fix: скрыл отзывы от студентов

backend/UniVerse.Api.Tests/Authorization/EndpointAuthorizationTests.cs

@@ -47,10 +47,13 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
             body: """{"displayName":"Test","avatarUrl":null}""");
         yield return E("users/{id}/stats [AnyAuth]",       "GET",    "api/v1/users/1/stats",  "Student");
         yield return E("users/{id}/enrollments [AnyAuth]", "GET",    "api/v1/users/1/enrollments", "Student");
-        yield return E("users/{id}/reviews [AnyAuth]",     "GET",    "api/v1/users/1/reviews","Student");
         yield return E("users/{id}/achievements [AnyAuth]","GET",    "api/v1/users/1/achievements","Student");
         yield return E("users/{id}/transactions [AnyAuth/self]","GET","api/v1/users/1/transactions","Student");
 
+        // ── Users — Admin OR Teacher ─────────────────────────────────────────
+        yield return E("users/{id}/reviews [Admin]",       "GET",    "api/v1/users/1/reviews","Admin",   forbidden: ["Student"]);
+        yield return E("users/{id}/reviews [Teacher]",     "GET",    "api/v1/users/1/reviews","Teacher", forbidden: ["Student"]);
+
         // ── Users — Admin only ────────────────────────────────────────────────
         yield return E("users GET [Admin]",                "GET",    "api/v1/users",          "Admin",   forbidden: ["Student", "Teacher"]);
         yield return E("users/{id}/role PATCH [Admin]",    "PATCH",  "api/v1/users/1/role",   "Admin",   forbidden: ["Student", "Teacher"],
@@ -75,7 +78,6 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
         // ── Lectures — any auth ───────────────────────────────────────────────
         yield return E("lectures GET [AnyAuth]",           "GET",    "api/v1/lectures",       "Student");
         yield return E("lectures/{id} GET [AnyAuth]",      "GET",    "api/v1/lectures/1",     "Student");
-        yield return E("lectures/{id}/reviews GET [AnyAuth]","GET",  "api/v1/lectures/1/reviews","Student");
 
         // ── Lectures — Admin only ─────────────────────────────────────────────
         yield return E("lectures POST [Admin]",            "POST",   "api/v1/lectures",       "Admin",   forbidden: ["Student", "Teacher"],
@@ -93,17 +95,22 @@ public class EndpointAuthorizationTests : IClassFixture<ApiWebApplicationFactory
             body: "true");
         yield return E("lectures/{id}/enrollments GET [Admin]",  "GET","api/v1/lectures/1/enrollments","Admin",  forbidden: ["Student"]);
         yield return E("lectures/{id}/enrollments GET [Teacher]","GET","api/v1/lectures/1/enrollments","Teacher",forbidden: ["Student"]);
+        yield return E("lectures/{id}/reviews GET [Admin]",      "GET","api/v1/lectures/1/reviews","Admin",  forbidden: ["Student"]);
+        yield return E("lectures/{id}/reviews GET [Teacher]",    "GET","api/v1/lectures/1/reviews","Teacher",forbidden: ["Student"]);
 
         // ── Lectures — Student only ───────────────────────────────────────────
         yield return E("lectures/{id}/enroll POST [Student]",   "POST",  "api/v1/lectures/1/enroll",  "Student", forbidden: ["Admin", "Teacher"]);
         yield return E("lectures/{id}/enroll DELETE [Student]", "DELETE","api/v1/lectures/1/enroll",  "Student", forbidden: ["Admin", "Teacher"]);
 
         // ── Reviews — any auth ────────────────────────────────────────────────
-        yield return E("reviews/{id} GET [AnyAuth]",       "GET",    "api/v1/reviews/1",      "Student");
         yield return E("reviews/{id} PUT [AnyAuth]",       "PUT",    "api/v1/reviews/1",      "Student",
             body: """{"rating":"Like","text":"Updated"}""");
         yield return E("reviews/{id} DELETE [AnyAuth]",    "DELETE", "api/v1/reviews/1",      "Student");
 
