From a15a596fad8968f3f8cc084f1aa47a0826ea6c53 Mon Sep 17 00:00:00 2001
From: Lars Maronde <Lars.Maronde@Student.reutlingen-university.de>
Date: Mon, 14 Dec 2020 17:50:06 +0100
Subject: [PATCH] =?UTF-8?q?endpunkt=20um=20neue=20apotheke=20registrieren?=
 =?UTF-8?q?=20ge=C3=B6ffnet=20f=C3=BCr=20alle?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../ebdapo/backend/restcontroller/BenutzerController.java | 8 +++++++-
 .../ebdapo/backend/security/SecurityConfiguration.java    | 3 ++-
 2 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java b/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
index f68bb61..4303ed3 100644
--- a/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
+++ b/Backend/src/main/java/com/ebdapo/backend/restcontroller/BenutzerController.java
@@ -57,7 +57,13 @@ public class BenutzerController {
 
     @PostMapping("/apotheke/{apothekeId}/benutzer")
     public ResponseEntity<?> createNewBenutzer(@PathVariable String apothekeId, @RequestBody BenutzerAPIDetails benutzerData) {
-        if(!authController.checkIfAuthorized(authController.getCurrentUsername(), apothekeId)) {
+
+        //first user does not have to be authorized
+        boolean firstUser = apothekeRepo.findById(apothekeId).orElseThrow(InvalidInputException::new)
+                .getBenutzer().size() == 0;
+
+
+        if(!firstUser && !authController.checkIfAuthorized(authController.getCurrentUsername(), apothekeId)) {
             return new ResponseEntity<>(HttpStatus.FORBIDDEN);
         }
 
diff --git a/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java b/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
index 0390bdb..066a681 100644
--- a/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
+++ b/Backend/src/main/java/com/ebdapo/backend/security/SecurityConfiguration.java
@@ -38,7 +38,8 @@ public class SecurityConfiguration extends WebSecurityConfigurerAdapter implemen
                 .antMatchers(HttpMethod.DELETE, "/**").hasAnyRole("ADMIN")
                 .antMatchers(HttpMethod.PUT, "​/apotheke​/*​/btmbuchung​/*").hasAnyRole("PRUEFER")
                 .antMatchers(HttpMethod.PUT, "/apotheke/**").hasAnyRole("BENUTZER","ADMIN")
-                .antMatchers(HttpMethod.POST, "/apotheke").hasAnyRole("BENUTZER", "ADMIN")
+                .antMatchers(HttpMethod.POST, "/apotheke").permitAll()
+                .antMatchers(HttpMethod.POST, "/apotheke/*").permitAll()
                 .antMatchers("/login", "/logout").permitAll()
 
                 //disable cross site forgery and disable cors protection
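Review bot: The new `"/apotheke/*"` matcher permits every POST to a single segment under `/apotheke` but, because Ant `*` matches one segment only, it does not cover `/apotheke/{apothekeId}/benutzer`, which appears to be the endpoint the BenutzerController hunk opens up; whether that endpoint is then reachable depends on the rules that follow outside this hunk. If the intent is only the first-user registration, the rule should be as narrow as that path, `.antMatchers(HttpMethod.POST, "/apotheke/*/benutzer").permitAll()`, with a comment naming why it is public, e.g. `// public only for bootstrapping the first Benutzer; the controller re-checks authorization for all later users`. Note also that the PRUEFER rule on the context line above contains zero-width characters inside the path string, so it likely never matches a real request; that predates this commit but is worth fixing alongside it. The enclosing configure method starts and ends outside the hunk.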
-- 
GitLab