diff --git a/src/Entity/CourseAttendee.php b/src/Entity/CourseAttendee.php
index a2eb29ceb4e540b0899be85cc60a829a0499cff2..b29e3b33c5c05b71b917db7ca028130fb16cd70f 100644
--- a/src/Entity/CourseAttendee.php
+++ b/src/Entity/CourseAttendee.php
@@ -23,6 +23,7 @@ use Symfony\Component\Serializer\Annotation\Groups;
 * "get_bycourse" = {
 * "method" = "GET",
 * "path" = "/base/courses/{identifier}/attendees",
+ * "security" = "is_granted('IS_AUTHENTICATED_FULLY')",
 * "controller" = GetAttendeesByCourse::class,
 * "read" = false,
 * "normalization_context" = {
diff --git a/tests/ApiTest.php b/tests/ApiTest.php
index d0feae71bd7acc574a63e5b77909dfbcead3f342..0a702255782e91cf402830f7fbbce4ff96ca0768 100644
--- a/tests/ApiTest.php
+++ b/tests/ApiTest.php
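Review bot: The added `"security" = "is_granted('IS_AUTHENTICATED_FULLY')"` on `get_bycourse` only establishes that the caller is logged in; it does not decide whether that caller may read the attendee list of the course named by `{identifier}`. Because the operation sets `"read" = false` and hands off to `GetAttendeesByCourse`, the expression has no loaded object to test, so any per-course check would have to sit in the controller or in a voter, and neither is visible in this hunk. If attendee lists are not meant for every authenticated user, I would extend the expression with a role or voter attribute, e.g. `"security" = "is_granted('IS_AUTHENTICATED_FULLY') and is_granted('ROLE_PLACEHOLDER')"` (role name is a placeholder), or at least state the intent in the annotation with a line such as `* Any authenticated user may list attendees; per-course authorization is enforced in GetAttendeesByCourse.` once that is confirmed. The annotation block starts and ends outside the hunk.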
@@ -12,14 +12,35 @@ class ApiTest extends ApiTestCase
 public function testCoursesNoAuth()
 {
 $client = self::createClient();
- $response = $client->request('GET', '/courses');
+ $response = $client->request('GET', '/base/courses');
 $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
 }
 
 public function testCourseNoAuth()
 {
 $client = self::createClient();
- $response = $client->request('GET', '/courses/123');
+ $response = $client->request('GET', '/base/courses/123');
+ $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
+ }
+
+ public function testAttendeesByCourseNoAuth()
+ {
+ $client = self::createClient();
+ $response = $client->request('GET', '/base/courses/123/attendees');
+ $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
+ }
+
+ public function testCoursesByOrganizationNoAuth()
+ {
+ $client = self::createClient();
+ $response = $client->request('GET', '/base/organizations/123/courses');
+ $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
+ }
+
+ public function testCoursesByPersonNoAuth()
+ {
+ $client = self::createClient();
+ $response = $client->request('GET', '/base/people/123/courses');
 $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
 }
 }
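Review bot: The five `*NoAuth` tests repeat the same three statements with a different path, so the set of routes that must answer 401 is spread over the class and a newly added protected route is easy to leave untested. A single test fed by a data provider keeps that list in one place. The methods also have no `: void` return type. Only the no-credentials case is asserted here; whether a request carrying an invalid or expired token is also rejected is not covered by anything visible in this hunk. The class opens outside the hunk.

```php
    /**
     * Every protected route must reject a request that carries no credentials.
     *
     * @dataProvider protectedPaths
     */
    public function testNoAuthIsRejected(string $path): void
    {
        $client = self::createClient();
        $response = $client->request('GET', $path);
        $this->assertSame(Response::HTTP_UNAUTHORIZED, $response->getStatusCode());
    }

    public static function protectedPaths(): iterable
    {
        yield 'courses' => ['/base/courses'];
        yield 'course' => ['/base/courses/123'];
        yield 'attendees by course' => ['/base/courses/123/attendees'];
        yield 'courses by organization' => ['/base/organizations/123/courses'];
        yield 'courses by person' => ['/base/people/123/courses'];
    }
```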