From 74766fecab6aa0ecb29d1f6797530f4c32a569c4 Mon Sep 17 00:00:00 2001
From: abazov73 <92822431+abazov73@users.noreply.github.com>
Date: Tue, 16 May 2023 10:19:24 +0400
Subject: [PATCH] =?UTF-8?q?=D0=A8=D0=B5=D1=81=D1=82=D0=B0=D1=8F=20=D0=BB?=
 =?UTF-8?q?=D0=B0=D0=B1=D0=BE=D1=80=D0=B0=D1=82=D0=BE=D1=80=D0=BD=D0=B0?=
 =?UTF-8?q?=D1=8F=20=D1=80=D0=B0=D0=B1=D0=BE=D1=82=D0=B0.=20=D0=A4=D0=B8?=
 =?UTF-8?q?=D0=BA=D1=81=20=D0=B2=D1=8B=D0=B2=D0=BE=D0=B4=D0=B0=20forbidden?=
 =?UTF-8?q?.?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 backend/ipLab/data.mv.db                      | Bin 114688 -> 159744 bytes
 .../Configurations/SecurityConfiguration.java |   4 +
 .../Controllers/CustomerController.java       |   6 +-
 .../Exceptions/ForbiddenException.java        |   8 ++
 .../main/resources/templates/customer.html    |  98 ++++++++++--------
 frontend/src/App.jsx                          |   3 +
 .../src/components/pages/customerPage.jsx     |   9 +-
 .../src/components/pages/forbiddenPage.jsx    |   8 ++
 8 files changed, 88 insertions(+), 48 deletions(-)
 create mode 100644 backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java
 create mode 100644 frontend/src/components/pages/forbiddenPage.jsx

diff --git a/backend/ipLab/data.mv.db b/backend/ipLab/data.mv.db
index d358ec9396150e8accc7532f061449b778fd2a28..beb5caadacd6b43004dae5cffbead44e3ea29117 100644
GIT binary patch
delta 12540
zcmeI2d5{#<9mo6i%<Rk#3%l&Wt{l4ya_H`&eIElcOT6$vzz8UXar<11D+>ZDmT^|C
zGMDASOF3c^1x-+64mYDUpq3$~qO7TSBwiIwiRBf8O4RZy3(fDn?&<DfXLnh^gg@X9
zUU$!Szw`U~9q;w^CHr<&-ZYIhxtpiYYB0GDx5rs$t#mHQ2$t${k}9P8jXSFGSJg+4
z^f&phT2h@he8TMMwJypi9X-yf4Bv6Fu^PT5L3w$`;kb@f&gJVeZpUh)+gY0tIxgw$
zU6*kzj{M_QiPt*TU3jsR;U$UF6qU0(E_E(hdtvXYj0j&|*K1`gUB~?kPfMj4CNZg^
znZd0eHl{5x3H2NY_2lP$_yl4N7hipC3o`OwJ{FHvTVf1;VVH^m=3c~1z<sYxkqo`k
zTDgAJMaPMT5nNfpl^t9;!Ihgw+qNUz_j+a4(EVQW4(+De(R1OY&I0J7pbH$mSwuT%
zd;K>J+J9Ad`~eVTe*}2h9|A)nBOtq?Y!rt;bPbWyg^u;B)~|K!dFz%IhhnbbgyRBj
zA>*R(oZQiCS?gCDtE>$f(d7i5yBE<;W}uUPg9RDC;mpi>?Gd0(Z$bohpBXVUG9!{C
z@+Hj?tTN4kj|Z~^*Q7PP2~!ugh7;}%T4F&<@N+xcSku}#(2_MtJ)Eq&yi)8pv`W)?
zad5v4D^ii=SL8%1;`Oj1+wZbYr$`K@h=;BPQ&dY9Azh=UL+414@cjc#Cz@nBI7N5l
zNV9lNcil40iq3}ZHOsXv{D+4pAOpX$shzbr+;UTM)}(_<mU-l(3a@IM|53W`RmtLu
z4<eIZGUpDh#e`{#46+#Z-Szu!Mf;wG^~q~i*!i^?(d#?RD$%E)z>g&YEv`<JDpXN)
zIU>-Z8tO)7$@PcBG&_2;!Rq8S#8>&M=LB0;svNHdxRJ~%#}@-HSWa-G$eb430Gov1
zMl-DN#)6rHU+74aPlq4SPgOK4c*zztsMW8?Q6#B&BLTyLiX>O#G=^b18D{oUC>aK=
zYw9;%WO3h($zvk03j`2lsAP+(=$Iw|>nyzYf-#L`?GrcxF943kg-3L7{4hEQz76Z&
z6PIJdCr@1t3}o(%J<PBv#4!KvWSAu{G0bjwNJ_YmJ$oB16VFei&so;HPe1$*`n>AR
z<+Q9m-z&#IzoKnsTU*OfQ}DPoXIA9n^AS4}cddCZDajJ2NP2E@B|0l<yQ&}<a^VIO
zeH_Q!+MY^=sa(c>z_Km5SDVmjl_{N9Tn$!d?ynor(Mip+4A(LX?{7f0EIu#0IQPsX
zw7vlUHKJTi6M8(~cjc5gzUk@&dI7h5*pxO+59g-k<J=@TXALv|)nl<(m1)KV(*pjl
zso8@6SZHlEv;flOux?Utk9i<KkcMlP96Ltvsmu#p?%D0AF>4UXbG%l{Ji$?mng@9T
zlWj-0%0M6rK@bT*&=I0&;>6zt4Jd0qvc!JKrS^mO4d@{@Ach%{XwiPmDls5}3`21k
z8IXK1cqTC*yEe_r`hx;!@}M=yhEZsd`3!JdI(-zkL)n_>5SbosVIf3tn-vMfJl#sN
zMj=L5(ANsFkYTfVc@z-KEnJ2sj3)p9n8nZaV3xQeKkuhKG2HibYF5amC~pFP(9}RL
zvPqmT%ChEt&Ff$zdi*d(G^`_HFo9_+Jf=P5F>UujG7a8m=d5V=m^NiPuGw;W#Vv^*
z#J1zEEl(y)jThDY%sX$Z0E$fqidC&i@+><&_c=zNB{<HK^}>5UK@-Q|MJpBqpW<xY
zzdS(MKA;>QP?qm+_CF8@KH0!02l!-7E)YJolyx@EfLXua_RvUfr38=)e3rG~KYOEn
zsNKq_e^tanDHYVi%dI^8s8AL0!Yusk&e>m+pG(<8om5#?b>cwLo1xf~h1lZYJ*W^q
zqhb#*CwKNTR98D^1;tNd*)32)Kz94me&fn&ik}cCQ8Wbju?4`79^%K@*TbcPI2b=R
ztTyyniI?RQX<K<B?cM?27I;%ovNpgKysu%stRj)x+ri5sL|SuNGBqdtCqPo}`fhZ7
zqs`m0o{|;Km0ZJs3)2CYUCzDVjdmmi@W92wuT~<51!BzyEX^*=y$F2~^ZAwjjQKOm
zwih~kQ4%$2GRG@sN)t`Vf&iFYC^{#qg$1k8_Ei4<-!>u&wb~OX)GXc)q6Hsnj^}kb
z)ax2+@eoA|FliGePmbfOUTbM9i?y;b^pVI}JQ6t<z38E0+K40YKaZR#O{u#m3j(Dn
zy(!W(OW4ZGhd3VHf11icaO%gSeGreH0R)AT&<9FNA8_pw(|opGcy7P(bC0bdE2EGL
z*vdmUZ8czPy4&RaIMt2Dsg~j;34~&j0D==QjaSSPSe`wyI6IOh&_zS!!*Bz>O=DQw
zHh`|D_;lS`O4oNg{aAKKDP7??I~Mv2v2EEH)~D;N_V!kvuBTV*idP_Z7KvhO{3tdh
z$*!tE8mL@2+j<$U=x0@yZKbhnZA#}X%ds41grN4$p@Z6Q5xiDfvX9q%=Z8BHWK$_!
