Integration test to verify securing findById(…) generally works.

Issue: #2070.

Author: odrotbohm

spring-data-rest-tests/spring-data-rest-tests-security/src/test/java/org/springframework/data/rest/tests/security/PreAuthorizedOrderRepository.java

@@ -15,6 +15,7 @@
  */
 package org.springframework.data.rest.tests.security;
 
+import java.util.Optional;
 import java.util.UUID;
 
 import org.springframework.data.repository.CrudRepository;
@@ -28,6 +29,10 @@
 @PreAuthorize("hasRole('ROLE_USER')") // <1>
 public interface PreAuthorizedOrderRepository extends CrudRepository<Order, UUID> {
 
+	@PreAuthorize("hasRole('ROLE_ADMIN')")
+	@Override
+	Optional<Order> findById(UUID id);
+
 	@PreAuthorize("hasRole('ROLE_ADMIN')") // <2>
 	@Override
 	void deleteById(UUID aLong);

spring-data-rest-tests/spring-data-rest-tests-security/src/test/java/org/springframework/data/rest/tests/security/SecurityIntegrationTests.java

@@ -37,6 +37,7 @@
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.test.context.ContextConfiguration;
 import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.test.web.servlet.result.MockMvcResultHandlers;
 import org.springframework.test.web.servlet.setup.MockMvcBuilders;
 import org.springframework.web.context.WebApplicationContext;
 
@@ -229,4 +230,17 @@ public void findAllOrdersAccessGrantedForAdmins() throws Throwable {
 				with(user("user").roles("USER", "ADMIN"))).//
 				andExpect(status().isOk());
 	}
+
+	@Test // #2070
+	public void rejectsAccessToItemResourceIfNotAuthorized() throws Exception {
+
+		MockHttpServletResponse response = mvc.perform(get(client.discoverUnique("orders").expand().getHref()).//
+				with(user("user").roles("USER"))).//
+				andReturn().getResponse();
+		String href = assertHasJsonPathValue("$._embedded.orders[0]._links.self.href", response);
+
+		mvc.perform(get(href).with(user("user").roles("USER")))
+				.andDo(MockMvcResultHandlers.print())
+				.andExpect(status().isForbidden());
+	}
 }