test(security): add 403 permission test for annotation DELETE endpoint

Confirms that DELETE /api/documents/{id}/annotations/{id} requires at least ANNOTATE_ALL; a user with only READ_ALL receives 403 Forbidden. Closes the permission audit raised during PR review. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
fix(viewer): move delete button inside annotation bounds to prevent edge clipping
2026-04-26 21:37:41 +02:00 · 2026-04-26 21:37:17 +02:00 · 2026-04-26 21:36:51 +02:00 · 2026-04-26 21:36:27 +02:00
4 changed files with 35 additions and 3 deletions
--- a/backend/src/test/java/org/raddatz/familienarchiv/controller/AnnotationControllerTest.java
+++ b/backend/src/test/java/org/raddatz/familienarchiv/controller/AnnotationControllerTest.java
@@ -154,6 +154,13 @@ class AnnotationControllerTest {
                .andExpect(status().isForbidden());
    }

+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void deleteAnnotation_returns403_whenUserHasOnlyReadAllPermission() throws Exception {
+        mockMvc.perform(delete("/api/documents/" + UUID.randomUUID() + "/annotations/" + UUID.randomUUID()))
+                .andExpect(status().isForbidden());
+    }
+
    @Test
    @WithMockUser(authorities = "ANNOTATE_ALL")
    void deleteAnnotation_returns204_whenHasAnnotatePermission() throws Exception {
--- a/frontend/src/lib/components/AnnotationShape.svelte
+++ b/frontend/src/lib/components/AnnotationShape.svelte
@@ -130,8 +130,8 @@ let shapeStyle = $derived(
 			}}
 			style="
 				position: absolute;
-				top: -8px;
-				right: -8px;
+				top: 4px;
+				right: 4px;
 				min-width: 44px;
 				min-height: 44px;
 				display: flex;
--- a/frontend/src/lib/components/AnnotationShape.svelte.spec.ts
+++ b/frontend/src/lib/components/AnnotationShape.svelte.spec.ts
@@ -113,6 +113,28 @@ describe('AnnotationShape', () => {
 		expect(onDeleteRequest).toHaveBeenCalledOnce();
 	});

+	it('does not call onclick when delete button is clicked', async () => {
+		const onclick = vi.fn();
+		const onDeleteRequest = vi.fn();
+
+		render(AnnotationShape, {
+			annotation: makeAnnotation(),
+			isHovered: true,
+			isActive: false,
+			showDelete: true,
+			onDeleteRequest,
+			onclick,
+			onpointerenter: () => {},
+			onpointerleave: () => {}
+		});
+
+		const deleteBtn = page.getByTestId('annotation-delete-ann-1');
+		await deleteBtn.click();
+
+		expect(onclick).not.toHaveBeenCalled();
+		expect(onDeleteRequest).toHaveBeenCalledOnce();
+	});
+
 	it('calls onDeleteRequest when Delete key is pressed on the annotation', async () => {
 		const onDeleteRequest = vi.fn();

--- a/frontend/src/routes/documents/[id]/+page.svelte
+++ b/frontend/src/routes/documents/[id]/+page.svelte
@@ -120,7 +120,10 @@ async function handleAnnotationDeleteRequest(annotationId: string) {
 		await deleteBlock(block.id);
 	} else {
 		// Annotation has no linked block — delete the annotation directly
-		await fetch(`/api/documents/${doc.id}/annotations/${annotationId}`, { method: 'DELETE' });
+		const res = await fetch(`/api/documents/${doc.id}/annotations/${annotationId}`, {
+			method: 'DELETE'
+		});
+		if (!res.ok) throw new Error('Delete annotation failed');
 		annotationReloadKey++;
 	}
 }
Author	SHA1	Message	Date
Marcel	251b5503a2	test(security): add 403 permission test for annotation DELETE endpoint Some checks failed CI / Unit & Component Tests (push) Failing after 3m0s Details CI / OCR Service Tests (push) Successful in 29s Details CI / Backend Unit Tests (push) Failing after 2m51s Details CI / Unit & Component Tests (pull_request) Failing after 3m26s Details CI / OCR Service Tests (pull_request) Successful in 38s Details CI / Backend Unit Tests (pull_request) Failing after 2m54s Details Confirms that DELETE /api/documents/{id}/annotations/{id} requires at least ANNOTATE_ALL; a user with only READ_ALL receives 403 Forbidden. Closes the permission audit raised during PR review. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-26 21:37:41 +02:00
Marcel	007ec65dbd	fix(viewer): move delete button inside annotation bounds to prevent edge clipping Repositioning from top:-8px/right:-8px to top:4px/right:4px ensures the 44px touch target stays fully within the annotation shape. Annotations drawn near the top or right edge of the PDF page no longer risk the button being obscured or inaccessible. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-26 21:37:17 +02:00
Marcel	e95a9312e8	test(viewer): verify delete button click does not bubble to onclick Documents the stopPropagation guarantee: clicking the trash button must not trigger the annotation's onclick (which opens the block detail panel) while the delete confirm is in progress. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-26 21:36:51 +02:00
Marcel	f22596a29d	fix(viewer): check res.ok on orphaned annotation DELETE to surface errors Without the guard, a failed DELETE (4xx/5xx) was silently swallowed and annotationReloadKey was incremented anyway, leaving the annotation visible and the user with no feedback. Now matches the deleteBlock() pattern immediately above. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-04-26 21:36:27 +02:00