src/main/kotlin/net/halfbinary/scavengerhuntapi/config/SecurityConfig.kt

@@ -4,6 +4,7 @@ import org.springframework.context.annotation.Bean
 import org.springframework.context.annotation.Configuration
 import org.springframework.security.authentication.AuthenticationManager
 import org.springframework.security.config.annotation.authentication.configuration.AuthenticationConfiguration
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity
 import org.springframework.security.config.annotation.web.builders.HttpSecurity
 import org.springframework.security.config.annotation.web.configurers.CorsConfigurer
 import org.springframework.security.config.annotation.web.configurers.CsrfConfigurer
@@ -17,7 +18,7 @@ import org.springframework.security.web.authentication.UsernamePasswordAuthentic
 
 
 @Configuration
-//@EnableWebSecurity
+@EnableMethodSecurity
 class SecurityConfig(private val authEntrypointJwt: AuthEntrypointJwt,
     private val authTokenFilter: AuthTokenFilter) {
 

src/main/kotlin/net/halfbinary/scavengerhuntapi/controller/HuntController.kt

@@ -10,6 +10,7 @@ import net.halfbinary.scavengerhuntapi.model.request.HuntStatus
 import net.halfbinary.scavengerhuntapi.model.response.HuntResponse
 import net.halfbinary.scavengerhuntapi.service.HuntService
 import org.springframework.http.ResponseEntity
+import org.springframework.security.access.prepost.PreAuthorize
 import org.springframework.web.bind.annotation.*
 
 @RestController
@@ -21,6 +22,7 @@ class HuntController(private val huntService: HuntService) {
         return ResponseEntity.ok(huntService.getHunt(huntId).toResponse())
     }
 
+    @PreAuthorize("hasRole('ADMIN')")
     @GetMapping()
     fun getAllHunts(@RequestParam status: HuntStatus?): ResponseEntity<List<HuntResponse>> {
         return ResponseEntity.ok(huntService.getAllHunts(status).map { it.toResponse() })