Refactor profile authorization logic into service layer #273
Description
Currently, profile authorization logic (checkProfileAuthorization) is in UserController as a private method. This should be extracted into a ProfileAuthorizationService for:
-
Testability/Security: Authorization logic needs comprehensive unit tests covering:
- Client accessing own profile
- Client accessing another client's profile (should fail)
- Worker accessing same-org client (should succeed)
- Worker accessing different-org client (should fail)
- Missing users, null sessions, etc.
-
Reusability: Similar authorization patterns exist in:
- PdfController (pdfDownload, pdfDelete)
- FileController (file access)
- Could be reused across profile-related endpoints
-
Consistency: Other authorization logic (AuthenticateUserService, LoginService) follows service pattern
-
Maintainability: Centralized authorization rules are easier to audit and modify
Current implementation works but makes testing difficult and violates separation of concerns.
Priority: Medium (not blocking, but improves code quality and testability)