refactor: change PreAuthorize from ServiceLayer to ControllerLayer

src/main/java/com/learning/yasminishop/cart/CartItemController.java

@@ -10,6 +10,7 @@
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -23,6 +24,7 @@ public class CartItemController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<CartItemResponse> createCart(@Valid @RequestBody CartItemRequest cartItemRequest) {
         CartItemResponse cartItemResponse = cartItemService.create(cartItemRequest);
         return APIResponse.<CartItemResponse>builder()
@@ -32,6 +34,7 @@ public APIResponse<CartItemResponse> createCart(@Valid @RequestBody CartItemRequ
 
     @GetMapping
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<List<CartItemResponse>> getAllCarts() {
         List<CartItemResponse> cartItemResponses = cartItemService.getAll();
 
@@ -42,6 +45,7 @@ public APIResponse<List<CartItemResponse>> getAllCarts() {
 
     @PutMapping("/{id}")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<CartItemResponse> updateCart(@PathVariable String id, @Valid @RequestBody CartItemUpdate cartItemUpdate) {
         CartItemResponse cartItemResponses = cartItemService.update(id, cartItemUpdate);
 
@@ -52,6 +56,7 @@ public APIResponse<CartItemResponse> updateCart(@PathVariable String id, @Valid
 
     @DeleteMapping
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<String> deleteCart(@Valid @RequestBody CartItemIds cartItemIds) {
         cartItemService.delete(cartItemIds.getIds());
 
@@ -62,6 +67,7 @@ public APIResponse<String> deleteCart(@Valid @RequestBody CartItemIds cartItemId
 
     @GetMapping("/get-by-ids")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<List<CartItemResponse>> getCartItemsByIds(@RequestParam List<String> ids) {
 
         List<CartItemResponse> cartItemResponses = cartItemService.getCartByIds(ids);

src/main/java/com/learning/yasminishop/cart/CartItemService.java

@@ -13,7 +13,6 @@
 import com.learning.yasminishop.user.UserRepository;
 import lombok.RequiredArgsConstructor;
 import lombok.extern.slf4j.Slf4j;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
@@ -33,7 +32,6 @@ public class CartItemService {
     private final UserRepository userRepository;
     private final CartItemMapper cartItemMapper;
 
-    @PreAuthorize("hasRole('USER')")
     @Transactional
     public CartItemResponse create(CartItemRequest cartItemRequest) {
 
@@ -61,7 +59,6 @@ public CartItemResponse create(CartItemRequest cartItemRequest) {
     }
 
 
-    @PreAuthorize("hasRole('USER')")
     public List<CartItemResponse> getAll() {
         String email = SecurityContextHolder.getContext().getAuthentication().getName();
         User user = userRepository.findByEmail(email).orElseThrow(() -> new AppException(ErrorCode.USER_NOT_FOUND));
@@ -73,7 +70,6 @@ public List<CartItemResponse> getAll() {
                 .toList();
     }
 
-    @PreAuthorize("hasRole('USER')")
     @Transactional
     public CartItemResponse update(String cartId, CartItemUpdate cartItemUpdate) {
 
@@ -97,7 +93,6 @@ public CartItemResponse update(String cartId, CartItemUpdate cartItemUpdate) {
         return cartItemMapper.toCartResponse(cartItem);
     }
 
-    @PreAuthorize("hasRole('USER')")
     @Transactional
     public void delete(List<String> cartIds) {
 
@@ -116,7 +111,6 @@ public void delete(List<String> cartIds) {
         cartItemRepository.deleteAll(cartItems);
     }
 
-    @PreAuthorize("hasRole('USER')")
     @Transactional
     public List<CartItemResponse> getCartByIds(List<String> cartIds) {
         List<CartItem> cartItems = cartItemRepository.findAllById(cartIds);

src/main/java/com/learning/yasminishop/category/CategoryController.java

@@ -15,6 +15,7 @@
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -29,6 +30,7 @@ public class CategoryController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<CategoryResponse> createCategory(@Valid @RequestBody CategoryCreation categoryCreation) {
         CategoryResponse categoryResponse = categoryService.create(categoryCreation);
         return APIResponse.<CategoryResponse>builder()
@@ -57,6 +59,7 @@ public APIResponse<CategoryResponse> getCategoryBySlug(@PathVariable String slug
 
     @GetMapping("/{id}")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<CategoryAdminResponse> getCategory(@PathVariable String id) {
         CategoryAdminResponse categoryAdminResponse = categoryService.getCategory(id);
         return APIResponse.<CategoryAdminResponse>builder()
@@ -66,6 +69,7 @@ public APIResponse<CategoryAdminResponse> getCategory(@PathVariable String id) {
 
