From fff305bba9b46e1687e8778c127b609c226aaa0d Mon Sep 17 00:00:00 2001
From: "nightvision-pr-creator[bot]"
Date: Wed, 21 Jan 2026 18:30:22 +0000
Subject: [PATCH] fix: Security remediation for Admin endpoints accessible to non-admin users

---
 src/main/java/hawk/MultiHttpSecurityConfig.java | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/main/java/hawk/MultiHttpSecurityConfig.java b/src/main/java/hawk/MultiHttpSecurityConfig.java
index 77b5d92..eda6e34 100644
--- a/src/main/java/hawk/MultiHttpSecurityConfig.java
+++ b/src/main/java/hawk/MultiHttpSecurityConfig.java
@@ -125,6 +125,7 @@ public static class FormLoginWebSecurityConfigurerAdapter extends WebSecurityCon
 protected void configure(HttpSecurity http) throws Exception {
 http
 .authorizeRequests()
+ .antMatchers("/admin/**").hasRole("ADMIN")
 .antMatchers(
 "/",
 "/jwt-auth",
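Review bot: The `/admin/**` restriction added at the top of `authorizeRequests()` is registered only in `FormLoginWebSecurityConfigurerAdapter`, while the file name suggests `MultiHttpSecurityConfig` configures further filter chains; any admin handler claimed by another chain's request matcher (a token-authenticated API path, if one exists) is not covered and needs its own rule or a method-level `@PreAuthorize("hasRole('ADMIN')")`. `hasRole("ADMIN")` tests for the authority `ROLE_ADMIN`, so confirm the user details service grants it with that prefix, otherwise use `hasAuthority(...)` with the stored name. Placing the rule ahead of the permissive `antMatchers(` list is correct, since the first matching rule wins. A MockMvc test asserting 403 for a non-admin session and success for an admin on an `/admin/` URL would pin the fix. `configure` continues past the end of the hunk, so the rest of the chain is not visible here.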