zO^(vF+LD2;3efe%S|>i*9Hm=yCE;sFa+C*5+6RLW)6Y@X=f2#A>h{-xqtT?d+6QH9
zAuAM0FU;aZ!b#o@vv;8{MAAfF=JIHg9Vkg%md{*fhY7j{HLE1281gsTtVlvN#7Nkz
zL9OZunsqSF*r1k{3}E1(;YS~CBue_{rnc-s>@j$??eF|SQwYIeBO)?RoR<yo2q>ur
z4<5O9Q?wypvk5tXY(OnRDai(0F#$@5S9iSBZ(IeTC`oOGCLmb2@GP(yhAwI<=cP7d
zt*z<&2lu@Yquyl0N-so~{1938y-CUQCMAz|rUWsv%rMDoC%+hH8evanPOHHeIc5mK
zl^9$}MYbJXBUnZ>9JcWL+n2D0gg5V;8gn@rUv=x#c(2uf?-@9gJidR^RHWl)oqO54
z(8jJN{O+a{((poOBA(tQeRI%SGlYm(1v=R(Y}iCnKSCIHiX@kq6-+OKKI9G;`0&Jq
zi0*KSrX>ri6sG<~)3r3Y_#o;giIE10{^}DW4Qk-TFuN%gjW^!)<g~0wQv8vvH`rPz
z-Fwq%&WdEo0;65p5SsPmWtA`Iz)6voNwj6Q=0sXn&(SQIPCWz3m5Fbq<2`TPh$nSd
z<rXhP^|fbB^j6`=zT+|%9G5r7k)ZGx+3yN8I#`8<9Iisk<#@s51e%ok@`7}eQhWiR
z8OgA#_{TqNJzl4q0<vm{n;4=in|uicAyr8BuWW^+*iRO{bX33Rp1j@Zxh3!P`DO7Q
z+!E3Yc#b|@j^ExqwPMDxZOu(y8vVNXWr&@T?^>gyL8<fkkaSAzt-6k7n~A&86U~+1
z9xF+X$Jq(pp0X5QS*our*;AJ6D@y@osi3UO$F~owEGbZy98nfmqAb%>mJG^jP0AoG
zPTPvFzI7_H@Xg!maE*NyYsk3Eo{CJ|J1~8}MR)3fi0&|5;*&Ws+-HrfSZXBkt2<$j
zQ{LBe7WeU-J$)#m6<wM`X-+N?16i&D2OJ6c#OoxU@s_(JDiu_88vf5)HxyM@R|gB#
zlbzzpF7Z8(-EM$C$S$IyP<BcvJKNw@hyoNMJGM2wbrD*<u`AWB7RBf7Iu^ILbg%Ql
z-XiRomxc|x7kGg|4GHARj;cjd@T#XvM<-%Gd5)*c`-jlw4litYr$m>a&m9bV-g3NW
z^HCKu+S;1wHrE-+)VTDQh;5_kmjq3}<lgK?1JPs)@$DCvWLi>NS({~#%FVh4Evevb
zN0N=ghHKDWajMzE=4SLV8&6ECFL;vGe97v*WED@ciZ59WB&&mDd+OdBR<d#+StXP#
zFO^8v@Fc5H$-+MAp_1&m2O`;f0+)JUVFcUplq6t453NR&5jA3lqE$Ll-o7j^;&-hX
ztV!*KHH^I&JQmRkLmM(!lyt32nqU({XcaX%lSK0SM)c?T3ccn9P%5}*1GnC6JWd4~
zQCcWaH590$C{Tl_7VYB7K^u;TVE-VjIov9M3Qs!E)8?a|HjCTRP_kST4c$w&rQvz%
z%G-tx>EU;>Elu@`$8K4Oa{2SOILTzibz}Fi!<yA`@z-Lbm38{|W-HFNkpyZrN|xkH
ziLeJM_O@+Jj9{yYN#8nkSH%c)NL239UrFYlxaZ}{WaTb(Zi=0fd+J#9dj4mZf09a6
zHO}8%S@;yA+NuPzZc%?aw__n%9lvPNv@!URE;oTrTY6trp`#z2f?`XTjLm(25prTn
zuNarxvj}y>mi(qV*SwfqwASPnEJn}7&e=3R*LpUZ7(3_JwYhJcjn0gn6R*o%e>OTk
zS*e}BqMkX5xZqM*7d%3pfIn(*rBM>0NAQ*(Ov9Nc>+#3iPn<%1#vx8G8Q9o6HR-}X
z&V7(L6C}#6$F=sn=3!sch@Zj2E2{_mSMC`Y@fG6wyVUj1`>y{aJf&;S1)hM1uP=g-
zvQdCo7?N(7e{%AnF#G%6K$)7y5<j46Lxy+5CWb~mw`UuIBYzZf*%2YP-%Th_y+{ip
z)bgBjI5e00d>d-Yng`<}jB+YNM<Rf8H5sX229rsShcw~^&V)*De|7&4h(u#HEwX&d
zo(B<#ljfZ{fgAxjK0r?+aYH5yvZLI>(`e8|zU>tA#}I!V@ENGS+_#sZ+AM)MSSt!~
zDCyZEC@I9Dq<L8=>DeME>DeME0pbi3W0?AvQ&9FX^`Alci$12I_9=!L$1n{J+>h&I
z8nP^u@cc)QG0e;zOv5eL!#$LL>13E$3{%(ex9i{n{_w4npdk#?@X_*q<L_gsU5uEy
zsC5dm7Otggf-8ClvLIgU4v$5a#ES=WJTj~}JPJu%R&rvsW?9{QrZ8?ZYO2UT_d+I}
zOrxf|5i^mn_k;ssZ$M%FaHnw0eGqMYrYZNyHUtEIX72P7*_O}Q>iArDD*o;lX`JjD
z4_TWd=stpO$jv|u`2R-t2uJxyR$Q^+us1mtPELYn*Mb>^I2g{tAL^rgdc@9zj(9LY
z8!{xnm*u(9TANWCo3bZv17mXn?4FL|uo@h*1=`R44h4Mt#EH3i^@xKr4lluphmRr~
dZE*VvH~5HqWJHWGD1zf_f~<)m35p<V@n7?}Ukm^M

delta 3721
zcmc(iYiu0V8HVROdtcwym&8lf*VxzzY}~o*&dw|;auOs+W#TAR9C1m=nVB=einHrD
zHUcRMTPli#T7flcPgRhBf@B)05ZAO5(w1I+04*gn2(>7&Qm9b#r=ks&+CNRxGnd_&
z6q+a!RriO_&d%<cbI$X=-}k!qL8?|uJh>iWadCKb4Hom}44K#OCv#;%!75)YN$F+$
zOq+GNZRlFxS-ISw9H)Oj2ko?P6~^h@Ds)=QliQPNj^hqSj&k&Zgv>-d7JUr3HT1+Q
z&`0n5J@hs4DgFM1%E2)S3pV@^UIp5kgP}};$9#Tf`T?>NA0S7{gl@^f6!7#9IvPL)
ziJr>AnN~gg6^Xum7QT#BgI?SYgI&rC;7(kY*hJb)RX<qPtz%O|^y6MgN`&Y074qPG
z*~rhj4-oTn)#`kiD7^C$6iHC>^V5e&Sty7i)(eViEl+oL@%abH+>z;O#hrG(s+V=q
z;-|B8T`xS-0YbAs0WTUwxtWycxqf)6HB#faO?R+^V6Qu}EBt64?3E?xPkf=iMA2WO
z9GX9bLoSMHLDbk9CU?+F_dyeVGY1)ZF$Y`du3JzS`~3E9=cK<I`8tP^z;S;X=eXVP
