Merge pull request #71 from Zenfulcode/70-unauthenticated-error-when-creating-order

gustaavik · web-flow · commit 821cfd30b24b · 2024-12-30T15:42:03.000+01:00
fixing unauthenticated users aka guests, could make order requests
diff --git a/src/main/java/com/zenfulcode/commercify/commercify/config/SecurityConfig.java b/src/main/java/com/zenfulcode/commercify/commercify/config/SecurityConfig.java
@@ -35,7 +35,10 @@ public SecurityFilterChain securityFilterChain(HttpSecurity http) throws Excepti
                         .requestMatchers(
                                 "/api/v1/auth/**",
                                 "/api/v1/products/active",
-                                "/api/v1/products/{id}").permitAll()
+                                "/api/v1/products/{id}",
+                                "/api/v1/orders",
+                                "/api/v1/payments/mobilepay/create",
+                                "/api/v1/payments/stripe/create").permitAll()
                         .anyRequest().authenticated()
                 )
                 .sessionManagement(smc -> smc.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
diff --git a/src/main/java/com/zenfulcode/commercify/commercify/controller/OrderController.java b/src/main/java/com/zenfulcode/commercify/commercify/controller/OrderController.java
@@ -37,6 +37,7 @@ public class OrderController {
             "id", "userId", "status", "currency", "totalAmount", "createdAt", "updatedAt"
     );
 
+    @PreAuthorize("hasRole('USER') and #userId == authentication.principal.id")
     @PostMapping("/{userId}")
     public ResponseEntity<?> createOrder(@PathVariable Long userId, @RequestBody CreateOrderRequest orderRequest) {
         try {
diff --git a/src/main/java/com/zenfulcode/commercify/commercify/integration/mobilepay/MobilePayController.java b/src/main/java/com/zenfulcode/commercify/commercify/integration/mobilepay/MobilePayController.java
@@ -5,6 +5,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 @RestController
@@ -37,6 +38,7 @@ public ResponseEntity<String> handleCallback(
         }
     }
 
+    @PreAuthorize("hasRole('ADMIN')")
     @PostMapping("/webhook")
     public ResponseEntity<String> handleWebhook(
             @RequestParam String paymentReference,

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@`
`5`	`5`	`import lombok.RequiredArgsConstructor;`
`6`	`6`	`import lombok.extern.slf4j.Slf4j;`
`7`	`7`	`import org.springframework.http.ResponseEntity;`
	`8`	`+import org.springframework.security.access.prepost.PreAuthorize;`
`8`	`9`	`import org.springframework.web.bind.annotation.*;`
`9`	`10`
`10`	`11`	`@RestController`
`@@ -37,6 +38,7 @@ public ResponseEntity<String> handleCallback(`
`37`	`38`	`}`
`38`	`39`	`}`
`39`	`40`
	`41`	`+ @PreAuthorize("hasRole('ADMIN')")`
`40`	`42`	`@PostMapping("/webhook")`
`41`	`43`	`public ResponseEntity<String> handleWebhook(`
`42`	`44`	`@RequestParam String paymentReference,`