feat(security): annotate inventory + orders list/get/create/update endpoints

Completes the @RequirePermission rollout that started in commit b174cf60. Every non-state-transition endpoint in pbc-inventory (Location CRUD), pbc-orders-sales, and pbc-orders-purchase is now guarded by the pre-declared permission keys from their respective metadata YAMLs. State-transition verbs (confirm/cancel/ship/receive) were annotated in the original P4.3 demo chunk; this one fills in the list/get/create/update gap. Inventory - LocationController: list/get/getByCode → inventory.location.read; create → inventory.location.create; update → inventory.location.update; deactivate → inventory.location.deactivate. - (StockBalanceController.adjust + StockMovementController.record were already annotated with inventory.stock.adjust.) Orders-sales - SalesOrderController: list/get/getByCode → orders.sales.read; create → orders.sales.create; update → orders.sales.update. (confirm/cancel/ship were already annotated.) Orders-purchase - PurchaseOrderController: list/get/getByCode → orders.purchase.read; create → orders.purchase.create; update → orders.purchase.update. (confirm/cancel/receive were already annotated.) No new permission keys. Every key this chunk consumes was already declared in the relevant metadata YAML since the respective PBC was first built — catalog + partners already shipped in this state, and the inventory/orders YAMLs declared their read/create/update keys from day one but the controllers hadn't started using them. Admin happy path still works (bootstrap admin has the wildcard `admin` role, same as after commit b174cf60). 230 unit tests still green — annotations are purely additive, no existing test hits the @RequirePermission path since service-level tests bypass the controller entirely. Combined with b174cf60, the framework now has full @RequirePermission coverage on every PBC controller except pbc-identity's user admin (which is a separate permission surface — user/role administration has its own security story). A minimum-privilege role like "sales-clerk" can now be granted exactly `orders.sales.read` + `orders.sales.create` + `partners.partner.read` and NOT accidentally see catalog admin, inventory movements, finance journals, or contact PII.

feat(security): annotate inventory + orders list/get/create/update endpoints
Completes the @RequirePermission rollout that started in commit b174cf60. Every non-state-transition endpoint in pbc-inventory (Location CRUD), pbc-orders-sales, and pbc-orders-purchase is now guarded by the pre-declared permission keys from their respective metadata YAMLs. State-transition verbs (confirm/cancel/ship/receive) were annotated in the original P4.3 demo chunk; this one fills in the list/get/create/update gap. Inventory - LocationController: list/get/getByCode → inventory.location.read; create → inventory.location.create; update → inventory.location.update; deactivate → inventory.location.deactivate. - (StockBalanceController.adjust + StockMovementController.record were already annotated with inventory.stock.adjust.) Orders-sales - SalesOrderController: list/get/getByCode → orders.sales.read; create → orders.sales.create; update → orders.sales.update. (confirm/cancel/ship were already annotated.) Orders-purchase - PurchaseOrderController: list/get/getByCode → orders.purchase.read; create → orders.purchase.create; update → orders.purchase.update. (confirm/cancel/receive were already annotated.) No new permission keys. Every key this chunk consumes was already declared in the relevant metadata YAML since the respective PBC was first built — catalog + partners already shipped in this state, and the inventory/orders YAMLs declared their read/create/update keys from day one but the controllers hadn't started using them. Admin happy path still works (bootstrap admin has the wildcard `admin` role, same as after commit b174cf60). 230 unit tests still green — annotations are purely additive, no existing test hits the @RequirePermission path since service-level tests bypass the controller entirely. Combined with b174cf60, the framework now has full @RequirePermission coverage on every PBC controller except pbc-identity's user admin (which is a separate permission surface — user/role administration has its own security story). A minimum-privilege role like "sales-clerk" can now be granted exactly `orders.sales.read` + `orders.sales.create` + `partners.partner.read` and NOT accidentally see catalog admin, inventory movements, finance journals, or contact PII.
zichun
1 parent 4f42d270
Showing 3 changed files with 17 additions and 0 deletions
pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt
pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt
pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt
@@ -19,6 +19,7 @@ import org.vibeerp.pbc.inventory.application.LocationService
 import org.vibeerp.pbc.inventory.application.UpdateLocationCommand
 import org.vibeerp.pbc.inventory.domain.Location
 import org.vibeerp.pbc.inventory.domain.LocationType
+import org.vibeerp.platform.security.authz.RequirePermission
 import java.util.UUID
  
 /**
@@ -33,16 +34,19 @@ class LocationController(
 ) {
  
     @GetMapping
+    @RequirePermission("inventory.location.read")
     fun list(): List<LocationResponse> =
         locationService.list().map { it.toResponse(locationService) }
  
