854: protector to protected

[naanci]

854

Description of changes

• Replace all Protector calls with the @Protected annotation

Checklist before review

• I have done a thorough self-review of the PR
• Copilot has reviewed my latest changes, and all comments have been fixed and/or closed.
• If I have made database changes, I have made sure I followed all the db repo rules listed in the wiki here. (check if no db changes)
• All tests have passed
• I have successfully deployed this PR to staging
• I have done manual QA in both dev (and staging if possible) and attached screenshots below.

Screenshots

Dev

Staging

[github-actions]

Available PR Commands

• /ai - Triggers all AI review commands at once
• /review - AI review of the PR changes
• /describe - AI-powered description of the PR
• /improve - AI-powered suggestions
• /deploy - Deploy to staging

See: https://github.com/tahminator/codebloom/wiki/CI-Commands

[github-actions]

Title

854: protector to protected

---

PR Type

Enhancement, Refactoring

---

Description

• Replaced Protector class with @Protected annotation.

• Updated controller methods to receive AuthenticationObject.

• Removed HttpServletRequest from protected endpoint signatures.

• Refactored unit tests to align with new security annotation.

---

Diagram Walkthrough

flowchart LR
  A[Protector Class] --> B{API Controller Methods}
  C[HttpServletRequest] --> B
  A -- "Replaced with" --> D[@Protected Annotation]
  C -- "Removed from" --> B
  B -- "Now accept" --> E[AuthenticationObject]
  D --> B

Loading

File Walkthrough

	Relevant files
Refactoring	5 files AdminController.java Replaced Protector dependency with @Protected annotation for admin endpoints +15/-19  AnnouncementController.java Removed `Protector` dependency from announcement controller +1/-4      AuthController.java Updated `enrollSchool` to use `@Protected` annotation        +2/-2      LeaderboardController.java Migrated leaderboard endpoints to use `@Protected` annotation +2/-6      SubmissionController.java Refactored submission endpoints to use `@Protected` annotation +8/-12
Tests	2 files AdminControllerTest.java Updated admin controller tests to remove Protector and HttpServletRequest mocks +24/-73  AuthControllerTest.java Adjusted auth controller tests for `@Protected` annotation usage +4/-18

---

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis ✅ 854 - PR Code Verified Compliant requirements: All Protector calls have been replaced with the @Protected annotation across various controllers. Requires further human verification: Verify that the @Protected annotation correctly enforces the intended security policies (admin or authenticated user) for all endpoints where it was applied. Confirm that the removal of HttpServletRequest and Protector from controller methods does not introduce any unintended side effects or break existing functionality.

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ Recommended focus areas for review Security Logic The PR replaces direct calls to Protector.validateAdminSession() and Protector.validateSession() with the @Protected annotation. It's crucial to ensure that the underlying implementation of the @Protected annotation (which is not part of this PR's diff) correctly replicates all the security checks and logic previously handled by the Protector class. Any discrepancy could lead to unauthorized access. @Protected(admin = true) final AuthenticationObject authenticationObject, @Valid @RequestBody final NewLeaderboardBody newLeaderboardBody) {

[github-actions]

Title

854: protector to protected

---

PR Type

Enhancement

---

Description

• Replaced Protector class with @Protected annotation.

• Simplified controller methods by removing HttpServletRequest.

• Injected AuthenticationObject directly into protected endpoints.

• Updated unit tests to reflect security refactoring.

---

Diagram Walkthrough

flowchart LR
  A[API Controllers] --> B{Authentication Logic};
  B -- "Before: Explicit Protector.validateSession(request)" --> C[Protector Class];
  B -- "After: @Protected Annotation" --> D[AuthenticationObject];
  C -- "Removed" --> B;
  D -- "Injected" --> B;

Loading

File Walkthrough

	Relevant files
Refactoring	5 files AdminController.java Replaced Protector class with @Protected annotation for admin endpoints +15/-19  AnnouncementController.java Removed Protector dependency from announcement controller +1/-4      AuthController.java Replaced Protector class with @Protected annotation for school enrollment +1/-2      LeaderboardController.java Replaced Protector class with @Protected annotation for leaderboard endpoints +2/-6      SubmissionController.java Replaced Protector class with @Protected annotation for submission endpoints +8/-12
Tests	2 files AdminControllerTest.java Updated AdminController tests to remove Protector and HttpServletRequest mocks +24/-74  AuthControllerTest.java Updated AuthController tests to remove Protector and HttpServletRequest mocks +4/-18

---

[github-actions]

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

**🎫 Ticket compliance analysis **

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪

🧪 PR contains tests

🔒 No security concerns identified

⚡ No major issues detected

[naanci]

/deploy