prevent non admin users from receiving info about others

src/main/java/com/example/nto/controller/EmployeeController.java

@@ -28,7 +28,9 @@ public class EmployeeController {
 
     @GetMapping("/info")
     public EmployeeDTO info(@RequestParam final String login) {
-        return employeeService.getEmployeeDTO(login);
+        Authentication authentication = SecurityContextHolder.getContext().getAuthentication();
+        String recipientLogin = authentication.getName();
+        return employeeService.getEmployeeDTO(login, recipientLogin);
     }
 
     @PatchMapping("/open")

src/main/java/com/example/nto/service/EmployeeService.java

@@ -6,7 +6,7 @@ import org.springframework.security.core.userdetails.UserDetails;
 
 public interface EmployeeService {
 
-    EmployeeDTO getEmployeeDTO(String login);
+    EmployeeDTO getEmployeeDTO(String login, final String recipientLogin);
 
     void updateVisit(String login, long value);
 

src/main/java/com/example/nto/service/exception/NotAnAdminException.java

@@ -0,0 +1,7 @@
+package com.example.nto.service.exception;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.FORBIDDEN)
+public class NotAnAdminException extends RuntimeException {}

src/main/java/com/example/nto/service/impl/EmployeeServiceImpl.java

@@ -1,6 +1,7 @@
 package com.example.nto.service.impl;
 
 import com.example.nto.mapper.EmployeeDTOMapper;
+import com.example.nto.model.EmployeeRoleType;
 import com.example.nto.model.dto.EmployeeDTO;
 import com.example.nto.model.entity.Employee;
 import com.example.nto.repository.CodeRepository;
@@ -9,11 +10,13 @@ import com.example.nto.service.EmployeeService;
 import com.example.nto.service.exception.CodeNotFoundException;
 import com.example.nto.service.exception.EmployeeBannedException;
 import com.example.nto.service.exception.EmployeeNotFoundException;
+import com.example.nto.service.exception.NotAnAdminException;
 import lombok.RequiredArgsConstructor;
 import org.springframework.security.crypto.password.PasswordEncoder;
 import org.springframework.stereotype.Service;
 
 import java.time.LocalDateTime;
+import java.util.Objects;
 
 @Service
 @RequiredArgsConstructor
@@ -34,30 +37,30 @@ public class EmployeeServiceImpl implements EmployeeService {
     }
 
     @Override
-    public EmployeeDTO getEmployeeDTO(final String login) {
-        if (!employeeRepository.existsByLogin(login)) {
-            throw new EmployeeNotFoundException();
-        }
+    public EmployeeDTO getEmployeeDTO(final String login, final String recipientLogin) {
+        employeeExists(login);
         var e = employeeRepository.findEmployeeByLogin(login);
+        if (!Objects.equals(e.getLogin(), recipientLogin)) {
+            var recipient = getEmployee(recipientLogin);
+            if (recipient.getRole() != EmployeeRoleType.ADMIN) {
+                throw new NotAnAdminException();
+            }
+        }
         return employeeDTOMapper.map(e);
     }
 
     private Employee getEmployee(final String login) {
-        if (!employeeRepository.existsByLogin(login)) {
-            throw new EmployeeNotFoundException();
-        }
+        employeeExists(login);
         return employeeRepository.findEmployeeByLogin(login);
     }
 
     @Override
     public void updateVisit(final String login, final long value) {
-        if (!employeeRepository.existsByLogin(login)) {
-            throw new EmployeeNotFoundException();
-        }
+        employeeExists(login);
         if (!codeRepository.existsByValue(value)) {
             throw new CodeNotFoundException();
         }
-        final Employee employee = employeeRepository.findEmployeeByLogin(login);
+        final Employee employee = getEmployee(login);
         if (employee.getIsBanned()) {
             throw new EmployeeBannedException();
         }