fix(#71,#73): remove class-level permission gate and add annotationId to notifications

- Remove @RequirePermission(READ_ALL) from NotificationController class level so
  authenticated users with any permission (or none) can access their own notifications
- Add V19 migration, annotationId field to Notification entity and NotificationDTO
- NotificationService now stores annotationId from comment on both REPLY and MENTION
- Update controller tests: permission tests now expect 200, DTO constructor includes annotationId

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/controller/NotificationController.java

@@ -19,7 +19,6 @@ import java.util.UUID;
 
 @RestController
 @RequiredArgsConstructor
-@RequirePermission(Permission.READ_ALL)
 public class NotificationController {
 
     private final NotificationService notificationService;

backend/src/main/java/org/raddatz/familienarchiv/dto/NotificationDTO.java

@@ -10,6 +10,7 @@ public record NotificationDTO(
         NotificationType type,
         UUID documentId,
         UUID referenceId,
+        UUID annotationId,
         boolean read,
         LocalDateTime createdAt,
         String actorName

backend/src/main/java/org/raddatz/familienarchiv/model/Notification.java

@@ -37,6 +37,9 @@ public class Notification {
     @Column(name = "reference_id")
     private UUID referenceId;
 
+    @Column(name = "annotation_id")
+    private UUID annotationId;
+
     @Column(nullable = false)
     @Builder.Default
     @Schema(requiredMode = Schema.RequiredMode.REQUIRED)

backend/src/main/java/org/raddatz/familienarchiv/service/NotificationService.java

@@ -55,6 +55,7 @@ public class NotificationService {
                     .type(NotificationType.REPLY)
                     .documentId(reply.getDocumentId())
                     .referenceId(reply.getId())
+                    .annotationId(reply.getAnnotationId())
                     .actorName(reply.getAuthorName())
                     .build();
             notificationRepository.save(notification);
@@ -80,6 +81,7 @@ public class NotificationService {
                     .type(NotificationType.MENTION)
                     .documentId(comment.getDocumentId())
                     .referenceId(comment.getId())
+                    .annotationId(comment.getAnnotationId())
                     .actorName(comment.getAuthorName())
                     .build();
             notificationRepository.save(notification);
@@ -129,6 +131,7 @@ public class NotificationService {
                 n.getType(),
                 n.getDocumentId(),
                 n.getReferenceId(),
+                n.getAnnotationId(),
                 n.isRead(),
                 n.getCreatedAt(),
                 n.getActorName()

backend/src/main/resources/db/migration/V19__add_annotation_id_to_notifications.sql

@@ -0,0 +1 @@
+ALTER TABLE notifications ADD COLUMN annotation_id UUID;

backend/src/test/java/org/raddatz/familienarchiv/controller/NotificationControllerTest.java

@@ -53,9 +53,14 @@ class NotificationControllerTest {
 
     @Test
     @WithMockUser(username = "testuser")
-    void getNotifications_returns403_whenUserLacksPermission() throws Exception {
+    void getNotifications_returns200_whenAuthenticatedWithNoPermissions() throws Exception {
+        AppUser user = AppUser.builder().id(USER_ID).username("testuser").build();
+        when(userService.findByUsername("testuser")).thenReturn(user);
+        when(notificationService.getNotifications(eq(USER_ID), any()))
+                .thenReturn(new PageImpl<>(List.of()));
+
         mockMvc.perform(get("/api/notifications"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isOk());
     }
 
     @Test
@@ -64,7 +69,7 @@ class NotificationControllerTest {
         AppUser user = AppUser.builder().id(USER_ID).username("testuser").build();
         NotificationDTO dto = new NotificationDTO(
                 UUID.randomUUID(), NotificationType.REPLY, UUID.randomUUID(),
-                UUID.randomUUID(), false, LocalDateTime.now(), "Anna Smith");
+                UUID.randomUUID(), null, false, LocalDateTime.now(), "Anna Smith");
 
         when(userService.findByUsername("testuser")).thenReturn(user);
         when(notificationService.getNotifications(eq(USER_ID), any()))
@@ -185,9 +190,14 @@ class NotificationControllerTest {
 
     @Test
     @WithMockUser(username = "testuser", authorities = {"WRITE_ALL"})
-    void getNotifications_returns403_whenUserHasOnlyWriteAll() throws Exception {
+    void getNotifications_returns200_whenUserHasOnlyWriteAll() throws Exception {
+        AppUser user = AppUser.builder().id(USER_ID).username("testuser").build();
+        when(userService.findByUsername("testuser")).thenReturn(user);
+        when(notificationService.getNotifications(eq(USER_ID), any()))
+                .thenReturn(new PageImpl<>(List.of()));
+
         mockMvc.perform(get("/api/notifications"))
-                .andExpect(status().isForbidden());
+                .andExpect(status().isOk());
     }
 
     // ─── PUT /api/users/me/notification-preferences ──────────────────────────