Allow admin ownership bypass

2026-04-05 16:01:46 -06:00
parent 30b5041ae5
commit c84d817810
6 changed files with 199 additions and 190 deletions


@@ -80,8 +80,15 @@ public class DropdownController {
@GetMapping("/appointment-customers")
@PreAuthorize("hasAnyRole('STAFF', 'ADMIN')")
public ResponseEntity<List<DropdownOption>> getAppointmentCustomers() {
User user = com.petshop.backend.util.AuthenticationHelper.getAuthenticatedUser(userRepository);
List<com.petshop.backend.entity.Customer> customers;
if (user.getRole() == User.Role.ADMIN) {
customers = customerRepository.findAll();
} else {
customers = customerRepository.findAllWithPets();
}
return ResponseEntity.ok(
customerRepository.findAllWithPets().stream()
customers.stream()
.map(c -> new DropdownOption(c.getCustomerId(), c.getFirstName() + " " + c.getLastName()))
.collect(Collectors.toList())
);
@@ -194,7 +201,7 @@ public class DropdownController {
return false;
}
return userRepository.findById(userId)
.filter(user -> user.getRole() == User.Role.STAFF)
.filter(user -> user.getRole() == User.Role.STAFF || user.getRole() == User.Role.ADMIN)
.filter(user -> Boolean.TRUE.equals(user.getActive()))
.isPresent();
}
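Review bot: The active-STAFF-or-ADMIN predicate on the `.filter` line of the second hunk is copied verbatim into three classes in this commit (here, AdoptionService, and AppointmentService), so the authorization rule now has three places to drift if a role is added or renamed. Extracting it once, e.g. `public boolean hasStaffPrivileges() { return role == Role.STAFF || role == Role.ADMIN; }` on `User` (or a static on `AuthenticationHelper`), and calling that from each `userRepository.findById(userId).filter(...)` chain would keep the rule single-sourced. The enclosing method starts outside the hunk; if its name still says "staff", it should be renamed so callers do not assume admins are excluded. In the first hunk, the fully-qualified `com.petshop.backend.util.AuthenticationHelper` and `com.petshop.backend.entity.Customer` read like imports that were left out, since `User` is used unqualified a few lines below.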


@@ -173,7 +173,7 @@ public class AdoptionService {
return false;
}
return userRepository.findById(userId)
.filter(user -> user.getRole() == User.Role.STAFF)
.filter(user -> user.getRole() == User.Role.STAFF || user.getRole() == User.Role.ADMIN)
.filter(user -> Boolean.TRUE.equals(user.getActive()))
.isPresent();
}


@@ -99,6 +99,8 @@ public class AppointmentService {
public AppointmentResponse createAppointment(AppointmentRequest request) {
validateAppointmentRequest(request);
User authenticatedUser = AuthenticationHelper.getAuthenticatedUser(userRepository);
Customer customer = customerRepository.findById(request.getCustomerId())
.orElseThrow(() -> new ResourceNotFoundException("Customer not found with id: " + request.getCustomerId()));
@@ -108,7 +110,7 @@ public class AppointmentService {
com.petshop.backend.entity.Service service = serviceRepository.findById(request.getServiceId())
.orElseThrow(() -> new ResourceNotFoundException("Service not found with id: " + request.getServiceId()));
validateStoreAccess(store.getStoreId());
validateStoreAccess(store.getStoreId(), authenticatedUser);
validateAvailability(store, service, request.getAppointmentDate(), request.getAppointmentTime(), null);
boolean hasPetIds = request.getPetIds() != null && !request.getPetIds().isEmpty();
@@ -120,7 +122,7 @@ public class AppointmentService {
}
Set<Pet> pets = hasPetIds ? fetchPets(request.getPetIds()) : new HashSet<>();
Set<CustomerPet> customerPets = hasCustomerPetIds ? fetchCustomerPets(request.getCustomerPetIds(), customer.getCustomerId()) : new HashSet<>();
Set<CustomerPet> customerPets = hasCustomerPetIds ? fetchCustomerPets(request.getCustomerPetIds(), customer.getCustomerId(), authenticatedUser.getRole()) : new HashSet<>();
Employee employee = resolveAppointmentEmployee(request.getEmployeeId(), store.getStoreId());
Appointment appointment = new Appointment();
@@ -142,6 +144,8 @@ public class AppointmentService {
public AppointmentResponse updateAppointment(Long id, AppointmentRequest request) {
validateAppointmentRequest(request);
User authenticatedUser = AuthenticationHelper.getAuthenticatedUser(userRepository);
Appointment appointment = appointmentRepository.findById(id)
.orElseThrow(() -> new ResourceNotFoundException("Appointment not found with id: " + id));
@@ -154,7 +158,7 @@ public class AppointmentService {
com.petshop.backend.entity.Service service = serviceRepository.findById(request.getServiceId())
.orElseThrow(() -> new ResourceNotFoundException("Service not found with id: " + request.getServiceId()));
validateStoreAccess(store.getStoreId());
validateStoreAccess(store.getStoreId(), authenticatedUser);
validateAvailability(store, service, request.getAppointmentDate(), request.getAppointmentTime(), id);
boolean hasPetIds = request.getPetIds() != null && !request.getPetIds().isEmpty();
@@ -166,7 +170,7 @@ public class AppointmentService {
}
Set<Pet> pets = hasPetIds ? fetchPets(request.getPetIds()) : new HashSet<>();
Set<CustomerPet> customerPets = hasCustomerPetIds ? fetchCustomerPets(request.getCustomerPetIds(), customer.getCustomerId()) : new HashSet<>();
Set<CustomerPet> customerPets = hasCustomerPetIds ? fetchCustomerPets(request.getCustomerPetIds(), customer.getCustomerId(), authenticatedUser.getRole()) : new HashSet<>();
Employee employee = resolveAppointmentEmployee(request.getEmployeeId(), store.getStoreId());
appointment.setCustomer(customer);
@@ -251,12 +255,12 @@ public class AppointmentService {
return pets;
}
private Set<CustomerPet> fetchCustomerPets(List<Long> customerPetIds, Long customerId) {
private Set<CustomerPet> fetchCustomerPets(List<Long> customerPetIds, Long customerId, User.Role authenticatedRole) {
Set<CustomerPet> customerPets = new HashSet<>();
for (Long customerPetId : customerPetIds) {
CustomerPet customerPet = customerPetRepository.findById(customerPetId)
.orElseThrow(() -> new ResourceNotFoundException("Customer pet not found with id: " + customerPetId));
if (!customerPet.getCustomer().getCustomerId().equals(customerId)) {
if (authenticatedRole != User.Role.ADMIN && !customerPet.getCustomer().getCustomerId().equals(customerId)) {
throw new IllegalArgumentException("Selected pet does not belong to the selected customer");
}
customerPets.add(customerPet);
@@ -333,7 +337,7 @@ public class AppointmentService {
return false;
}
return userRepository.findById(userId)
.filter(user -> user.getRole() == User.Role.STAFF)
.filter(user -> user.getRole() == User.Role.STAFF || user.getRole() == User.Role.ADMIN)
.filter(user -> Boolean.TRUE.equals(user.getActive()))
.isPresent();
}
@@ -368,8 +372,7 @@ public class AppointmentService {
return true;
}
private void validateStoreAccess(Long requestedStoreId) {
User user = AuthenticationHelper.getAuthenticatedUser(userRepository);
private void validateStoreAccess(Long requestedStoreId, User user) {
if (user.getRole() != User.Role.STAFF) {
return;
}