zv+?Kjt^F|4%dXMzS?8LAKd)mW$2I@6XXEgOjlJ0(tM%|i{I2LX0S(*x1yI3$QiH!m
zDgO@`iKRYhc?;P`d(pX6G?wem(DrvBo5o7w5S|?qv1(@!ya7nX*5pz@8&+nQB9S(%
zMA$u!i=Jq&MY+xf@N|<}2d-idIJ`{Ta<IO=s4^%4a)Ec4?`AW)&~GS642<$(ovNz(
zM@HzG9E^ZW2Y47*Cl?%kMcoMa2}Bo(QKUi-bgsq00kat#fC7;uYsdMu&JNCh|0aY>
zR{EvBLD^M;BLulF1i>t*x}oP6Dho%5LGL*WJ+c~}5W5p%jpVDkzA%d``a@-2a#SJf
z&aw(}L13zob-LOQ6LjZ~LF;f}aN}ImSj$F^iyi;nGQJd{wVy$9RP(o33N2a-Oo~-g
z!;&1RqR;eypyp>tr7YwbqOyohHa=L^d3xqm=pHM%OA$(JDfNvpg-fbj3_ZnkccMvR
z-NUh5T;Qz5_qx-V_~gwxdE${LF8LNr7<rTJM2l<!t9HDfPB5P%m0S<)s6(6nBnR(Y
z&E(C>N<$9BftSLDyI11v_2yCoV&G;$HVM&uh@QQj&Aaj_kkA<r_Y8E2{}fH{2*Vz~
z(}6kJGR}NH<#L4iwafU{sK+tD(x@J)8E_;e#?c6Iq^}z&Lr<S&?*3#ugx&qP=k5#a
zK_Pe3i#&A4Trbm>4`C9XxA%SsB*DCkev0g;J3a4qjriWxe1f`15L9c&(g3I{)um{p
z8EcH6&iEZ}-(x*|e89oiv?g$^*6^=>Jw$!~{-^;g@b6zv!Vo>Cqd2{hhuq+Qw{YEg
zzwLpZVO0;Y3alK0C7ATJ9DL8Z=X?sOx|P|zF(qQ`nZeq*t$RHwIj(f8eZvcascJGW
zg&$SC;!(P14cQDm$uoJ$tvv;-I3{;XzbgyeiFn`SFZw3`n3+6}JaHJlXTycWxI!GP
zn0ex`E>)XY&-1%k*y9@S>;AgiT5yQ0PkIf_a7>?O?IgA*zLkRw^di8Tj==YxdNkfq
z&jDy_t>8msY@uRQC#na=B<rt_>}PIwYQm682ArGa#?8DwNANtEsy9*9bc;r(S2QA`
z#&cYJF!GIXM(Ax;Nkeny^=R(@R7EyjyNU#L%XD;^{*NMk^Hqwp*L{Lq;uS74;K)jg
z!;uy5Pbt((H&-uQU(GJ#Z4s;XL~=BcTBB|;ku*Z0qKH`5yj0>ylNL6!vbA?J+CqP@
z*$X93{LAd=+{W3h&q6kCzc+=-=@@sg<8^QXp`I=<-tAp)pim}cyv;gq%zL~)pHLX?
z7oX3$7q5Np|BD=2_^cdigmH_XokgD*^lB7quL{S3)35e%9LuNCZArIpMfcj!3J=5b
ztQL1QAo%6R2n2?OKm)4AG(bEJL<R=Z_AhRQUWB@ya$8Lb7yVXaw;_0wr9|1w3bLOS
zimcbjOahlXc17t+uRx){SVynQjd!KSJH?U1NW@+}2{S<1-!$EI3bOQHC!x!0A&;Gc
zThh!O;nW8TediPmBGXTrvT<e76y2l=Dm|~G!7MMZo}jp?%{webcCx(eWchkQccQeD
z+P>y>``FvrmBnK>LOst1;WRik_F2O@rfK4m8S40%`ab{yi@+?p$@DoJHdDm5#ftI7
zy<WC|)a(8q)x7S{Ms&lsIqswJ#&zU{@389{7cY8aa^KzVeYBM=n0=l;>|EEl=66>&
z3_009*E3{g7QYm4i~SnV25bLf*?NBQZae-*n2RSEn0(9o$lixxG#*XgmblISVimTg
zQRfBwD-XeQ$=FRxF_fj1U%_ts=p*n+0u7z9XCH@0Q|NTUzIPOLG)FUg@=JEhvv4V8
czjhb=GDd&%GJFe7+((TQaKsjO!s+V20W!8>WB>pF

diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
index 992e0d2..6aefd06 100644
--- a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Configurations/SecurityConfiguration.java
@@ -63,6 +63,10 @@ public class SecurityConfiguration {
                         .requestMatchers(HttpMethod.DELETE, "/api/**").hasRole("ADMIN")
                         .requestMatchers(HttpMethod.PUT, "/api/**").hasRole("ADMIN")
                         .requestMatchers(HttpMethod.POST, "/api/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/api/customer/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/api/store/addStore/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/customer/**").hasRole("ADMIN")
+                        .requestMatchers(HttpMethod.GET, "/store/addToStore/**").hasRole("ADMIN")
                         .requestMatchers("/api/**").authenticated()
                         .requestMatchers(HttpMethod.POST, UserController.URL_LOGIN).permitAll()
                         .requestMatchers(HttpMethod.GET, "/img/**").permitAll())
diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
index a1c9c23..30ef893 100644
--- a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Controllers/CustomerController.java
@@ -1,10 +1,14 @@
 package com.example.ipLab.StoreDataBase.Controllers;
 
