UserMappingAuthorizationService;
 import org.junit.jupiter.api.Test;
 import org.springframework.beans.factory.annotation.Autowired;
@@ -28,6 +29,8 @@ class RetroEventControllerTest {
     private RetroEventService retroEventService;
     @MockitoBean
     private UserMappingAuthorizationService userMappingAuthorizationService;
+    @MockitoBean
+    private RetroAuthorizationService retroAuthorizationService;
 
     @Autowired
     private MockMvc mockMvc;
@@ -110,7 +113,7 @@ void focusThought_Returns200() throws Exception {
         var teamId = UUID.randomUUID();
         var retroId = UUID.randomUUID();
         var thoughtId = UUID.randomUUID();
-        when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(true);
+        when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(true);
         mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, retroId))
                         .with(jwt())
                         .with(csrf())
@@ -131,10 +134,11 @@ void focusThought_WhenAnonymous_Returns401() throws Exception {
     }
 
     @Test
-    void focusThought_WhenNotMember_Returns403() throws Exception {
+    void focusThought_WhenNotAllowedInRetro_Returns403() throws Exception {
         var teamId = UUID.randomUUID();
-        when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(false);
-        mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, UUID.randomUUID()))
+        var retroId = UUID.randomUUID();
+        when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(false);
+        mockMvc.perform(post((BASE_URL + "/focus").formatted(teamId, retroId))
                         .with(jwt())
                         .with(csrf())
                         .contentType(MediaType.APPLICATION_JSON)
@@ -147,7 +151,7 @@ void focusThought_WhenNotMember_Returns403() throws Exception {
     void clearFocus_Returns200() throws Exception {
         var teamId = UUID.randomUUID();
         var retroId = UUID.randomUUID();
-        when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(true);
+        when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(true);
         mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, retroId))
                         .with(jwt())
                         .with(csrf()))
@@ -164,10 +168,11 @@ void clearFocus_WhenAnonymous_Returns401() throws Exception {
     }
 
     @Test
-    void clearFocus_WhenNotMember_Returns403() throws Exception {
+    void clearFocus_WhenNotAllowedInRetro_Returns403() throws Exception {
         var teamId = UUID.randomUUID();
-        when(userMappingAuthorizationService.isUserMemberOfTeam(createAuthentication(), teamId)).thenReturn(false);
-        mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, UUID.randomUUID()))
+        var retroId = UUID.randomUUID();
+        when(retroAuthorizationService.isUserAllowedInRetro(createAuthentication(), retroId)).thenReturn(false);
+        mockMvc.perform(post((BASE_URL + "/focus-clear").formatted(teamId, retroId))
                         .with(jwt())
                         .with(csrf()))
                 .andExpect(status().isForbidden());