Deduplicated PreAuthorize in ProjectController

src/main/kotlin/uk/co/neviyn/projectplanner/HtmlController.kt

@@ -5,11 +5,11 @@ import org.springframework.http.HttpStatus
 import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.security.core.annotation.AuthenticationPrincipal
 import org.springframework.stereotype.Controller
-import org.springframework.web.bind.annotation.GetMapping
-import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.ui.Model
 import org.springframework.validation.BindingResult
+import org.springframework.web.bind.annotation.GetMapping
 import org.springframework.web.bind.annotation.ModelAttribute
+import org.springframework.web.bind.annotation.PathVariable
 import org.springframework.web.bind.annotation.PostMapping
 import org.springframework.web.bind.annotation.RequestBody
 import org.springframework.web.bind.annotation.RequestMapping
@@ -88,7 +88,7 @@ class HtmlController @Autowired constructor(val userRepository: UserRepository,
 
     @GetMapping("/projects")
     @Transactional
-    fun listUserProjects(model: Model, @AuthenticationPrincipal userDetails: CustomUserDetails) : String {
+    fun listUserProjects(model: Model, @AuthenticationPrincipal userDetails: CustomUserDetails): String {
         val user = entityManager.merge(userDetails.user) // Reattach User entity
         model.addAttribute("projects", user.projects.sortedBy { it.id })
         model.addAttribute("newProject", NewProject(""))
@@ -97,12 +97,16 @@ class HtmlController @Autowired constructor(val userRepository: UserRepository,
 
 }
 
+@Suppress("ELValidationInJSP", "SpringElInspection")
+@PreAuthorize("hasPermission(#id, 'Long', '')")
+annotation class IsProjectMember
+
 @Controller
 @RequestMapping("/project/{id}")
+@IsProjectMember
 class ProjectController @Autowired constructor(val projectRepository: ProjectRepository, val userRepository: UserRepository, val eventRepository: EventRepository, val commentRepository: CommentRepository) {
 
     @GetMapping("")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     fun getProject(@PathVariable id: Long, model: Model): String {
         val project = projectRepository.findById(id).get()
         val nonMembers = userRepository.findByIdNotIn(project.members.map { it.id!! })
@@ -112,7 +116,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @GetMapping("/events")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun getProjectEventsBetween(@PathVariable id: Long, @RequestParam start: Instant?, @RequestParam end: Instant?) : Set<Event> {
         val project = projectRepository.findById(id).get()
@@ -124,7 +127,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
 
 
     @PostMapping("/adduser")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     fun addUserToProject(@PathVariable id: Long, @RequestParam("uid") uid: Long) : String {
         val user = userRepository.findById(uid).get()
         val project = projectRepository.findById(id).get()
@@ -134,7 +136,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @PostMapping("/removeuser")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     fun removeUserFromProject(@PathVariable id: Long, @RequestParam("id") uid: Long) : String{
         val project = projectRepository.findById(id).get()
         // Don't allow projects to have no members
@@ -146,7 +147,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @PostMapping("/addevent")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun addEventToProject(@PathVariable id: Long, @RequestBody e: NewEvent) {
         val project = projectRepository.findById(id).get()
@@ -155,7 +155,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @PostMapping("/editevent")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun editEvent(@PathVariable id: Long, @RequestBody e: EditedEvent) {
         val event = eventRepository.findById(e.id).get()
@@ -167,14 +166,12 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @PostMapping("/deleteevent")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun deleteEvent(@PathVariable id: Long, @RequestBody e: EventID) {
         eventRepository.deleteById(e.id)
     }
 
     @GetMapping("/eventcomments/{eventID}")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun getCommentsForEvent(@PathVariable id: Long, @PathVariable eventID: Long): List<FlatComment> {
         val project = projectRepository.findById(id).get()
@@ -184,7 +181,6 @@ class ProjectController @Autowired constructor(val projectRepository: ProjectRep
     }
 
     @PostMapping("/addcomment/{eventID}")
-    @PreAuthorize("hasPermission(#id, 'Long', '')")
     @ResponseBody
     fun addCommentToEvent(@PathVariable id: Long, @PathVariable eventID: Long, @RequestBody c: NewComment, @AuthenticationPrincipal userDetails: CustomUserDetails) {
         val event = eventRepository.findById(eventID).get()