Skip to content

Employee management with DateRange filters and APIs#7

Merged
LetMeSoloSir merged 24 commits into
mainfrom
feature/employee
Mar 9, 2026
Merged

Employee management with DateRange filters and APIs#7
LetMeSoloSir merged 24 commits into
mainfrom
feature/employee

Conversation

@RedAvocado22

Copy link
Copy Markdown
Owner

No description provided.

RedAvocado22 and others added 16 commits March 7, 2026 04:34
Teammate reformatted SQL files which caused Flyway checksum mismatch on startup.
Restored original file content from git history to match what was applied to the DB.
Encapsulates from/to LocalDate pair. Used in search requests across employee,
department, and future domains to avoid verbose fromX/toX field explosion.
… DateRange

Replace standalone LocalDateTime createdAt/updatedAt fields with DateRange records.
Update DepartmentSpecification to use atStartOfDay/atTime(23,59,59) for proper
LocalDate to LocalDateTime conversion in between predicates.
…oyeeSpecification

- EmployeeResponse: record with all account fields + employee fields + nested DepartmentResponse
- SearchEmployeeRequest: extends PaginatedRequest with DateRange filters for dob/hireDate/createdAt/updatedAt
- EmployeeSpecification: dynamic filtering with always-joined account and conditional department join,
  OR logic for name search across fullName and username
- EmployeeInfoRepository: add JpaSpecificationExecutor for Specification support
- GetEmployeeService: overrides execute() with @transactional(readOnly=true) to keep
  Hibernate session open during lazy relationship mapping (account, department, role)
- EmployeeController: add GET /employees endpoint with @ModelAttribute SearchEmployeeRequest
…tion bypass

@transactional on doProcess() is never intercepted by Spring AOP proxy because doProcess()
is called internally via this.doProcess() inside BaseService.execute(). Transaction never
starts. Fix: override execute() in each service and annotate that instead.

- CreateEmployeeService: @transactional on execute()
- CreatePatientService: @transactional on execute() (was incorrectly readOnly=true)
- application.yml: remove repair-on-migrate (not a valid Flyway property)
@github-actions

github-actions Bot commented Mar 9, 2026

Copy link
Copy Markdown

🔍 PR Review

Summary

This PR introduces enhancements including date range filtering for employee management in the backend API and API documentation annotations using Swagger. It touches multiple files to update request/response models, introduce validation rules, and add API documentation.

Issues Found

[File: SignInRequest.java, ~line 6]

  • Problem: @Size annotation imposes length constraints on username and password, but doesn't enforce minimum lengths, which may lead to security or validation issues (e.g., empty/very short passwords).
  • Scenario: Setting password to an empty string ("") satisfies @Size but violates @NotBlank only at runtime.
  • Suggestion: Add a minimum length constraint in the @Size annotation (e.g., @Size(min = 8, max = 100) for passwords).

[File: AccountResponse.java, ~line 5]

  • Problem: Exposing the Account entity directly in the method AccountResponse.from(Account account). While using a DTO is good practice, this direct mapping exposes the entity in the method and risks unintended property leaks.
  • Scenario: If the Account class changes, sensitive fields could be accidentally included in the response.
  • Suggestion: Map only specific fields explicitly in the from() method to ensure control over the data exposed in the response.

[File: AuthResponse.java, ~line 18]

  • Problem: Overridden toString() method returns sensitive details (like token expiration times). It's good for logging purposes but risks exposing sensitive implementation details.
  • Scenario: Logging the toString() output for debug could expose certain token details, which is not advisable.
  • Suggestion: Exclude sensitive data in logging/debug by using a more controlled logger approach or remove toString() override.

[File: PaginatedRequest.java, ~line 18]

  • Problem: Default value for sortDirection is "ASC", but the validation regex allows case-insensitive values. Users can supply unexpected lowercase input, which would still pass validation.
  • Scenario: Supplying invalid values like "asc" or "deSc" will not be normalized, potentially leading to unexpected errors elsewhere.
  • Suggestion: Add normalization logic for sortDirection in the setter method or force strict uppercase validation with flags = {Pattern.Flag.UNICODE_CASE}.

[File: PaginatedRequest.java, ~line 19]

  • Problem: Default page and size values (0 and 20 respectively) may result in inefficient queries when combined with a high row count or when no limit is applied.
  • Scenario: Without a maximum limit (even though @Max is present), API consumers may suffer performance issues due to large amounts of data being fetched inadvertently.
  • Suggestion: Enforce stricter maximums or use a global configuration for default pagination in the application level.

[File: BaseRequest.java, ~line 14]

  • Problem: The comment indicates userContext is set by the framework, but the mechanism is unclear. If userContext is not populated, potential null-pointer exceptions could occur during usage.
  • Scenario: A controller action accesses userContext.getUserId() without verifying whether userContext was correctly set, leading to a runtime crash.
  • Suggestion: Validate that userContext is non-null at runtime or include a fallback value where it's retrieved.

[General Observation]

  • Problem: There's no explicit authentication or role-based access control verification in the code snippets provided (though these snippets may not relate to this).
  • Scenario: Without proper access checks, unauthorized users might gain access to employee management API endpoints.
  • Suggestion: Use Spring Security with role-based access control annotations (@PreAuthorize or @secured) where necessary. Add test cases to validate restricted access.

What's Done Well

  • Effective use of @Schema annotations for API documentation provides clear documentation and proper examples for OpenAPI.
  • Good use of @Valid and bean validation (@NotBlank, @Size, etc.) in requests.
  • Some examples employ clean design ideas like using DTOs (AccountResponse, AuthResponse).

Verdict

🔴 Needs changes
The PR introduces useful enhancements but requires addressing several critical concerns related to validation, security, and design. Please address the issues above before merging.


🤖 Automated review by GitHub Models

@RedAvocado22

Copy link
Copy Markdown
Owner Author

Lead said gud to go!

@LetMeSoloSir LetMeSoloSir merged commit 97fd97c into main Mar 9, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants