restrict activity logging to admin and staff only

2026-04-11 23:29:23 -06:00
parent 79b4f7a3e8
commit a3e1f67779
2 changed files with 8 additions and 3 deletions
--- a/backend/src/main/java/com/petshop/backend/config/ActivityLoggingFilter.java
+++ b/backend/src/main/java/com/petshop/backend/config/ActivityLoggingFilter.java
@@ -1,5 +1,6 @@
 package com.petshop.backend.config;

+import com.petshop.backend.entity.User;
 import com.petshop.backend.security.AppPrincipal;
 import com.petshop.backend.service.ActivityLogService;
 import jakarta.servlet.FilterChain;
@@ -57,15 +58,18 @@ import java.io.IOException;
        }

        Long userId = null;
+        User.Role role = null;
        Object principal = authentication.getPrincipal();
        if (principal instanceof AppPrincipal appPrincipal) {
            userId = appPrincipal.getUserId();
+            role = appPrincipal.getRole();
        } else if (authentication instanceof UsernamePasswordAuthenticationToken token
                && token.getPrincipal() instanceof AppPrincipal appPrincipal) {
            userId = appPrincipal.getUserId();
+            role = appPrincipal.getRole();
        }

-        if (userId == null) {
+        if (userId == null || role == null || role == User.Role.CUSTOMER) {
            return;
        }

--- a/backend/src/main/java/com/petshop/backend/controller/AuthController.java
+++ b/backend/src/main/java/com/petshop/backend/controller/AuthController.java
@@ -101,7 +101,6 @@ public class AuthController {
        User savedUser = userRepository.save(user);

        String token = jwtUtil.generateToken(savedUser);
-        activityLogService.record(savedUser.getId(), "POST /api/v1/auth/register -> 201");

        return ResponseEntity.status(HttpStatus.CREATED).body(new RegisterResponse(
                savedUser.getId(),
@@ -124,7 +123,9 @@ public class AuthController {
                    .orElseThrow(() -> new UsernameNotFoundException("User not found"));

            String token = jwtUtil.generateToken(user);
-            activityLogService.record(user.getId(), "POST /api/v1/auth/login -> 200");
+            if (user.getRole() != User.Role.CUSTOMER) {
+                activityLogService.record(user.getId(), "POST /api/v1/auth/login -> 200");
+            }

            return ResponseEntity.ok(new LoginResponse(
                    token,