+        // ── Reviews — Admin OR Teacher ───────────────────────────────────────
+        yield return E("reviews/{id} GET [Admin]",         "GET",    "api/v1/reviews/1",      "Admin",   forbidden: ["Student"]);
+        yield return E("reviews/{id} GET [Teacher]",       "GET",    "api/v1/reviews/1",      "Teacher", forbidden: ["Student"]);
+
         // ── Reviews — Student only ────────────────────────────────────────────
         yield return E("reviews POST [Student]",           "POST",   "api/v1/reviews",        "Student", forbidden: ["Admin", "Teacher"],
             body: """{"lectureId":1,"rating":"Like","text":"Great lecture!"}""");

backend/UniVerse.Api/Controllers/LecturesController.cs

@@ -189,14 +189,18 @@ public class LecturesController : ControllerBase
         Ok(await _lectures.GetEnrollmentsAsync(id, pagination));
 
     /// <summary>Получить отзывы к лекции.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID лекции.</param>
     /// <param name="pagination">Параметры пагинации.</param>
     /// <response code="200">Список отзывов (пагинированный).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
     /// <response code="404">Лекция не найдена.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}/reviews")]
     [ProducesResponseType(typeof(PagedResult<UniVerse.Application.DTOs.Reviews.ReviewDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult> Reviews(int id, [FromQuery] PaginationRequest pagination) =>
         Ok(await _reviews.GetByLectureAsync(id, pagination));

backend/UniVerse.Api/Controllers/ReviewsController.cs

@@ -44,13 +44,17 @@ public class ReviewsController : ControllerBase
         CreatedAtAction(nameof(Get), new { id = 0 }, await _reviews.CreateAsync(CurrentUserId, req));
 
     /// <summary>Получить отзыв по ID.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID отзыва.</param>
     /// <response code="200">Данные отзыва (включая LLM-статус и сентимент).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
     /// <response code="404">Отзыв не найден.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}")]
     [ProducesResponseType(typeof(ReviewDto), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     [ProducesResponseType(StatusCodes.Status404NotFound)]
     public async Task<ActionResult<ReviewDto>> Get(int id) => Ok(await _reviews.GetByIdAsync(id));
 

backend/UniVerse.Api/Controllers/UsersController.cs

@@ -86,13 +86,17 @@ public class UsersController : ControllerBase
     }
 
     /// <summary>Получить отзывы пользователя.</summary>
+    /// <remarks>Только Admin или Teacher.</remarks>
     /// <param name="id">ID пользователя.</param>
     /// <param name="pagination">Параметры пагинации.</param>
     /// <response code="200">Список отзывов (пагинированный).</response>
     /// <response code="401">Требуется аутентификация.</response>
+    /// <response code="403">Требуется роль Admin или Teacher.</response>
+    [Authorize(Roles = "Admin,Teacher")]
     [HttpGet("{id:int}/reviews")]
     [ProducesResponseType(typeof(PagedResult<UniVerse.Application.DTOs.Reviews.ReviewDto>), StatusCodes.Status200OK)]
     [ProducesResponseType(StatusCodes.Status401Unauthorized)]
+    [ProducesResponseType(StatusCodes.Status403Forbidden)]
     public async Task<ActionResult> Reviews(int id, [FromQuery] PaginationRequest pagination) =>
         Ok(await _reviews.GetByUserAsync(id, pagination));
 

backend/UniVerse.Api/openapi.json

@@ -1827,7 +1827,7 @@
           "Lectures"
         ],
         "summary": "Получить отзывы к лекции.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -1877,6 +1877,16 @@
               }
             }
           },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
+          },
           "404": {
             "description": "Лекция не найдена.",
             "content": {
@@ -2501,7 +2511,7 @@
           "Reviews"
         ],
         "summary": "Получить отзыв по ID.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -2535,6 +2545,16 @@
               }
             }
           },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
+          },
           "404": {
             "description": "Отзыв не найден.",
             "content": {
@@ -3679,7 +3699,7 @@
           "Users"
         ],
         "summary": "Получить отзывы пользователя.",
-        "description": "**Required:** any authenticated user",
+        "description": "Только Admin или Teacher.\n\n**Required roles:** Admin, Teacher",
         "parameters": [
           {
             "name": "id",
@@ -3728,6 +3748,16 @@
                 }
               }
             }
+          },
+          "403": {
+            "description": "Требуется роль Admin или Teacher.",
+            "content": {
+              "application/json": {
+                "schema": {
+                  "$ref": "#/components/schemas/ProblemDetails"
+                }
+              }
+            }
           }
         },
         "security": [