make stocks transient

src/main/java/com/danielbohry/stocks/api/portfolio/PortfolioController.java

@@ -41,7 +41,10 @@ public class PortfolioController {
 
     @DeleteMapping("{id}")
     public ResponseEntity<Void> delete(@PathVariable String id) {
-        service.delete(id);
+        if (UserContextHolder.isAdmin()) {
+            service.delete(id);
+        }
+
         return ResponseEntity.ok().build();
     }
 

src/main/java/com/danielbohry/stocks/repository/PortfolioEntity.java

@@ -4,6 +4,7 @@ import lombok.AllArgsConstructor;
 import lombok.Builder;
 import lombok.Data;
 import lombok.NoArgsConstructor;
+import org.springframework.data.annotation.Transient;
 import org.springframework.data.mongodb.core.mapping.Document;
 
 import java.time.LocalDateTime;
@@ -22,6 +23,8 @@ public class PortfolioEntity {
     private String username;
     private LocalDateTime createdAt;
     private LocalDateTime updatedAt;
+
+    @Transient
     private List<PortfolioStock> stocks = new ArrayList<>();
 
     @Data

src/main/java/com/danielbohry/stocks/service/PortfolioService.java

@@ -6,6 +6,7 @@ import com.danielbohry.stocks.domain.Quote;
 import com.danielbohry.stocks.domain.Stock;
 import com.danielbohry.stocks.exception.BadRequestException;
 import com.danielbohry.stocks.exception.NotFoundException;
+import com.danielbohry.stocks.exception.UnauthorizedException;
 import com.danielbohry.stocks.repository.PortfolioEntity;
 import com.danielbohry.stocks.repository.PortfolioEntity.PortfolioStock;
 import com.danielbohry.stocks.repository.PortfolioRepository;
@@ -19,6 +20,7 @@ import java.math.BigDecimal;
 import java.math.RoundingMode;
 import java.util.List;
 import java.util.Map;
+import java.util.Objects;
 import java.util.UUID;
 
 import static com.danielbohry.stocks.domain.Portfolio.convert;
@@ -56,8 +58,7 @@ public class PortfolioService {
             .orElseThrow(() -> new NotFoundException("No portfolio found with id: " + id));
 
         String encrypted = entity.getEncryptedStocks();
-
-        if (portfolioEncryptService.isEncrypted(entity)) {
+        if (encrypted != null) {
             entity.setStocks(portfolioEncryptService.decryptStocks(encrypted));
         }
 
@@ -105,6 +106,10 @@ public class PortfolioService {
         log.info("Updating portfolio [{}]", id);
         PortfolioEntity toUpdate = repository.findById(id).orElseThrow(() -> new NotFoundException("Failed to update portfolio with id: " + id));
 
+        if (!Objects.equals(toUpdate.getUsername(), UserContextHolder.get().getUsername())) {
+            throw new UnauthorizedException("You do not have permission to update portfolio");
+        }
+
         validate(stocks);
 
         toUpdate.setUpdatedAt(now());