     @PatchMapping("/toggle-availability")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<String> toggleAvailability(@RequestBody CategoryIds categoryIds) {
         categoryService.toggleAvailability(categoryIds.getIds());
         return APIResponse.<String>builder()
@@ -75,6 +79,7 @@ public APIResponse<String> toggleAvailability(@RequestBody CategoryIds categoryI
 
     @DeleteMapping
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<String> deleteCategories(@RequestBody CategoryIds categoryIds) {
         categoryService.delete(categoryIds.getIds());
         return APIResponse.<String>builder()
@@ -85,6 +90,7 @@ public APIResponse<String> deleteCategories(@RequestBody CategoryIds categoryIds
 
     @PutMapping("/{id}")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<CategoryResponse> updateCategory(@NotNull @NotEmpty @PathVariable String id, @Valid @RequestBody CategoryUpdate categoryUpdate) {
         CategoryResponse categoryResponse = categoryService.update(id, categoryUpdate);
         return APIResponse.<CategoryResponse>builder()
@@ -94,6 +100,7 @@ public APIResponse<CategoryResponse> updateCategory(@NotNull @NotEmpty @PathVari
 
     @GetMapping("/admin")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<PaginationResponse<CategoryAdminResponse>> getAllCategoriesForAdmin(
             @RequestParam(required = false) String name,
             @RequestParam(required = false) Boolean isAvailable,

src/main/java/com/learning/yasminishop/category/CategoryService.java

@@ -14,7 +14,6 @@
 import org.springframework.data.domain.Page;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.jpa.domain.Specification;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -31,7 +30,6 @@ public class CategoryService {
 
 
     @Transactional
-    @PreAuthorize("hasRole('ADMIN')")
     public CategoryResponse create(CategoryCreation categoryCreation) {
 
         if (categoryRepository.existsBySlug(categoryCreation.getSlug())) {
@@ -59,7 +57,6 @@ public CategoryResponse getBySlug(String slug) {
         return categoryMapper.toCategoryResponse(category);
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     public CategoryAdminResponse getCategory(String id) {
         Category category = categoryRepository.findById(id)
                 .orElseThrow(() -> new AppException(ErrorCode.CATEGORY_NOT_FOUND));
@@ -68,7 +65,6 @@ public CategoryAdminResponse getCategory(String id) {
     }
 
     @Transactional
-    @PreAuthorize("hasRole('ADMIN')")
     public void delete(List<String> ids) {
 
         List<Category> categories = categoryRepository.findAllById(ids);
@@ -85,7 +81,6 @@ public void delete(List<String> ids) {
     }
 
     @Transactional
-    @PreAuthorize("hasRole('ADMIN')")
     public void toggleAvailability(List<String> ids) {
         List<Category> categories = categoryRepository.findAllById(ids);
 
@@ -107,7 +102,6 @@ public void toggleAvailability(List<String> ids) {
 
 
     @Transactional
-    @PreAuthorize("hasRole('ADMIN')")
     public CategoryResponse update(String id, CategoryUpdate categoryUpdate) {
         Category category = categoryRepository.findById(id)
                 .orElseThrow(() -> new AppException(ErrorCode.CATEGORY_NOT_FOUND));
@@ -123,7 +117,6 @@ public CategoryResponse update(String id, CategoryUpdate categoryUpdate) {
     }
 
 
-    @PreAuthorize("hasRole('ADMIN')")
     public PaginationResponse<CategoryAdminResponse> getAllCategoriesAdmin(String name, Boolean isAvailable, Pageable pageable) {
 
         Page<Category> categories = categoryRepository.findAll(

src/main/java/com/learning/yasminishop/order/OrderController.java

@@ -12,6 +12,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -28,6 +29,7 @@ public class OrderController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<OrderResponse> createOrder(@Valid @RequestBody OrderRequest orderRequest) {
         OrderResponse orderResponse = orderService.create(orderRequest);
         return APIResponse.<OrderResponse>builder()
@@ -37,6 +39,7 @@ public APIResponse<OrderResponse> createOrder(@Valid @RequestBody OrderRequest o
 
     @GetMapping
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('USER')")
     public APIResponse<List<OrderResponse>> getAllOrders() {
         List<OrderResponse> orderResponse = orderService.getAllOrderByUser();
         return APIResponse.<List<OrderResponse>>builder()
@@ -55,6 +58,7 @@ public APIResponse<OrderResponse> getOrderById(@PathVariable String id) {
 
     @GetMapping("/admin")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<PaginationResponse<OrderAdminResponse>> getAllOrdersForAdmin(@Valid @ModelAttribute OrderFilter orderFilter) {
 
         Pageable pageable = pageSortUtility.createPageable(orderFilter.getPage(),
@@ -71,6 +75,7 @@ public APIResponse<PaginationResponse<OrderAdminResponse>> getAllOrdersForAdmin(
 
