Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/alvarezlautaro/BancoAlimentos/llms.txt

Use this file to discover all available pages before exploring further.

Banco Alimentos enforces a two-layer access control model. At the coarse level, Spring Security’s SecurityConfig gates entire URL prefixes by role — for example, /api/donaciones/** is only reachable by users who hold ROLE_USER_DEPOSITO. At the fine-grained level, individual controller methods are annotated with @PreAuthorize("hasAuthority('PERMISSION_NAME')"), meaning a user must also possess the specific permission for the operation they are attempting. Roles and their associated permissions are seeded into the database on every application startup by DataInitializer.

The three roles

USER_DEPOSITO

Warehouse operations. Manages the full donation lifecycle: registering donor companies, recording donations and their line items, tracking products, generating remittances and delivery notes, issuing invoices, and reviewing donation audit history.

USER_TESORERIA

Treasury & billing. Focused on financial oversight: can view institutions and is the only role that can modify payment statuses (ESTADO_PAGO_MODIFICAR).

USER_INSTITUCIONAL

Institution management. Creates, views, updates, and removes beneficiary institutions, and can review institution audit history.

Role-to-responsibility mapping

RoleSpring Security nameTypical responsibilities
USER_DEPOSITOROLE_USER_DEPOSITODonor & donation management, products, inventory, remittances, invoices
USER_TESORERIAROLE_USER_TESORERIAPayment status updates, institution overview
USER_INSTITUCIONALROLE_USER_INSTITUCIONALBeneficiary institution CRUD, institution audit log

Authorities: roles and permissions combined

When a user authenticates, CredentialsEntity.getAuthorities() builds the full authority set that Spring Security uses for every access decision. For each role the user holds, two kinds of authorities are added:
  • A role authority prefixed with ROLE_ — e.g. ROLE_USER_DEPOSITO. Used by hasRole(...) checks in SecurityConfig.
  • One permission authority for every PermitEntity associated with that role — e.g. DONACION_CREAR. Used by @PreAuthorize("hasAuthority('...')") on individual endpoints.
// CredentialsEntity.getAuthorities() — actual source
roles.forEach(rol -> {
    authorities.add(new SimpleGrantedAuthority("ROLE_" + rol.getRole().name()));
    rol.getPermits().forEach(permit ->
            authorities.add(new SimpleGrantedAuthority(permit.getPermit().name()))
    );
});

All 35 permissions

The table below lists every value from the Permits enum, grouped by the resource it governs.

Empresa (donor companies)

PermissionGranted to
EMPRESA_CREARUSER_DEPOSITO
EMPRESA_VERUSER_DEPOSITO
EMPRESA_ACTUALIZARUSER_DEPOSITO
EMPRESA_ELIMINARUSER_DEPOSITO

Donación (donations)

PermissionGranted to
DONACION_CREARUSER_DEPOSITO
DONACION_VERUSER_DEPOSITO
DONACION_ACTUALIZARUSER_DEPOSITO
DONACION_ELIMINARUSER_DEPOSITO

Producto (products)

PermissionGranted to
PRODUCTO_CREARUSER_DEPOSITO
PRODUCTO_VERUSER_DEPOSITO
PRODUCTO_ACTUALIZARUSER_DEPOSITO
PRODUCTO_ELIMINARUSER_DEPOSITO

Item Donación (donation line items)

PermissionGranted to
ITEM_DONACION_CREARUSER_DEPOSITO
ITEM_DONACION_VERUSER_DEPOSITO
ITEM_DONACION_ACTUALIZARUSER_DEPOSITO
ITEM_DONACION_ELIMINARUSER_DEPOSITO

Institución (beneficiary institutions)

PermissionGranted to
INSTITUCION_CREARUSER_INSTITUCIONAL
INSTITUCION_VERUSER_DEPOSITO, USER_TESORERIA, USER_INSTITUCIONAL
INSTITUCION_ACTUALIZARUSER_INSTITUCIONAL
INSTITUCION_ELIMINARUSER_INSTITUCIONAL

Estado de pago (payment status)

PermissionGranted to
ESTADO_PAGO_MODIFICARUSER_TESORERIA

Remito (remittances)

PermissionGranted to
REMITO_CREARUSER_DEPOSITO
REMITO_VERUSER_DEPOSITO
REMITO_ACTUALIZARUSER_DEPOSITO
REMITO_ELIMINARUSER_DEPOSITO

Detalle Remito (remittance line items)

PermissionGranted to
DETALLE_REMITO_CREARUSER_DEPOSITO
DETALLE_REMITO_VERUSER_DEPOSITO
DETALLE_REMITO_ACTUALIZARUSER_DEPOSITO
DETALLE_REMITO_ELIMINARUSER_DEPOSITO

Factura (invoices)

PermissionGranted to
FACTURA_CREARUSER_DEPOSITO
FACTURA_VERUSER_DEPOSITO
FACTURA_ACTUALIZARUSER_DEPOSITO
FACTURA_ELIMINARUSER_DEPOSITO

Auditoría (audit history)

PermissionGranted to
AUDITORIA_DONACION_VERUSER_DEPOSITO
AUDITORIA_INSTITUCION_VERUSER_INSTITUCIONAL

Seed users created by DataInitializer

On every application startup, DataInitializer wipes and re-seeds the credentials, roles, and permissions tables. Three users are always available for development:
UsernamePasswordRole
depositodeposito123USER_DEPOSITO
tesoreriatesoreria123USER_TESORERIA
institucionalinstitucional123USER_INSTITUCIONAL
Because DataInitializer calls credentialsRepository.deleteAll() on startup and application.yaml sets ddl-auto: create-drop, all data is reset every time the application restarts. Do not use this configuration in a production environment.

Institutions endpoint and role-level access

The /api/instituciones/** path is configured in SecurityConfig as authenticated() rather than locked to a single role. This means any user with a valid JWT — regardless of their role — can reach the endpoint at the HTTP routing level. Fine-grained permission checks (@PreAuthorize) on individual controller methods then enforce the exact INSTITUCION_* permission required for each operation.

Permission check example

When a controller method is annotated with @PreAuthorize, Spring evaluates the authority set that was populated by JwtAuthenticationFilter at request time:
// Example: only a user whose role carries DONACION_CREAR can call this method
@PreAuthorize("hasAuthority('DONACION_CREAR')")
@PostMapping
public ResponseEntity<DonacionResponse> create(@RequestBody DonacionRequest request) { ... }
If the authenticated user does not hold the required authority, Spring Security returns 403 Forbidden before the method body executes.
To extend the system with a new role, add a value to the Roles enum, assign the desired PermitEntity entries to a new RoleEntity in DataInitializer, and create a CredentialsEntity linked to that role. The authority derivation in CredentialsEntity.getAuthorities() handles everything else automatically.

Build docs developers (and LLMs) love