feat: 권한 검증이 필요한 곳에서 권한 검증을 수행한다 (#112)

* [#111] feat: About 권한 검증 추가

* [#111] feat: Category 권한 검증 추가

* [#111] feat: Blog, Post 권한 검증 추가

* [#111] feat: Comment 권한 검증 추가

* [#111] refactor: polishing

src/main/java/com/mallang/blog/application/AboutService.java

@@ -29,19 +29,20 @@ public Long write(WriteAboutCommand command) {
         Blog blog = blogRepository.getByNameAndOwner(command.blogName(), command.memberId());
         About about = command.toAbout(member, blog);
         about.write(aboutValidator);
-        return aboutRepository.save(about)
-                .getId();
+        return aboutRepository.save(about).getId();
     }
 
     public void update(UpdateAboutCommand command) {
-        About about = aboutRepository
-                .getByIdAndWriterAndBlog(command.aboutId(), command.memberId(), command.blogName());
+        About about = aboutRepository.getById(command.aboutId());
+        Member member = memberRepository.getById(command.memberId());
+        about.validateWriter(member);
         about.update(command.content());
     }
 
     public void delete(DeleteAboutCommand command) {
-        About about = aboutRepository
-                .getByIdAndWriterAndBlog(command.aboutId(), command.memberId(), command.blogName());
+        About about = aboutRepository.getById(command.aboutId());
+        Member member = memberRepository.getById(command.memberId());
+        about.validateWriter(member);
         aboutRepository.delete(about);
     }
 }

src/main/java/com/mallang/blog/application/command/DeleteAboutCommand.java

@@ -2,7 +2,6 @@
 
 public record DeleteAboutCommand(
         Long aboutId,
-        Long memberId,
-        String blogName
+        Long memberId
 ) {
 }

src/main/java/com/mallang/blog/application/command/UpdateAboutCommand.java

@@ -3,7 +3,6 @@
 public record UpdateAboutCommand(
         Long aboutId,
         Long memberId,
-        String blogName,
         String content
 ) {
 }

src/main/java/com/mallang/blog/domain/About.java

@@ -3,6 +3,7 @@
 import static jakarta.persistence.FetchType.LAZY;
 
 import com.mallang.auth.domain.Member;
+import com.mallang.blog.exception.NoAuthorityAboutException;
 import com.mallang.common.domain.CommonDomainModel;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
@@ -43,4 +44,10 @@ public void write(AboutValidator validator) {
     public void update(String content) {
         this.content = content;
     }
+
+    public void validateWriter(Member member) {
+        if (!writer.equals(member)) {
+            throw new NoAuthorityAboutException();
+        }
+    }
 }

src/main/java/com/mallang/blog/domain/AboutRepository.java

@@ -1,24 +1,13 @@
 package com.mallang.blog.domain;
 
 import com.mallang.blog.exception.NotFoundAboutException;
-import java.util.Optional;
 import org.springframework.data.jpa.repository.JpaRepository;
-import org.springframework.data.jpa.repository.Query;
-import org.springframework.data.repository.query.Param;
 
 public interface AboutRepository extends JpaRepository<About, Long> {
 
-    boolean existsByBlog(Blog blog);
-
-    default About getByIdAndWriterAndBlog(Long aboutId, Long memberId, String blogName) {
-        return findByIdAndWriterAndBlog(aboutId, memberId, blogName)
-                .orElseThrow(NotFoundAboutException::new);
+    default About getById(Long id) {
+        return findById(id).orElseThrow(NotFoundAboutException::new);
     }
 
-    @Query("SELECT a FROM About a WHERE a.id = :aboutId AND a.writer.id = :writerId AND a.blog.name.value = :blogName")
-    Optional<About> findByIdAndWriterAndBlog(
-            @Param("aboutId") Long aboutId,
-            @Param("writerId") Long writerId,
-            @Param("blogName") String blogName
-    );
+    boolean existsByBlog(Blog blog);
 }

src/main/java/com/mallang/blog/domain/Blog.java

@@ -4,6 +4,7 @@
 import static lombok.AccessLevel.PROTECTED;
 
 import com.mallang.auth.domain.Member;
+import com.mallang.blog.exception.NoAuthorityBlogException;
 import com.mallang.common.domain.CommonDomainModel;
 import jakarta.persistence.Column;
 import jakarta.persistence.Entity;
@@ -38,4 +39,10 @@ public void open(BlogValidator blogValidator) {
     public String getName() {
         return name.getValue();
     }
+
+    public void validateOwner(Member member) {
+        if (!owner.equals(member)) {
+            throw new NoAuthorityBlogException();
+        }
+    }
 }

src/main/java/com/mallang/blog/exception/IsNotBlogOwnerException.java → src/main/java/com/mallang/blog/exception/NoAuthorityAboutException.java

@@ -5,9 +5,9 @@
 import com.mallang.common.execption.ErrorCode;
 import com.mallang.common.execption.MallangLogException;
 
