Merge branch 'bugfix/275-fix-authorites-of-group-members' into 'main'

Resolve "fix authorites of group members" Closes #275 See merge request idatt2106-v23-03/backend!225

Merge branch 'bugfix/275-fix-authorites-of-group-members' into 'main'
48088386 · Birk Øvstetun Narvhus · ff37cd89 · 9fb47f87 · 48088386 · 48088386
Commit 48088386 authored 2 years ago by Birk Øvstetun Narvhus
--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListController.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListController.java
@@ -50,9 +50,11 @@ public class ShoppingListController {
     */
    @GetMapping("/{id}")
    public ResponseEntity<ShoppingList> getShoppingListById(@PathVariable("id") long id, Authentication auth) {
-        if(!shoppingListService.isUserInShoppinglist(id, auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(id, auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+        }

        Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(id);
        return shoppingList.map(list -> ResponseEntity.status(HttpStatus.OK).body(list))
@@ -67,9 +69,11 @@ public class ShoppingListController {
     */
    @GetMapping("/group/{groupId}")
    public ResponseEntity<ShoppingList> getAllShoppingListsByGroupId(@PathVariable("groupId") long id, Authentication auth) {
-        if(!groupService.isUserAssociatedWithGroup(auth.getName(), id) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!groupService.isUserAssociatedWithGroup(auth.getName(), id)){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+        }

        Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListByGroupId(id);
        return shoppingList.map(list -> ResponseEntity.status(HttpStatus.OK).body(list))
@@ -87,9 +91,19 @@ public class ShoppingListController {
    public ResponseEntity<?> addItemToShoppingList(@PathVariable("shoppingListId") long shoppingListId,
                                                              @PathVariable("ean") String ean, Authentication auth){

-        if(!shoppingListService.isUserInShoppinglist(shoppingListId, auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(shoppingListId, auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+            long groupId = shoppingListService.getGroupIdByShoppingListId(shoppingListId);
+
+            if(groupId == -1)
+                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+
+            if (groupService.getUserGroupAssoAuthority(auth.getName(), groupId).equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+
+        }

        Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(shoppingListId);

@@ -142,9 +156,20 @@ public class ShoppingListController {
    public ResponseEntity<ShoppingList> removeProductFromShoppingList(@PathVariable("shoppingListId") String shoppingListId,
                                                                      @PathVariable("ean") String ean, Authentication auth) {

-        if(!shoppingListService.isUserInShoppinglist(Long.parseLong(shoppingListId), auth.getName()) &&
-                auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name())))
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals(Authority.ADMIN.name()))){
+            if(!shoppingListService.isUserInShoppinglist(Long.parseLong(shoppingListId), auth.getName())){
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+            long groupId = shoppingListService.getGroupIdByShoppingListId(Long.parseLong(shoppingListId));
+
+            if(groupId == -1)
+                return ResponseEntity.status(HttpStatus.NOT_FOUND).build();
+
+            if (groupService.getUserGroupAssoAuthority(auth.getName(), groupId).equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+
+        }
+


        Optional<ShoppingList> shoppingList = shoppingListService.getShoppingListById(Long.parseLong(shoppingListId));

--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeController.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeController.java
@@ -7,6 +7,7 @@ import ntnu.idatt2016.v233.SmartMat.entity.fridgeProduct.FridgeProductAsso;
 import ntnu.idatt2016.v233.SmartMat.entity.group.Fridge;
 import ntnu.idatt2016.v233.SmartMat.entity.product.Product;
 import ntnu.idatt2016.v233.SmartMat.service.group.FridgeService;
+import ntnu.idatt2016.v233.SmartMat.service.group.GroupService;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.core.Authentication;
@@ -21,7 +22,7 @@ import java.util.Optional;
 *
 * @author Anders Austlid & Birk
 * @version 2.0
- * @since 3.05.2023
+ * @since 5.05.2023
 */
 @AllArgsConstructor
 @RestController
@@ -30,6 +31,8 @@ public class FridgeController {

    private final FridgeService fridgeService;

