From c56fb9ab00389d8ed12007bce6c0a1b94cc96941 Mon Sep 17 00:00:00 2001
From: Harkamal Randhawa
Date: Tue, 10 Mar 2026 16:05:05 -0600
Subject: [PATCH] Backend fixes
---
 .../controller/AdoptionController.java | 13 ++++++++++++
 .../controller/AppointmentController.java | 13 ++++++++++++
 .../exception/GlobalExceptionHandler.java | 20 +++++++++++++++++++
 3 files changed, 46 insertions(+)
diff --git a/src/main/java/com/petshop/backend/controller/AdoptionController.java b/src/main/java/com/petshop/backend/controller/AdoptionController.java
index 17790070..a3f67002 100644
--- a/src/main/java/com/petshop/backend/controller/AdoptionController.java
+++ b/src/main/java/com/petshop/backend/controller/AdoptionController.java
@@ -73,6 +73,19 @@ public class AdoptionController {
 @PostMapping
 @PreAuthorize("hasAnyRole('CUSTOMER', 'STAFF', 'ADMIN')")
 public ResponseEntity createAdoption(@Valid @RequestBody AdoptionRequest request) {
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ String role = authentication.getAuthorities().stream()
+ .findFirst()
+ .map(authority -> authority.getAuthority().replace("ROLE_", ""))
+ .orElse(null);
+
+ if (role != null && role.equals("CUSTOMER")) {
+ Customer customer = AuthenticationHelper.getAuthenticatedCustomer(userRepository, customerRepository);
+ if (!request.getCustomerId().equals(customer.getCustomerId())) {
+ throw new org.springframework.security.access.AccessDeniedException("You can only create adoptions for yourself");
+ }
+ }
+
 return ResponseEntity.status(HttpStatus.CREATED).body(adoptionService.createAdoption(request));
 }
 
diff --git a/src/main/java/com/petshop/backend/controller/AppointmentController.java b/src/main/java/com/petshop/backend/controller/AppointmentController.java
index 20e0c83d..35246e05 100644
--- a/src/main/java/com/petshop/backend/controller/AppointmentController.java
+++ b/src/main/java/com/petshop/backend/controller/AppointmentController.java
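Review bot: The ownership check in createAdoption is keyed on `findFirst()` over the principal's authorities, so it only runs when ROLE_CUSTOMER happens to be the first authority; a principal that passed `hasAnyRole` through ROLE_CUSTOMER but carries another authority ahead of it (the ordering is not controlled by this code) skips the check entirely and can submit an arbitrary customerId, which is a fail-open condition. Replace the role-string derivation with a membership test, `boolean isCustomer = authentication.getAuthorities().stream().anyMatch(a -> "ROLE_CUSTOMER".equals(a.getAuthority()));` and guard on `if (isCustomer) {`. The comparison `!request.getCustomerId().equals(customer.getCustomerId())` throws NullPointerException when the request omits customerId (unless AdoptionRequest already validates it as @NotNull), which surfaces as a 500 through the generic handler rather than a deliberate rejection; flipping it to `!customer.getCustomerId().equals(request.getCustomerId())` fails closed with the same 403. The identical block is added to createAppointment in the next hunk, so both belong in one AuthenticationHelper method called from the two controllers, which would also let the fully-qualified `org.springframework.security.access.AccessDeniedException` become a single import.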
@@ -76,6 +76,19 @@ public class AppointmentController {
 @PostMapping
 @PreAuthorize("hasAnyRole('CUSTOMER', 'STAFF', 'ADMIN')")
 public ResponseEntity createAppointment(@Valid @RequestBody AppointmentRequest request) {
+ Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+ String role = authentication.getAuthorities().stream()
+ .findFirst()
+ .map(authority -> authority.getAuthority().replace("ROLE_", ""))
+ .orElse(null);
+
+ if (role != null && role.equals("CUSTOMER")) {
+ Customer customer = AuthenticationHelper.getAuthenticatedCustomer(userRepository, customerRepository);
+ if (!request.getCustomerId().equals(customer.getCustomerId())) {
+ throw new org.springframework.security.access.AccessDeniedException("You can only create appointments for yourself");
+ }
+ }
+
 return ResponseEntity.status(HttpStatus.CREATED).body(appointmentService.createAppointment(request));
 }
 
diff --git a/src/main/java/com/petshop/backend/exception/GlobalExceptionHandler.java b/src/main/java/com/petshop/backend/exception/GlobalExceptionHandler.java
index 290752dd..40e95bbc 100644
--- a/src/main/java/com/petshop/backend/exception/GlobalExceptionHandler.java
+++ b/src/main/java/com/petshop/backend/exception/GlobalExceptionHandler.java
@@ -51,6 +51,26 @@ public class GlobalExceptionHandler {
 return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
 }
 
+ @ExceptionHandler(org.springframework.security.access.AccessDeniedException.class)
+ public ResponseEntity handleAccessDeniedException(org.springframework.security.access.AccessDeniedException ex) {
+ ErrorResponse error = new ErrorResponse(
+ HttpStatus.FORBIDDEN.value(),
+ ex.getMessage(),
+ LocalDateTime.now()
+ );
+ return ResponseEntity.status(HttpStatus.FORBIDDEN).body(error);
+ }
+
+ @ExceptionHandler(IllegalArgumentException.class)
+ public ResponseEntity handleIllegalArgumentException(IllegalArgumentException ex) {
+ ErrorResponse error = new ErrorResponse(
+ HttpStatus.BAD_REQUEST.value(),
+ ex.getMessage(),
+ LocalDateTime.now()
+ );
+ return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(error);
+ }
+
 @ExceptionHandler(Exception.class)
 public ResponseEntity handleGenericException(Exception ex) {
 ErrorResponse error = new ErrorResponse(
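Review bot: handleIllegalArgumentException echoes `ex.getMessage()` to the client as a 400, but IllegalArgumentException is also raised by framework and library code for internal programming errors, so messages naming internal classes, fields or values will now reach callers (the generic handler that starts at the end of this hunk and continues past it presumably does the same, which is worth checking in the same pass). Consider returning a fixed text for this type, e.g. `"Invalid request"`, and passing `ex.getMessage()` through only for exception types the service layer raises deliberately with client-safe wording. Both new handlers build the same `new ErrorResponse(status.value(), message, LocalDateTime.now())` triple, as the handler above appears to; a private helper `private static ResponseEntity<ErrorResponse> error(HttpStatus status, String message)` would reduce each body to a single return. The fully-qualified `org.springframework.security.access.AccessDeniedException`, written twice in the annotation and the parameter, reads better as an import.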