fix(#71-#73): address all review findings from Markus and Sara
BLOCKERs: - Remove direct AppUserRepository/CommentRepository access from CommentService and NotificationService — replaced with UserService.findAllById() and UserService (fixes layering contract from CLAUDE.md) - Switch Optional<JavaMailSender> constructor injection — removes @Autowired(required=false) field and ReflectionTestUtils hack in tests - Add @RequirePermission(READ_ALL) to UserSearchController — prevents user enumeration without read access Data bug: - Promote actorName from @Transient to persisted VARCHAR column (V18 migration) - Set actorName in notifyReply and notifyMentions from comment.getAuthorName() Architecture: - Add @RequirePermission(READ_ALL) to NotificationController - Introduce NotificationDTO — controller returns DTO instead of Notification entity, eliminating lazy-load N+1 and AppUser field leakage - Change mentions FetchType to EAGER — fixes LazyInitializationException outside transaction - Add @Transactional(propagation=REQUIRES_NEW) to notifyReply/notifyMentions so a notification failure cannot roll back the parent comment - N+1 fix: replace per-ID findById loops with single findAllById bulk fetch - Move collectParticipantIds to CommentService; notifyReply accepts Set<UUID> directly Security: - Escape displayName before injecting into renderBody HTML span - Replace <a href="#"> with <span class="mention"> — no profile page to link to, and the anchor's scroll-to-top behaviour is harmful Tests added/fixed: - markRead_throwsNotFound, markAllRead_delegatesToRepository, countUnread_delegatesToRepository - markOneRead_returns401, @RequirePermission 403 coverage for both controllers - postComment/replyToComment_triggersNotifyMentions_whenMentionedUserIdsProvided - search_returnsAtMostTenResults now asserts $.length() <= 10 - XSS regression test for escaped displayName in mention.spec.ts Frontend minors: - relativeTime() uses Intl.RelativeTimeFormat (locale-aware, not German-hardcoded) - aria-label uses m.notification_unread() Paraglide key (de/en/es added) - <div role="button"> replaced with <button> (native Enter+Space handling) - onDestroy clears debounceTimer in MentionEditor - setTimeout(100) replaced with await tick() + requestAnimationFrame in CommentThread - Notification prefs form uses checkbox name attributes + formData.has() pattern Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marcel
@@ -1,9 +1,11 @@
|
||||
package org.raddatz.familienarchiv.controller;
|
||||
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import org.raddatz.familienarchiv.dto.NotificationDTO;
|
||||
import org.raddatz.familienarchiv.dto.NotificationPreferenceDTO;
|
||||
import org.raddatz.familienarchiv.model.AppUser;
|
||||
import org.raddatz.familienarchiv.model.Notification;
|
||||
import org.raddatz.familienarchiv.security.Permission;
|
||||
import org.raddatz.familienarchiv.security.RequirePermission;
|
||||
import org.raddatz.familienarchiv.service.NotificationService;
|
||||
import org.raddatz.familienarchiv.service.UserService;
|
||||
import org.springframework.data.domain.Page;
|
||||
@@ -17,13 +19,14 @@ import java.util.UUID;
|
||||
|
||||
@RestController
|
||||
@RequiredArgsConstructor
|
||||
@RequirePermission(Permission.READ_ALL)
|
||||
public class NotificationController {
|
||||
|
||||
private final NotificationService notificationService;
|
||||
private final UserService userService;
|
||||
|
||||
@GetMapping("/api/notifications")
|
||||
public Page<Notification> getNotifications(
|
||||
public Page<NotificationDTO> getNotifications(
|
||||
@RequestParam(defaultValue = "0") int page,
|
||||
@RequestParam(defaultValue = "10") int size,
|
||||
Authentication authentication) {
|
||||
@@ -40,7 +43,7 @@ public class NotificationController {
|
||||
}
|
||||
|
||||
@PatchMapping("/api/notifications/{id}/read")
|
||||
public Notification markOneRead(
|
||||
public NotificationDTO markOneRead(
|
||||
@PathVariable UUID id,
|
||||
Authentication authentication) {
|
||||
AppUser user = resolveUser(authentication);
|
||||
|
||||
@@ -3,6 +3,8 @@ package org.raddatz.familienarchiv.controller;
