From da386cc7480a3e48a360f938602d7cf42150fc46 Mon Sep 17 00:00:00 2001 From: zichun Date: Thu, 9 Apr 2026 00:24:45 +0800 Subject: [PATCH] feat(security): annotate inventory + orders list/get/create/update endpoints --- pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt | 7 +++++++ pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt | 5 +++++ pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt | 5 +++++ 3 files changed, 17 insertions(+), 0 deletions(-) diff --git a/pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt b/pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt index 940f29a..ac6b457 100644 --- a/pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt +++ b/pbc/pbc-inventory/src/main/kotlin/org/vibeerp/pbc/inventory/http/LocationController.kt @@ -19,6 +19,7 @@ import org.vibeerp.pbc.inventory.application.LocationService import org.vibeerp.pbc.inventory.application.UpdateLocationCommand import org.vibeerp.pbc.inventory.domain.Location import org.vibeerp.pbc.inventory.domain.LocationType +import org.vibeerp.platform.security.authz.RequirePermission import java.util.UUID /** 
@@ -33,16 +34,19 @@ class LocationController( ) { @GetMapping + @RequirePermission("inventory.location.read") fun list(): List = locationService.list().map { it.toResponse(locationService) } @GetMapping("/{id}") + @RequirePermission("inventory.location.read") fun get(@PathVariable id: UUID): ResponseEntity { val location = locationService.findById(id) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(location.toResponse(locationService)) } @GetMapping("/by-code/{code}") + @RequirePermission("inventory.location.read") fun getByCode(@PathVariable code: String): ResponseEntity { val location = locationService.findByCode(code) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(location.toResponse(locationService)) @@ -50,6 +54,7 @@ class LocationController( @PostMapping @ResponseStatus(HttpStatus.CREATED) + @RequirePermission("inventory.location.create") fun create(@RequestBody @Valid request: CreateLocationRequest): LocationResponse = locationService.create( CreateLocationCommand( @@ -62,6 +67,7 @@ class LocationController( ).toResponse(locationService) @PatchMapping("/{id}") + @RequirePermission("inventory.location.update") fun update( @PathVariable id: UUID, @RequestBody @Valid request: UpdateLocationRequest, @@ -78,6 +84,7 @@ class LocationController( @DeleteMapping("/{id}") @ResponseStatus(HttpStatus.NO_CONTENT) + @RequirePermission("inventory.location.deactivate") fun deactivate(@PathVariable id: UUID) { locationService.deactivate(id) } diff --git a/pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt b/pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt index b5fe9d9..8502b1c 100644 --- a/pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt +++ b/pbc/pbc-orders-purchase/src/main/kotlin/org/vibeerp/pbc/orders/purchase/http/PurchaseOrderController.kt 
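Review bot: The permission key `"inventory.location.read"` is written out as a raw string on `list`, `get` and `getByCode` in the first LocationController hunk, and the same repetition appears with `"orders.purchase.read"` and `"orders.sales.read"` in the other two controllers. A typo in any one copy still compiles, and whether an unknown key then fails closed depends on the `@RequirePermission` enforcement code, which is not part of this patch. Declaring each key once, e.g. `const val LOCATION_READ = "inventory.location.read"`, and annotating with `@RequirePermission(LOCATION_READ)` keeps the three read handlers in step and gives role definitions a single name to reference.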
@@ -43,16 +43,19 @@ class PurchaseOrderController( ) { @GetMapping + @RequirePermission("orders.purchase.read") fun list(): List = purchaseOrderService.list().map { it.toResponse(purchaseOrderService) } @GetMapping("/{id}") + @RequirePermission("orders.purchase.read") fun get(@PathVariable id: UUID): ResponseEntity { val order = purchaseOrderService.findById(id) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(order.toResponse(purchaseOrderService)) } @GetMapping("/by-code/{code}") + @RequirePermission("orders.purchase.read") fun getByCode(@PathVariable code: String): ResponseEntity { val order = purchaseOrderService.findByCode(code) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(order.toResponse(purchaseOrderService)) @@ -60,6 +63,7 @@ class PurchaseOrderController( @PostMapping @ResponseStatus(HttpStatus.CREATED) + @RequirePermission("orders.purchase.create") fun create(@RequestBody @Valid request: CreatePurchaseOrderRequest): PurchaseOrderResponse = purchaseOrderService.create( CreatePurchaseOrderCommand( @@ -74,6 +78,7 @@ class PurchaseOrderController( ).toResponse(purchaseOrderService) @PatchMapping("/{id}") + @RequirePermission("orders.purchase.update") fun update( @PathVariable id: UUID, @RequestBody @Valid request: UpdatePurchaseOrderRequest, diff --git a/pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt b/pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt index 9df9669..a16c81a 100644 --- a/pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt +++ b/pbc/pbc-orders-sales/src/main/kotlin/org/vibeerp/pbc/orders/sales/http/SalesOrderController.kt 
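Review bot: `get` and `getByCode` in the first PurchaseOrderController hunk are now gated only on the type-level key `orders.purchase.read`, so any principal holding it can fetch any purchase order whose UUID or code it supplies; the same holds for the `orders.sales.read` handlers in SalesOrderController. If orders are meant to be scoped per tenant, branch or owner, that check has to happen inside `purchaseOrderService.findById` / `findByCode`, which this patch does not show. I would state the intended scope in a comment above the handlers, for example `// Authorization is type-level: orders.purchase.read grants access to every purchase order, no per-record check.`, so a later reader does not assume object-level filtering exists.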
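Review bot: The last PurchaseOrderController hunk stops inside `update`'s parameter list, and the commit subject covers only list/get/create/update, so nothing here shows whether handlers further down the class carry `@RequirePermission`; the same applies to SalesOrderController after its `update` hunk. Because the annotation is opt-in per method, a handler that is missed stays reachable under whatever the default access is, presumably any authenticated caller, though the patch does not show that default. The diffstat lists only the three controllers, so no test accompanies the change; a test that walks each controller's request-mapped methods and fails on any without `@RequirePermission`, plus one request per key asserting rejection when the permission is absent, would catch both a missed endpoint and a mistyped key.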
@@ -54,16 +54,19 @@ class SalesOrderController( ) { @GetMapping + @RequirePermission("orders.sales.read") fun list(): List = salesOrderService.list().map { it.toResponse(salesOrderService) } @GetMapping("/{id}") + @RequirePermission("orders.sales.read") fun get(@PathVariable id: UUID): ResponseEntity { val order = salesOrderService.findById(id) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(order.toResponse(salesOrderService)) } @GetMapping("/by-code/{code}") + @RequirePermission("orders.sales.read") fun getByCode(@PathVariable code: String): ResponseEntity { val order = salesOrderService.findByCode(code) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(order.toResponse(salesOrderService)) @@ -71,6 +74,7 @@ class SalesOrderController( @PostMapping @ResponseStatus(HttpStatus.CREATED) + @RequirePermission("orders.sales.create") fun create(@RequestBody @Valid request: CreateSalesOrderRequest): SalesOrderResponse = salesOrderService.create( CreateSalesOrderCommand( @@ -84,6 +88,7 @@ class SalesOrderController( ).toResponse(salesOrderService) @PatchMapping("/{id}") + @RequirePermission("orders.sales.update") fun update( @PathVariable id: UUID, @RequestBody @Valid request: UpdateSalesOrderRequest, -- libgit2 0.22.2