feat(planning): enforce planner role on slot mutation endpoints

PATCH, DELETE, and POST slot endpoints now return 403 Forbidden
when called by a household member who does not hold the planner role.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-08 22:34:28 +02:00
parent f6265efa92
commit a52b0a9d24
2 changed files with 68 additions and 0 deletions


@@ -1,5 +1,6 @@
package com.recipeapp.planning;
import com.recipeapp.common.RequiresHouseholdRole;
import com.recipeapp.planning.dto.*;
import com.recipeapp.recipe.HouseholdResolver;
import jakarta.validation.Valid;
@@ -40,6 +41,7 @@ public class WeekPlanController {
}
@PostMapping("/{id}/slots")
@RequiresHouseholdRole("planner")
public ResponseEntity<SlotResponse> addSlot(
Principal principal,
@PathVariable UUID id,
@@ -50,6 +52,7 @@ public class WeekPlanController {
}
@PatchMapping("/{planId}/slots/{slotId}")
@RequiresHouseholdRole("planner")
public SlotResponse updateSlot(
Principal principal,
@PathVariable UUID planId,
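Review bot: The added `@RequiresHouseholdRole("planner")` on updateSlot carries only a role name, so the check is only as good as how the enforcing interceptor picks the household — it must be the household that owns the plan identified by `{planId}` (the `HouseholdResolver` import suggests that is the intent, but it is not visible here), not the principal's current or default household, otherwise a planner in one household can still mutate another household's plan and the new 403 only fences out members of the correct one. Worth confirming the test added in this commit covers that cross-household case, and that the interceptor fails closed (403, or 404 if plan existence should not be revealed) when the plan or household cannot be resolved. The role is also a bare string literal repeated across all three endpoints, so a typo such as `"planer"` would not be caught by the compiler; a constant like `@RequiresHouseholdRole(RequiresHouseholdRole.PLANNER)` keeps the three annotations in step. The method body of updateSlot continues past the end of this hunk.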
@@ -61,6 +64,7 @@ public class WeekPlanController {
@DeleteMapping("/{planId}/slots/{slotId}")
@ResponseStatus(HttpStatus.NO_CONTENT)
@RequiresHouseholdRole("planner")
public void deleteSlot(
Principal principal,
@PathVariable UUID planId,