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import org.raddatz.familienarchiv.dto.MentionDTO;
|
||||
import org.raddatz.familienarchiv.model.AppUser;
|
||||
import org.raddatz.familienarchiv.security.Permission;
|
||||
import org.raddatz.familienarchiv.security.RequirePermission;
|
||||
import org.raddatz.familienarchiv.service.UserSearchService;
|
||||
import org.springframework.web.bind.annotation.GetMapping;
|
||||
import org.springframework.web.bind.annotation.RequestParam;
|
||||
@@ -12,6 +14,7 @@ import java.util.List;
|
||||
|
||||
@RestController
|
||||
@RequiredArgsConstructor
|
||||
@RequirePermission(Permission.READ_ALL)
|
||||
public class UserSearchController {
|
||||
|
||||
private final UserSearchService userSearchService;
|
||||
|
||||
@@ -0,0 +1,16 @@
|
||||
package org.raddatz.familienarchiv.dto;
|
||||
|
||||
import org.raddatz.familienarchiv.model.NotificationType;
|
||||
|
||||
import java.time.LocalDateTime;
|
||||
import java.util.UUID;
|
||||
|
||||
public record NotificationDTO(
|
||||
UUID id,
|
||||
NotificationType type,
|
||||
UUID documentId,
|
||||
UUID referenceId,
|
||||
boolean read,
|
||||
LocalDateTime createdAt,
|
||||
String actorName
|
||||
) {}
|
||||
@@ -64,7 +64,7 @@ public class DocumentComment {
|
||||
private List<DocumentComment> replies = new ArrayList<>();
|
||||
|
||||
// JPA join table for structured mention references — not serialized directly
|
||||
@ManyToMany(fetch = FetchType.LAZY)
|
||||
@ManyToMany(fetch = FetchType.EAGER)
|
||||
@JoinTable(
|
||||
name = "comment_mentions",
|
||||
joinColumns = @JoinColumn(name = "comment_id"),
|
||||
|
||||
@@ -46,8 +46,7 @@ public class Notification {
|
||||
@Schema(requiredMode = Schema.RequiredMode.REQUIRED)
|
||||
private LocalDateTime createdAt;
|
||||
|
||||
// Populated by NotificationService before serialization — not persisted.
|
||||
@Transient
|
||||
@Column(name = "actor_name")
|
||||
@Schema(requiredMode = Schema.RequiredMode.REQUIRED)
|
||||
private String actorName;
|
||||
}
|
||||
|
||||
@@ -8,7 +8,6 @@ import org.springframework.data.jpa.repository.Modifying;
|
||||
import org.springframework.data.jpa.repository.Query;
|
||||
import org.springframework.data.repository.query.Param;
|
||||
|
||||
import java.util.List;
|
||||
import java.util.UUID;
|
||||
|
||||
public interface NotificationRepository extends JpaRepository<Notification, UUID> {
|
||||
@@ -20,6 +19,4 @@ public interface NotificationRepository extends JpaRepository<Notification, UUID
|
||||
@Modifying
|
||||
@Query("UPDATE Notification n SET n.read = true WHERE n.recipient.id = :userId")
|
||||
void markAllReadByRecipientId(@Param("userId") UUID userId);
|
||||
|
||||
List<Notification> findByRecipientIdOrderByCreatedAtDesc(UUID recipientId);
|
||||
}
|
||||
|
||||
@@ -6,12 +6,13 @@ import org.raddatz.familienarchiv.exception.DomainException;
|
||||
import org.raddatz.familienarchiv.exception.ErrorCode;
|
||||
import org.raddatz.familienarchiv.model.AppUser;
|
||||
import org.raddatz.familienarchiv.model.DocumentComment;
|
||||
import org.raddatz.familienarchiv.repository.AppUserRepository;
|
||||
import org.raddatz.familienarchiv.repository.CommentRepository;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.transaction.annotation.Transactional;
|
||||
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Set;
|
||||
import java.util.UUID;
|
||||
|
||||
@Service
|
||||
@@ -19,7 +20,7 @@ import java.util.UUID;
|
||||
public class CommentService {
|
||||
|
||||
private final CommentRepository commentRepository;
|
||||
private final AppUserRepository userRepository;
|
||||
private final UserService userService;
|
||||
private final NotificationService notificationService;
|
||||
|
||||
public List<DocumentComment> getCommentsForDocument(UUID documentId) {
|
||||
@@ -73,7 +74,10 @@ public class CommentService {
|
||||
saveMentions(reply, mentionedUserIds);
|
||||
DocumentComment saved = commentRepository.save(reply);
|
||||
withMentionDTOs(saved);
|
||||
notificationService.notifyReply(saved, root);
|
||||
|
||||