+    private final GroupService groupService;
+

    /**
     * Gets the fridge of a group
@@ -87,10 +90,10 @@ public class FridgeController {
        if (fridge.isEmpty()) {
            return ResponseEntity.notFound().build();
        }
-
-        if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId()) &&
-                !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId())) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
        }

        try {
@@ -116,11 +119,15 @@ public class FridgeController {
            return ResponseEntity.notFound().build();
        }

-        if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId()) &&
-                !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))) {
-            return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
-        }
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInFridge(authentication.getName(), fridge.get().getFridgeId())) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }

+            if(groupService.getUserGroupAssoAuthority(authentication.getName(), request.groupId())
+                    .equalsIgnoreCase("RESTRICTED"))
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+        }

        return fridgeService.updateProductInFridge(request).map(ResponseEntity::ok).orElseGet(()-> ResponseEntity.notFound().build());
    }
@@ -137,9 +144,16 @@ public class FridgeController {
                                                       @PathVariable("amount") String amountStr, Authentication authentication) {


-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-        && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                    fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+                   )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }

        try {
@@ -167,9 +181,16 @@ public class FridgeController {
    public ResponseEntity<String> removeProductFromFridge(@PathVariable("fridgeProductId") long fridgeProductId,
                                                          Authentication authentication) {

-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                            fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+            )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }

        try {
@@ -193,9 +214,16 @@ public class FridgeController {
    @DeleteMapping("/waste/product/{fridgeProductId}")
    public ResponseEntity<?> wasteProductFromFridge(@PathVariable("fridgeProductId") long fridgeProductId,
                                                    Authentication authentication){
-        if (!fridgeService.isUserInGroupWithFridgeProduct( authentication.getName(), fridgeProductId)
-                && !authentication.getAuthorities().contains(new SimpleGrantedAuthority(Authority.ADMIN.name()))){
-            return ResponseEntity.status(403).body("You are not a member of this group");
+        if(authentication.getAuthorities().stream().noneMatch(a -> a.getAuthority().equals(Authority.ADMIN.name()))){
+            if (!fridgeService.isUserInGroupWithFridgeProduct(authentication.getName(), fridgeProductId)) {
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
+            }
+
+            if(groupService.getUserGroupAssoAuthority(authentication.getName(),
+                            fridgeService.getGroupIdFromFridgeProuctId(fridgeProductId))
+                    .equalsIgnoreCase("RESTRICTED")
+            )
+                return ResponseEntity.status(HttpStatus.FORBIDDEN).build();
        }

        return fridgeService.wasteProductFromFridge(fridgeProductId)

--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/GroupController.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/controller/group/GroupController.java
@@ -303,8 +303,6 @@ public class GroupController {
                                             Authentication auth) {
        Optional<User> groupAdminOpt = userService.getUserFromUsername(auth.getName());
        if (groupAdminOpt.isPresent()) {
-            User groupAdmin = groupAdminOpt.get();
-
            if (auth.getAuthorities().stream().noneMatch(role -> role.getAuthority().equals("ADMIN"))){
                if (!groupService.isUserAssociatedWithGroup(auth.getName(), authorityRequest.groupId())) {
                    return ResponseEntity.status(HttpStatus.FORBIDDEN).build();

--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/service/ShoppingListService.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/service/ShoppingListService.java
@@ -117,4 +117,14 @@ public class ShoppingListService {
                .anyMatch(shoppingList -> shoppingList.getShoppingListID() == id);

