diff --git a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/exception/GlobalExceptionHandler.java b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/exception/GlobalExceptionHandler.java
index daa88858..a888d311 100644
--- a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/exception/GlobalExceptionHandler.java
+++ b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/exception/GlobalExceptionHandler.java
@@ -27,7 +27,10 @@
 import com.nowait.domaincorerdb.menu.exception.MenuViewUnauthorizedException;
 import com.nowait.domaincorerdb.order.exception.DuplicateOrderException;
 import com.nowait.domaincorerdb.order.exception.OrderItemsEmptyException;
+import com.nowait.domaincorerdb.order.exception.OrderNotFoundException;
 import com.nowait.domaincorerdb.order.exception.OrderParameterEmptyException;
+import com.nowait.domaincorerdb.order.exception.OrderUpdateUnauthorizedException;
+import com.nowait.domaincorerdb.order.exception.OrderViewUnauthorizedException;
 import com.nowait.domaincorerdb.reservation.exception.ReservationNotFoundException;
 import com.nowait.domaincorerdb.token.exception.BusinessException;
 import com.nowait.domaincorerdb.user.exception.UserNotFoundException;
@@ -125,6 +128,27 @@ public ErrorResponse duplicateOrderException(DuplicateOrderException e) {
 return new ErrorResponse(e.getMessage(), ErrorMessage.DUPLICATE_ORDER.getCode());
 }
+ @ResponseStatus(value = FORBIDDEN)
+ @ExceptionHandler(OrderViewUnauthorizedException.class)
+ public ErrorResponse orderViewUnauthorizedException(OrderViewUnauthorizedException e) {
+ log.error("orderViewUnauthorizedException", e);
+ return new ErrorResponse(e.getMessage(), ORDER_VIEW_UNAUTHORIZED.getCode());
+ }
+
+ @ResponseStatus(value = NOT_FOUND)
+ @ExceptionHandler(OrderNotFoundException.class)
+ public ErrorResponse orderNotFoundException(OrderNotFoundException e) {
+ log.error("orderNotFoundException", e);
+ return new ErrorResponse(e.getMessage(), ORDER_NOT_FOUND.getCode());
+ }
+
+ @ResponseStatus(value = FORBIDDEN)
+ @ExceptionHandler(OrderUpdateUnauthorizedException.class)
+ public ErrorResponse orderUpdateUnauthorizedException(OrderUpdateUnauthorizedException e) {
+ log.error("orderUpdateUnauthorizedException", e);
+ return new ErrorResponse(e.getMessage(), ORDER_UPDATE_UNAUTHORIZED.getCode());
+ }
+
 @ResponseStatus(value = NOT_FOUND)
 @ExceptionHandler(ReservationNotFoundException.class)
 public ErrorResponse reservationNotFoundException(ReservationNotFoundException e) {
diff --git a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/controller/OrderController.java b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/controller/OrderController.java
index dfc03619..6c2b845d 100644
--- a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/controller/OrderController.java
+++ b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/controller/OrderController.java
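Review bot: The three new handlers log an expected client outcome — an authorization denial or an unknown order id — at ERROR with a full stack trace (`log.error("orderViewUnauthorizedException", e);` and the two lines like it), so routine 403/404 responses become indistinguishable from server faults in error-level alerting. A denial is worth keeping as an audit event but does not need the trace; `log.warn("orderViewUnauthorizedException: {}", e.getMessage());` (and the same for orderUpdateUnauthorizedException) keeps the signal, and orderNotFoundException can drop to WARN or INFO. Whether the surrounding handlers in this file also log at ERROR cannot be seen here — only the tail of duplicateOrderException is inside the hunk — so align with them if they do.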
@@ -4,6 +4,7 @@
 import org.springframework.http.HttpStatus;
 import org.springframework.http.ResponseEntity;
+import org.springframework.security.core.annotation.AuthenticationPrincipal;
 import org.springframework.web.bind.annotation.GetMapping;
 import org.springframework.web.bind.annotation.PatchMapping;
 import org.springframework.web.bind.annotation.PathVariable;
@@ -16,6 +17,7 @@
 import com.nowait.applicationadmin.order.dto.OrderStatusUpdateResponseDto;
 import com.nowait.applicationadmin.order.service.OrderService;
 import com.nowait.common.api.ApiUtils;
+import com.nowait.domaincorerdb.user.entity.MemberDetails;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.responses.ApiResponse;
@@ -34,8 +36,9 @@ public class OrderController {
 @GetMapping("/{storeId}")
 @Operation(summary = "주점별 주문리스트 조회", description = "특정 주점에 대한 예약리스트 조회")
 @ApiResponse(responseCode = "200", description = "주리스트 조회")
- public ResponseEntity getOrderListByStoreId(@PathVariable Long storeId) {
- List response = orderService.findAllOrders(storeId);
+ public ResponseEntity getOrderListByStoreId(@PathVariable Long storeId,
+ @AuthenticationPrincipal MemberDetails memberDetails) {
+ List response = orderService.findAllOrders(storeId,memberDetails);
 return ResponseEntity
 .status(HttpStatus.OK)
 .body(
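Review bot: `memberDetails` is passed straight through in `orderService.findAllOrders(storeId,memberDetails)`, where the OrderService hunk of this commit dereferences it with `memberDetails.getId()`; `@AuthenticationPrincipal` resolves to null when no authenticated principal reaches the controller, so unless the security configuration (not visible here) already rejects anonymous requests to this path, a missing login surfaces as a 500 instead of a 401/403 — the same applies to the `memberDetails` parameter added to updateOrderStatus in the next hunk. The Swagger contract still lists only the 200 case although the service now throws OrderViewUnauthorizedException, mapped to 403 by the handler hunk; add `@ApiResponse(responseCode = "403", description = "주문 조회 권한 없음")` next to the existing annotation. Minor style: the new call is missing a space after the comma. The method body continues past the end of the hunk.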
@@ -51,9 +54,11 @@ public ResponseEntity getOrderListByStoreId(@PathVariable Long storeId) {
 @ApiResponse(responseCode = "400", description = "주문을 찾을 수 없음")
 public ResponseEntity updateOrderStatus(
 @PathVariable Long orderId,
- @RequestBody@Valid OrderStatusUpdateRequestDto requestDto
+ @RequestBody@Valid OrderStatusUpdateRequestDto requestDto,
+ @AuthenticationPrincipal MemberDetails memberDetails
 ) {
- OrderStatusUpdateResponseDto response = orderService.updateOrderStatus(orderId, requestDto.getOrderStatus());
+ OrderStatusUpdateResponseDto response = orderService.updateOrderStatus(
+ orderId,requestDto.getOrderStatus(),memberDetails);
 return ResponseEntity
 .status(HttpStatus.OK)
 .body(ApiUtils.success(response));
diff --git a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/service/OrderService.java b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/service/OrderService.java
index 41418531..beea5508 100644
--- a/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/service/OrderService.java
+++ b/nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/service/OrderService.java
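Review bot: The first context line of the hunk, `@ApiResponse(responseCode = "400", description = "주문을 찾을 수 없음")`, now documents the wrong status: updateOrderStatus throws OrderNotFoundException for a missing order and the GlobalExceptionHandler hunk in this same commit maps it to NOT_FOUND, so the entry should read `@ApiResponse(responseCode = "404", description = "주문을 찾을 수 없음")`, with a further 403 entry for OrderUpdateUnauthorizedException. Whether the old IllegalArgumentException really produced a 400 cannot be confirmed from here, but the new mapping is explicit, so the annotation is stale either way. The method's preceding annotations start before the hunk.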
@@ -8,9 +8,17 @@
 import com.nowait.applicationadmin.order.dto.OrderResponseDto;
 import com.nowait.applicationadmin.order.dto.OrderStatusUpdateResponseDto;
+import com.nowait.common.enums.Role;
 import com.nowait.domaincorerdb.order.entity.OrderStatus;
 import com.nowait.domaincorerdb.order.entity.UserOrder;
+import com.nowait.domaincorerdb.order.exception.OrderNotFoundException;
+import com.nowait.domaincorerdb.order.exception.OrderUpdateUnauthorizedException;
+import com.nowait.domaincorerdb.order.exception.OrderViewUnauthorizedException;
 import com.nowait.domaincorerdb.order.repository.OrderRepository;
+import com.nowait.domaincorerdb.user.entity.MemberDetails;
+import com.nowait.domaincorerdb.user.entity.User;
+import com.nowait.domaincorerdb.user.exception.UserNotFoundException;
+import com.nowait.domaincorerdb.user.repository.UserRepository;
 import lombok.RequiredArgsConstructor;
@@ -18,18 +26,28 @@
 @RequiredArgsConstructor
 public class OrderService {
 private final OrderRepository orderRepository;
+ private final UserRepository userRepository;
 @Transactional(readOnly = true)
- public List findAllOrders(Long storeId) {
+ public List findAllOrders(Long storeId, MemberDetails memberDetails) {
+ User user = userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
+ if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(storeId)) {
+ throw new OrderViewUnauthorizedException();
+ }
 return orderRepository.findAllByStore_StoreId(storeId).stream()
 .map(OrderResponseDto::fromEntity)
 .collect(Collectors.toList());
 }
 @Transactional
- public OrderStatusUpdateResponseDto updateOrderStatus(Long orderId, OrderStatus newStatus) {
+ public OrderStatusUpdateResponseDto updateOrderStatus(Long orderId, OrderStatus newStatus,
+ MemberDetails memberDetails) {
+ User user = userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
 UserOrder userOrder = orderRepository.findById(orderId)
- .orElseThrow(() -> new IllegalArgumentException("Order not found with id: " + orderId));
+ .orElseThrow(OrderNotFoundException::new);
+ if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(userOrder.getStore().getStoreId())) {
+ throw new OrderUpdateUnauthorizedException();
+ }
 userOrder.updateStatus(newStatus);
 return OrderStatusUpdateResponseDto.fromEntity(userOrder);
 }
diff --git a/nowait-common/src/main/java/com/nowait/common/exception/ErrorMessage.java b/nowait-common/src/main/java/com/nowait/common/exception/ErrorMessage.java
index dab1e0b9..538800de 100644
--- a/nowait-common/src/main/java/com/nowait/common/exception/ErrorMessage.java
+++ b/nowait-common/src/main/java/com/nowait/common/exception/ErrorMessage.java
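Review bot: The new ownership check `!user.getStoreId().equals(storeId)` throws NullPointerException — a 500 rather than a 403 — for any non-SUPER_ADMIN user whose store id is null (an admin with no store assigned, or any other role that can authenticate here), and the same expression is repeated in updateOrderStatus against `userOrder.getStore().getStoreId()`. Putting the non-null side on the left and moving the rule into one private helper keeps both methods fail-closed and gives the policy ("SUPER_ADMIN, or the admin of this store") a single home; whether further roles should be excluded cannot be judged from the hunk because Role is not visible. Note also that updateOrderStatus must load the order before it can check ownership, so an admin of another store can tell whether an order id exists (404 vs 403); if order-id enumeration matters, both outcomes can be reported as 404. The hunk holds both method bodies in full, but the class continues past it.
```java
    @Transactional(readOnly = true)
    public List findAllOrders(Long storeId, MemberDetails memberDetails) {
        User user = userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
        if (!canAccessStore(user, storeId)) {
            throw new OrderViewUnauthorizedException();
        }
        // … unchanged: repository query and DTO mapping …
    }

    // … unchanged: updateOrderStatus signature, user lookup and order lookup …
        if (!canAccessStore(user, userOrder.getStore().getStoreId())) {
            throw new OrderUpdateUnauthorizedException();
        }
        // … unchanged: status update and response …

    /**
     * Authorization rule shared by the order endpoints: SUPER_ADMIN may act on any
     * store, every other role only on the store it belongs to. A null store id on
     * either side never matches, so the check fails closed instead of throwing.
     */
    private static boolean canAccessStore(User user, Long storeId) {
        return Role.SUPER_ADMIN.equals(user.getRole())
            || (storeId != null && storeId.equals(user.getStoreId()));
    }
```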
@@ -19,6 +19,9 @@ public enum ErrorMessage {
 ORDER_ITEMS_EMPTY("주문 항목이 없습니다.", "order002"),
 DUPLICATE_ORDER("동일한 주문이 접수되었습니다.", "order003"),
 DEPOSITOR_NAME_TOO_LONG("주문자명은 10자 이내 글자열입니다.", "order004"),
+ ORDER_VIEW_UNAUTHORIZED("주문 보기 권한이 없습니다.(슈퍼계정 or 주점 관리자만 가능)", "order005"),
+ ORDER_NOT_FOUND("해당 주문을 찾을 수 없습니다.", "order006"),
+ ORDER_UPDATE_UNAUTHORIZED("주문 수정 권한이 없습니다.(슈퍼계정 or 주점 관리자만 가능)", "order007"),
 //reservation
 NOTFOUND_RESERVATION("저장된 예약 정보가 없습니다.", "reservation001"),
diff --git a/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderNotFoundException.java b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderNotFoundException.java
new file mode 100644
index 00000000..935927bd
--- /dev/null
+++ b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderNotFoundException.java
@@ -0,0 +1,9 @@
+package com.nowait.domaincorerdb.order.exception;
+
+import com.nowait.common.exception.ErrorMessage;
+
+public class OrderNotFoundException extends RuntimeException {
+ public OrderNotFoundException() {
+ super(ErrorMessage.ORDER_NOT_FOUND.getMessage());
+ }
+}
diff --git a/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderUpdateUnauthorizedException.java b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderUpdateUnauthorizedException.java
new file mode 100644
index 00000000..9b9e8833
--- /dev/null
+++ b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderUpdateUnauthorizedException.java
@@ -0,0 +1,9 @@
+package com.nowait.domaincorerdb.order.exception;
+
+import com.nowait.common.exception.ErrorMessage;
+
+public class OrderUpdateUnauthorizedException extends RuntimeException {
+ public OrderUpdateUnauthorizedException() {
+ super(ErrorMessage.ORDER_UPDATE_UNAUTHORIZED.getMessage());
+ }
+}
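Review bot: The new OrderNotFoundException offers only a no-arg constructor, so the order id that the removed `IllegalArgumentException("Order not found with id: " + orderId)` carried is gone from both the handler's log line and the response, which makes a 404 from the PATCH endpoint hard to correlate with the request that caused it. Keep the no-arg constructor for compatibility and add an overload for OrderService to use: `public OrderNotFoundException(Long orderId) { super(ErrorMessage.ORDER_NOT_FOUND.getMessage() + " (orderId=" + orderId + ")"); }`. This applies to the OrderNotFoundException file on this line; the ErrorMessage and OrderUpdateUnauthorizedException hunks beside it raise nothing.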
diff --git a/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderViewUnauthorizedException.java b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderViewUnauthorizedException.java
new file mode 100644
index 00000000..b623d5fa
--- /dev/null
+++ b/nowait-domain/domain-core-rdb/src/main/java/com/nowait/domaincorerdb/order/exception/OrderViewUnauthorizedException.java
@@ -0,0 +1,9 @@
+package com.nowait.domaincorerdb.order.exception;
+
+import com.nowait.common.exception.ErrorMessage;
+
+public class OrderViewUnauthorizedException extends RuntimeException {
+ public OrderViewUnauthorizedException() {
+ super(ErrorMessage.ORDER_VIEW_UNAUTHORIZED.getMessage());
+ }
+}