fix: allow WRITE_ALL users to post, reply, and edit comments

All five comment write endpoints (post doc comment, reply to doc comment, post annotation comment, reply to annotation comment, edit comment) only listed ANNOTATE_ALL in @RequirePermission. Users with WRITE_ALL received 403 on every comment action. Same pattern as the annotation fix. Tests: CommentControllerTest (+5 RED→GREEN for WRITE_ALL on each method). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-28 15:52:56 +01:00
parent affee407ef
commit 070153a71d
2 changed files with 68 additions and 5 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/CommentController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/CommentController.java
@@ -33,7 +33,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/comments")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment postDocumentComment(
            @PathVariable UUID documentId,
            @RequestBody CreateCommentDTO dto,
@@ -44,7 +44,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/comments/{commentId}/replies")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment replyToDocumentComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,
@@ -63,7 +63,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/annotations/{annotationId}/comments")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment postAnnotationComment(
            @PathVariable UUID documentId,
            @PathVariable UUID annotationId,
@@ -75,7 +75,7 @@ public class CommentController {

    @PostMapping("/api/documents/{documentId}/annotations/{annotationId}/comments/{commentId}/replies")
    @ResponseStatus(HttpStatus.CREATED)
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment replyToAnnotationComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,
@@ -88,7 +88,7 @@ public class CommentController {
    // ─── Edit and delete (shared) ─────────────────────────────────────────────

    @PatchMapping("/api/documents/{documentId}/comments/{commentId}")
-    @RequirePermission(Permission.ANNOTATE_ALL)
+    @RequirePermission({Permission.ANNOTATE_ALL, Permission.WRITE_ALL})
    public DocumentComment editComment(
            @PathVariable UUID documentId,
            @PathVariable UUID commentId,