Original file line number Diff line number Diff line change
Expand Up @@ -27,7 +27,10 @@
import com.nowait.domaincorerdb.menu.exception.MenuViewUnauthorizedException;
import com.nowait.domaincorerdb.order.exception.DuplicateOrderException;
import com.nowait.domaincorerdb.order.exception.OrderItemsEmptyException;
import com.nowait.domaincorerdb.order.exception.OrderNotFoundException;
import com.nowait.domaincorerdb.order.exception.OrderParameterEmptyException;
import com.nowait.domaincorerdb.order.exception.OrderUpdateUnauthorizedException;
import com.nowait.domaincorerdb.order.exception.OrderViewUnauthorizedException;
import com.nowait.domaincorerdb.reservation.exception.ReservationNotFoundException;
import com.nowait.domaincorerdb.token.exception.BusinessException;
import com.nowait.domaincorerdb.user.exception.UserNotFoundException;
Expand Down Expand Up @@ -125,6 +128,27 @@ public ErrorResponse duplicateOrderException(DuplicateOrderException e) {
return new ErrorResponse(e.getMessage(), ErrorMessage.DUPLICATE_ORDER.getCode());
}

@ResponseStatus(value = FORBIDDEN)
@ExceptionHandler(OrderViewUnauthorizedException.class)
public ErrorResponse orderViewUnauthorizedException(OrderViewUnauthorizedException e) {
log.error("orderViewUnauthorizedException", e);
return new ErrorResponse(e.getMessage(), ORDER_VIEW_UNAUTHORIZED.getCode());
}

@ResponseStatus(value = NOT_FOUND)
@ExceptionHandler(OrderNotFoundException.class)
public ErrorResponse orderNotFoundException(OrderNotFoundException e) {
log.error("orderNotFoundException", e);
return new ErrorResponse(e.getMessage(), ORDER_NOT_FOUND.getCode());
}

@ResponseStatus(value = FORBIDDEN)
@ExceptionHandler(OrderUpdateUnauthorizedException.class)
public ErrorResponse orderUpdateUnauthorizedException(OrderUpdateUnauthorizedException e) {
log.error("orderUpdateUnauthorizedException", e);
return new ErrorResponse(e.getMessage(), ORDER_UPDATE_UNAUTHORIZED.getCode());
}

@ResponseStatus(value = NOT_FOUND)
@ExceptionHandler(ReservationNotFoundException.class)
public ErrorResponse reservationNotFoundException(ReservationNotFoundException e) {
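Review bot: The three new handlers log expected client outcomes (403 and 404) at ERROR with a full stack trace — `log.error("orderViewUnauthorizedException", e)` and the two like it — which buries genuine failures and lets ordinary client errors flood the error log; `log.warn("orderViewUnauthorizedException: {}", e.getMessage())` is enough for these. The error codes are also referenced inconsistently: `ORDER_VIEW_UNAUTHORIZED.getCode()` unqualified on the added lines next to `ErrorMessage.DUPLICATE_ORDER.getCode()` on the retained line above, presumably via a static import added outside the hunk; one form for the whole class would read better. The enclosing handler class continues outside the hunk.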
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@

import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.security.core.annotation.AuthenticationPrincipal;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PatchMapping;
import org.springframework.web.bind.annotation.PathVariable;
Expand All @@ -16,6 +17,7 @@
import com.nowait.applicationadmin.order.dto.OrderStatusUpdateResponseDto;
import com.nowait.applicationadmin.order.service.OrderService;
import com.nowait.common.api.ApiUtils;
import com.nowait.domaincorerdb.user.entity.MemberDetails;

import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
Expand All @@ -34,8 +36,9 @@ public class OrderController {
@GetMapping("/{storeId}")
@Operation(summary = "주점별 주문리스트 조회", description = "특정 주점에 대한 예약리스트 조회")
@ApiResponse(responseCode = "200", description = "주리스트 조회")
public ResponseEntity<?> getOrderListByStoreId(@PathVariable Long storeId) {
List<OrderResponseDto> response = orderService.findAllOrders(storeId);
public ResponseEntity<?> getOrderListByStoreId(@PathVariable Long storeId,
@AuthenticationPrincipal MemberDetails memberDetails) {
List<OrderResponseDto> response = orderService.findAllOrders(storeId,memberDetails);
return ResponseEntity
.status(HttpStatus.OK)
.body(
Expand All @@ -51,9 +54,11 @@ public ResponseEntity<?> getOrderListByStoreId(@PathVariable Long storeId) {
@ApiResponse(responseCode = "400", description = "주문을 찾을 수 없음")
public ResponseEntity<?> updateOrderStatus(
@PathVariable Long orderId,
@RequestBody@Valid OrderStatusUpdateRequestDto requestDto
@RequestBody@Valid OrderStatusUpdateRequestDto requestDto,
@AuthenticationPrincipal MemberDetails memberDetails
) {
OrderStatusUpdateResponseDto response = orderService.updateOrderStatus(orderId, requestDto.getOrderStatus());
OrderStatusUpdateResponseDto response = orderService.updateOrderStatus(
orderId,requestDto.getOrderStatus(),memberDetails);
return ResponseEntity
.status(HttpStatus.OK)
.body(ApiUtils.success(response));
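Review bot: The Swagger metadata on updateOrderStatus still documents the not-found case as `@ApiResponse(responseCode = "400", description = "주문을 찾을 수 없음")`, but this PR maps OrderNotFoundException to 404 in the exception handler, and neither endpoint documents the new 403 from the authorization check; change it to `@ApiResponse(responseCode = "404", description = "주문을 찾을 수 없음")` and add a `@ApiResponse(responseCode = "403", ...)` on both methods. `@AuthenticationPrincipal MemberDetails memberDetails` is null when a request reaches these endpoints without an authenticated principal; unless the security configuration (not visible here) already requires authentication on this path, `memberDetails.getId()` in the service fails with a NullPointerException and surfaces as 500 rather than 401, so either a null check or a note on the method stating that the path is protected is warranted. Minor: `orderService.findAllOrders(storeId,memberDetails)` and the call in the second hunk lack spaces after the commas. Both method bodies continue outside their hunks.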
Original file line number Diff line number Diff line change
Expand Up @@ -8,28 +8,46 @@

import com.nowait.applicationadmin.order.dto.OrderResponseDto;
import com.nowait.applicationadmin.order.dto.OrderStatusUpdateResponseDto;
import com.nowait.common.enums.Role;
import com.nowait.domaincorerdb.order.entity.OrderStatus;
import com.nowait.domaincorerdb.order.entity.UserOrder;
import com.nowait.domaincorerdb.order.exception.OrderNotFoundException;
import com.nowait.domaincorerdb.order.exception.OrderUpdateUnauthorizedException;
import com.nowait.domaincorerdb.order.exception.OrderViewUnauthorizedException;
import com.nowait.domaincorerdb.order.repository.OrderRepository;
import com.nowait.domaincorerdb.user.entity.MemberDetails;
import com.nowait.domaincorerdb.user.entity.User;
import com.nowait.domaincorerdb.user.exception.UserNotFoundException;
import com.nowait.domaincorerdb.user.repository.UserRepository;

import lombok.RequiredArgsConstructor;

@Service
@RequiredArgsConstructor
public class OrderService {
private final OrderRepository orderRepository;
private final UserRepository userRepository;

@Transactional(readOnly = true)
public List<OrderResponseDto> findAllOrders(Long storeId) {
public List<OrderResponseDto> findAllOrders(Long storeId, MemberDetails memberDetails) {
User user = userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(storeId)) {
throw new OrderViewUnauthorizedException();
}
Comment on lines +33 to +36
🛠️ Refactor suggestion

중복된 권한 검증 로직 추출 제안

권한 검증 로직이 두 메서드에서 중복되고 있습니다. 별도의 메서드로 추출하여 재사용성을 높이고 유지보수성을 개선하세요.

다음과 같이 권한 검증 메서드를 추가하세요:

private void validateUserAuthorization(MemberDetails memberDetails, Long storeId) {
    User user = userRepository.findById(memberDetails.getId())
        .orElseThrow(UserNotFoundException::new);
    if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(storeId)) {
        throw new OrderViewUnauthorizedException();
    }
}

그리고 기존 메서드들을 다음과 같이 수정하세요:

 public List<OrderResponseDto> findAllOrders(Long storeId, MemberDetails memberDetails) {
-    User user =  userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
-    if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(storeId)) {
-        throw new OrderViewUnauthorizedException();
-    }
+    validateUserAuthorization(memberDetails, storeId);
     return orderRepository.findAllByStore_StoreId(storeId).stream()
         .map(OrderResponseDto::fromEntity)
         .collect(Collectors.toList());
 }

Also applies to: 45-50

🤖 Prompt for AI Agents
In
nowait-app-admin-api/src/main/java/com/nowait/applicationadmin/order/service/OrderService.java
around lines 33-36 and 45-50, the user authorization check logic is duplicated.
Extract this logic into a private method named validateUserAuthorization that
takes MemberDetails and storeId as parameters, performs the user retrieval and
role/storeId check, and throws exceptions as needed. Then replace the duplicated
code in both locations by calls to this new method to improve reusability and
maintainability.

return orderRepository.findAllByStore_StoreId(storeId).stream()
.map(OrderResponseDto::fromEntity)
.collect(Collectors.toList());
}

@Transactional
public OrderStatusUpdateResponseDto updateOrderStatus(Long orderId, OrderStatus newStatus) {
public OrderStatusUpdateResponseDto updateOrderStatus(Long orderId, OrderStatus newStatus,
MemberDetails memberDetails) {
User user = userRepository.findById(memberDetails.getId()).orElseThrow(UserNotFoundException::new);
UserOrder userOrder = orderRepository.findById(orderId)
.orElseThrow(() -> new IllegalArgumentException("Order not found with id: " + orderId));
.orElseThrow(OrderNotFoundException::new);
if (!Role.SUPER_ADMIN.equals(user.getRole()) && !user.getStoreId().equals(userOrder.getStore().getStoreId())) {
throw new OrderUpdateUnauthorizedException();
}
userOrder.updateStatus(newStatus);
return OrderStatusUpdateResponseDto.fromEntity(userOrder);
}
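Review bot: The authorization checks in findAllOrders and updateOrderStatus compare with `user.getStoreId().equals(...)`, so a non-super-admin whose storeId is null (if the entity allows that) fails with a NullPointerException instead of the intended OrderViewUnauthorizedException / OrderUpdateUnauthorizedException; `!Objects.equals(user.getStoreId(), storeId)` keeps the check failing closed and reads the same. In updateOrderStatus the order is loaded before the store check, so a caller outside the store can tell whether an orderId exists (404) or merely belongs to another store (403); if that distinction is not intended, answer both cases with the same status, otherwise document the choice on the method. A short Javadoc on both methods stating that they require SUPER_ADMIN or the store's own account would also help readers of the controller. The class continues outside the hunk.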
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,9 @@ public enum ErrorMessage {
ORDER_ITEMS_EMPTY("주문 항목이 없습니다.", "order002"),
DUPLICATE_ORDER("동일한 주문이 접수되었습니다.", "order003"),
DEPOSITOR_NAME_TOO_LONG("주문자명은 10자 이내 글자열입니다.", "order004"),
ORDER_VIEW_UNAUTHORIZED("주문 보기 권한이 없습니다.(슈퍼계정 or 주점 관리자만 가능)", "order005"),
ORDER_NOT_FOUND("해당 주문을 찾을 수 없습니다.", "order006"),
ORDER_UPDATE_UNAUTHORIZED("주문 수정 권한이 없습니다.(슈퍼계정 or 주점 관리자만 가능)", "order007"),

//reservation
NOTFOUND_RESERVATION("저장된 예약 정보가 없습니다.", "reservation001"),
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.nowait.domaincorerdb.order.exception;

import com.nowait.common.exception.ErrorMessage;

public class OrderNotFoundException extends RuntimeException {
public OrderNotFoundException() {
super(ErrorMessage.ORDER_NOT_FOUND.getMessage());
}
}
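Review bot: OrderNotFoundException extends RuntimeException directly, as do OrderUpdateUnauthorizedException and OrderViewUnauthorizedException in the next two files, while the handler file in this PR imports a project BusinessException; if that is the project's base type for domain errors, extending it would let any common handling apply to these as well (its constructor shape is not visible here, so this is a question rather than a fix). The no-arg constructors also carry no context, so `log.error("orderNotFoundException", e)` in the handler cannot say which order was missing; an overload such as `public OrderNotFoundException(Long orderId) { super(ErrorMessage.ORDER_NOT_FOUND.getMessage() + " id=" + orderId); }` would help, and since the handler echoes getMessage() to the client it only repeats an id the client supplied.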
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.nowait.domaincorerdb.order.exception;

import com.nowait.common.exception.ErrorMessage;

public class OrderUpdateUnauthorizedException extends RuntimeException {
public OrderUpdateUnauthorizedException() {
super(ErrorMessage.ORDER_UPDATE_UNAUTHORIZED.getMessage());
}
}
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
package com.nowait.domaincorerdb.order.exception;

import com.nowait.common.exception.ErrorMessage;

public class OrderViewUnauthorizedException extends RuntimeException {
public OrderViewUnauthorizedException() {
super(ErrorMessage.ORDER_VIEW_UNAUTHORIZED.getMessage());
}
}