rajah 11 месяцев назад
Родитель
Сommit
69404c1ea0
26 измененных файлов с 117 добавлено и 138 удалено
  1. BIN
      .gradle/8.11.1/checksums/checksums.lock
  2. BIN
      .gradle/8.11.1/executionHistory/executionHistory.bin
  3. BIN
      .gradle/8.11.1/executionHistory/executionHistory.lock
  4. BIN
      .gradle/8.11.1/fileHashes/fileHashes.bin
  5. BIN
      .gradle/8.11.1/fileHashes/fileHashes.lock
  6. BIN
      .gradle/buildOutputCleanup/buildOutputCleanup.lock
  7. BIN
      .gradle/file-system.probe
  8. 1 0
      build.gradle
  9. 1 1
      src/main/java/fr/triplea/demovote/CreateDefaultValues.java
  10. 1 0
      src/main/java/fr/triplea/demovote/persistence/dao/ProductionRepository.java
  11. 1 0
      src/main/java/fr/triplea/demovote/persistence/dao/RoleRepository.java
  12. 1 0
      src/main/java/fr/triplea/demovote/persistence/dao/VariableRepository.java
  13. 15 0
      src/main/java/fr/triplea/demovote/persistence/dto/UserCredentials.java
  14. 70 0
      src/main/java/fr/triplea/demovote/security/SecurityConfig.java
  15. 0 52
      src/main/java/fr/triplea/demovote/spring/SecurityConfig.java
  16. 5 4
      src/main/java/fr/triplea/demovote/web/controller/AccountController.java
  17. 20 35
      src/main/java/fr/triplea/demovote/web/controller/AuthController.java
  18. 0 3
      src/main/java/fr/triplea/demovote/web/controller/BulletinController.java
  19. 0 6
      src/main/java/fr/triplea/demovote/web/controller/CategorieController.java
  20. 0 1
      src/main/java/fr/triplea/demovote/web/controller/DiversController.java
  21. 0 2
      src/main/java/fr/triplea/demovote/web/controller/MessageController.java
  22. 0 7
      src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java
  23. 0 4
      src/main/java/fr/triplea/demovote/web/controller/PreferenceController.java
  24. 0 2
      src/main/java/fr/triplea/demovote/web/controller/PresentationController.java
  25. 2 14
      src/main/java/fr/triplea/demovote/web/controller/ProductionController.java
  26. 0 7
      src/main/java/fr/triplea/demovote/web/controller/VariableController.java

BIN
.gradle/8.11.1/checksums/checksums.lock


BIN
.gradle/8.11.1/executionHistory/executionHistory.bin


BIN
.gradle/8.11.1/executionHistory/executionHistory.lock


BIN
.gradle/8.11.1/fileHashes/fileHashes.bin


BIN
.gradle/8.11.1/fileHashes/fileHashes.lock


BIN
.gradle/buildOutputCleanup/buildOutputCleanup.lock


BIN
.gradle/file-system.probe


+ 1 - 0
build.gradle

@@ -26,6 +26,7 @@ dependencies {
   implementation 'com.google.guava:guava:33.4.0-jre'
   implementation 'com.twelvemonkeys.imageio:imageio-core:3.12.0'
   implementation 'net.coobird:thumbnailator:0.4.20'
+	implementation 'org.json:json:20250107'
 	
   runtimeOnly 'org.postgresql:postgresql'
 

+ 1 - 1
src/main/java/fr/triplea/demovote/spring/CreateDefaultValues.java → src/main/java/fr/triplea/demovote/CreateDefaultValues.java

@@ -1,4 +1,4 @@
-package fr.triplea.demovote.spring;
+package fr.triplea.demovote;
 
 import java.util.Arrays;
 import java.util.List;

+ 1 - 0
src/main/java/fr/triplea/demovote/persistence/dao/ProductionRepository.java

@@ -11,6 +11,7 @@ import fr.triplea.demovote.persistence.dto.ProductionShort;
 import fr.triplea.demovote.persistence.model.Participant;
 import fr.triplea.demovote.persistence.model.Production;
 
+
 public interface ProductionRepository extends JpaRepository<Production, Integer> 
 {
 

+ 1 - 0
src/main/java/fr/triplea/demovote/persistence/dao/RoleRepository.java

@@ -8,6 +8,7 @@ import org.springframework.data.repository.query.Param;
 
 import fr.triplea.demovote.persistence.model.Role;
 
+
 public interface RoleRepository extends JpaRepository<Role, Integer> 
 {
 

+ 1 - 0
src/main/java/fr/triplea/demovote/persistence/dao/VariableRepository.java

@@ -9,6 +9,7 @@ import org.springframework.data.repository.query.Param;
 import fr.triplea.demovote.persistence.dto.VariableTypeOptionList;
 import fr.triplea.demovote.persistence.model.Variable;
 
+
 public interface VariableRepository extends JpaRepository<Variable, Integer> 
 {
   

+ 15 - 0
src/main/java/fr/triplea/demovote/persistence/dto/UserCredentials.java

@@ -1,5 +1,7 @@
 package fr.triplea.demovote.persistence.dto;
 
+import org.json.JSONObject;
+
 public class UserCredentials
 {
   
@@ -26,6 +28,19 @@ public class UserCredentials
 
   public UserCredentials() {}
   
+  public String toJSONString()
+  {
+    JSONObject jo = new JSONObject();
+    
+    jo.put("username", this.username);
+    jo.put("password", this.password);
+    jo.put("nom", this.nom);
+    jo.put("prenom", this.prenom);
+    jo.put("role", hasRole() ? this.role : null);
+
+    return jo.toString();
+  }
+  
   @Override
   public String toString() 
   {
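Review bot: `toJSONString()` puts `this.password` into the serialized object, so any log line, error message or response built from this string carries the credential. Drop `jo.put("password", this.password);`, or write a fixed marker instead, and add a comment such as `// password is deliberately not serialized`. Note also that `JSONObject.put` with a `null` value removes the key, so `role` (and any other null field) is absent from the output rather than `null`; use `JSONObject.NULL` if consumers expect the key to be present. The callers of this method are not visible in the diff, and the class body continues outside the hunk.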

+ 70 - 0
src/main/java/fr/triplea/demovote/security/SecurityConfig.java

@@ -0,0 +1,70 @@
+package fr.triplea.demovote.security;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.authentication.dao.DaoAuthenticationProvider;
+import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.http.SessionCreationPolicy;
+import org.springframework.security.core.session.SessionRegistry;
+import org.springframework.security.core.session.SessionRegistryImpl;
+import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
+import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.web.SecurityFilterChain;
+
+@Configuration
+@EnableWebSecurity
+@EnableMethodSecurity
+public class SecurityConfig
+{
+ 
+  // TODO: CSRF-TOKEN, filtrage anti-XSS, filtrage anti-SQL-injection, Header FrameOptions, etc
+  
+  @Autowired
+  private MyUserDetailsService myUserDetailsService;
+
+  @Bean
+  public PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(11); }
+
+  @Bean
+  public AuthenticationManager authenticationManager(AuthenticationConfiguration configuration) throws Exception { return configuration.getAuthenticationManager(); }
+
+  @Bean
+  public DaoAuthenticationProvider authenticationProvider() 
+  {
+    DaoAuthenticationProvider authProvider = new DaoAuthenticationProvider();
+       
+    authProvider.setUserDetailsService(myUserDetailsService);
+    authProvider.setPasswordEncoder(passwordEncoder());
+   
+    return authProvider;
+  }
+  
+  @Bean
+  public SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }
+
+  @Bean
+  SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception 
+  {
+    http.csrf((csrf) -> csrf.disable())
+        .authenticationProvider(authenticationProvider())
+        .authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
+          .requestMatchers("/divers/**", "/sign/**").permitAll()
+          .requestMatchers("/account/**", "/preference/**", "/message/**", "/urne/**", "/resultats/**").permitAll() //.hasRole("USER")
+          .requestMatchers("/variable/**", "/categorie/**", "/production/**", "/presentation/**").permitAll() //.hasRole("ADMIN")
+          .requestMatchers("/participant/**").permitAll() //.hasRole("ORGA")
+          .anyRequest().authenticated()
+          )
+        .sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.ALWAYS).maximumSessions(1).sessionRegistry(sessionRegistry())
+        );
+
+    //http.addFilterBefore(authenticationJwtTokenFilter(), UsernamePasswordAuthenticationFilter.class); // TODO: JWT token
+    
+    return http.build();
+  }
+
+}
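Review bot: In `securityFilterChain` the three role-scoped matcher groups (`/account/**`…, `/variable/**`…, `/participant/**`) end in `.permitAll()` with the role check left in a trailing comment, so every listed path is reachable without authentication. The same commit strips the `@PreAuthorize` annotations from the Account, Bulletin, Categorie, Message, Participant, Preference, Presentation, Production and Variable controllers, so no method-level check remains behind these matchers even though `@EnableMethodSecurity` is still declared. Restore the checks the deleted `spring/SecurityConfig` had: `.hasRole("USER")`, `.hasRole("ADMIN")` and `.hasAnyRole("ADMIN", "ORGA")` (the new comment on `/participant/**` names only ORGA). Separately, `csrf.disable()` now sits next to `SessionCreationPolicy.ALWAYS`, i.e. cookie-backed sessions with no CSRF token; the TODO at the top of the class mentions it, but it should be resolved before this configuration is deployed.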

+ 0 - 52
src/main/java/fr/triplea/demovote/spring/SecurityConfig.java

@@ -1,52 +0,0 @@
-package fr.triplea.demovote.spring;
-
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.ComponentScan;
-import org.springframework.context.annotation.Configuration;
-import org.springframework.security.authentication.AuthenticationManager;
-import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration;
-import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
-import org.springframework.security.config.annotation.web.builders.HttpSecurity;
-import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
-import org.springframework.security.core.session.SessionRegistry;
-import org.springframework.security.core.session.SessionRegistryImpl;
-import org.springframework.security.crypto.bcrypt.BCryptPasswordEncoder;
-import org.springframework.security.crypto.password.PasswordEncoder;
-import org.springframework.security.web.SecurityFilterChain;
-
-@Configuration
-@EnableWebSecurity
-@EnableMethodSecurity
-@ComponentScan("fr.triplea.demovote.security")
-public class SecurityConfig
-{
- 
-
-  @Bean
-  AuthenticationManager authenticationManager(AuthenticationConfiguration authenticationConfiguration) throws Exception { return authenticationConfiguration.getAuthenticationManager(); }
-
-  @Bean
-  PasswordEncoder passwordEncoder() { return new BCryptPasswordEncoder(11); }
-
-  @Bean
-  SessionRegistry sessionRegistry() { return new SessionRegistryImpl(); }
-
-   @Bean
-  SecurityFilterChain securityFilterChain(HttpSecurity http) throws Exception 
-  {
-    http.csrf((csrf) -> csrf.disable());
-    
-    http.authorizeHttpRequests((authorizeHttpRequests) -> authorizeHttpRequests
-      .requestMatchers("/divers/**", "/sign/**").permitAll()
-      .requestMatchers("/account/**", "/preference/**", "/message/**", "/urne/**", "/resultats/**").hasRole("USER")
-      .requestMatchers("/variable/**", "/categorie/**", "/production/**", "/presentation/**").hasRole("ADMIN")
-      .requestMatchers("/participant/**").hasAnyRole("ADMIN", "ORGA")
-      .anyRequest().authenticated()
-    );
-
-    http.sessionManagement((sessionManagement) -> sessionManagement.maximumSessions(2).sessionRegistry(sessionRegistry()));
-
-    return http.build();
-  }
-
-}

+ 5 - 4
src/main/java/fr/triplea/demovote/web/controller/AccountController.java

@@ -1,8 +1,9 @@
 package fr.triplea.demovote.web.controller;
 
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
 import org.springframework.security.crypto.password.PasswordEncoder;
@@ -23,6 +24,8 @@ import fr.triplea.demovote.persistence.model.Participant;
 @RequestMapping("/account")
 public class AccountController 
 {
+  @SuppressWarnings("unused") 
+  private static final Logger logger = LoggerFactory.getLogger(AccountController.class);
 
   @Autowired
   private ParticipantRepository participantRepository;
@@ -32,7 +35,6 @@ public class AccountController
 
 
   @GetMapping(value = "/form")
-  @PreAuthorize("hasAnyRole('USER')")
   public ResponseEntity<ParticipantTransfer> getForm() 
   { 
     Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
@@ -43,12 +45,11 @@ public class AccountController
       
       if (found != null) { return ResponseEntity.ok(found); }
     }
-    
+   
     return ResponseEntity.notFound().build();
   }
  
   @PutMapping(value = "/update")
-  @PreAuthorize("hasAnyRole('USER')")
   public ResponseEntity<Object> update(@RequestBody(required = true) ParticipantTransfer participant) 
   { 
     Authentication authentication = SecurityContextHolder.getContext().getAuthentication();

+ 20 - 35
src/main/java/fr/triplea/demovote/web/controller/AuthController.java

@@ -6,11 +6,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.authentication.AuthenticationManager;
 import org.springframework.security.authentication.UsernamePasswordAuthenticationToken;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.context.SecurityContextHolder;
-import org.springframework.security.crypto.password.PasswordEncoder;
+import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.RequestBody;
@@ -21,6 +20,7 @@ import fr.triplea.demovote.persistence.dao.ParticipantRepository;
 import fr.triplea.demovote.persistence.dto.UserCredentials;
 import fr.triplea.demovote.persistence.model.Participant;
 import fr.triplea.demovote.persistence.model.Role;
+import fr.triplea.demovote.security.MyUserDetailsService;
 
 
 @CrossOrigin(origins = "http://localhost:4200")
@@ -28,16 +28,14 @@ import fr.triplea.demovote.persistence.model.Role;
 @RequestMapping("/sign")
 public class AuthController 
 {
+  @SuppressWarnings("unused") 
   private static final Logger logger = LoggerFactory.getLogger(AuthController.class);
   
   @Autowired
-  private AuthenticationManager authenticationManager;
+  private MyUserDetailsService myUserDetailsService;
 
   @Autowired
   private ParticipantRepository participantRepository;
-  
-  @Autowired
-  private PasswordEncoder passwordEncoder;
 
 
   @PostMapping(value = "/in")
@@ -52,40 +50,27 @@ public class AuthController
     
     if (found != null)
     { 
-      logger.info("compte trouvé, passhash=" + found.getMotDePasse());
+      UserDetails userDetails = myUserDetailsService.loadUserByUsername(usrn);
+
+      Authentication authentication= new UsernamePasswordAuthenticationToken(userDetails, null, userDetails.getAuthorities()) ; 
       
-      logger.info("pass=" + passwordEncoder.encode(pass));
+      SecurityContextHolder.getContext().setAuthentication(authentication); // TODO : à fixer, le security-context ne converse pas l'authentification
+                  
+      uc = new UserCredentials();
       
-      if (passwordEncoder.matches(pass, found.getMotDePasse()))
-      {
-        logger.info("mot de passe ok");
+      uc.setUsername(usrn);
+      uc.setPassword("<success@auth>");
+      uc.setNom(found.getNom());
+      uc.setPrenom(found.getPrenom());
 
-        UsernamePasswordAuthenticationToken token = new UsernamePasswordAuthenticationToken(usrn, found.getMotDePasse());
- 
-        //Authentication auth = authenticationManager.authenticate(token); <-- // TODO : doesn't work
+      List<Role> roles = found.getRoles();
        
-        //logger.info("auth");
-
-        //SecurityContextHolder.getContext().setAuthentication(auth);
-        
-        //logger.info("in scholder");
-        
-        uc = new UserCredentials();
-        
-        uc.setUsername(usrn);
-        uc.setPassword("<success@auth>");
-        uc.setNom(found.getNom());
-        uc.setPrenom(found.getPrenom());
-
-        List<Role> roles = found.getRoles();
-         
-        if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ADMIN")) { uc.setRole("ADMIN"); } } }
-        if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ORGA")) { uc.setRole("ORGA"); } } }
-        if (!(uc.hasRole())) { uc.setRole("USER"); }
+      if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ADMIN")) { uc.setRole("ADMIN"); } } }
+      if (!(uc.hasRole())) { for (Role role : roles) { if (role.isRole("ORGA")) { uc.setRole("ORGA"); } } }
+      if (!(uc.hasRole())) { uc.setRole("USER"); }
 
-        return ResponseEntity.ok(uc);
-      }      
-    }
+      return ResponseEntity.ok(uc);
+     }
     
     uc = new UserCredentials();
     
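Review bot: Inside `if (found != null)` the success path no longer compares `pass` with the stored hash: the `passwordEncoder.matches(pass, found.getMotDePasse())` guard is gone, and `loadUserByUsername(usrn)` followed by the three-argument `UsernamePasswordAuthenticationToken` constructor yields an already-authenticated token for any known username. Unless the lookup of `found` above the hunk already verifies the password (not visible here), the credential check has to come back, preferably by calling `authenticationManager.authenticate(...)` with the raw `pass` so that the `DaoAuthenticationProvider` declared in the new `SecurityConfig` does the bcrypt comparison. That needs the `AuthenticationManager` field which the previous hunk removes, plus an import of `org.springframework.security.core.AuthenticationException`. On the TODO about the context not being kept: in Spring Security 6 a context set by hand is only persisted when it is saved explicitly through a `SecurityContextRepository` (for example `HttpSessionSecurityContextRepository.saveContext`), so confirm which version is in use. The method starts and ends outside the hunk.

```java
    if (found != null)
    {
      try
      {
        // The provider compares the raw password with the stored bcrypt hash and throws on mismatch.
        Authentication authentication = authenticationManager.authenticate(new UsernamePasswordAuthenticationToken(usrn, pass));

        SecurityContextHolder.getContext().setAuthentication(authentication);

        // … unchanged: uc population and role selection …

        return ResponseEntity.ok(uc);
      }
      catch (AuthenticationException e)
      {
        // Wrong password or disabled account: fall through to the failure response below.
      }
    }
```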

+ 0 - 3
src/main/java/fr/triplea/demovote/web/controller/BulletinController.java

@@ -6,7 +6,6 @@ import java.util.Map;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -43,7 +42,6 @@ public class BulletinController
   private ProductionRepository productionRepository;
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Object> add(@RequestParam(required = true) int cat_id, @RequestParam(required = true) int part_id, @RequestParam(required = true) int prod_id) 
   { 
     Bulletin bul = bulletinRepository.findByCategorieAndParticipant(cat_id, part_id);
@@ -127,7 +125,6 @@ public class BulletinController
   }
 
   @DeleteMapping(value = "/delete/{id}")
-  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Map<String, Boolean>> remove(@PathVariable int id) 
   { 
     if (id > 0) { bulletinRepository.deleteById(id); }

+ 0 - 6
src/main/java/fr/triplea/demovote/web/controller/CategorieController.java

@@ -6,7 +6,6 @@ import java.util.Map;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -31,14 +30,12 @@ public class CategorieController
 
 
   @GetMapping(value = "/list")
-  @PreAuthorize("hasRole('ADMIN')")
   public List<Categorie> getList() 
   { 
     return categorieRepository.findAll(); 
   }
 
   @GetMapping(value = "/form/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Categorie> getForm(@PathVariable int id)
   { 
     Categorie c = categorieRepository.findById(id);
@@ -49,7 +46,6 @@ public class CategorieController
   }
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasRole('ADMIN')")
   public Categorie create(@RequestBody(required = true) Categorie categorie) 
   { 
     Categorie found = categorieRepository.findById(0);
@@ -62,7 +58,6 @@ public class CategorieController
   }
 
   @PutMapping(value = "/update/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Object> update(@PathVariable int id, @RequestBody(required = true) Categorie categorie) 
   { 
     Categorie found = categorieRepository.findById(id);
@@ -88,7 +83,6 @@ public class CategorieController
   }
 
   @DeleteMapping(value = "/delete/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> disableCategorie(@PathVariable int id) 
   { 
     Categorie c = categorieRepository.getReferenceById(id);

+ 0 - 1
src/main/java/fr/triplea/demovote/web/controller/DiversController.java

@@ -3,7 +3,6 @@ package fr.triplea.demovote.web.controller;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-//import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/MessageController.java

@@ -3,7 +3,6 @@ package fr.triplea.demovote.web.controller;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -24,7 +23,6 @@ public class MessageController
   
   
   @GetMapping(value = "/list/{id}")
-  @PreAuthorize("hasRole('USER')")
   public List<Message> getList(@PathVariable int id)
   { 
     return messageRepository.findAll(id, id); 

+ 0 - 7
src/main/java/fr/triplea/demovote/web/controller/ParticipantController.java

@@ -9,7 +9,6 @@ import java.util.UUID;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -45,7 +44,6 @@ public class ParticipantController
   
 
   @GetMapping(value = "/list")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public List<ParticipantList> getList() 
   { 
     return participantRepository.getList(); 
@@ -53,14 +51,12 @@ public class ParticipantController
 
   
   @GetMapping(value = "/option-list")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public List<ParticipantOptionList> getOptionList() 
   { 
     return participantRepository.getOptionList(); 
   }
 
   @GetMapping(value = "/form/{id}")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public ResponseEntity<ParticipantTransfer> getForm(@PathVariable int id) 
   { 
     ParticipantTransfer p = participantRepository.searchById(id);
@@ -71,7 +67,6 @@ public class ParticipantController
   }
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public ResponseEntity<Object> create(@RequestBody(required = true) ParticipantTransfer participant) 
   { 
     Participant found = participantRepository.findById(0);
@@ -143,7 +138,6 @@ public class ParticipantController
   }
 
   @PutMapping(value = "/update/{id}")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public ResponseEntity<Object> update(@PathVariable int id, @RequestBody(required = true) ParticipantTransfer participant) 
   { 
     Participant found = participantRepository.findById(id);
@@ -207,7 +201,6 @@ public class ParticipantController
   }
 
   @DeleteMapping(value = "/delete/{id}")
-  @PreAuthorize("hasAnyRole('ADMIN', 'ORGA')")
   public ResponseEntity<Map<String, Boolean>> disableParticipant(@PathVariable int id) 
   { 
     Participant found = participantRepository.getReferenceById(id);

+ 0 - 4
src/main/java/fr/triplea/demovote/web/controller/PreferenceController.java

@@ -4,7 +4,6 @@ import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.PostMapping;
@@ -29,14 +28,12 @@ public class PreferenceController
 
   
   @PostMapping(value = "/list")
-  @PreAuthorize("hasRole('USER')")
   public List<Preference> get(@RequestParam(required = true) Participant numParticipant, @RequestParam(required = false) int numTraitement) 
   { 
     return preferenceRepository.findByParticipantAndTraitement(numParticipant, numTraitement); 
   }
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasRole('USER')")
   public Preference create(@RequestBody(required = true) Preference preference) 
   { 
     Preference found = preferenceRepository.findById(0);
@@ -47,7 +44,6 @@ public class PreferenceController
   }
 
   @PutMapping(value = "/update/{id}")
-  @PreAuthorize("hasRole('USER')")
   public ResponseEntity<Preference> update(@PathVariable int id, @RequestBody(required = true) Preference preference) 
   { 
     Preference found = preferenceRepository.findById(id);

+ 0 - 2
src/main/java/fr/triplea/demovote/web/controller/PresentationController.java

@@ -4,7 +4,6 @@ package fr.triplea.demovote.web.controller;
 import java.util.List;
 
 import org.springframework.beans.factory.annotation.Autowired;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -23,7 +22,6 @@ public class PresentationController
   private PresentationRepository presentationRepository;
  
   @GetMapping(value = "/list")
-  @PreAuthorize("hasRole('ADMIN')")
   public List<Presentation> getList() 
   {
     return presentationRepository.findAll(); 

+ 2 - 14
src/main/java/fr/triplea/demovote/web/controller/ProductionController.java

@@ -11,7 +11,6 @@ import org.springframework.core.io.ByteArrayResource;
 import org.springframework.core.io.Resource;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -48,12 +47,8 @@ public class ProductionController
   @Autowired
   private ParticipantRepository participantRepository;
 
-  @Autowired 
-  private HttpServletRequest request;
-
-  
+ 
   @GetMapping(value = "/list")
-  @PreAuthorize("hasRole('ADMIN')")
   public List<Production> getList(@RequestParam(required = false) String type) 
   { 
     List<ProductionShort> prods = productionRepository.findAllWithoutArchive();
@@ -66,7 +61,6 @@ public class ProductionController
   }
 
   @GetMapping(value = "/file/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   @ResponseBody
   public ResponseEntity<Resource> getFile(@PathVariable int id) 
   {
@@ -87,7 +81,6 @@ public class ProductionController
   }
 
   @GetMapping(value = "/form/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Production> getForm(@PathVariable int id)
   { 
     ProductionShort p = productionRepository.findByIdWithoutArchive(id);
@@ -98,7 +91,6 @@ public class ProductionController
   }
 
   @GetMapping(value = "/formfile/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<ProductionFile> getFormFile(@PathVariable int id)
   { 
     ProductionFile p = productionRepository.findByIdForUpload(id);
@@ -109,7 +101,6 @@ public class ProductionController
   }
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> create(@RequestBody(required = true) ProductionTransfer production, HttpServletRequest request) 
   { 
     Participant participant = participantRepository.findById(production.numeroParticipant());
@@ -153,8 +144,7 @@ public class ProductionController
   }
  
   @PutMapping(value = "/update/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
-  public ResponseEntity<Map<String, Boolean>> update(@PathVariable int id, @RequestBody(required = true) ProductionUpdate production) 
+  public ResponseEntity<Map<String, Boolean>> update(HttpServletRequest request, @PathVariable int id, @RequestBody(required = true) ProductionUpdate production) 
   { 
     Production found = productionRepository.findById(id);
     
@@ -198,7 +188,6 @@ public class ProductionController
   }
   
   @PutMapping(value = "/upload/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> update(@PathVariable int id, @RequestBody(required = true) ProductionFile production) 
   { 
     Production found = productionRepository.findById(id);
@@ -235,7 +224,6 @@ public class ProductionController
   }
 
   @DeleteMapping(value = "/delete/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> disableProduction(@PathVariable int id) 
   { 
     Production found = productionRepository.getReferenceById(id);

+ 0 - 7
src/main/java/fr/triplea/demovote/web/controller/VariableController.java

@@ -7,7 +7,6 @@ import java.util.Map;
 
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.CrossOrigin;
 import org.springframework.web.bind.annotation.DeleteMapping;
 import org.springframework.web.bind.annotation.GetMapping;
@@ -34,7 +33,6 @@ public class VariableController
 
 
   @GetMapping(value = "/list")
-  @PreAuthorize("hasRole('ADMIN')")
   public List<Variable> getList(@RequestParam(required = false) String type) 
   { 
     if (type == null) { return variableRepository.findAll(); }
@@ -45,14 +43,12 @@ public class VariableController
   }
   
   @GetMapping(value = "/option-list")
-  @PreAuthorize("hasRole('ADMIN')")
   public List<VariableTypeOptionList> getOptionList() 
   { 
     return variableRepository.getTypes(); 
   }
  
   @GetMapping(value = "/form/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Variable> getForm(@PathVariable int id) 
   { 
     Variable v = variableRepository.findById(id);
@@ -63,7 +59,6 @@ public class VariableController
   }
 
   @PostMapping(value = "/create")
-  @PreAuthorize("hasRole('ADMIN')")
   public Variable create(@RequestBody(required = true) Variable variable) 
   { 
     Variable found = variableRepository.findById(0);
@@ -76,7 +71,6 @@ public class VariableController
   }
  
   @PutMapping(value = "/update/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Variable> update(@PathVariable int id, @RequestBody(required = true) Variable variable) 
   { 
     Variable found = variableRepository.findById(id);
@@ -97,7 +91,6 @@ public class VariableController
   }
 
   @DeleteMapping(value = "/delete/{id}")
-  @PreAuthorize("hasRole('ADMIN')")
   public ResponseEntity<Map<String, Boolean>> deleteVariable(@PathVariable int id) 
   { 
     Variable found = variableRepository.findById(id);