     @GetMapping("/{id}")
+    @RequirePermission("inventory.location.read")
     fun get(@PathVariable id: UUID): ResponseEntity<LocationResponse> {
         val location = locationService.findById(id) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(location.toResponse(locationService))
     }
  
     @GetMapping("/by-code/{code}")
+    @RequirePermission("inventory.location.read")
     fun getByCode(@PathVariable code: String): ResponseEntity<LocationResponse> {
         val location = locationService.findByCode(code) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(location.toResponse(locationService))
@@ -50,6 +54,7 @@ class LocationController(
  
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @RequirePermission("inventory.location.create")
     fun create(@RequestBody @Valid request: CreateLocationRequest): LocationResponse =
         locationService.create(
             CreateLocationCommand(
@@ -62,6 +67,7 @@ class LocationController(
         ).toResponse(locationService)
  
     @PatchMapping("/{id}")
+    @RequirePermission("inventory.location.update")
     fun update(
         @PathVariable id: UUID,
         @RequestBody @Valid request: UpdateLocationRequest,
@@ -78,6 +84,7 @@ class LocationController(
  
     @DeleteMapping("/{id}")
     @ResponseStatus(HttpStatus.NO_CONTENT)
+    @RequirePermission("inventory.location.deactivate")
     fun deactivate(@PathVariable id: UUID) {
         locationService.deactivate(id)
     }
@@ -43,16 +43,19 @@ class PurchaseOrderController(
 ) {
  
     @GetMapping
+    @RequirePermission("orders.purchase.read")
     fun list(): List<PurchaseOrderResponse> =
         purchaseOrderService.list().map { it.toResponse(purchaseOrderService) }
  
     @GetMapping("/{id}")
+    @RequirePermission("orders.purchase.read")
     fun get(@PathVariable id: UUID): ResponseEntity<PurchaseOrderResponse> {
         val order = purchaseOrderService.findById(id) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(order.toResponse(purchaseOrderService))
     }
  
     @GetMapping("/by-code/{code}")
+    @RequirePermission("orders.purchase.read")
     fun getByCode(@PathVariable code: String): ResponseEntity<PurchaseOrderResponse> {
         val order = purchaseOrderService.findByCode(code) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(order.toResponse(purchaseOrderService))
@@ -60,6 +63,7 @@ class PurchaseOrderController(
  
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @RequirePermission("orders.purchase.create")
     fun create(@RequestBody @Valid request: CreatePurchaseOrderRequest): PurchaseOrderResponse =
         purchaseOrderService.create(
             CreatePurchaseOrderCommand(
@@ -74,6 +78,7 @@ class PurchaseOrderController(
         ).toResponse(purchaseOrderService)
  
     @PatchMapping("/{id}")
+    @RequirePermission("orders.purchase.update")
     fun update(
         @PathVariable id: UUID,
         @RequestBody @Valid request: UpdatePurchaseOrderRequest,
@@ -54,16 +54,19 @@ class SalesOrderController(
 ) {
  
     @GetMapping
+    @RequirePermission("orders.sales.read")
     fun list(): List<SalesOrderResponse> =
         salesOrderService.list().map { it.toResponse(salesOrderService) }
  
     @GetMapping("/{id}")
+    @RequirePermission("orders.sales.read")
     fun get(@PathVariable id: UUID): ResponseEntity<SalesOrderResponse> {
         val order = salesOrderService.findById(id) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(order.toResponse(salesOrderService))
     }
  
     @GetMapping("/by-code/{code}")
+    @RequirePermission("orders.sales.read")
     fun getByCode(@PathVariable code: String): ResponseEntity<SalesOrderResponse> {
         val order = salesOrderService.findByCode(code) ?: return ResponseEntity.notFound().build()
         return ResponseEntity.ok(order.toResponse(salesOrderService))
@@ -71,6 +74,7 @@ class SalesOrderController(
  
     @PostMapping
     @ResponseStatus(HttpStatus.CREATED)
+    @RequirePermission("orders.sales.create")
     fun create(@RequestBody @Valid request: CreateSalesOrderRequest): SalesOrderResponse =
         salesOrderService.create(
             CreateSalesOrderCommand(
@@ -84,6 +88,7 @@ class SalesOrderController(
         ).toResponse(salesOrderService)
  
     @PatchMapping("/{id}")
+    @RequirePermission("orders.sales.update")
     fun update(
         @PathVariable id: UUID,
         @RequestBody @Valid request: UpdateSalesOrderRequest,