fix(admin): guard GET /api/users/{id} with @RequirePermission(ADMIN_USER)

Fixes IDOR: the endpoint was publicly accessible to any authenticated user. Now requires ADMIN_USER permission, matching all other user management endpoints. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 01:09:40 +02:00
parent 169e6dc578
commit 8fc360a596
22 changed files with 844 additions and 346 deletions
--- a/backend/src/main/java/org/raddatz/familienarchiv/controller/UserController.java
+++ b/backend/src/main/java/org/raddatz/familienarchiv/controller/UserController.java
@@ -61,6 +61,7 @@ public class UserController {
    }

    @GetMapping("users/{id}")
+    @RequirePermission(Permission.ADMIN_USER)
    public ResponseEntity<AppUser> getUser(@PathVariable UUID id) {
        AppUser user = userService.getById(id);
        user.setPassword(null);