From 35174aa7dc1b1224e9dac7ae884bf0ffbcec3934 Mon Sep 17 00:00:00 2001
From: androidlover5842
Date: Wed, 28 Jan 2026 04:54:38 +0530
Subject: [PATCH] Require auth for room type write endpoints
---
 .../com/android/trisolarisserver/security/FirebaseAuthFilter.kt | 2 +-
 .../com/android/trisolarisserver/security/SecurityConfig.kt | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
index 6e73eb7..5cfa455 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
@@ -27,7 +27,7 @@ class FirebaseAuthFilter(
 }
 return path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images/[^/]+/file$"))
 || path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images$"))
- || path.matches(Regex("^/properties/[^/]+/room-types$"))
+ || (path.matches(Regex("^/properties/[^/]+/room-types$")) && request.method.equals("GET", true))
 || path.matches(Regex("^/properties/[^/]+/room-types/[^/]+/images$"))
 || (path == "/image-tags" && request.method.equals("GET", true))
 || path == "/icons/png"
diff --git a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
index f1ccc21..2d7e87a 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/SecurityConfig.kt
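Review bot: In the FirebaseAuthFilter.kt hunk, the patterns next to the changed line (`^/properties/[^/]+/rooms/[^/]+/images$` and `^/properties/[^/]+/room-types/[^/]+/images$`) still match for every HTTP method. Assuming a match means the request bypasses token verification, as the commit subject implies, any upload or other write handler on those paths stays unauthenticated after this commit. The same applies to the method-less `permitAll()` matchers for `/properties/*/rooms/*/images` and `/properties/*/room-types/*/images` in the SecurityConfig.kt hunk. If only reads are meant to be public, give them the same guard, e.g. `|| (path.matches(Regex("^/properties/[^/]+/rooms/[^/]+/images$")) && request.method.equals("GET", true))`, and the `HttpMethod.GET` form in SecurityConfig. The enclosing function starts and ends outside the hunk, so how `path` is derived and what the return value controls are not visible here.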
@@ -28,7 +28,7 @@ class SecurityConfig(
 it.requestMatchers("/", "/health", "/auth/**").permitAll()
 it.requestMatchers("/properties/*/rooms/*/images/*/file").permitAll()
 it.requestMatchers("/properties/*/rooms/*/images").permitAll()
- it.requestMatchers("/properties/*/room-types").permitAll()
+ it.requestMatchers(org.springframework.http.HttpMethod.GET, "/properties/*/room-types").permitAll()
 it.requestMatchers("/properties/*/room-types/*/images").permitAll()
 it.requestMatchers(org.springframework.http.HttpMethod.GET, "/image-tags").permitAll()
 it.requestMatchers("/icons/png").permitAll()
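Review bot: The public-route list is maintained twice, here as `requestMatchers(...).permitAll()` entries and in FirebaseAuthFilter.kt as regexes, and nothing visible keeps the two in step; this commit had to narrow `/properties/*/room-types` in both places by hand. A later edit that touches only one list would leave the filter and the authorization rules disagreeing about which requests need a token. Consider a comment above this matcher block such as `// Keep in sync with the path list in FirebaseAuthFilter`, plus a test asserting that an unauthenticated POST to `/properties/{id}/room-types` is rejected while GET still succeeds. The authorize block continues outside the hunk, so whether a catch-all `authenticated()` rule follows these matchers is not visible here.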