-public class IsNotBlogOwnerException extends MallangLogException {
+public class NoAuthorityAboutException extends MallangLogException {
 
-    public IsNotBlogOwnerException() {
-        super(new ErrorCode(FORBIDDEN, "블로그 주인이 아닙니다."));
+    public NoAuthorityAboutException() {
+        super(new ErrorCode(FORBIDDEN, "소개에 대한 권한이 없습니다."));
     }
 }

src/main/java/com/mallang/blog/exception/NoAuthorityBlogException.java

@@ -0,0 +1,13 @@
+package com.mallang.blog.exception;
+
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+
+import com.mallang.common.execption.ErrorCode;
+import com.mallang.common.execption.MallangLogException;
+
+public class NoAuthorityBlogException extends MallangLogException {
+
+    public NoAuthorityBlogException() {
+        super(new ErrorCode(FORBIDDEN, "블로그에 대한 권한이 없습니다."));
+    }
+}

src/main/java/com/mallang/blog/presentation/AboutController.java

@@ -2,7 +2,7 @@
 
 import com.mallang.auth.presentation.support.Auth;
 import com.mallang.blog.application.AboutService;
-import com.mallang.blog.presentation.request.DeleteAboutRequest;
+import com.mallang.blog.application.command.DeleteAboutCommand;
 import com.mallang.blog.presentation.request.UpdateAboutRequest;
 import com.mallang.blog.presentation.request.WriteAboutRequest;
 import com.mallang.blog.query.AboutQueryService;
@@ -50,10 +50,9 @@ public ResponseEntity<Void> update(
     @DeleteMapping("/{id}")
     public ResponseEntity<Void> delete(
             @PathVariable("id") Long aboutId,
-            @Auth Long memberId,
-            @RequestBody DeleteAboutRequest request
+            @Auth Long memberId
     ) {
-        aboutService.delete(request.toCommand(aboutId, memberId));
+        aboutService.delete(new DeleteAboutCommand(aboutId, memberId));
         return ResponseEntity.noContent().build();
     }
 

src/main/java/com/mallang/blog/presentation/request/UpdateAboutRequest.java

@@ -3,10 +3,9 @@
 import com.mallang.blog.application.command.UpdateAboutCommand;
 
 public record UpdateAboutRequest(
-        String blogName,
         String content
 ) {
     public UpdateAboutCommand toCommand(Long aboutId, Long memberId) {
-        return new UpdateAboutCommand(aboutId, memberId, blogName, content);
+        return new UpdateAboutCommand(aboutId, memberId, content);
     }
 }

src/main/java/com/mallang/category/application/CategoryService.java

@@ -27,21 +27,23 @@ public class CategoryService {
     public Long create(CreateCategoryCommand command) {
         Member member = memberRepository.getById(command.memberId());
         Blog blog = blogRepository.getByNameAndOwner(command.blogName(), command.memberId());
-        Category parentCategory = categoryRepository
-                .getParentByIdAndOwner(command.parentCategoryId(), command.memberId());
+        Category parentCategory = categoryRepository.getParentById(command.parentCategoryId());
         Category category = Category.create(command.name(), member, blog, parentCategory, categoryValidator);
         return categoryRepository.save(category).getId();
     }
 
     public void update(UpdateCategoryCommand command) {
-        Category category = categoryRepository.getByIdAndOwner(command.categoryId(), command.memberId());
-        Category parentCategory = categoryRepository
-                .getParentByIdAndOwner(command.parentCategoryId(), command.memberId());
+        Member member = memberRepository.getById(command.memberId());
+        Category category = categoryRepository.getById(command.categoryId());
+        category.validateOwner(member);
+        Category parentCategory = categoryRepository.getParentById(command.parentCategoryId());
         category.update(command.name(), parentCategory, categoryValidator);
     }
 
     public void delete(DeleteCategoryCommand command) {
-        Category category = categoryRepository.getByIdAndOwner(command.categoryId(), command.memberId());
+        Member member = memberRepository.getById(command.memberId());
+        Category category = categoryRepository.getById(command.categoryId());
+        category.validateOwner(member);
         category.delete();
         categoryRepository.delete(category);
     }

src/main/java/com/mallang/category/domain/Category.java

@@ -9,6 +9,7 @@
 import com.mallang.category.exception.CategoryHierarchyViolationException;
 import com.mallang.category.exception.ChildCategoryExistException;
 import com.mallang.category.exception.DuplicateCategoryNameException;
+import com.mallang.category.exception.NoAuthorityCategoryException;
 import com.mallang.common.domain.CommonDomainModel;
 import jakarta.annotation.Nullable;
 import jakarta.persistence.Entity;
@@ -72,17 +73,13 @@ public void delete() {
     }
 
     private void setParent(@Nullable Category parent, CategoryValidator validator) {
-        if (willBeRoot(parent)) {
+        if (parent == null) {
             beRoot(validator);
             return;
         }
         beChild(parent);
     }
 
