Merge branch 'master' into 'main'

renforcement sécurité Backend See merge request !10

Merge branch 'master' into 'main'
dd69abf9 · Fatima Ezzahra Majidi · f4a54d25 · 330f2851 · dd69abf9
Commit dd69abf9 authored 2 months ago by Fatima Ezzahra Majidi
--- a/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
+++ b/src/main/java/com/example/gestionstagesbackend/config/SecurityConfig.java
@@ -2,6 +2,7 @@ package com.example.gestionstagesbackend.config;

 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
+import org.springframework.http.HttpMethod;
 import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
@@ -42,19 +43,36 @@ public class SecurityConfig {
                        .requestMatchers("/**").permitAll()

                        // Role-based access
-                        .requestMatchers("/api/students").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_ETUDIANT")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/students").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/students/**").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/stages").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/stages/**").hasAuthority("ROLE_SUPERVISEUR")
-                        .requestMatchers("/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/update").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/api/enterprises/delete").hasAuthority("ROLE_ENTREPRISE")
-                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
+                        // 👨‍🎓 STUDENTS (ETUDIANTS) - Can ONLY View Students & Stages
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_ETUDIANT")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_ETUDIANT")
+
+                        // ENTERPRISES - Can CRUD Stages but NOT Students
+                        .requestMatchers(HttpMethod.POST, "/api/stages/add").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.PUT, "/api/stages/update/**").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.DELETE, "/api/stages/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+                        // SUPERVISEURS - Can CRUD Students & View Stages
+                        .requestMatchers(HttpMethod.GET, "/api/students").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.POST, "/api/students/add").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.PUT, "/api/students/update/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.DELETE, "/api/students/delete/**").hasAuthority("ROLE_SUPERVISEUR")
+                        .requestMatchers(HttpMethod.GET, "/api/stages").hasAuthority("ROLE_SUPERVISEUR")

+                        // ENTERPRISES - Can CRUD their own Enterprise details
+                        .requestMatchers(HttpMethod.POST, "/api/enterprises/add").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.PUT, "/api/enterprises/update/**").hasAuthority("ROLE_ENTREPRISE")
+                        .requestMatchers(HttpMethod.DELETE, "/api/enterprises/delete/**").hasAuthority("ROLE_ENTREPRISE")
+
+                        // CANDIDATURES - Students Can Apply, Supervisors & Admins Can View & Manage
+                        .requestMatchers(HttpMethod.POST, "/api/candidacies/add").hasAuthority("ROLE_ETUDIANT") // Students apply
+                        .requestMatchers(HttpMethod.GET, "/api/candidacies").hasAnyAuthority("ROLE_ADMIN", "ROLE_SUPERVISEUR") // Admin & Supervisor can view
+                        .requestMatchers(HttpMethod.PUT, "/api/candidacies/update/**").hasAuthority("ROLE_ADMIN") // Only Admins can update candidacies
+                        .requestMatchers(HttpMethod.DELETE, "/api/candidacies/delete/**").hasAuthority("ROLE_ADMIN") // Only Admins can delete candidacies
+
+                        // ADMIN ACCESS - Has Full Control Over Everything
+                        .requestMatchers("/api/admin/**").hasAuthority("ROLE_ADMIN")
+                        .requestMatchers("/**").hasAuthority("ROLE_ADMIN")
                        // Any other request requires authentication
                        .anyRequest().authenticated()
                )