renforcement sécurité Backend

330f2851 · Fatima Ezzahra Majidi · d8dab518 · 330f2851
Commit 330f2851 authored 2 months ago by Fatima Ezzahra Majidi
--- a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
+++ b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
@@ -2,6 +2,7 @@ package com.example.gestionstagesbackend.config;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,19 +43,36 @@ public class SecurityConfig {
                        .requestMatchers("/**").permitAll()
                        // Role-based access
-                        .requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
+                        // 👨‍🎓 STUDENTS (ETUDIANTS) - Can ONLY View Students & Stages
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
+                        // ENTERPRISES - Can CRUD Stages but NOT Students
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.POST, "/api/stages/add").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.PUT, "/api/stages/update/**").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.DELETE, "/api/stages/delete/**").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
+                        // SUPERVISEURS - Can CRUD Students & View Stages
-                        .requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
+                        .requestMatchers(HttpMethod.POST, "/api/students/add").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.PUT, "/api/students/update/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.DELETE, "/api/students/delete/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_SUPERVISEUR")
+                        // ENTERPRISES - Can CRUD their own Enterprise details
+                        .requestMatchers(HttpMethod.POST, "/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.PUT, "/api/enterprises/update/**").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.DELETE, "/api/enterprises/delete/**").hasAuthority("ROLE_ENTREPRISE")
+                        // CANDIDATURES - Students Can Apply, Supervisors & Admins Can View & Manage
+                        .requestMatchers(HttpMethod.POST, "/api/candidacies/add").hasAuthority("ROLE_ETUDIANT") // Students apply
+                        .requestMatchers(HttpMethod.GET, "/api/candidacies").hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPERVISEUR") // Admin & Supervisor can view
+                        .requestMatchers(HttpMethod.PUT, "/api/candidacies/update/**").hasAuthority("ROLE_ADMIN") // Only Admins can update candidacies
+                        .requestMatchers(HttpMethod.DELETE, "/api/candidacies/delete/**").hasAuthority("ROLE_ADMIN") // Only Admins can delete candidacies
+                        // ADMIN ACCESS - Has Full Control Over Everything
+                        .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
+                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
                        // Any other request requires authentication
                        .anyRequest().authenticated()
                )