test(document): document READ_ALL -> 403 on document write endpoints (#696)

Hiding the header upload button is UI polish; the real control is endpoint authz. Add explicit READ_ALL-only 403 boundary tests for POST /api/documents and POST /api/documents/quick-upload, matching the reader-only convention already used elsewhere in this suite. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-31 11:11:17 +02:00
parent 97274beba0
commit 5edefdd082
1 changed files with 14 additions and 0 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/document/DocumentControllerTest.java
@@ -297,6 +297,13 @@ class DocumentControllerTest {
                .andExpect(status().isForbidden());
    }

+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void createDocument_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    @WithMockUser(authorities = "WRITE_ALL")
    void createDocument_returns200_whenHasWritePermission() throws Exception {
@@ -414,6 +421,13 @@ class DocumentControllerTest {
                .andExpect(status().isForbidden());
    }

+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void quickUpload_returns403_forReaderOnly() throws Exception {
+        mockMvc.perform(multipart("/api/documents/quick-upload").with(csrf()))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    @WithMockUser(authorities = "WRITE_ALL")
    void quickUpload_returns200_withValidPdfFile() throws Exception {