    }
+
+    /**
+     * Get group id by shoppinglist id
+     * @param shoppinglistId id of shoppinglist
+     * @return id of group
+     */
+    public long getGroupIdByShoppingListId(long shoppinglistId){
+        return shoppingListRepository.findById(shoppinglistId).map(shoppingList -> shoppingList.getGroup().getGroupId())
+                .orElse(-1L);
+    }
 }
--- a/src/main/java/ntnu/idatt2016/v233/SmartMat/service/group/FridgeService.java
+++ b/src/main/java/ntnu/idatt2016/v233/SmartMat/service/group/FridgeService.java
@@ -28,7 +28,7 @@ import java.util.Optional;
 *
 * @author Anders Austlid & Birk
 * @version 2
- * @since 04.05.2023
+ * @since 05.05.2023
 */
 @AllArgsConstructor
 @Service
@@ -203,4 +203,16 @@ public class FridgeService {
        return fridge.map(value -> value.getGroup().getUser().stream()
                .anyMatch(user -> user.getUser().getUsername().equals(username))).orElse(false);
    }
+
+
+    /**
+     * Get the group id of a fridge product
+     * @param fridgeProductId the id of the fridge product
+     * @return the id of the group of the fridge product
+     */
+    public long getGroupIdFromFridgeProuctId(long fridgeProductId){
+        return fridgeProductAssoRepo.findById(fridgeProductId)
+                .map(fridgeProductAsso -> fridgeProductAsso.getFridgeId().getGroup().getGroupId()).orElse(0L);
+
+    }
 }
--- a/src/test/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListControllerTest.java
+++ b/src/test/java/ntnu/idatt2016/v233/SmartMat/controller/ShoppingListControllerTest.java
@@ -265,6 +265,10 @@ public class ShoppingListControllerTest {
        when(shoppingListService.addProductToShoppingList(ean, shoppingListId))
                .thenReturn(Optional.of(shoppingList));

+        when(shoppingListService.getGroupIdByShoppingListId(shoppingListId)).thenReturn(groupId);
+
+        when(groupService.getUserGroupAssoAuthority(eq(regularUser.getName()), eq(groupId))).thenReturn("USER");
+
        when(userService.getUserFromUsername(regularUser.getName())).thenReturn(Optional.of(user));

        ResponseEntity<?> response = shoppingListController.addItemToShoppingList(shoppingListId, String.valueOf(ean), regularUser);
@@ -317,6 +321,12 @@ public class ShoppingListControllerTest {
        when(shoppingListService.removeProductFromShoppingList(ean, shoppingListId))
                .thenReturn(Optional.of(shoppingList));

+        when(shoppingListService.getGroupIdByShoppingListId(shoppingListId)).thenReturn(groupId);
+
+        when(groupService.getUserGroupAssoAuthority(eq(regularUser.getName()), eq(groupId))).thenReturn("USER");
+
+
+

        ResponseEntity<?> response = shoppingListController.removeProductFromShoppingList(String.valueOf(shoppingListId),
                String.valueOf(ean), regularUser);

--- a/src/test/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeControllerTest.java
+++ b/src/test/java/ntnu/idatt2016/v233/SmartMat/controller/group/FridgeControllerTest.java
@@ -7,7 +7,9 @@ import ntnu.idatt2016.v233.SmartMat.entity.fridgeProduct.FridgeProductAsso;
 import ntnu.idatt2016.v233.SmartMat.entity.group.Fridge;
 import ntnu.idatt2016.v233.SmartMat.entity.product.Product;
 import ntnu.idatt2016.v233.SmartMat.service.group.FridgeService;
+import ntnu.idatt2016.v233.SmartMat.service.group.GroupService;
 import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.InjectMocks;
@@ -27,8 +29,7 @@ import java.util.Optional;

 import static org.junit.jupiter.api.Assertions.*;
 import static org.mockito.ArgumentMatchers.any;
-import static org.mockito.Mockito.verify;
-import static org.mockito.Mockito.when;
+import static org.mockito.Mockito.*;


 @ExtendWith(MockitoExtension.class)
@@ -43,6 +44,9 @@ public class FridgeControllerTest {
    @Mock
    private FridgeService fridgeService;

+    @Mock
+    private GroupService groupService;
+

    private Fridge fridge;
    private Product product;
@@ -220,86 +224,250 @@ public class FridgeControllerTest {

    }

-    @Test
-    public void addProductToFridgeAsUser() throws Exception {

-        when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+    @Nested
+    class addProduct{
+        @Test
+        public void addProductToFridgeAsUserNotAutorized() throws Exception {

+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(false);

-        ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, regularUser);

-        verify(fridgeService).isUserInFridge("test", 0L);
+            ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, regularUser);

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);
+            verify(fridgeService).isUserInFridge("test", 0L);

-    }
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);

-    @Test
-    public void addProductToFridge_notFound() throws Exception {
-        when(fridgeService.addProductToFridge(any(FridgeProductRequest.class))).thenReturn(Optional.empty( ));
+        }

-        when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+        @Test
+        public void addProductToFridge_notFound() throws Exception {
+            when(fridgeService.addProductToFridge(any(FridgeProductRequest.class))).thenReturn(Optional.empty( ));

+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);

-        ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, adminUser);

-        verify(fridgeService).isUserInFridge("test", 0L);
+            ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, regularUser);

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
-    }
+            verify(fridgeService).isUserInFridge("test", 0L);

-    @Test
-    public void updateProductInFridge() throws Exception {
-        when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class))).thenReturn(Optional.of(fridgeProductAsso));
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
+        }

-        when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
-        ResponseEntity<FridgeProductAsso> responseEntity =
-                fridgeController.updateProductInFridge(fridgeProductRequest, adminUser);
+        @Test
+        public void addProductTOFridgeAsAdmin(){
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));

+            when(fridgeService.addProductToFridge(any(FridgeProductRequest.class))).thenReturn(Optional.of(product));

-        verify(fridgeService).updateProductInFridge(any(FridgeProductRequest.class));
+            ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, adminUser);

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
-    }

-    @Test
-    public void updateProductInFridge_notFound() throws Exception {
-        when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class))).thenReturn(Optional.empty());
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);

-        when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
-        ResponseEntity<FridgeProductAsso> responseEntity =
-                fridgeController.updateProductInFridge(fridgeProductRequest, adminUser);
+            verify(fridgeService).addProductToFridge(any(FridgeProductRequest.class));
+
+
+        }
+
+        @Test
+        public void addProductTOFridgeAsRegUserAllowed(){
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);
+            when(fridgeService.addProductToFridge(any(FridgeProductRequest.class))).thenReturn(Optional.of(product));
+
+            ResponseEntity<Product> responseEntity = fridgeController.addProductToFridge(fridgeProductRequest, regularUser);
+
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
+
+            verify(fridgeService).addProductToFridge(any(FridgeProductRequest.class));
+
+        }


-        verify(fridgeService).updateProductInFridge(any(FridgeProductRequest.class));

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
    }

-    @Test
-    public void removeProductFromFridge_success() throws Exception {
-        when(fridgeService.removeProductFromFridge(1L)).thenReturn(true);

+    @Nested
+    class updateProduct{
+        @Test
+        public void updateProductInFridge() throws Exception {
+            when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class))).thenReturn(Optional.of(fridgeProductAsso));

-        ResponseEntity<String> responseEntity =
-                fridgeController.removeProductFromFridge(1L, adminUser);
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, adminUser);

-        verify(fridgeService).removeProductFromFridge(1L);

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
+            verify(fridgeService).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
+        }
+
+        @Test
+        public void updateProductInFridge_notFound() throws Exception {
+            when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class))).thenReturn(Optional.empty());
+
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, adminUser);
+
+
+            verify(fridgeService).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
+        }
+
+        @Test
+        public void updateNotAuthorized() throws Exception {
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(false);
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, regularUser);
+
+            verify(fridgeService, times(0)).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);
+
+        }
+        @Test
+        public void updateNotAuthorizedRestricted() throws Exception {
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);
+            when(groupService.getUserGroupAssoAuthority("test", 1L))
+                    .thenReturn("restricted");
+
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, regularUser);
+
+            verify(fridgeService, times(0)).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);
+
+        }
+        @Test
+        public void updateAuthorizedWhenNotRestricted(){
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);
+            when(groupService.getUserGroupAssoAuthority("test", 1L))
+                    .thenReturn("USER");
+            when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class)))
+                    .thenReturn(Optional.of(fridgeProductAsso));
+
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, regularUser);
+
+            verify(fridgeService, times(1)).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(HttpStatus.OK, responseEntity.getStatusCode());
+        }
+        @Test
+        public void updateAuthorizedWhenAdmin(){
+            when(fridgeService.isUserInFridge("test", 0L)).thenReturn(true);
+            when(groupService.getUserGroupAssoAuthority("test", 1L))
+                    .thenReturn("ADMIN");
+            when(fridgeService.updateProductInFridge(any(FridgeProductRequest.class)))
+                    .thenReturn(Optional.of(fridgeProductAsso));
+
+            when(fridgeService.getFridgeByGroupId(1L)).thenReturn(Optional.of(fridge));
+            ResponseEntity<FridgeProductAsso> responseEntity =
+                    fridgeController.updateProductInFridge(fridgeProductRequest, regularUser);
+
+            verify(fridgeService, times(1)).updateProductInFridge(any(FridgeProductRequest.class));
+
+            assertEquals(HttpStatus.OK, responseEntity.getStatusCode());
+        }


