Backend fixes

src/main/java/com/petshop/backend/controller/AdoptionController.java

@@ -73,6 +73,19 @@ public class AdoptionController {
     @PostMapping
     @PreAuthorize("hasAnyRole('CUSTOMER', 'STAFF', 'ADMIN')")
     public ResponseEntity<AdoptionResponse> createAdoption(@Valid @RequestBody AdoptionRequest request) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String role = authentication.getAuthorities().stream()
+                .findFirst()
+                .map(authority -> authority.getAuthority().replace("ROLE_", ""))
+                .orElse(null);
+
+        if (role != null && role.equals("CUSTOMER")) {
+            Customer customer = AuthenticationHelper.getAuthenticatedCustomer(userRepository, customerRepository);
+            if (!request.getCustomerId().equals(customer.getCustomerId())) {
+                throw new org.springframework.security.access.AccessDeniedException("You can only create adoptions for yourself");
+            }
+        }
+
         return ResponseEntity.status(HttpStatus.CREATED).body(adoptionService.createAdoption(request));
     }
 

src/main/java/com/petshop/backend/controller/AppointmentController.java

@@ -76,6 +76,19 @@ public class AppointmentController {
     @PostMapping
     @PreAuthorize("hasAnyRole('CUSTOMER', 'STAFF', 'ADMIN')")
     public ResponseEntity<AppointmentResponse> createAppointment(@Valid @RequestBody AppointmentRequest request) {
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String role = authentication.getAuthorities().stream()
+                .findFirst()
+                .map(authority -> authority.getAuthority().replace("ROLE_", ""))
+                .orElse(null);
+
+        if (role != null && role.equals("CUSTOMER")) {
+            Customer customer = AuthenticationHelper.getAuthenticatedCustomer(userRepository, customerRepository);
+            if (!request.getCustomerId().equals(customer.getCustomerId())) {
+                throw new org.springframework.security.access.AccessDeniedException("You can only create appointments for yourself");
+            }
+        }
+
         return ResponseEntity.status(HttpStatus.CREATED).body(appointmentService.createAppointment(request));
     }
 

src/main/java/com/petshop/backend/exception/GlobalExceptionHandler.java

@@ -51,6 +51,26 @@ public class GlobalExceptionHandler {
         return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
     }
 
+    @ExceptionHandler(org.springframework.security.access.AccessDeniedException.class)
+    public ResponseEntity<ErrorResponse> handleAccessDeniedException(org.springframework.security.access.AccessDeniedException ex) {
+        ErrorResponse error = new ErrorResponse(
+                HttpStatus.FORBIDDEN.value(),
+                ex.getMessage(),
+                LocalDateTime.now()
+        );
+        return ResponseEntity.status(HttpStatus.FORBIDDEN).body(error);
+    }
+
+    @ExceptionHandler(IllegalArgumentException.class)
+    public ResponseEntity<ErrorResponse> handleIllegalArgumentException(IllegalArgumentException ex) {
+        ErrorResponse error = new ErrorResponse(
+                HttpStatus.BAD_REQUEST.value(),
+                ex.getMessage(),
+                LocalDateTime.now()
+        );
+        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(error);
+    }
+
     @ExceptionHandler(Exception.class)
     public ResponseEntity<ErrorResponse> handleGenericException(Exception ex) {
         ErrorResponse error = new ErrorResponse(