From 96a7807ab5448149a1ebf053e9ea9d87d5f3c2fd Mon Sep 17 00:00:00 2001
From: Jesse Brault
Date: Mon, 23 Feb 2026 16:50:14 -0600
Subject: [PATCH] MME-20 Move access-denied exception handler and fix security config.

---
 .../api/image/ImageController.java | 17 -----------------
 .../api/security/SecurityConfiguration.java | 1 +
 .../api/util/ExceptionHandlers.java | 16 ++++++++++++++++
 3 files changed, 17 insertions(+), 17 deletions(-)

diff --git a/src/main/java/app/mealsmadeeasy/api/image/ImageController.java b/src/main/java/app/mealsmadeeasy/api/image/ImageController.java
index f4ec8ef..1c84deb 100644
--- a/src/main/java/app/mealsmadeeasy/api/image/ImageController.java
+++ b/src/main/java/app/mealsmadeeasy/api/image/ImageController.java
@@ -8,17 +8,13 @@ import app.mealsmadeeasy.api.image.view.ImageView;
 import app.mealsmadeeasy.api.sliceview.SliceViewService;
 import app.mealsmadeeasy.api.user.User;
 import app.mealsmadeeasy.api.user.UserService;
-import app.mealsmadeeasy.api.util.AccessDeniedView;
 import app.mealsmadeeasy.api.util.ResourceExistsView;
 import lombok.RequiredArgsConstructor;
 import org.springframework.core.io.InputStreamResource;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.domain.Slice;
-import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
-import org.springframework.security.access.AccessDeniedException;
-import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
@@ -40,19 +36,6 @@ public class ImageController {
     private final ImageUpdateBodyToSpecConverter imageUpdateBodyToSpecConverter;
     private final SliceViewService sliceViewService;
 
-    @ExceptionHandler
-    public ResponseEntity onAccessDenied(AccessDeniedException e) {
-        if (e instanceof AuthorizationDeniedException) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN)
-                    .contentType(MediaType.APPLICATION_JSON)
-                    .body(new AccessDeniedView(HttpStatus.FORBIDDEN.value(), e.getMessage()));
-        } else {
-            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
-                    .contentType(MediaType.APPLICATION_JSON)
-                    .body(new AccessDeniedView(HttpStatus.UNAUTHORIZED.value(), e.getMessage()));
-        }
-    }
-
     @GetMapping
     public ResponseEntity getOwnedImages(
             @AuthenticationPrincipal User principal,
diff --git a/src/main/java/app/mealsmadeeasy/api/security/SecurityConfiguration.java b/src/main/java/app/mealsmadeeasy/api/security/SecurityConfiguration.java
index d454800..974ba02 100644
--- a/src/main/java/app/mealsmadeeasy/api/security/SecurityConfiguration.java
+++ b/src/main/java/app/mealsmadeeasy/api/security/SecurityConfiguration.java
@@ -46,6 +46,7 @@ public class SecurityConfiguration {
             this.endpointAuthConfigurators.forEach(endpointAuthConfigurator -> {
                 endpointAuthConfigurator.configure(requests);
             });
+            requests.requestMatchers("/error").permitAll();
         });
         httpSecurity.csrf(AbstractHttpConfigurer::disable);
         httpSecurity.cors(Customizer.withDefaults());
diff --git a/src/main/java/app/mealsmadeeasy/api/util/ExceptionHandlers.java b/src/main/java/app/mealsmadeeasy/api/util/ExceptionHandlers.java
index 2b1851c..eb73bd4 100644
--- a/src/main/java/app/mealsmadeeasy/api/util/ExceptionHandlers.java
+++ b/src/main/java/app/mealsmadeeasy/api/util/ExceptionHandlers.java
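Review bot: `requests.requestMatchers("/error").permitAll()` opens the error endpoint for every dispatcher type, so an anonymous client can also GET `/error` directly and receive whatever `BasicErrorController` renders for it (how much of the last exception that exposes depends on the `server.error.include-*` properties, which are not visible here). Since the goal is only to let the ERROR dispatch through the authorization filter, the narrower `requests.dispatcherTypeMatchers(DispatcherType.ERROR).permitAll();` (`jakarta.servlet.DispatcherType`; available on the Spring Security 6 `requestMatchers` API this file already uses) grants exactly that and nothing more. Registering the rule after the `endpointAuthConfigurators` loop also makes it order-dependent: if any configurator registers an `anyRequest()` rule, Spring Security rejects a later matcher at startup, so the line is safer placed before the loop. The enclosing method starts before this hunk.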
@@ -1,7 +1,10 @@
 package app.mealsmadeeasy.api.util;
 
 import org.springframework.http.HttpStatus;
+import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.authorization.AuthorizationDeniedException;
 import org.springframework.web.bind.annotation.ControllerAdvice;
 import org.springframework.web.bind.annotation.ExceptionHandler;
 
@@ -70,4 +73,17 @@ public class ExceptionHandlers {
         ));
     }
 
+    @ExceptionHandler(AccessDeniedException.class)
+    public ResponseEntity onAccessDenied(AccessDeniedException e) {
+        if (e instanceof AuthorizationDeniedException) {
+            return ResponseEntity.status(HttpStatus.FORBIDDEN)
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .body(new AccessDeniedView(HttpStatus.FORBIDDEN.value(), e.getMessage()));
+        } else {
+            return ResponseEntity.status(HttpStatus.UNAUTHORIZED)
+                    .contentType(MediaType.APPLICATION_JSON)
+                    .body(new AccessDeniedView(HttpStatus.UNAUTHORIZED.value(), e.getMessage()));
+        }
+    }
+
 }
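Review bot: The 401-versus-403 decision in `onAccessDenied` is keyed on the exception subtype, which does not track the caller's authentication state: Spring Security's method-security `AuthorizationManager` raises `AuthorizationDeniedException` for anonymous callers as well (they get 403 here), while any other `AccessDeniedException` — including one raised for a fully authenticated user — becomes a 401 without the `WWW-Authenticate` header a 401 is supposed to carry. Because the handler now sits in a global `@ControllerAdvice`, it also pre-empts `ExceptionTranslationFilter`, which is the component that normally makes that anonymous-versus-authenticated distinction. Deriving the status from the current `Authentication` (absent or anonymous → 401, otherwise 403) restores the intended semantics, and returning a fixed reason phrase instead of `e.getMessage()` avoids echoing authorization-rule text to the client. The sketch below uses `SecurityContextHolder` and `AuthenticationTrustResolverImpl` from spring-security-core, which this file already depends on; the `WWW-Authenticate` scheme to attach on 401 depends on the authentication mechanism, which is not visible here.
```java
private static final AuthenticationTrustResolver TRUST_RESOLVER = new AuthenticationTrustResolverImpl();

@ExceptionHandler(AccessDeniedException.class)
public ResponseEntity<AccessDeniedView> onAccessDenied(AccessDeniedException e) {
    // 401 only when there is no real principal; an authenticated caller that is
    // denied is a 403 regardless of which AccessDeniedException subtype was thrown.
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    boolean unauthenticated = auth == null || !auth.isAuthenticated() || TRUST_RESOLVER.isAnonymous(auth);
    HttpStatus status = unauthenticated ? HttpStatus.UNAUTHORIZED : HttpStatus.FORBIDDEN;
    // Fixed reason phrase: e.getMessage() may carry rule details not meant for clients.
    return ResponseEntity.status(status)
            .contentType(MediaType.APPLICATION_JSON)
            .body(new AccessDeniedView(status.value(), status.getReasonPhrase()));
}
```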