 import com.example.ipLab.StoreDataBase.DTO.CustomerDTO;
+import com.example.ipLab.StoreDataBase.Exceptions.ForbiddenException;
+import com.example.ipLab.StoreDataBase.Model.CustomUser;
 import com.example.ipLab.StoreDataBase.Model.Customer;
+import com.example.ipLab.StoreDataBase.Model.UserRole;
 import com.example.ipLab.StoreDataBase.Service.CustomerService;
 import com.example.ipLab.WebConfiguration;
 import jakarta.validation.Valid;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.*;
 
 import java.util.List;
@@ -24,7 +28,7 @@ public class CustomerController {
     }
 
     @GetMapping
-    public List<CustomerDTO> getCustomers(){
+    public List<CustomerDTO> getCustomers(@AuthenticationPrincipal CustomUser user){
         return  customerService.getAllCustomers().stream()
                 .map(CustomerDTO::new)
                 .toList();
diff --git a/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java
new file mode 100644
index 0000000..580c4b2
--- /dev/null
+++ b/backend/ipLab/src/main/java/com/example/ipLab/StoreDataBase/Exceptions/ForbiddenException.java
@@ -0,0 +1,8 @@
+package com.example.ipLab.StoreDataBase.Exceptions;
+
+import org.springframework.http.HttpStatus;
+import org.springframework.web.bind.annotation.ResponseStatus;
+
+@ResponseStatus(HttpStatus.FORBIDDEN)
+public class ForbiddenException extends RuntimeException {
+}
diff --git a/backend/ipLab/src/main/resources/templates/customer.html b/backend/ipLab/src/main/resources/templates/customer.html
index 352bbed..f69045e 100644
--- a/backend/ipLab/src/main/resources/templates/customer.html
+++ b/backend/ipLab/src/main/resources/templates/customer.html
@@ -5,52 +5,60 @@
 <head>
 </head>
 <body>
-<div sec:authorize="hasRole('ROLE_ADMIN')" layout:fragment="content">
-    <div>
-        <a class="btn btn-success button-fixed"
-           th:href="@{/customer/edit/}">
-            <i class="fa-solid fa-plus"></i> Добавить
-        </a>
+<div layout:fragment="content">
+    <div sec:authorize="hasRole('ROLE_ADMIN')">
+        <div>
+            <a class="btn btn-success button-fixed"
+               th:href="@{/customer/edit/}">
+                <i class="fa-solid fa-plus"></i> Добавить
+            </a>
+        </div>
+        <div class="table-responsive">
+            <table class="table table-success table-hover">
+                <thead>
+                <tr>
+                    <th scope="col">#</th>
+                    <th scope="col">ID</th>
+                    <th scope="col">Фамилия</th>
+                    <th scope="col">Имя</th>
+                    <th scope="col">Отчество</th>
+                    <th scope="col"></th>
+                </tr>
+                </thead>
+                <tbody>
+                <tr th:each="customer, iterator: ${customers}">
+                    <th scope="row" th:text="${iterator.index} + 1"/>
+                    <td th:text="${customer.Id}"/>
+                    <td th:text="${customer.lastName}"/>
+                    <td th:text="${customer.firstName}"/>
+                    <td th:text="${customer.middleName}"/>
+                    <td style="width: 10%">
