marcel/familienarchiv
1
0
Fork 0
Code Issues 115 Pull Requests Actions Packages Projects Releases Wiki Activity

refactor(stats): introduce StatsService and require READ_ALL

Browse Source 
StatsController previously injected PersonRepository and DocumentRepository
directly, violating the controller→service→repository layering rule. Move the
two count() calls into a thin StatsService that delegates to PersonService.count
and DocumentService.count. While here, add the missing @RequirePermission(READ_ALL)
flagged by AUDIT-2 §7 — anonymous callers were able to read aggregate document/
person counts.

Refs #417 (C6.1 violation #1).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This commit is contained in:
Marcel
2026-05-04 22:20:14 +02:00
parent eedf5e3ac1
commit d5e0e969ef
6 changed files with 86 additions and 16 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
backend/src/main/java/org/raddatz/familienarchiv/controller/StatsController.java
View File

@@ -1,25 +1,25 @@
package org.raddatz.familienarchiv.controller;
import lombok.RequiredArgsConstructor;
import org.raddatz.familienarchiv.dto.StatsDTO;
import org.raddatz.familienarchiv.repository.DocumentRepository;
import org.raddatz.familienarchiv.repository.PersonRepository;
import org.raddatz.familienarchiv.security.Permission;
import org.raddatz.familienarchiv.security.RequirePermission;
import org.raddatz.familienarchiv.service.StatsService;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;
import lombok.RequiredArgsConstructor;
@RestController
@RequestMapping("/api/stats")
@RequiredArgsConstructor
public class StatsController {
private final PersonRepository personRepository;
private final DocumentRepository documentRepository;
private final StatsService statsService;
@RequirePermission(Permission.READ_ALL)
@GetMapping
public ResponseEntity<StatsDTO> getStats() {
return ResponseEntity.ok(new StatsDTO(personRepository.count(), documentRepository.count()));
return ResponseEntity.ok(statsService.getStats());
}
}

4
backend/src/main/java/org/raddatz/familienarchiv/service/DocumentService.java
View File

@@ -73,6 +73,10 @@ public class DocumentService {
public record StoreResult(Document document, boolean isNew) {}
public long count() {
return documentRepository.count();
}
public Map<UUID, String> findTitlesByIds(Collection<UUID> ids) {
if (ids.isEmpty()) return Map.of();
Map<UUID, String> titles = new HashMap<>();

4
backend/src/main/java/org/raddatz/familienarchiv/service/PersonService.java
View File

@@ -46,6 +46,10 @@ public class PersonService {
.orElseThrow(() -> DomainException.notFound(ErrorCode.PERSON_NOT_FOUND, "Person not found: " + id));
}
public long count() {
return personRepository.count();
}
public List<Person> findCorrespondents(UUID personId, String q) {
if (q != null && !q.isBlank()) {
return personRepository.findCorrespondentsWithFilter(personId, q);

17
backend/src/main/java/org/raddatz/familienarchiv/service/StatsService.java Normal file
View File

@@ -0,0 +1,17 @@
package org.raddatz.familienarchiv.service;
import lombok.RequiredArgsConstructor;
import org.raddatz.familienarchiv.dto.StatsDTO;
import org.springframework.stereotype.Service;
@Service
@RequiredArgsConstructor
public class StatsService {
private final PersonService personService;
private final DocumentService documentService;
public StatsDTO getStats() {
return new StatsDTO(personService.count(), documentService.count());
}
}