[SHIBUI-1058]

Added permissions checks to user controller endpoints (except for the
getCurrentUser).

backend/src/main/java/edu/internet2/tier/shibboleth/admin/ui/security/controller/UsersController.java

@@ -10,6 +10,7 @@
 import org.slf4j.LoggerFactory;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.annotation.Secured;
 import org.springframework.security.crypto.bcrypt.BCrypt;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.web.bind.annotation.DeleteMapping;
@@ -48,6 +49,7 @@ public UsersController(UserRepository userRepository, RoleRepository roleReposit
         this.userService = userService;
     }
 
+    @Secured("ROLE_ADMIN")
     @Transactional(readOnly = true)
     @GetMapping
     public List<User> getAll() {
@@ -65,12 +67,14 @@ public ResponseEntity<?> getCurrentUser() {
         }
     }
 
+    @Secured("ROLE_ADMIN")
     @Transactional(readOnly = true)
     @GetMapping("/{username}")
     public ResponseEntity<?> getOne(@PathVariable String username) {
         return ResponseEntity.ok(findUserOrThrowHttp404(username));
     }
 
+    @Secured("ROLE_ADMIN")
     @Transactional
     @DeleteMapping("/{username}")
     public ResponseEntity<?> deleteOne(@PathVariable String username) {
@@ -79,6 +83,7 @@ public ResponseEntity<?> deleteOne(@PathVariable String username) {
         return ResponseEntity.noContent().build();
     }
 
+    @Secured("ROLE_ADMIN")
     @Transactional
     @PostMapping
     ResponseEntity<?> saveOne(@RequestBody User user) {
@@ -96,6 +101,7 @@ ResponseEntity<?> saveOne(@RequestBody User user) {
         return ResponseEntity.ok(savedUser);
     }
 
+    @Secured("ROLE_ADMIN")
     @Transactional
     @PatchMapping("/{username}")
     ResponseEntity<?> updateOne(@PathVariable(value = "username") String username, @RequestBody User user) {