From 330f28518c7b1f95a157740d6f0f631caa864f34 Mon Sep 17 00:00:00 2001
From: fatima ezzahra majidi <fatima-ezzahra.majidi.etu@univ-lille.fr>
Date: Fri, 7 Mar 2025 12:16:01 +0000
Subject: [PATCH] =?UTF-8?q?renforcement=20s=C3=A9curit=C3=A9=20Backend?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../config/SecurityConfig.java                | 42 +++++++++++++------
 1 file changed, 30 insertions(+), 12 deletions(-)

diff --git a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
index 4d5645e..268ac63 100644
--- a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
+++ b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
@@ -2,6 +2,7 @@ package com.example.gestionstagesbackend.config;
 
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,19 +43,36 @@ public class SecurityConfig {
                         .requestMatchers("/**").permitAll()
 
                         // Role-based access
-                        .requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
+                        // 👨‍🎓 STUDENTS (ETUDIANTS) - Can ONLY View Students & Stages
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_ETUDIANT")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_ETUDIANT")
+
+                        // ENTERPRISES - Can CRUD Stages but NOT Students
+                        .requestMatchers(HttpMethod.POST, "/api/stages/add").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.PUT, "/api/stages/update/**").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.DELETE, "/api/stages/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+                        // SUPERVISEURS - Can CRUD Students & View Stages
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.POST, "/api/students/add").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.PUT, "/api/students/update/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.DELETE, "/api/students/delete/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_SUPERVISEUR")
 
+                        // ENTERPRISES - Can CRUD their own Enterprise details
+                        .requestMatchers(HttpMethod.POST, "/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.PUT, "/api/enterprises/update/**").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.DELETE, "/api/enterprises/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+                        // CANDIDATURES - Students Can Apply, Supervisors & Admins Can View & Manage
+                        .requestMatchers(HttpMethod.POST, "/api/candidacies/add").hasAuthority("ROLE_ETUDIANT") // Students apply
+                        .requestMatchers(HttpMethod.GET, "/api/candidacies").hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPERVISEUR") // Admin & Supervisor can view
+                        .requestMatchers(HttpMethod.PUT, "/api/candidacies/update/**").hasAuthority("ROLE_ADMIN") // Only Admins can update candidacies
+                        .requestMatchers(HttpMethod.DELETE, "/api/candidacies/delete/**").hasAuthority("ROLE_ADMIN") // Only Admins can delete candidacies
+
+                        // ADMIN ACCESS - Has Full Control Over Everything
+                        .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
+                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
                         // Any other request requires authentication
                         .anyRequest().authenticated()
                 )
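Review bot: None of the added role rules can take effect while the context line above them, `.requestMatchers("/**").permitAll()`, stays in place: Spring Security evaluates `requestMatchers` in declaration order and stops at the first match, so `/**` permits every request before any `ROLE_*` check is reached (the lines before it are outside the hunk, so I cannot see whether it is the first matcher, but everything declared after it is dead regardless). Replace that catch-all with the specific paths that are meant to be public, or drop it, and keep `/**` only as the final fallback. The same first-match rule defeats the duplicated GET matchers: `GET /api/students` and `GET /api/stages` are declared first for `ROLE_ETUDIANT`, so the later `ROLE_SUPERVISEUR` entries for the same method and path never match and supervisors would be denied; merge each pair into one rule, `.requestMatchers(HttpMethod.GET, "/api/students").hasAnyAuthority("ROLE_ETUDIANT", "ROLE_SUPERVISEUR")` and `.requestMatchers(HttpMethod.GET, "/api/stages").hasAnyAuthority("ROLE_ETUDIANT", "ROLE_SUPERVISEUR")`. The re-added `.requestMatchers("/**").hasAuthority("ROLE_ADMIN")` placed before `.anyRequest().authenticated()` also makes that final rule unreachable, so the comment "Any other request requires authentication" no longer describes the actual behaviour. The enclosing method begins and ends outside the hunk.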
-- 
GitLab