From 5edefdd0827def47cbfbfcd05db90597110f6b70 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sun, 31 May 2026 11:11:17 +0200
Subject: [PATCH] test(document): document READ_ALL -> 403 on document write endpoints (#696)

Hiding the header upload button is UI polish; the real control is endpoint authz. Add explicit READ_ALL-only 403 boundary tests for POST /api/documents and POST /api/documents/quick-upload, matching the reader-only convention already used elsewhere in this suite.

Co-Authored-By: Claude Sonnet 4.6
---
 .../document/DocumentControllerTest.java | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
index 7c9b28a1..8a09ed73 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
@@ -297,6 +297,13 @@ class DocumentControllerTest {
                 .andExpect(status().isForbidden());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void createDocument_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     @WithMockUser(authorities = "WRITE_ALL")
     void createDocument_returns200_whenHasWritePermission() throws Exception {
@@ -414,6 +421,13 @@ class DocumentControllerTest {
                 .andExpect(status().isForbidden());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void quickUpload_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents/quick-upload").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     @WithMockUser(authorities = "WRITE_ALL")
     void quickUpload_returns200_withValidPdfFile() throws Exception {
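Review bot: Both new tests send an empty multipart with no file part and assert only on the status code, so a reader cannot tell from the test itself whether the 403 is produced by the authority check or by some later validation step; a comment on the `mockMvc.perform(...)` line in `createDocument_returns403_forReaderOnly` would make the intent explicit, e.g. `// Deliberately no file part: READ_ALL must be denied before the body is parsed, so 403 (not 400) is the expected outcome.`. The same comment belongs in `quickUpload_returns403_forReaderOnly` in the second hunk. If the document service is mocked in this test class (its setup is outside the hunk), a `verifyNoInteractions(...)` on that mock after the request would additionally pin that the denial happens before any handler logic runs rather than after a partial write. The enclosing class `DocumentControllerTest` starts and ends outside both hunks.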