perf(security): deleteUser autorizado solo a ADMIN

903bc074 · Alba María Álvarez · 8e4cdf5e · 903bc074
Commit 903bc074 authored Jun 19, 2025 by Alba María Álvarez
Showing with 5 additions and 0 deletions
src/main/java/com/example/apprecetas/security/config/SecurityConfig.java
--- a/src/main/java/com/example/apprecetas/security/config/SecurityConfig.java
+++ b/src/main/java/com/example/apprecetas/security/config/SecurityConfig.java
@@ -30,8 +30,13 @@ public class SecurityConfig {
                .headers(AbstractHttpConfigurer::disable)  // necesario para h2-console
                .httpBasic(AbstractHttpConfigurer::disable)
                .authorizeHttpRequests(request -> request
+                        // Para autenticación todos permitidos
                        .requestMatchers("/auth/**").permitAll()
+                        // Para ver todos los usuarios, solo ADMIN
                        .requestMatchers(HttpMethod.GET, "/user").hasRole("ADMIN")
+                        // Para eliminar un usuario, solo ADMIN
+                        .requestMatchers(HttpMethod.DELETE, "/user").hasRole("ADMIN")
+                        // Todo lo demás, autenticados
                        .anyRequest().authenticated()
                )
                .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))