+                        <div class="btn-group" role="group" aria-label="Basic example">
+                            <a class="btn btn-warning button-fixed button-sm"
+                               th:href="@{/customer/edit/{id}(id=${customer.id})}">
+                                <i class="fa fa-pencil" aria-hidden="true"></i> Изменить
+                            </a>
+                            <button type="button" class="btn btn-danger button-fixed button-sm"
+                                    th:attr="onclick=|confirm('Удалить запись?') && document.getElementById('remove-${customer.id}').click()|">
+                                <i class="fa fa-trash" aria-hidden="true"></i> Удалить
+                            </button>
+                        </div>
+                        <form th:action="@{/customer/delete/{id}(id=${customer.id})}" method="post">
+                            <button th:id="'remove-' + ${customer.id}" type="submit" style="display: none">
+                                Удалить
+                            </button>
+                        </form>
+                    </td>
+                </tr>
+                </tbody>
+            </table>
+        </div>
     </div>
-    <div class="table-responsive">
-        <table class="table table-success table-hover">
-            <thead>
-            <tr>
-                <th scope="col">#</th>
-                <th scope="col">ID</th>
-                <th scope="col">Фамилия</th>
-                <th scope="col">Имя</th>
-                <th scope="col">Отчество</th>
-                <th scope="col"></th>
-            </tr>
-            </thead>
-            <tbody>
-            <tr th:each="customer, iterator: ${customers}">
-                <th scope="row" th:text="${iterator.index} + 1"/>
-                <td th:text="${customer.Id}"/>
-                <td th:text="${customer.lastName}"/>
-                <td th:text="${customer.firstName}"/>
-                <td th:text="${customer.middleName}"/>
-                <td style="width: 10%">
-                    <div class="btn-group" role="group" aria-label="Basic example">
-                        <a class="btn btn-warning button-fixed button-sm"
-                           th:href="@{/customer/edit/{id}(id=${customer.id})}">
-                            <i class="fa fa-pencil" aria-hidden="true"></i> Изменить
-                        </a>
-                        <button type="button" class="btn btn-danger button-fixed button-sm"
-                                th:attr="onclick=|confirm('Удалить запись?') && document.getElementById('remove-${customer.id}').click()|">
-                            <i class="fa fa-trash" aria-hidden="true"></i> Удалить
-                        </button>
-                    </div>
-                    <form th:action="@{/customer/delete/{id}(id=${customer.id})}" method="post">
-                        <button th:id="'remove-' + ${customer.id}" type="submit" style="display: none">
-                            Удалить
-                        </button>
-                    </form>
-                </td>
