Marcel 5ebe1f1a5a feat(person): require READ_ALL permission on GET /api/persons and /api/persons/{id} ...

Defense in depth: until now both list and single-person reads only required
authentication, while the write endpoints (POST/PUT/DELETE) were already
gated with @RequirePermission. The hover-card and typeahead introduced in
issue #362 expose person details (life dates, notes, family relationships)
to anyone who can authenticate — adding READ_ALL aligns the GETs with the
write endpoints and matches the access tier already enforced for documents
and transcription blocks.

Two new controller-slice tests assert 403 when an authenticated user lacks
READ_ALL; existing 200-path tests now stipulate `authorities = "READ_ALL"`
explicitly.

Refs #362

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

2026-04-28 21:02:29 +02:00

..

.mvn/wrapper

build: add mvn properties

2026-03-17 13:33:02 +00:00

api_tests

feat(transcription): add "Alle als fertig markieren" bulk action (#345) (#352)

2026-04-28 08:34:26 +02:00

src

feat(person): require READ_ALL permission on GET /api/persons and /api/persons/{id}

2026-04-28 21:02:29 +02:00

.dockerignore

devops(backend): add .dockerignore to exclude target/ from build context

2026-04-15 11:33:03 +02:00

.gitignore

restructure: flatten workspace nesting, move devcontainer to root

2026-03-15 11:47:58 +01:00

Dockerfile

devops(backend): pin eclipse-temurin tags, skip test compilation, document jar glob

2026-04-15 11:33:03 +02:00

HELP.md

restructure: flatten workspace nesting, move devcontainer to root

2026-03-15 11:47:58 +01:00

mvnw

restructure: flatten workspace nesting, move devcontainer to root

2026-03-15 11:47:58 +01:00

mvnw.cmd

build: add mvn properties

2026-03-17 13:33:02 +00:00

pom.xml

build: add twelvemonkeys-imageio-tiff for thumbnail TIFF support

2026-04-22 21:37:05 +02:00