Bugfix/security is broken
This merge request "fixes" the broken security. Many methods were effectively unsecured because our top-level
CRUDService had a
@PreAuthorize("permitAll") annotation. If the sub-interface or implementation didn't override that (the specific example that launched this whole investigation was
ProjectService#update, any user could change any project name by the REST API).
The majority of the changes are removing overriding permissions from the interfaces and moving them directly to the classes (so we don't have to double up on code). I avoided changing tests because I didn't want to affect the behaviour that we were testing out.
The major exception to changing tests is
UserServiceImplIT, where I ported it to use the
@WithMockUser annotation, and where I deleted tests because I removed otherwise unused methods on service classes.