fix: allow WRITE_ALL users to post, reply, and edit comments

All five comment write endpoints (post doc comment, reply to doc comment, post annotation comment, reply to annotation comment, edit comment) only listed ANNOTATE_ALL in @RequirePermission. Users with WRITE_ALL received 403 on every comment action. Same pattern as the annotation fix. Tests: CommentControllerTest (+5 RED→GREEN for WRITE_ALL on each method). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 15:52:56 +01:00
parent affee407ef
commit 070153a71d
2 changed files with 68 additions and 5 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/CommentController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/CommentController.java
@@ -33,7 +33,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/comments")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment postDocumentComment(
            @PathVariable UUID documentId,
            @RequestBody CreateCommentDTO dto,
@@ -44,7 +44,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/comments/{commentId}/replies")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment replyToDocumentComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,
@@ -63,7 +63,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/annotations/{annotationId}/comments")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment postAnnotationComment(
            @PathVariable UUID documentId,
            @PathVariable UUID annotationId,
@@ -75,7 +75,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/annotations/{annotationId}/comments/{commentId}/replies")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment replyToAnnotationComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,
@@ -88,7 +88,7 @@ public class CommentController {
    // ─── Edit and delete (shared) ─────────────────────────────────────────────

    @PatchMapping("/api/documents/{documentId}/comments/{commentId}")
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment editComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/CommentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/CommentControllerTest.java
@@ -89,6 +89,18 @@ class CommentControllerTest {
                .andExpect(jsonPath("$.content").value("Test comment"));
    }

+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void postDocumentComment_returns201_whenHasWriteAllPermission() throws Exception {
+        DocumentComment saved = DocumentComment.builder()
+                .id(COMMENT_ID).documentId(DOC_ID).authorName("Hans").content("Test comment").build();
+        when(commentService.postComment(any(), any(), any(), any(), any())).thenReturn(saved);
+
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/comments")
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isCreated());
+    }
+
    // ─── POST /api/documents/{documentId}/comments/{commentId}/replies ────────

    @Test
@@ -111,6 +123,19 @@ class CommentControllerTest {
                .andExpect(status().isCreated());
    }

+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void replyToComment_returns201_whenHasWriteAllPermission() throws Exception {
+        DocumentComment saved = DocumentComment.builder()
+                .id(UUID.randomUUID()).documentId(DOC_ID).parentId(COMMENT_ID)
+                .authorName("Anna").content("Test comment").build();
+        when(commentService.replyToComment(any(), any(), any(), any(), any())).thenReturn(saved);
+
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/comments/" + COMMENT_ID + "/replies")
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isCreated());
+    }
+
    // ─── PATCH /api/documents/{documentId}/comments/{commentId} ──────────────

    @Test
@@ -163,6 +188,18 @@ class CommentControllerTest {
                .andExpect(status().isOk());
    }

+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void editComment_returns200_whenHasWriteAllPermission() throws Exception {
+        DocumentComment updated = DocumentComment.builder()
+                .id(COMMENT_ID).documentId(DOC_ID).authorName("Hans").content("Test comment").build();
+        when(commentService.editComment(any(), any(), any(), any())).thenReturn(updated);
+
+        mockMvc.perform(patch("/api/documents/" + DOC_ID + "/comments/" + COMMENT_ID)
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isOk());
+    }
+
    // ─── POST /api/documents/{documentId}/annotations/{annId}/comments ────────

    @Test
@@ -186,6 +223,19 @@ class CommentControllerTest {
                .andExpect(status().isCreated());
    }

+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void postAnnotationComment_returns201_whenHasWriteAllPermission() throws Exception {
+        DocumentComment saved = DocumentComment.builder()
+                .id(UUID.randomUUID()).documentId(DOC_ID).annotationId(ANN_ID)
+                .authorName("Hans").content("Test comment").build();
+        when(commentService.postComment(any(), any(), any(), any(), any())).thenReturn(saved);
+
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/annotations/" + ANN_ID + "/comments")
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isCreated());
+    }
+
    // ─── POST /api/documents/{documentId}/annotations/{annId}/comments/{commentId}/replies ─

    @Test
@@ -200,4 +250,17 @@ class CommentControllerTest {
                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
                .andExpect(status().isCreated());
    }
+
+    @Test
+    @WithMockUser(authorities = "WRITE_ALL")
+    void replyToAnnotationComment_returns201_whenHasWriteAllPermission() throws Exception {
+        DocumentComment saved = DocumentComment.builder()
+                .id(UUID.randomUUID()).documentId(DOC_ID).annotationId(ANN_ID)
+                .parentId(COMMENT_ID).authorName("Anna").content("Test comment").build();
+        when(commentService.replyToComment(any(), any(), any(), any(), any())).thenReturn(saved);
+
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/annotations/" + ANN_ID + "/comments/" + COMMENT_ID + "/replies")
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isCreated());
+    }
 }