-    private boolean willBeRoot(@Nullable Category parent) {
-        return parent == null;
-    }
-
     private void beRoot(CategoryValidator validator) {
         validator.validateDuplicateRootName(owner.getId(), name);
         unlinkFromParent();
@@ -96,10 +93,17 @@ private void unlinkFromParent() {
     }
 
     private void beChild(Category parent) {
+        parent.validateOwner(owner);
         validateHierarchy(parent);
         link(parent);
     }
 
+    public void validateOwner(Member member) {
+        if (!owner.equals(member)) {
+            throw new NoAuthorityCategoryException();
+        }
+    }
+
     private void validateHierarchy(Category parent) {
         if (this.equals(parent)) {
             throw new CategoryHierarchyViolationException();

src/main/java/com/mallang/category/domain/CategoryRepository.java

@@ -3,7 +3,6 @@
 import com.mallang.category.exception.NotFoundCategoryException;
 import jakarta.annotation.Nullable;
 import java.util.List;
-import java.util.Optional;
 import org.springframework.data.jpa.repository.JpaRepository;
 import org.springframework.data.jpa.repository.Query;
 import org.springframework.data.repository.query.Param;
@@ -15,22 +14,14 @@ default Category getById(Long id) {
         return findById(id).orElseThrow(NotFoundCategoryException::new);
     }
 
+    @Query("SELECT c FROM Category c WHERE c.owner.id = :memberId AND c.parent = null")
+    List<Category> findAllRootByMemberId(@Param("memberId") Long memberId);
+
     @Nullable
-    default Category getParentByIdAndOwner(@Nullable Long parentCategoryId, Long memberId) {
+    default Category getParentById(@Nullable Long parentCategoryId) {
         if (parentCategoryId == null) {
             return null;
         }
-        return getByIdAndOwner(parentCategoryId, memberId);
-    }
-
-    default Category getByIdAndOwner(Long id, Long ownerId) {
-        return findByIdAndOwnerId(id, ownerId)
-                .orElseThrow(() ->
-                        new NotFoundCategoryException("존재하지 않는 카테고리거나, 해당 사용자의 카테고리가 아닙니다."));
+        return getById(parentCategoryId);
     }
-
-    Optional<Category> findByIdAndOwnerId(Long id, Long ownerId);
-
-    @Query("SELECT c FROM Category c WHERE c.owner.id = :memberId AND c.parent = null")
-    List<Category> findAllRootByMemberId(@Param("memberId") Long memberId);
 }

src/main/java/com/mallang/category/exception/NoAuthorityCategoryException.java

@@ -0,0 +1,13 @@
+package com.mallang.category.exception;
+
+import static org.springframework.http.HttpStatus.FORBIDDEN;
+
+import com.mallang.common.execption.ErrorCode;
+import com.mallang.common.execption.MallangLogException;
+
+public class NoAuthorityCategoryException extends MallangLogException {
+
+    public NoAuthorityCategoryException() {
+        super(new ErrorCode(FORBIDDEN, "카테고리에 대한 권한이 없습니다."));
+    }
+}

src/main/java/com/mallang/comment/application/AuthCommentService.java

@@ -37,12 +37,14 @@ public Long write(WriteAuthCommentCommand command) {
     public void update(UpdateAuthCommentCommand command) {
         AuthComment comment = commentRepository.getAuthCommentById(command.commentId());
         Member writer = memberRepository.getById(command.memberId());
-        comment.update(writer, command.content(), command.secret(), command.postPassword());
+        comment.validateUpdate(writer, command.postPassword());
+        comment.update(command.content(), command.secret());
     }
 
     public void delete(DeleteAuthCommentCommand command) {
         AuthComment comment = commentRepository.getAuthCommentById(command.commentId());
         Member member = memberRepository.getById(command.memberId());
-        comment.delete(member, commentDeleteService, command.postPassword());
+        comment.validateDelete(member, command.postPassword());
+        comment.delete(commentDeleteService);
     }
 }

src/main/java/com/mallang/comment/application/UnAuthCommentService.java

@@ -35,14 +35,15 @@ public Long write(WriteUnAuthCommentCommand command) {
 
     public void update(UpdateUnAuthCommentCommand command) {
         UnAuthComment comment = commentRepository.getUnAuthCommentById(command.commentId());
-        comment.update(command.password(), command.content(), command.postPassword());
+        comment.validateUpdate(command.password(), command.postPassword());
+        comment.update(command.content());
     }
 
     public void delete(DeleteUnAuthCommentCommand command) {
         UnAuthComment comment = commentRepository.getUnAuthCommentById(command.commentId());
-        Member member = (command.memberId() == null)
-                ? null
+        Member member = (command.memberId() == null) ? null
                 : memberRepository.getById(command.memberId());
-        comment.delete(member, command.password(), commentDeleteService, command.postPassword());
+        comment.validateDelete(member, command.password(), command.postPassword());
+        comment.delete(commentDeleteService);
     }
 }