diff --git a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
index 4d5645ed1e597eeb3070abde7a2eea7067ad8b8e..268ac63faa6d844e487f204c8a212e9a56fbe81d 100644
--- a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
+++ b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
@@ -2,6 +2,7 @@ package com.example.gestionstagesbackend.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,19 +43,36 @@ public class SecurityConfig {
 .requestMatchers("/**").permitAll()
 // Role-based access
- .requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
- .requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
- .requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
- .requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
- .requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
- .requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
- .requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
- .requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
- .requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
- .requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
- .requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
- .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
+ // 👨🎓 STUDENTS (ETUDIANTS) - Can ONLY View Students & Stages
+ .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_ETUDIANT")
+ .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_ETUDIANT")
+
+ // ENTERPRISES - Can CRUD Stages but NOT Students
+ .requestMatchers(HttpMethod.POST, "/api/stages/add").hasAuthority("ROLE_ENTREPRISE")
+ .requestMatchers(HttpMethod.PUT, "/api/stages/update/**").hasAuthority("ROLE_ENTREPRISE")
+ .requestMatchers(HttpMethod.DELETE, "/api/stages/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+ // SUPERVISEURS - Can CRUD Students & View Stages
+ .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_SUPERVISEUR")
+ .requestMatchers(HttpMethod.POST, "/api/students/add").hasAuthority("ROLE_SUPERVISEUR")
+ .requestMatchers(HttpMethod.PUT, "/api/students/update/**").hasAuthority("ROLE_SUPERVISEUR")
+ .requestMatchers(HttpMethod.DELETE, "/api/students/delete/**").hasAuthority("ROLE_SUPERVISEUR")
+ .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_SUPERVISEUR")
+ // ENTERPRISES - Can CRUD their own Enterprise details
+ .requestMatchers(HttpMethod.POST, "/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
+ .requestMatchers(HttpMethod.PUT, "/api/enterprises/update/**").hasAuthority("ROLE_ENTREPRISE")
+ .requestMatchers(HttpMethod.DELETE, "/api/enterprises/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+ // CANDIDATURES - Students Can Apply, Supervisors & Admins Can View & Manage
+ .requestMatchers(HttpMethod.POST, "/api/candidacies/add").hasAuthority("ROLE_ETUDIANT") // Students apply
+ .requestMatchers(HttpMethod.GET, "/api/candidacies").hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPERVISEUR") // Admin & Supervisor can view
+ .requestMatchers(HttpMethod.PUT, "/api/candidacies/update/**").hasAuthority("ROLE_ADMIN") // Only Admins can update candidacies
+ .requestMatchers(HttpMethod.DELETE, "/api/candidacies/delete/**").hasAuthority("ROLE_ADMIN") // Only Admins can delete candidacies
+
+ // ADMIN ACCESS - Has Full Control Over Everything
+ .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
+ .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
 // Any other request requires authentication
 .anyRequest().authenticated()
 )
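Review bot: None of the role rules added in this hunk can ever take effect, because the unchanged context line `.requestMatchers("/**").permitAll()` at the top of the chain matches every request first and Spring Security evaluates `authorizeHttpRequests` matchers in declaration order, first match wins — so every endpoint, including the new `ROLE_ADMIN` catch-all, remains reachable without any authentication. That line should be removed, or narrowed to the genuinely public paths (e.g. a login/registration endpoint — not visible in this hunk) and kept above the role rules. The same first-match rule makes the second `GET /api/students` and `GET /api/stages` entries for `ROLE_SUPERVISEUR` dead code, since the `ROLE_ETUDIANT` entries above already claim those exact path+method pairs and a supervisor would get 403; collapse each pair into one rule such as `.requestMatchers(HttpMethod.GET, "/api/students").hasAnyAuthority("ROLE_ETUDIANT", "ROLE_SUPERVISEUR")`. Note also that single-resource reads like `GET /api/stages/{id}` match no method-specific rule and fall through to the `/**` admin rule, which may or may not be intended. The method containing this matcher chain starts before the hunk.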