test(security): lock READ_ALL -> 403 on comment-write endpoints (#697)

Round out the "read-only users can't write anything" boundary: a READ_ALL
principal is forbidden from posting a block comment, replying, and editing a
comment (the prior tests only used a no-authority principal for create).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

backend/src/main/java/org/raddatz/familienarchiv/document/DocumentController.java

@@ -138,7 +138,7 @@ public class DocumentController {
     // --- METADATA ---
     @GetMapping("/{id}")
     public Document getDocument(@PathVariable UUID id) {
-        return documentService.getDocumentById(id);
+        return documentService.getDocumentDetail(id);
     }
 
     @PostMapping(consumes = MediaType.MULTIPART_FORM_DATA_VALUE)

backend/src/main/java/org/raddatz/familienarchiv/document/DocumentService.java

@@ -943,6 +943,18 @@ public class DocumentService {
         Document doc = documentRepository.findById(id)
                 .orElseThrow(() -> DomainException.notFound(ErrorCode.DOCUMENT_NOT_FOUND, "Document not found: " + id));
         tagService.resolveEffectiveColors(doc.getTags());
+        return doc;
+    }
+
+    /**
+     * Loads a document for the detail view, additionally flagging whether it has any
+     * transcription to read. Kept separate from {@link #getDocumentById} so the cheap
+     * existence query only runs for the single-document detail endpoint, not for the
+     * many internal callers that never read the flag.
+     */
+    @Transactional(readOnly = true)
+    public Document getDocumentDetail(UUID id) {
+        Document doc = getDocumentById(id);
         doc.setHasTranscription(transcriptionBlockQueryService.hasBlocks(id));
         return doc;
     }

backend/src/test/java/org/raddatz/familienarchiv/document/DocumentServiceTest.java

@@ -119,23 +119,34 @@ class DocumentServiceTest {
     }
 
     @Test
-    void getDocumentById_setsHasTranscriptionTrue_whenBlocksExist() {
+    void getDocumentById_doesNotQueryTranscription() {
+        UUID id = UUID.randomUUID();
+        Document doc = Document.builder().id(id).title("Test").build();
+        when(documentRepository.findById(id)).thenReturn(Optional.of(doc));
+
+        documentService.getDocumentById(id);
+
+        verifyNoInteractions(transcriptionBlockQueryService);
+    }
+
+    @Test
+    void getDocumentDetail_setsHasTranscriptionTrue_whenBlocksExist() {
         UUID id = UUID.randomUUID();
         Document doc = Document.builder().id(id).title("Test").build();
         when(documentRepository.findById(id)).thenReturn(Optional.of(doc));
         when(transcriptionBlockQueryService.hasBlocks(id)).thenReturn(true);
 
-        assertThat(documentService.getDocumentById(id).isHasTranscription()).isTrue();
+        assertThat(documentService.getDocumentDetail(id).isHasTranscription()).isTrue();
     }
 
     @Test
-    void getDocumentById_setsHasTranscriptionFalse_whenNoBlocksExist() {
+    void getDocumentDetail_setsHasTranscriptionFalse_whenNoBlocksExist() {
         UUID id = UUID.randomUUID();
         Document doc = Document.builder().id(id).title("Test").build();
         when(documentRepository.findById(id)).thenReturn(Optional.of(doc));
         when(transcriptionBlockQueryService.hasBlocks(id)).thenReturn(false);
 
-        assertThat(documentService.getDocumentById(id).isHasTranscription()).isFalse();
+        assertThat(documentService.getDocumentDetail(id).isHasTranscription()).isFalse();
     }
 
     // ─── updateDocument ───────────────────────────────────────────────────────

backend/src/test/java/org/raddatz/familienarchiv/document/comment/CommentControllerTest.java

@@ -94,6 +94,15 @@ class CommentControllerTest {
                 .andExpect(status().isForbidden());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void postBlockComment_returns403_whenUserHasOnlyReadAllPermission() throws Exception {
+        UUID blockId = UUID.randomUUID();
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/transcription-blocks/" + blockId + "/comments").with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     @WithMockUser(authorities = "ANNOTATE_ALL")
     void postBlockComment_returns201_whenHasAnnotatePermission() throws Exception {
@@ -142,6 +151,16 @@ class CommentControllerTest {
                 .andExpect(status().isUnauthorized());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void replyToBlockComment_returns403_whenUserHasOnlyReadAllPermission() throws Exception {
+        UUID blockId = UUID.randomUUID();
+        mockMvc.perform(post("/api/documents/" + DOC_ID + "/transcription-blocks/" + blockId
+                                + "/comments/" + COMMENT_ID + "/replies").with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     @WithMockUser(authorities = "ANNOTATE_ALL")
     void replyToBlockComment_returns201_whenHasPermission() throws Exception {
@@ -181,6 +200,14 @@ class CommentControllerTest {
                 .andExpect(status().isUnauthorized());
     }
 
+    @Test
+    @WithMockUser(authorities = "READ_ALL")
+    void editComment_returns403_whenUserHasOnlyReadAllPermission() throws Exception {
+        mockMvc.perform(patch("/api/documents/" + DOC_ID + "/comments/" + COMMENT_ID).with(csrf())
+                        .contentType(MediaType.APPLICATION_JSON).content(COMMENT_JSON))
+                .andExpect(status().isForbidden());
+    }
+
     @Test
     @WithMockUser(authorities = "ANNOTATE_ALL")
     void editComment_returns200_whenHasPermission() throws Exception {