From 06ecad5e74a7be656e3581a7561e58777a88a780 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 28 Apr 2026 11:35:39 +0200
Subject: [PATCH] test(stammbaum): prove GET /api/network and GET /api/persons/{id}/relationships reject unauthenticated requests (401)

Addresses @sara blocker: documents that Spring Security's anyRequest().authenticated() guards these read endpoints and provides regression protection against accidental @PermitAll additions in future.

Co-Authored-By: Claude Sonnet 4.6
---
 .../relationship/RelationshipControllerTest.java | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
index 0036c415..d530c83f 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
@@ -46,6 +46,18 @@ class RelationshipControllerTest {
 .andExpect(jsonPath("$.code").value(ErrorCode.RELATIONSHIP_NOT_FOUND.name()));
 }
 
+ @Test
+ void getRelationships_returns401_whenUnauthenticated() throws Exception {
+ mockMvc.perform(get("/api/persons/{id}/relationships", PERSON_ID))
+ .andExpect(status().isUnauthorized());
+ }
+
+ @Test
+ void getNetwork_returns401_whenUnauthenticated() throws Exception {
+ mockMvc.perform(get("/api/network"))
+ .andExpect(status().isUnauthorized());
+ }
+
 @Test
 @WithMockUser(username = "testuser", authorities = {"READ_ALL"})
 void addRelationship_returns403_for_user_with_READ_ALL_only() throws Exception {
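Review bot: The two added tests, `getRelationships_returns401_whenUnauthenticated` and `getNetwork_returns401_whenUnauthenticated`, only guard the production rule if this test class loads the application's own security configuration; the class-level annotations are outside the hunk, so that cannot be confirmed here. In a `@WebMvcTest` slice that does not import the project's filter chain, Spring Boot's default security also answers 401, so both tests would stay green even after a `permitAll()` matcher for `/api/network` was added to the real configuration. If that is the setup, import the real configuration on the class (for example `@Import(SecurityConfig.class)`, using the project's actual class name) and add a comment above the tests such as `// Relies on the production SecurityFilterChain being loaded; default slice security would also return 401.` Both tests would also be stronger if they verified that the mocked service was never called, which shows the request was stopped before it reached the controller.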