From 2c5cfcedbc53be5c998370edeedfdf737c5996e7 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Mon, 20 Apr 2026 21:05:35 +0200
Subject: [PATCH] feat(documents): gate /incomplete behind WRITE_ALL permission

Only users who can enrich documents should see the queue. Mirrors the frontend guard in enrich/+page.server.ts and closes the CWE-285 gap Nora flagged on issue #296.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 .../familienarchiv/controller/DocumentController.java | 1 +
 .../familienarchiv/controller/DocumentControllerTest.java | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java b/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
index 7d591c3f..359e8355 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/DocumentController.java
@@ -199,6 +199,7 @@ public class DocumentController {
     }
 
     @GetMapping("/incomplete")
+    @RequirePermission(Permission.WRITE_ALL)
     public List getIncomplete(
             @Parameter(description = "Maximum number of results (server caps at 200)")
             @RequestParam(defaultValue = "50") int size) {
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
index 842fe43b..4e6c9c04 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/DocumentControllerTest.java
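Review bot: Gating `GET /incomplete` on WRITE_ALL leaves the sibling `GET /incomplete/next` endpoint, named by the section header in the test file's hunk, unaddressed in this commit; if it hands out the same enrichment queue one item at a time and is not already annotated, the CWE-285 exposure the description cites is only half closed. Only the annotation line is visible here, so whether `/incomplete/next` already carries `@RequirePermission` cannot be confirmed from the diff; it is worth checking and, if missing, adding `@RequirePermission(Permission.WRITE_ALL)` there with a matching 403 test. A GET guarded by a write permission will surprise the next reader, so a one-line why-comment on the new annotation would help: `// WRITE_ALL, not READ_ALL: this queue exists only for enrichment (issue #296)`. getIncomplete's body continues outside the hunk.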
@@ -414,6 +414,13 @@ class DocumentControllerTest { .andExpect(jsonPath("$[0].uploadedAt").exists()); } + @Test + @WithMockUser(authorities = "READ_ALL") + void getIncomplete_returns403_forReaderOnly() throws Exception { + mockMvc.perform(get("/api/documents/incomplete")) + .andExpect(status().isForbidden()); + } + // ─── GET /api/documents/incomplete/next ────────────────────────────────── @Test
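Review bot: The new test pins only the negative path, so an annotation that denied every caller (a wrong permission constant, or an interceptor not wired for this controller) would still pass it; a WRITE_ALL counterpart asserting 200 and an unauthenticated request asserting a 4xx are needed to pin both sides of the guard. The existing positive test that ends just above the insertion point (`.andExpect(jsonPath("$[0].uploadedAt").exists())`) starts outside the hunk, so whether it already runs under `@WithMockUser(authorities = "WRITE_ALL")` cannot be confirmed here; if it does, only the anonymous case is missing. The exact status for the anonymous request (401 versus 403) depends on the security entry-point configuration, which this diff does not show, so the assertion below is deliberately loose.
```java
@Test
@WithMockUser(authorities = "WRITE_ALL")
void getIncomplete_returns200_forWriter() throws Exception {
    mockMvc.perform(get("/api/documents/incomplete"))
            .andExpect(status().isOk());
}

@Test
void getIncomplete_rejectsAnonymous() throws Exception {
    // 401 or 403 depending on the configured entry point; either must not be 200
    mockMvc.perform(get("/api/documents/incomplete"))
            .andExpect(status().is4xxClientError());
}
```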