From eec1b9d1c3a87f677ccb0d63f521d446b2be5903 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 28 Apr 2026 11:36:40 +0200
Subject: [PATCH] test(stammbaum): prove DELETE and PATCH /family-member return 403 for READ_ALL-only users
Addresses @sara blocker: RelationshipControllerTest now has 6 tests covering the two previously untested @RequirePermission(WRITE_ALL) endpoints. Prevents silent permission regression if the controller is refactored.
Co-Authored-By: Claude Sonnet 4.6
---
 .../relationship/RelationshipControllerTest.java | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java b/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
index d530c83f..b4ef3303 100644
--- a/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/relationship/RelationshipControllerTest.java
@@ -66,4 +66,20 @@ class RelationshipControllerTest {
 .content("{\"relatedPersonId\":\"" + OTHER_ID + "\",\"relationType\":\"PARENT_OF\"}"))
 .andExpect(status().isForbidden());
 }
+
+ @Test
+ @WithMockUser(username = "testuser", authorities = {"READ_ALL"})
+ void deleteRelationship_returns403_for_READ_ALL_only_user() throws Exception {
+ mockMvc.perform(delete("/api/persons/{id}/relationships/{relId}", PERSON_ID, UUID.randomUUID()))
+ .andExpect(status().isForbidden());
+ }
+
+ @Test
+ @WithMockUser(username = "testuser", authorities = {"READ_ALL"})
+ void patchFamilyMember_returns403_for_READ_ALL_only_user() throws Exception {
+ mockMvc.perform(patch("/api/persons/{id}/family-member", PERSON_ID)
+ .contentType(MediaType.APPLICATION_JSON)
+ .content("{\"familyMember\":true}"))
+ .andExpect(status().isForbidden());
+ }
 }
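Review bot: Neither new test can distinguish an authorization denial from a CSRF rejection, because with Spring Security's MockMvc support a DELETE or PATCH sent without `.with(csrf())` is answered 403 by the CSRF filter before `@RequirePermission` is ever evaluated, so both tests would keep passing even if the annotation were removed from the controller — unless CSRF is disabled in the security configuration, which this hunk cannot show. To pin the 403 to the permission check, as the commit message claims, each endpoint needs a companion test with `authorities = {"WRITE_ALL"}` asserting a non-403 status, e.g. `.andExpect(status().is(not(403)))`, or a verification in the 403 case that the underlying service mock was never invoked. The hunk adds no imports while using `delete`, `patch`, `UUID` and `MediaType`, so those must already be in scope in the existing test class; worth confirming against the full file. The commit subject "DELETE and PATCH /family-member" reads as though both target /family-member, whereas the delete test exercises `/api/persons/{id}/relationships/{relId}`.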