     @GetMapping("/{id}/admin")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<OrderAdminResponse> getOrderByIdForAdmin(@PathVariable String id) {
         OrderAdminResponse orderResponse = orderService.getOrderByIdForAdmin(id);
         return APIResponse.<OrderAdminResponse>builder()
@@ -80,6 +85,7 @@ public APIResponse<OrderAdminResponse> getOrderByIdForAdmin(@PathVariable String
 
     @PatchMapping("/{id}/status")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<String> updateOrderStatus(@PathVariable String id, @RequestParam String status) {
         orderService.updateOrderStatus(id, status);
         return APIResponse.<String>builder()

src/main/java/com/learning/yasminishop/order/OrderService.java

@@ -43,7 +43,6 @@ public class OrderService {
 
 
     @Transactional
-    @PreAuthorize("hasRole('USER')")
     public OrderResponse create(OrderRequest orderRequest) {
 
         // get the user
@@ -75,7 +74,6 @@ public OrderResponse create(OrderRequest orderRequest) {
     }
 
 
-    @PreAuthorize("hasRole('USER')")
     public List<OrderResponse> getAllOrderByUser() {
         String email = SecurityContextHolder.getContext().getAuthentication().getName();
         User user = userRepository.findByEmail(email).orElseThrow(() -> new AppException(ErrorCode.USER_NOT_FOUND));
@@ -86,7 +84,6 @@ public List<OrderResponse> getAllOrderByUser() {
                 .toList();
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     public PaginationResponse<OrderAdminResponse> getAllOrders(OrderFilter orderFilter, Pageable pageable) {
 
         Page<Order> orders = orderRepository.findAll(
@@ -113,7 +110,6 @@ public OrderResponse getOrderById(String id) {
         return orderMapper.toOrderResponse(order);
     }
 
-    @PreAuthorize("hasRole('ADMIN')")
     public OrderAdminResponse getOrderByIdForAdmin(String id) {
         Order order = orderRepository.findById(id).orElseThrow(
                 () -> new AppException(ErrorCode.ORDER_NOT_FOUND)
@@ -122,7 +118,6 @@ public OrderAdminResponse getOrderByIdForAdmin(String id) {
     }
 
     @Transactional
-    @PreAuthorize("hasRole('ADMIN')")
     public void updateOrderStatus(String id, String status) {
         Order order = orderRepository.findById(id).orElseThrow(
                 () -> new AppException(ErrorCode.ORDER_NOT_FOUND)

src/main/java/com/learning/yasminishop/product/ProductController.java

@@ -13,6 +13,7 @@
 import lombok.extern.slf4j.Slf4j;
 import org.springframework.data.domain.Pageable;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 
@@ -28,6 +29,7 @@ public class ProductController {
 
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<ProductAdminResponse> createProduct(@Valid @RequestBody ProductRequest productCreation) {
         ProductAdminResponse productResponse = productService.create(productCreation);
         return APIResponse.<ProductAdminResponse>builder()
@@ -47,6 +49,7 @@ public APIResponse<ProductResponse> getBySlug(@PathVariable String slug) {
 
     @GetMapping("/id/{id}")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<ProductAdminResponse> getById(@PathVariable String id) {
         log.info("Getting product by id: {}", id);
         ProductAdminResponse productResponse = productService.getById(id);
@@ -57,6 +60,7 @@ public APIResponse<ProductAdminResponse> getById(@PathVariable String id) {
 
     @GetMapping("/admin")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<PaginationResponse<ProductAdminResponse>> getAllForAdmin(
             @Valid @ModelAttribute ProductFilter productFilter) {
 
@@ -91,6 +95,7 @@ public APIResponse<PaginationResponse<ProductResponse>> getAll(
 
     @PutMapping("/{id}")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<ProductAdminResponse> updateProduct(@PathVariable String id, @Valid @RequestBody ProductRequest productUpdate) {
         log.info("Updating product with id: {}", id);
         ProductAdminResponse productResponse = productService.update(id, productUpdate);
@@ -101,6 +106,7 @@ public APIResponse<ProductAdminResponse> updateProduct(@PathVariable String id,
 
     @PatchMapping("/toggle-availability")
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<String> toggleAvailability(@RequestBody ProductIds productIds) {
         productService.toggleAvailability(productIds.getIds());
 
@@ -111,6 +117,7 @@ public APIResponse<String> toggleAvailability(@RequestBody ProductIds productIds
 
     @DeleteMapping
     @ResponseStatus(HttpStatus.OK)
+    @PreAuthorize("hasRole('ADMIN')")
     public APIResponse<String> deleteProducts(@RequestBody ProductIds productIds) {
         productService.delete(productIds.getIds());
         return APIResponse.<String>builder()