FEAT : mise en place d'une securite globale via ACL

src/main/java/local/epul4a/fotosharing/controller/AlbumController.java

@@ -6,6 +6,7 @@ import local.epul4a.fotosharing.service.AlbumService;
 import local.epul4a.fotosharing.service.PartageService;
 import local.epul4a.fotosharing.service.PhotoService;
 import org.springframework.data.domain.Page;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.stereotype.Controller;
 import org.springframework.ui.Model;
@@ -59,6 +60,7 @@ public class AlbumController {
 
     /* ============================ DETAIL ALBUM ============================ */
     @GetMapping("/album/{id}")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
     public String viewAlbum(
             @PathVariable Long id,
             Authentication auth,
@@ -79,6 +81,8 @@ public class AlbumController {
 
     /* ============================ AJOUT PHOTO ============================ */
     @PostMapping("/album/{id}/add")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
+
     public String addPhoto(
             @PathVariable Long id,
             @RequestParam Long photoId,
@@ -95,6 +99,7 @@ public class AlbumController {
 
     /* ============================ RETIRER PHOTO ============================ */
     @GetMapping("/album/{id}/remove/{photoId}")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
     public String removePhoto(
             @PathVariable Long id,
             @PathVariable Long photoId,
@@ -106,6 +111,7 @@ public class AlbumController {
 
     /* ============================ SUPPRESSION ALBUM ============================ */
     @GetMapping("/album/{id}/delete")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
     public String deleteAlbum(
             @PathVariable Long id,
             Authentication auth
@@ -116,6 +122,7 @@ public class AlbumController {
 
     /* ============================ PARTAGE ALBUM ============================ */
     @PostMapping("/album/{id}/share")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
     public String shareAlbum(
             @PathVariable Long id,
             @RequestParam String email,
@@ -144,6 +151,7 @@ public class AlbumController {
 
     /* ============================ MAJ PARTAGE ALBUM ============================ */
     @PostMapping("/album/{id}/share/update")
+    @PreAuthorize("@securityService.canViewAlbum(authentication, #id)")
     public String updateAlbumShare(
             @PathVariable Long id,
             @RequestParam String email,

src/main/java/local/epul4a/fotosharing/security/SecurityService.java

@@ -20,4 +20,41 @@ public class SecurityService {
         // Vérification basée sur les ACL (READ / COMMENT / ADMIN)
         return partageService.canView(photoId, email);
     }
+    public boolean canCommentPhoto(Authentication authentication, Long photoId) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return false;
+        }
+        return partageService.canComment(photoId, authentication.getName());
+    }
+
+    public boolean canAdminPhoto(Authentication authentication, Long photoId) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return false;
+        }
+        return partageService.canAdmin(photoId, authentication.getName());
+    }
+
+
+    /* =============================== ALBUMS =============================== */
+
+    public boolean canViewAlbum(Authentication authentication, Long albumId) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return false;
+        }
+        return partageService.canViewAlbum(albumId, authentication.getName());
+    }
+
+    public boolean canCommentAlbum(Authentication authentication, Long albumId) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return false;
+        }
+        return partageService.canCommentAlbum(albumId, authentication.getName());
+    }
+
+    public boolean canAdminAlbum(Authentication authentication, Long albumId) {
+        if (authentication == null || !authentication.isAuthenticated()) {
+            return false;
+        }
+        return partageService.canAdminAlbum(albumId, authentication.getName());
+    }
 }