Skip to content

Feature/patient#4

Merged
RedAvocado22 merged 26 commits into
mainfrom
feature/patient
Mar 6, 2026
Merged

Feature/patient#4
RedAvocado22 merged 26 commits into
mainfrom
feature/patient

Conversation

@LetMeSoloSir

Copy link
Copy Markdown
Collaborator

No description provided.

@RedAvocado22 RedAvocado22 self-requested a review March 4, 2026 10:34
@RedAvocado22 RedAvocado22 reopened this Mar 4, 2026
@LetMeSoloSir

LetMeSoloSir commented Mar 5, 2026

Copy link
Copy Markdown
Collaborator Author

done phase 2

@github-actions

github-actions Bot commented Mar 6, 2026

Copy link
Copy Markdown

🔍 PR Review

Summary

Introduces Medicine Management APIs with endpoints for listing, creating, updating, and deactivating medicines, alongside security configurations and service call integrations.

Issues Found

[File: SecurityConfig.java, ~line 42]

  • Problem: /v1/medicines/** is exempted from authentication. Trusted operations like creating, updating, and deactivating medicines should require authentication and authorization checks.
  • Scenario: Anyone can call deActivateMedicine or createMedicine endpoints without authentication, creating a security vulnerability.
  • Suggestion: Restrict /v1/medicines/** to authenticated users with role-based authorization (e.g., only admins can deactivate or create). Fix this in SecurityConfig.

[File: MedicineController.java, ~line 35]

  • Problem: Business logic (duration calculation and trace ID generation) is implemented in the Controller layer across all methods. Controllers should be lightweight and delegate operational work to the service layer.
  • Scenario: If similar logging is needed for other controllers, code duplication arises unnecessarily. It's also harder to maintain and extend the logic.
  • Suggestion: Move timing, trace ID generation, and logging to an Aspect or a middleware-like dedicated class.

[File: MedicineController.java, ~line 72]

  • Problem: GET /detail/{id} does not validate if an id not found throws an appropriate exception or fails gracefully.
  • Scenario: If a non-existent UUID is passed (e.g., 12345), the service may fail with a generic error instead of a 404 Not Found response.
  • Suggestion: Implement exception handling to return a 404 Not Found if the medicine isn't found and 400 Bad Request for invalid UUIDs.

[File: MedicineController.java, ~line 130]

  • Problem: Directly exposing MedicineResponse from controller methods without using DTO or view-specific objects.
  • Scenario: If MedicineResponse contains sensitive data fields (e.g., costPrice, manufacturing details), they might accidentally be sent to clients.
  • Suggestion: Ensure a slimmed-down DTO layer (e.g., MedicinePublicView) for data intended for public API responses.

[File: MedicineController.java, ~line 92]

  • Problem: @ModelAttribute used for GetAllMedicineRequest isn't validated. Missing @Valid can lead to unvalidated query parameters.
  • Scenario: If an empty page number or invalid pagination inputs are passed, unexpected behavior may occur without proper validation.
  • Suggestion: Add @Valid to ensure GetAllMedicineRequest fields are validated.

What's Done Well

  • Logging enhancements with trace IDs are thorough and detailed, making debugging easier in distributed systems.
  • Use of custom ApiResponse and ResponseMetadata improves response structuring for client consumption.

Verdict

🔴 Needs changes


🤖 Automated review by GitHub Models

@LetMeSoloSir

Copy link
Copy Markdown
Collaborator Author

lead said ok @RedAvocado22

@RedAvocado22 RedAvocado22 merged commit bc09037 into main Mar 6, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants