From f6aaf0b923b672cfe03cc7e11079c248e559c652 Mon Sep 17 00:00:00 2001
From: Sergey Karmanov <ppoocpel8888@gmail.com>
Date: Wed, 13 May 2026 19:16:48 +0300
Subject: [PATCH] =?UTF-8?q?fix:=20=D1=81=D0=BA=D1=80=D1=8B=D0=BB=20=D0=BE?=
 =?UTF-8?q?=D1=82=D0=B7=D1=8B=D0=B2=D1=8B=20=D0=BE=D1=82=20=D1=81=D1=82?=
 =?UTF-8?q?=D1=83=D0=B4=D0=B5=D0=BD=D1=82=D0=BE=D0=B2?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../EndpointAuthorizationTests.cs             | 13 +++++--
 .../Controllers/LecturesController.cs         |  4 +++
 .../Controllers/ReviewsController.cs          |  4 +++
 .../Controllers/UsersController.cs            |  4 +++
 backend/UniVerse.Api/openapi.json             | 36 +++++++++++++++++--
 frontend/src/components/ui/LectureCard.vue    |  6 +++-
 frontend/src/views/student/CatalogView.vue    |  1 +
 7 files changed, 61 insertions(+), 7 deletions(-)

diff --git a/backend/UniVerse.Api.Tests/Authorization/EndpointAuthorizationTests.cs b/backend/UniVerse.Api.Tests/Authorization/EndpointAuthorizationTests.cs
index b94eb92..9252436 100644
--- a/backend/UniVerse.Api.Tests/Authorization/EndpointAuthorizationTests.cs
+++ b/backend/UniVerse.Api.Tests/Authorization/EndpointAuthorizationTests.cs
@@ -47,10 +47,13 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
             body: """{"displayName":"Test","avatarUrl":null}""");
         yield return E("users/{id}/stats [AnyAuth]",       "GET",    "api/v1/users/1/stats",  "Student");
         yield return E("users/{id}/enrollments [AnyAuth]", "GET",    "api/v1/users/1/enrollments", "Student");
-        yield return E("users/{id}/reviews [AnyAuth]",     "GET",    "api/v1/users/1/reviews","Student");
         yield return E("users/{id}/achievements [AnyAuth]","GET",    "api/v1/users/1/achievements","Student");
         yield return E("users/{id}/transactions [AnyAuth/self]","GET","api/v1/users/1/transactions","Student");
 
+        // ── Users — Admin OR Teacher ─────────────────────────────────────────
+        yield return E("users/{id}/reviews [Admin]",       "GET",    "api/v1/users/1/reviews","Admin",   forbidden: ["Student"]);
+        yield return E("users/{id}/reviews [Teacher]",     "GET",    "api/v1/users/1/reviews","Teacher", forbidden: ["Student"]);
+
         // ── Users — Admin only ────────────────────────────────────────────────
         yield return E("users GET [Admin]",                "GET",    "api/v1/users",          "Admin",   forbidden: ["Student", "Teacher"]);
         yield return E("users/{id}/role PATCH [Admin]",    "PATCH",  "api/v1/users/1/role",   "Admin",   forbidden: ["Student", "Teacher"],
@@ -75,7 +78,6 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
         // ── Lectures — any auth ───────────────────────────────────────────────
         yield return E("lectures GET [AnyAuth]",           "GET",    "api/v1/lectures",       "Student");
         yield return E("lectures/{id} GET [AnyAuth]",      "GET",    "api/v1/lectures/1",     "Student");
-        yield return E("lectures/{id}/reviews GET [AnyAuth]","GET",  "api/v1/lectures/1/reviews","Student");
 
         // ── Lectures — Admin only ─────────────────────────────────────────────
         yield return E("lectures POST [Admin]",            "POST",   "api/v1/lectures",       "Admin",   forbidden: ["Student", "Teacher"],
@@ -93,17 +95,22 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
             body: "true");
         yield return E("lectures/{id}/enrollments GET [Admin]",  "GET","api/v1/lectures/1/enrollments","Admin",  forbidden: ["Student"]);
         yield return E("lectures/{id}/enrollments GET [Teacher]","GET","api/v1/lectures/1/enrollments","Teacher",forbidden: ["Student"]);
+        yield return E("lectures/{id}/reviews GET [Admin]",      "GET","api/v1/lectures/1/reviews","Admin",  forbidden: ["Student"]);
+        yield return E("lectures/{id}/reviews GET [Teacher]",    "GET","api/v1/lectures/1/reviews","Teacher",forbidden: ["Student"]);
 
         // ── Lectures — Student only ───────────────────────────────────────────
         yield return E("lectures/{id}/enroll POST [Student]",   "POST",  "api/v1/lectures/1/enroll",  "Student", forbidden: ["Admin", "Teacher"]);
         yield return E("lectures/{id}/enroll DELETE [Student]", "DELETE","api/v1/lectures/1/enroll",  "Student", forbidden: ["Admin", "Teacher"]);
 
         // ── Reviews — any auth ────────────────────────────────────────────────
-        yield return E("reviews/{id} GET [AnyAuth]",       "GET",    "api/v1/reviews/1",      "Student");
         yield return E("reviews/{id} PUT [AnyAuth]",       "PUT",    "api/v1/reviews/1",      "Student",
             body: """{"rating":"Like","text":"Updated"}""");
         yield return E("reviews/{id} DELETE [AnyAuth]",    "DELETE", "api/v1/reviews/1",      "Student");
 
+        // ── Reviews — Admin OR Teacher ───────────────────────────────────────
+        yield return E("reviews/{id} GET [Admin]",         "GET",    "api/v1/reviews/1",      "Admin",   forbidden: ["Student"]);
+        yield return E("reviews/{id} GET [Teacher]",       "GET",    "api/v1/reviews/1",      "Teacher", forbidden: ["Student"]);
+
         // ── Reviews — Student only ────────────────────────────────────────────
         yield return E("reviews POST [Student]",           "POST",   "api/v1/reviews",        "Student", forbidden: ["Admin", "Teacher"],
             body: """{"lectureId":1,"rating":"Like","text":"Great lecture!"}""");
diff --git a/backend/UniVerse.Api/Controllers/LecturesController.cs b/backend/UniVerse.Api/Controllers/LecturesController.cs
index dc4da78..9eb1d4a 100644
--- a/backend/UniVerse.Api/Controllers/LecturesController.cs
+++ b/backend/UniVerse.Api/Controllers/LecturesController.cs
@@ -189,14 +189,18 @@ public class LecturesController : ControllerBase
         Ok(await _lectures.GetEnrollmentsAsync(id, pagination));
 
     /// <summary>Получить отзывы к лекции.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID лекции.</param>
     /// <param name="pagination">Параметры пагинации.</param>
     /// <response code="200">Список отзывов (пагинированный).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
     /// <response code="404">Лекция не найдена.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}/reviews")]
     [ProducesResponseType(typeof(PagedResult<UniVerse.Application.DTOs.Reviews.ReviewDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult> Reviews(int id, [FromQuery] PaginationRequest pagination) =>
         Ok(await _reviews.GetByLectureAsync(id, pagination));
diff --git a/backend/UniVerse.Api/Controllers/ReviewsController.cs b/backend/UniVerse.Api/Controllers/ReviewsController.cs
index 781c89d..6c4634d 100644
--- a/backend/UniVerse.Api/Controllers/ReviewsController.cs
+++ b/backend/UniVerse.Api/Controllers/ReviewsController.cs
@@ -44,13 +44,17 @@ public class ReviewsController : ControllerBase
         CreatedAtAction(nameof(Get), new { id = 0 }, await _reviews.CreateAsync(CurrentUserId, req));
 
     /// <summary>Получить отзыв по ID.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID отзыва.</param>
     /// <response code="200">Данные отзыва (включая LLM-статус и сентимент).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
     /// <response code="404">Отзыв не найден.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}")]
     [ProducesResponseType(typeof(ReviewDto), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult<ReviewDto>> Get(int id) => Ok(await _reviews.GetByIdAsync(id));
 
diff --git a/backend/UniVerse.Api/Controllers/UsersController.cs b/backend/UniVerse.Api/Controllers/UsersController.cs
index 0b08da8..bfe1d9b 100644
--- a/backend/UniVerse.Api/Controllers/UsersController.cs
+++ b/backend/UniVerse.Api/Controllers/UsersController.cs
@@ -86,13 +86,17 @@ public class UsersController : ControllerBase
     }
 
     /// <summary>Получить отзывы пользователя.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID пользователя.</param>
     /// <param name="pagination">Параметры пагинации.</param>
     /// <response code="200">Список отзывов (пагинированный).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}/reviews")]
     [ProducesResponseType(typeof(PagedResult<UniVerse.Application.DTOs.Reviews.ReviewDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     public async Task<ActionResult> Reviews(int id, [FromQuery] PaginationRequest pagination) =>
         Ok(await _reviews.GetByUserAsync(id, pagination));
 
diff --git a/backend/UniVerse.Api/openapi.json b/backend/UniVerse.Api/openapi.json
index c7e2f32..223c948 100644
--- a/backend/UniVerse.Api/openapi.json
+++ b/backend/UniVerse.Api/openapi.json
@@ -1827,7 +1827,7 @@
           "Lectures"
         ],
         "summary": "Получить отзывы к лекции.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -1877,6 +1877,16 @@
               }
             }
           },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
+          },
           "404": {
             "description": "Лекция не найдена.",
             "content": {
@@ -2501,7 +2511,7 @@
           "Reviews"
         ],
         "summary": "Получить отзыв по ID.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -2535,6 +2545,16 @@
               }
             }
           },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
+          },
           "404": {
             "description": "Отзыв не найден.",
             "content": {
@@ -3679,7 +3699,7 @@
           "Users"
         ],
         "summary": "Получить отзывы пользователя.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -3728,6 +3748,16 @@
                 }
               }
             }
+          },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
           }
         },
         "security": [
diff --git a/frontend/src/components/ui/LectureCard.vue b/frontend/src/components/ui/LectureCard.vue
index e536109..a3d090f 100644
--- a/frontend/src/components/ui/LectureCard.vue
+++ b/frontend/src/components/ui/LectureCard.vue
@@ -6,6 +6,7 @@ import AppIcon from '@/components/ui/AppIcon.vue'
 const props = defineProps<{
   lecture: Lecture
   registered?: boolean
+  showRating?: boolean
 }>()
 const emit = defineEmits<{ register: [id: string] }>()
 const router = useRouter()
@@ -78,7 +79,7 @@ function goDetail() {
     </div>
 
     <div class="card-footer">
-      <div class="rating">
+      <div v-if="showRating !== false" class="rating">
         <span class="stars">{{ starsHtml(lecture.rating) }}</span>
         <span class="rating-value">{{ lecture.rating }}</span>
         <span class="text-secondary text-sm">({{ lecture.reviewCount }})</span>
@@ -178,6 +179,9 @@ function goDetail() {
   justify-content: space-between;
   margin-top: 4px;
 }
+.card-footer button {
+  margin-left: auto;
+}
 .rating {
   display: flex;
   align-items: center;
diff --git a/frontend/src/views/student/CatalogView.vue b/frontend/src/views/student/CatalogView.vue
index 5c4aa47..77666db 100644
--- a/frontend/src/views/student/CatalogView.vue
+++ b/frontend/src/views/student/CatalogView.vue
@@ -205,6 +205,7 @@ async function registerLecture(id: string) {
         :key="l.id"
         :lecture="l"
         :registered="lecturesStore.registeredIds.includes(l.id)"
+        :show-rating="false"
         @register="registerLecture"
       />
     </div>