From f77b4016282db783ade6695421832bf3910b5309 Mon Sep 17 00:00:00 2001
From: tuanvu
Date: Thu, 8 Jan 2026 11:34:13 +0100
Subject: [PATCH] athlete test
---
 .../main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java | 2 +-
 .../src/main/java/hackathon/FrisbYEE/rest/AthleteResource.java | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java b/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
index c96ab6c..e054c00 100644
--- a/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
+++ b/back_end/src/main/java/hackathon/FrisbYEE/config/WebSecurityConfig.java
@@ -26,7 +26,7 @@ public class WebSecurityConfig {
 .cors(cors -> cors.configurationSource(corsConfigurationSource()))
 .csrf(csrf -> csrf.disable())
 .authorizeHttpRequests(auth -> auth
- .requestMatchers(HttpMethod.OPTIONS, "/", "/public", "/coach/**").permitAll() // allow coach endpoints
+ .requestMatchers(HttpMethod.OPTIONS, "/", "/public", "/coach/**","/athlete/**").permitAll() // allow coach endpoints
 .requestMatchers("/admin/**").hasRole("admin")
 .requestMatchers("/user/**").hasRole("user")
 .anyRequest().authenticated())
diff --git a/back_end/src/main/java/hackathon/FrisbYEE/rest/AthleteResource.java b/back_end/src/main/java/hackathon/FrisbYEE/rest/AthleteResource.java
index a638c7f..56c46d3 100644
--- a/back_end/src/main/java/hackathon/FrisbYEE/rest/AthleteResource.java
+++ b/back_end/src/main/java/hackathon/FrisbYEE/rest/AthleteResource.java
@@ -34,6 +34,7 @@ import io.swagger.v3.oas.annotations.responses.ApiResponses;
 @RestController
 @RequestMapping("/athlete")
+@CrossOrigin(origins = "http://localhost:3000")
 public class AthleteResource {
 @Autowired
 private AthleteDAO athleteDAO;
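Review bot: Because `HttpMethod.OPTIONS` is the first argument of this `requestMatchers(...)` call, the `permitAll()` covers only OPTIONS requests to the listed patterns, so adding `"/athlete/**"` opens CORS preflight for athlete routes and nothing else; GET and POST still fall through to `.anyRequest().authenticated()`. The trailing comment `// allow coach endpoints` reads as if whole endpoint trees were made public, which invites a later edit that drops the method argument and exposes `/coach/**` and `/athlete/**` without authentication. I would reword it to `// permit CORS preflight (OPTIONS) only; every other method still requires authentication`. The filter-chain method starts and ends outside the hunk.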
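Review bot: The `@CrossOrigin(origins = "http://localhost:3000")` added on `AthleteResource` hard-codes a development origin in the controller, while `WebSecurityConfig` already installs a CORS policy through `corsConfigurationSource()`. Two sources of CORS rules drift apart easily, and the security filter's policy is presumably evaluated before the controller annotation, so the annotation likely cannot allow anything the central policy rejects. I would drop the annotation and put the allowed origin in `corsConfigurationSource()`, read from a configuration property rather than a literal. The diffstat shows only two added lines in this file, so the imports for `CrossOrigin` and for `PreAuthorize` (next hunk) must already exist for this to compile, which is worth confirming.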
@@ -44,6 +45,7 @@ public class AthleteResource {
 @ApiResponse(responseCode = "200", description = "Renvoie l'athlète créé", content = @Content(mediaType = "application/json", schema = @Schema(implementation = AthleteDTO.class)))
 })
 @PostMapping("/create")
+ @PreAuthorize("hasRole('Admin') or hasRole('Coach') or hasRole('Athlete')")
 public ResponseEntity create(@RequestBody AthleteDTO dto) {
 Athlete athlete = mapToEntity(dto);
 athleteDAO.save(athlete);
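Review bot: The role names in `@PreAuthorize("hasRole('Admin') or hasRole('Coach') or hasRole('Athlete')")` are capitalised, whereas `WebSecurityConfig` checks `hasRole("admin")` and `hasRole("user")`; role matching is case-sensitive, so confirm that the granted authorities really are `ROLE_Admin`, `ROLE_Coach` and `ROLE_Athlete`, otherwise every call to `/athlete/create` is denied. The annotation is also only enforced when method security is enabled (`@EnableMethodSecurity`), which is not visible in this patch; without it the endpoint is guarded only by `.anyRequest().authenticated()` and any authenticated user can create athletes. Once the names are confirmed, `@PreAuthorize("hasAnyRole('Admin','Coach','Athlete')")` is the shorter form. `create` continues past the end of the hunk.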