From f1842f5a07d4f776b29b5ae89092228f8a0ab6b9 Mon Sep 17 00:00:00 2001 From: zichun Date: Thu, 9 Apr 2026 10:05:56 +0800 Subject: [PATCH] feat(security): annotate pbc-identity user endpoints with @RequirePermission --- PROGRESS.md | 4 ++-- pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/PROGRESS.md b/PROGRESS.md index af086c2..c05661c 100644 --- a/PROGRESS.md +++ b/PROGRESS.md @@ -10,8 +10,8 @@ | | | |---|---| -| **Latest version** | v0.19.1 (HasExt marker interface + ExtJsonValidator helpers) | -| **Latest commit** | `986f02c refactor(metadata): HasExt marker + applyTo/parseExt helpers on ExtJsonValidator` | +| **Latest version** | v0.19.2 (pbc-identity @RequirePermission rollout — P4.3 complete) | +| **Latest commit** | `TBD feat(security): annotate pbc-identity user endpoints with @RequirePermission` | | **Repo** | https://github.com/reporkey/vibe-erp | | **Modules** | 18 | | **Unit tests** | 246, all green | diff --git a/pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt b/pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt index 0c8b6a8..2fd6378 100644 --- a/pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt +++ b/pbc/pbc-identity/src/main/kotlin/org/vibeerp/pbc/identity/http/UserController.kt @@ -19,6 +19,7 @@ import org.vibeerp.pbc.identity.application.CreateUserCommand import org.vibeerp.pbc.identity.application.UpdateUserCommand import org.vibeerp.pbc.identity.application.UserService import org.vibeerp.pbc.identity.domain.User +import org.vibeerp.platform.security.authz.RequirePermission import java.util.UUID /** 
@@ -34,8 +35,13 @@ import java.util.UUID * filtering and exposes no `tenantId` parameter. Customer isolation happens * at the deployment level (one running instance per customer). * - * Authentication is deferred to v0.2 (pbc-identity's auth flow). For v0.1 - * the controller answers any request. + * **Authorization.** Every endpoint is annotated with `@RequirePermission`. + * The identity-PBC permission keys are declared in + * `META-INF/vibe-erp/metadata/identity.yml` and enforced by the same + * `PermissionEvaluator` AOP aspect that covers every other PBC. Login / + * refresh endpoints are deliberately NOT here — they live on + * [AuthController] and are public (they can't require a token to issue + * a token). */ @RestController @RequestMapping("/api/v1/identity/users") @@ -44,10 +50,12 @@ class UserController( ) { @GetMapping + @RequirePermission("identity.user.read") fun list(): List = userService.list().map { it.toResponse() } @GetMapping("/{id}") + @RequirePermission("identity.user.read") fun get(@PathVariable id: UUID): ResponseEntity { val user = userService.findById(id) ?: return ResponseEntity.notFound().build() return ResponseEntity.ok(user.toResponse()) @@ -55,6 +63,7 @@ class UserController( @PostMapping @ResponseStatus(HttpStatus.CREATED) + @RequirePermission("identity.user.create") fun create(@RequestBody @Valid request: CreateUserRequest): UserResponse = userService.create( CreateUserCommand( @@ -66,6 +75,7 @@ class UserController( ).toResponse() @PatchMapping("/{id}") + @RequirePermission("identity.user.update") fun update( @PathVariable id: UUID, @RequestBody @Valid request: UpdateUserRequest, @@ -81,6 +91,7 @@ class UserController( @DeleteMapping("/{id}") @ResponseStatus(HttpStatus.NO_CONTENT) + @RequirePermission("identity.user.disable") fun disable(@PathVariable id: UUID) { userService.disable(id) } -- libgit2 0.22.2
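Review bot: The KDoc added in this hunk states that the permission keys are declared in `META-INF/vibe-erp/metadata/identity.yml`, but the diffstat shows this commit touches only PROGRESS.md and UserController.kt, so `identity.user.read`, `identity.user.create`, `identity.user.update` and `identity.user.disable` (used in the four hunks that follow) must already exist there for the annotations to mean anything. If a key is missing, the result depends on how `PermissionEvaluator` treats an undeclared key — a deny turns every call into a 403, an allow silently leaves the endpoint open — and nothing in this commit pins that down (the unit-test count in PROGRESS.md is unchanged at 246, so no test accompanies the rollout). I would add one authorization test per endpoint asserting that a principal without the key gets 403 and one with it reaches the service, which also catches the aspect not firing at all (for example if the controller is not proxied because the class is not open). The constructor and method bodies of `UserController` lie outside this hunk, and the same remark applies to the `@@ -44`, `@@ -55`, `@@ -66` and `@@ -81` hunks below.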