Set<UUID> participantIds = collectParticipantIds(root);
|
||||
participantIds.remove(author.getId());
|
||||
notificationService.notifyReply(saved, participantIds);
|
||||
notificationService.notifyMentions(mentionedUserIds, saved);
|
||||
return saved;
|
||||
}
|
||||
@@ -99,6 +103,10 @@ public class CommentService {
|
||||
commentRepository.delete(comment);
|
||||
}
|
||||
|
||||
public List<DocumentComment> findReplies(UUID parentId) {
|
||||
return commentRepository.findByParentId(parentId);
|
||||
}
|
||||
|
||||
// ─── private helpers ──────────────────────────────────────────────────────
|
||||
|
||||
private List<DocumentComment> withRepliesAndMentions(List<DocumentComment> roots) {
|
||||
@@ -113,7 +121,7 @@ public class CommentService {
|
||||
|
||||
private void saveMentions(DocumentComment comment, List<UUID> mentionedUserIds) {
|
||||
if (mentionedUserIds == null || mentionedUserIds.isEmpty()) return;
|
||||
List<AppUser> users = userRepository.findAllById(mentionedUserIds);
|
||||
List<AppUser> users = userService.findAllById(mentionedUserIds);
|
||||
comment.setMentions(users);
|
||||
}
|
||||
|
||||
@@ -124,6 +132,16 @@ public class CommentService {
|
||||
comment.setMentionDTOs(dtos);
|
||||
}
|
||||
|
||||
private Set<UUID> collectParticipantIds(DocumentComment root) {
|
||||
Set<UUID> ids = new LinkedHashSet<>();
|
||||
if (root.getAuthorId() != null) ids.add(root.getAuthorId());
|
||||
commentRepository.findByParentId(root.getId())
|
||||
.forEach(reply -> {
|
||||
if (reply.getAuthorId() != null) ids.add(reply.getAuthorId());
|
||||
});
|
||||
return ids;
|
||||
}
|
||||
|
||||
private DocumentComment findComment(UUID documentId, UUID commentId) {
|
||||
return commentRepository.findById(commentId)
|
||||
.filter(c -> documentId.equals(c.getDocumentId()))
|
||||
|
||||
@@ -2,16 +2,14 @@ package org.raddatz.familienarchiv.service;
|
||||
|
||||
import lombok.RequiredArgsConstructor;
|
||||
import lombok.extern.slf4j.Slf4j;
|
||||
import org.raddatz.familienarchiv.dto.NotificationDTO;
|
||||
import org.raddatz.familienarchiv.exception.DomainException;
|
||||
import org.raddatz.familienarchiv.exception.ErrorCode;
|
||||
import org.raddatz.familienarchiv.model.AppUser;
|
||||
import org.raddatz.familienarchiv.model.DocumentComment;
|
||||
import org.raddatz.familienarchiv.model.Notification;
|
||||
import org.raddatz.familienarchiv.model.NotificationType;
|
||||
import org.raddatz.familienarchiv.repository.AppUserRepository;
|
||||
import org.raddatz.familienarchiv.repository.CommentRepository;
|
||||
import org.raddatz.familienarchiv.repository.NotificationRepository;
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.beans.factory.annotation.Value;
|
||||
import org.springframework.data.domain.Page;
|
||||
import org.springframework.data.domain.Pageable;
|
||||
@@ -19,9 +17,9 @@ import org.springframework.mail.MailException;
|
||||
import org.springframework.mail.SimpleMailMessage;
|
||||
import org.springframework.mail.javamail.JavaMailSender;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.transaction.annotation.Propagation;
|
||||
import org.springframework.transaction.annotation.Transactional;
|
||||
|
||||
import java.util.LinkedHashSet;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
import java.util.Set;
|
||||
@@ -33,11 +31,8 @@ import java.util.UUID;
|
||||
public class NotificationService {
|
||||
|
||||
private final NotificationRepository notificationRepository;
|
||||
private final CommentRepository commentRepository;
|
||||
private final AppUserRepository userRepository;
|
||||
|
||||
@Autowired(required = false)
|
||||
private JavaMailSender mailSender;
|
||||
private final UserService userService;
|
||||
private final Optional<JavaMailSender> mailSender;
|
||||
|
||||
@Value("${app.mail.from:noreply@familienarchiv.local}")
|
||||
private String mailFrom;
|
||||
@@ -46,24 +41,21 @@ public class NotificationService {
|
||||
private String baseUrl;
|
||||
|
||||
/**
|
||||
* Creates REPLY notifications for all participants in the thread that the given reply belongs to,
|
||||
* excluding the replier themselves.