-            </tr>
-            </tbody>
-        </table>
+    <div sec:authorize="hasRole('ROLE_USER')">
+        <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+        </div>
     </div>
 </div>
 </body>
diff --git a/frontend/src/App.jsx b/frontend/src/App.jsx
index fc8eb73..106c6ba 100644
--- a/frontend/src/App.jsx
+++ b/frontend/src/App.jsx
@@ -8,6 +8,7 @@ import OrderPage from './components/pages/orderPage';
 import AddToStorePage from './components/pages/addToStorePage';
 import LoginPage from './components/pages/loginPage';
 import Logout from './components/pages/logout';
+import ForbiddenPage from './components/pages/forbiddenPage'
 import './styleSite.css';
 
 function Router(props) {
@@ -18,10 +19,12 @@ export default function App() {
   const routes = [
     { index: true, element: <StorePage/> },
     localStorage.getItem("role") === "ADMIN" && { path: 'customer', element: <CustomerPage/>, label:'Покупатели'},
+    localStorage.getItem("role") !== "ADMIN" && { path: 'customer', element: <ForbiddenPage/>},
     { path: 'store', element: <StorePage/>, label: 'Магазины' },
     { path: 'product', element: <ProductPage/>, label: 'Товары' },
     { path: 'order', element: <OrderPage/>, label: 'Заказы'},
     localStorage.getItem("role") === "ADMIN" && { path: 'addToStore', element: <AddToStorePage/>, label: 'Доставка'},
+    localStorage.getItem("role") !== "ADMIN" && { path: 'addToStore', element: <ForbiddenPage/>},
     { path: '/login', element: <LoginPage/>},
     { path: '/logout', element: <Logout/>}
   ];
diff --git a/frontend/src/components/pages/customerPage.jsx b/frontend/src/components/pages/customerPage.jsx
index 3d5885f..d819984 100644
--- a/frontend/src/components/pages/customerPage.jsx
+++ b/frontend/src/components/pages/customerPage.jsx
@@ -28,7 +28,7 @@ function CustomerPage(){
     }
     return(
         <article className="h-100 mt-0 mb-0 d-flex flex-column justify-content-between">
-        <CustomerTable headers={catalogCustomerHeaders} 
+        {localStorage.getItem("role") === "ADMIN" && <CustomerTable headers={catalogCustomerHeaders} 
             getAllUrl={url}
             url={url}
             getUrl={getUrl}
@@ -48,7 +48,12 @@ function CustomerPage(){
             <label className="form-label" forhtml="middleName">Отчество</label>
             <input className="form-control" type="text" id="middleName" value={data.middleName} onChange={handleFormChange} required="required"/>
           </div>
-        </CustomerTable>
+        </CustomerTable>}
+        {localStorage.getItem("role") !== "ADMIN" && 
+          <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+          </div>}
       </article>
     )
 }
diff --git a/frontend/src/components/pages/forbiddenPage.jsx b/frontend/src/components/pages/forbiddenPage.jsx
new file mode 100644
index 0000000..01982a7
--- /dev/null
+++ b/frontend/src/components/pages/forbiddenPage.jsx
@@ -0,0 +1,8 @@
+export default function ForbiddenPage(){
+    return(
+        <div>
+            <h2>Forbidden</h2>
+            <a href="/">На главную</a>
+        </div>
+    )
+}
\ No newline at end of file