Add check that student can only view own courses

gavlyukovskiy · gavlyukovskiy · commit cc89da401b83 · 2025-09-18T20:06:09.000+02:00
diff --git a/src/main/java/net/hackyourfuture/coursehub/web/StudentController.java b/src/main/java/net/hackyourfuture/coursehub/web/StudentController.java
@@ -1,12 +1,19 @@
 package net.hackyourfuture.coursehub.web;
 
 import jakarta.validation.constraints.Positive;
+import net.hackyourfuture.coursehub.data.AuthenticatedUser;
 import net.hackyourfuture.coursehub.service.CourseService;
 import net.hackyourfuture.coursehub.web.model.CourseListResponse;
+import org.springframework.http.HttpStatus;
+import org.springframework.http.HttpStatusCode;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestMapping;
 import org.springframework.web.bind.annotation.RestController;
+import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.HttpServerErrorException;
+import org.springframework.web.client.HttpStatusCodeException;
 
 @RestController
 @RequestMapping("/students")
@@ -19,7 +26,11 @@ public StudentController(CourseService courseService) {
     }
 
     @GetMapping("/{studentId}/courses")
-    public CourseListResponse getCoursesForStudent(@PathVariable @Positive Integer studentId) {
+    public CourseListResponse getCoursesForStudent(
+            @PathVariable @Positive Integer studentId, @AuthenticationPrincipal AuthenticatedUser user) {
+        if (!user.getUserId().equals(studentId)) {
+            throw new HttpClientErrorException(HttpStatus.FORBIDDEN);
+        }
         var courses = courseService.getCoursesForStudent(studentId);
         return new CourseListResponse(courses);
     }