    }

-    @Test
-    public void removeProductFromFridge_notFound() throws Exception {
-        when(fridgeService.removeProductFromFridge(1L)).thenReturn(false);

-        ResponseEntity<String> responseEntity =
-                fridgeController.removeProductFromFridge(1L, adminUser);
+    @Nested
+    class removeProductFromFridge {
+        @Test
+        public void removeProductFromFridge_success() throws Exception {
+            when(fridgeService.removeProductFromFridge(1L)).thenReturn(true);

-        verify(fridgeService).removeProductFromFridge(1L);

-        assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
+            ResponseEntity<String> responseEntity =
+                    fridgeController.removeProductFromFridge(1L, adminUser);
+
+            verify(fridgeService).removeProductFromFridge(1L);
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
+
+
+        }
+
+        @Test
+        public void removeProductFromFridge_notFound() throws Exception {
+            when(fridgeService.removeProductFromFridge(1L)).thenReturn(false);
+
+            ResponseEntity<String> responseEntity =
+                    fridgeController.removeProductFromFridge(1L, adminUser);
+
+            verify(fridgeService).removeProductFromFridge(1L);
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.NOT_FOUND);
+        }
+
+        @Test
+        public void removeProductNotAuthorizedWhenRestricted(){
+
+            when(fridgeService.isUserInGroupWithFridgeProduct("test", 1L))
+                    .thenReturn(true);
+            when(groupService.getUserGroupAssoAuthority(eq("test"), eq(1L)))
+                    .thenReturn("restricted");
+
+            when(fridgeService.getGroupIdFromFridgeProuctId(1L)).thenReturn(1L);
+
+            ResponseEntity<String> responseEntity =
+                    fridgeController.removeProductFromFridge(1L, regularUser);
+
+            verify(fridgeService, times(0)).removeProductFromFridge(1L);
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);
+        }
+
+        @Test
+        public void removeProductAuthorizedWhenNotRestricted(){
+
+            when(fridgeService.removeProductFromFridge(1L)).thenReturn(true );
+
+            when(fridgeService.isUserInGroupWithFridgeProduct("test", 1L))
+                    .thenReturn(true);
+            when(groupService.getUserGroupAssoAuthority(eq("test"), eq(1L)))
+                    .thenReturn("USER");
+
+            when(fridgeService.getGroupIdFromFridgeProuctId(1L)).thenReturn(1L);
+
+            ResponseEntity<String> responseEntity =
+                    fridgeController.removeProductFromFridge(1L, regularUser);
+
+            verify(fridgeService, times(1)).removeProductFromFridge(1L);
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.OK);
+        }
+
+        @Test
+        public void notRemoveProductWhenNotInGroup(){
+
+            when(fridgeService.isUserInGroupWithFridgeProduct("test", 1L))
+                    .thenReturn(false);
+
+            ResponseEntity<String> responseEntity =
+                    fridgeController.removeProductFromFridge(1L, regularUser);
+
+            verify(fridgeService, times(0)).removeProductFromFridge(1L);
+
+            assertEquals(responseEntity.getStatusCode(), HttpStatus.FORBIDDEN);
+        }
    }
+
+
 }