test(stammbaum): prove DELETE and PATCH /family-member return 403 for READ_ALL-only users

Addresses @sara blocker: RelationshipControllerTest now has 6 tests covering the two previously untested @RequirePermission(WRITE_ALL) endpoints. Prevents silent permission regression if the controller is refactored. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-28 11:36:40 +02:00
parent 06ecad5e74
commit e94e9a3573
1 changed files with 16 additions and 0 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
@@ -66,4 +66,20 @@ class RelationshipControllerTest {
                        .content("{\"relatedPersonId\":\"" + OTHER_ID + "\",\"relationType\":\"PARENT_OF\"}"))
                .andExpect(status().isForbidden());
    }
+
+    @Test
+    @WithMockUser(username = "testuser", authorities = {"READ_ALL"})
+    void deleteRelationship_returns403_for_READ_ALL_only_user() throws Exception {
+        mockMvc.perform(delete("/api/persons/{id}/relationships/{relId}", PERSON_ID, UUID.randomUUID()))
+                .andExpect(status().isForbidden());
+    }
+
+    @Test
+    @WithMockUser(username = "testuser", authorities = {"READ_ALL"})
+    void patchFamilyMember_returns403_for_READ_ALL_only_user() throws Exception {
+        mockMvc.perform(patch("/api/persons/{id}/family-member", PERSON_ID)
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .content("{\"familyMember\":true}"))
+                .andExpect(status().isForbidden());
+    }
 }