|
||||
* Creates REPLY notifications for all participants in the thread, excluding the replier.
|
||||
* Runs in a separate transaction so a notification failure cannot roll back the parent comment.
|
||||
*/
|
||||
@Transactional
|
||||
public void notifyReply(DocumentComment reply, DocumentComment root) {
|
||||
Set<UUID> participantIds = collectParticipantIds(root);
|
||||
participantIds.remove(reply.getAuthorId());
|
||||
@Transactional(propagation = Propagation.REQUIRES_NEW)
|
||||
public void notifyReply(DocumentComment reply, Set<UUID> participantIds) {
|
||||
if (participantIds.isEmpty()) return;
|
||||
|
||||
for (UUID participantId : participantIds) {
|
||||
Optional<AppUser> recipientOpt = userRepository.findById(participantId);
|
||||
if (recipientOpt.isEmpty()) continue;
|
||||
|
||||
AppUser recipient = recipientOpt.get();
|
||||
List<AppUser> recipients = userService.findAllById(participantIds);
|
||||
for (AppUser recipient : recipients) {
|
||||
Notification notification = Notification.builder()
|
||||
.recipient(recipient)
|
||||
.type(NotificationType.REPLY)
|
||||
.documentId(reply.getDocumentId())
|
||||
.referenceId(reply.getId())
|
||||
.actorName(reply.getAuthorName())
|
||||
.build();
|
||||
notificationRepository.save(notification);
|
||||
|
||||
@@ -75,19 +67,20 @@ public class NotificationService {
|
||||
|
||||
/**
|
||||
* Creates MENTION notifications for each mentioned user.
|
||||
* Runs in a separate transaction so a notification failure cannot roll back the parent comment.
|
||||
*/
|
||||
@Transactional
|
||||
@Transactional(propagation = Propagation.REQUIRES_NEW)
|
||||
public void notifyMentions(List<UUID> mentionedUserIds, DocumentComment comment) {
|
||||
for (UUID mentionedUserId : mentionedUserIds) {
|
||||
Optional<AppUser> recipientOpt = userRepository.findById(mentionedUserId);
|
||||
if (recipientOpt.isEmpty()) continue;
|
||||
if (mentionedUserIds == null || mentionedUserIds.isEmpty()) return;
|
||||
|
||||
AppUser recipient = recipientOpt.get();
|
||||
List<AppUser> recipients = userService.findAllById(mentionedUserIds);
|
||||
for (AppUser recipient : recipients) {
|
||||
Notification notification = Notification.builder()
|
||||
.recipient(recipient)
|
||||
.type(NotificationType.MENTION)
|
||||
.documentId(comment.getDocumentId())
|
||||
.referenceId(comment.getId())
|
||||
.actorName(comment.getAuthorName())
|
||||
.build();
|
||||
notificationRepository.save(notification);
|
||||
|
||||
@@ -97,8 +90,9 @@ public class NotificationService {
|
||||
}
|
||||
}
|
||||
|
||||
public Page<Notification> getNotifications(UUID userId, Pageable pageable) {
|
||||
return notificationRepository.findByRecipientIdOrderByCreatedAtDesc(userId, pageable);
|
||||
public Page<NotificationDTO> getNotifications(UUID userId, Pageable pageable) {
|
||||
return notificationRepository.findByRecipientIdOrderByCreatedAtDesc(userId, pageable)
|
||||
.map(this::toDTO);
|
||||
}
|
||||
|
||||
public long countUnread(UUID userId) {
|
||||
@@ -111,7 +105,7 @@ public class NotificationService {
|
||||
}
|
||||
|
||||
@Transactional
|
||||
public Notification markRead(UUID notificationId, UUID userId) {
|
||||
public NotificationDTO markRead(UUID notificationId, UUID userId) {
|
||||
Notification notification = notificationRepository.findById(notificationId)
|
||||
.orElseThrow(() -> DomainException.notFound(
|
||||
ErrorCode.NOTIFICATION_NOT_FOUND, "Notification not found: " + notificationId));
|
||||
@@ -119,29 +113,26 @@ public class NotificationService {
|
||||
