From 6074ac396f59dad20f58c9d76fd05bd1fcf3d094 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 28 Apr 2026 11:38:28 +0200
Subject: [PATCH] docs(stammbaum): document intentional auth design on RelationshipController GET endpoints
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Addresses @markus/@nora suggestion: makes explicit that the missing @RequirePermission on read endpoints is intentional — all authenticated family members may read the family graph; unauthenticated access is still blocked by Spring Security's anyRequest().authenticated() rule.
Co-Authored-By: Claude Sonnet 4.6
---
 .../familienarchiv/relationship/RelationshipController.java | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java b/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
index 210ad41e..80f2faaa 100644
--- a/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/relationship/RelationshipController.java
@@ -34,6 +34,9 @@ public class RelationshipController {
 private final RelationshipService relationshipService;
+ // READ endpoints carry no @RequirePermission: all authenticated users may read the family graph.
+ // Unauthenticated requests are rejected by Spring Security's anyRequest().authenticated() rule.
+ @GetMapping("/api/network") public NetworkDTO getNetwork() { return relationshipService.getFamilyNetwork();
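Review bot: The added comment above `@GetMapping("/api/network")` asserts an invariant that is enforced in a different file — the `anyRequest().authenticated()` rule in the SecurityFilterChain configuration — so nothing here breaks if that config later gains a `permitAll()` matcher that covers `/api/**` or its matcher order changes, and the comment will silently go stale. Pin the intent where it can fail loudly: a security test that asserts an unauthenticated `GET /api/network` is rejected (401/403), and name that test and the config class in the comment, e.g. `// Unauthenticated requests are rejected by anyRequest().authenticated() in the security config; the MockMvc test for GET /api/network without a principal guards this.` The comment also says "all authenticated users" whereas the commit message says "all authenticated family members"; if the user store can hold authenticated accounts that are not (yet) family members (pending or service accounts, say), the read endpoints hand the whole family graph to them, so either state which it is or gate the reads with a read-level `@RequirePermission` or a `hasRole(...)` check rather than bare authentication. Note that the enclosing class begins outside the hunk and `getNetwork()`'s closing brace is past its last line, so whether the comment also covers the other GET endpoints the subject line mentions is not visible here.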