From 0c51bf7c3da109e39c3ad388dcf19b3d077bb63b Mon Sep 17 00:00:00 2001
From: Jan
Date: Tue, 21 Oct 2025 21:34:20 +0200
Subject: [PATCH] Add version to exec-maven-plugin and enforce role-based access for user and group endpoints
---
 pom.xml | 1 +
 .../java/de/avatic/lcc/controller/users/GroupController.java | 2 ++
 .../java/de/avatic/lcc/controller/users/UserController.java | 3 +++
 3 files changed, 6 insertions(+)
diff --git a/pom.xml b/pom.xml
index 531ca08..5373598 100644
--- a/pom.xml
+++ b/pom.xml
@@ -178,6 +178,7 @@ exec-maven-plugin org.codehaus.mojo + 3.1.0 npm build the vue app
diff --git a/src/main/java/de/avatic/lcc/controller/users/GroupController.java b/src/main/java/de/avatic/lcc/controller/users/GroupController.java
index f466b0b..c36e741 100644
--- a/src/main/java/de/avatic/lcc/controller/users/GroupController.java
+++ b/src/main/java/de/avatic/lcc/controller/users/GroupController.java
@@ -5,6 +5,7 @@ import de.avatic.lcc.repositories.pagination.SearchQueryResult;
 import de.avatic.lcc.service.users.GroupService;
 import jakarta.validation.constraints.Min;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 import java.util.List;
@@ -32,6 +33,7 @@ public class GroupController {
 * @return A ResponseEntity containing the list of groups and pagination headers.
 */
 @GetMapping({"/", ""})
+ @PreAuthorize("hasRole('RIGHT-MANAGMENT')")
 public ResponseEntity> listGroups(@RequestParam(defaultValue = "20") @Min(1) int limit, @RequestParam(defaultValue = "1") @Min(1) int page) {
diff --git a/src/main/java/de/avatic/lcc/controller/users/UserController.java b/src/main/java/de/avatic/lcc/controller/users/UserController.java
index 0c90235..de2a1f6 100644
--- a/src/main/java/de/avatic/lcc/controller/users/UserController.java
+++ b/src/main/java/de/avatic/lcc/controller/users/UserController.java
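Review bot: `@PreAuthorize` on `listGroups` only has an effect when method security is enabled (for example `@EnableMethodSecurity` on a configuration class), and nothing in this patch shows that it is; if it is not, the annotation is ignored and the endpoint stays reachable, so a test that expects 403 for a caller without the role should accompany the change. `hasRole('RIGHT-MANAGMENT')` checks for the authority `ROLE_RIGHT-MANAGMENT` under Spring Security's default prefix; if authorities are granted without `ROLE_`, the expression needs to be `@PreAuthorize("hasAuthority('RIGHT-MANAGMENT')")`. The same literal, spelled `MANAGMENT`, is repeated on `listUsers` and `updateUser` in UserController, so a shared constant would keep it in step with wherever the role is assigned. Only `listGroups` is annotated here and its body and the rest of GroupController lie outside the hunk; if the controller has other handlers, a class-level `@PreAuthorize` would make the restriction the default.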
@@ -6,6 +6,7 @@ import de.avatic.lcc.repositories.pagination.SearchQueryResult;
 import de.avatic.lcc.service.users.UserService;
 import jakarta.validation.constraints.Min;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -35,6 +36,7 @@ public class UserController {
 * @return A ResponseEntity containing the list of users, along with pagination headers.
 */
 @GetMapping({"/", ""})
+ @PreAuthorize("hasRole('RIGHT-MANAGMENT')")
 public ResponseEntity> listUsers( @RequestParam(defaultValue = "20") @Min(1) int limit, @RequestParam(defaultValue = "1") @Min(1) int page) {
@@ -57,6 +59,7 @@ public class UserController {
 * @return A ResponseEntity indicating the operation was successful.
 */
 @PutMapping({"/", ""})
+ @PreAuthorize("hasRole('RIGHT-MANAGMENT')")
 public ResponseEntity updateUser(UserDTO user) {
 userService.updateUser(user);
 return ResponseEntity.ok().build();
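Review bot: `updateUser(UserDTO user)` declares its parameter without `@RequestBody` or `@Valid`, so as written the DTO is bound from request parameters as a model attribute and no cascaded bean validation is requested for it; on the handler that is now the privileged write path the binding should be explicit, e.g. `@RequestBody @Valid UserDTO user` if clients send JSON. If `UserDTO` can carry group or role assignments (its fields are not visible in this patch), the service should also decide whether a caller holding `RIGHT-MANAGMENT` may change their own rights. The method's closing brace lies outside the hunk.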