throw DomainException.forbidden("Notification belongs to a different user");
|
||||
}
|
||||
notification.setRead(true);
|
||||
return notificationRepository.save(notification);
|
||||
return toDTO(notificationRepository.save(notification));
|
||||
}
|
||||
|
||||
@Transactional
|
||||
public AppUser updatePreferences(UUID userId, boolean notifyOnReply, boolean notifyOnMention) {
|
||||
AppUser user = userRepository.findById(userId)
|
||||
.orElseThrow(() -> DomainException.notFound(ErrorCode.USER_NOT_FOUND, "User not found: " + userId));
|
||||
user.setNotifyOnReply(notifyOnReply);
|
||||
user.setNotifyOnMention(notifyOnMention);
|
||||
return userRepository.save(user);
|
||||
return userService.updateNotificationPreferences(userId, notifyOnReply, notifyOnMention);
|
||||
}
|
||||
|
||||
// ─── private helpers ──────────────────────────────────────────────────────
|
||||
|
||||
private Set<UUID> collectParticipantIds(DocumentComment root) {
|
||||
Set<UUID> ids = new LinkedHashSet<>();
|
||||
if (root.getAuthorId() != null) ids.add(root.getAuthorId());
|
||||
|
||||
commentRepository.findByParentId(root.getId())
|
||||
.forEach(reply -> {
|
||||
if (reply.getAuthorId() != null) ids.add(reply.getAuthorId());
|
||||
});
|
||||
return ids;
|
||||
private NotificationDTO toDTO(Notification n) {
|
||||
return new NotificationDTO(
|
||||
n.getId(),
|
||||
n.getType(),
|
||||
n.getDocumentId(),
|
||||
n.getReferenceId(),
|
||||
n.isRead(),
|
||||
n.getCreatedAt(),
|
||||
n.getActorName()
|
||||
);
|
||||
}
|
||||
|
||||
private void buildCommentPath(DocumentComment comment, StringBuilder sb) {
|
||||
@@ -152,7 +143,7 @@ public class NotificationService {
|
||||
}
|
||||
|
||||
private void sendNotificationEmail(AppUser recipient, DocumentComment comment, NotificationType type) {
|
||||
if (mailSender == null) {
|
||||
if (mailSender.isEmpty()) {
|
||||
log.warn("Mail sender not configured — skipping notification email to {}", recipient.getEmail());
|
||||
return;
|
||||
}
|
||||
@@ -179,7 +170,7 @@ public class NotificationService {
|
||||
message.setText(body);
|
||||
|
||||
try {
|
||||
mailSender.send(message);
|
||||
mailSender.get().send(message);
|
||||
} catch (MailException e) {
|
||||
log.error("Failed to send notification email to {}: {}", recipient.getEmail(), e.getMessage());
|
||||
}
|
||||
|
||||
@@ -18,6 +18,7 @@ import org.springframework.security.crypto.password.PasswordEncoder;
|
||||
import org.springframework.stereotype.Service;
|
||||
import org.springframework.transaction.annotation.Transactional;
|
||||
|
||||
import java.util.Collection;
|
||||
import java.util.HashSet;
|
||||
import java.util.List;
|
||||
import java.util.Optional;
|
||||
@@ -78,6 +79,18 @@ public class UserService {
|
||||
.orElseThrow(() -> DomainException.notFound(ErrorCode.USER_NOT_FOUND, "No user found for id: " + id));
|
||||
}
|
||||
|
||||
public List<AppUser> findAllById(Collection<UUID> ids) {
|
||||
return userRepository.findAllById(ids);
|
||||
}
|
||||
|
||||
@Transactional
|
||||
public AppUser updateNotificationPreferences(UUID userId, boolean notifyOnReply, boolean notifyOnMention) {
|
||||
AppUser user = getById(userId);
|
||||
user.setNotifyOnReply(notifyOnReply);
|
||||
user.setNotifyOnMention(notifyOnMention);
|
||||
return userRepository.save(user);
|
||||
}
|
||||
|
||||
@Transactional
|
||||
public AppUser updateProfile(UUID userId, UpdateProfileDTO dto) {
|
||||
AppUser user = getById(userId);
|
||||
|
||||
@@ -0,0 +1 @@
|
||||
ALTER TABLE notifications ADD COLUMN actor_name VARCHAR(255);
|
||||
Reference in New Issue
Block a user