feat: 어드민 멤버 생성 권한 추가 (#375)

mash-up-kr · Jul 29, 2023 · 6603549 · 6603549
1 parent d0c9647
commit 6603549
Show file tree

Hide file tree

Showing 3 changed files with 26 additions and 22 deletions.
diff --git a/mashup-admin/src/main/java/kr/mashup/branding/config/security/SecurityConfig.java b/mashup-admin/src/main/java/kr/mashup/branding/config/security/SecurityConfig.java
@@ -1,13 +1,18 @@
 package kr.mashup.branding.config.security;
 
-import java.util.Arrays;
-import java.util.stream.Collectors;
-
+import com.fasterxml.jackson.databind.ObjectMapper;
+import kr.mashup.branding.config.jwt.JwtService;
+import kr.mashup.branding.domain.ResultCode;
+import kr.mashup.branding.domain.adminmember.entity.Position;
+import kr.mashup.branding.service.adminmember.AdminMemberService;
+import kr.mashup.branding.ui.ApiResponse;
+import lombok.RequiredArgsConstructor;
 import org.springframework.context.annotation.Bean;
 import org.springframework.context.annotation.Configuration;
 import org.springframework.http.HttpStatus;
 import org.springframework.http.MediaType;
 import org.springframework.security.authentication.ProviderManager;
+import org.springframework.security.config.annotation.method.configuration.EnableMethodSecurity;
 import org.springframework.security.config.annotation.web.builders.HttpSecurity;
 import org.springframework.security.config.annotation.web.builders.WebSecurity;
 import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
@@ -17,17 +22,12 @@
 import org.springframework.web.cors.CorsConfigurationSource;
 import org.springframework.web.cors.UrlBasedCorsConfigurationSource;
 
-import com.fasterxml.jackson.databind.ObjectMapper;
-
-import kr.mashup.branding.config.jwt.JwtService;
-import kr.mashup.branding.domain.ResultCode;
-import kr.mashup.branding.service.adminmember.AdminMemberService;
-import kr.mashup.branding.domain.adminmember.entity.Position;
-import kr.mashup.branding.ui.ApiResponse;
-import lombok.RequiredArgsConstructor;
+import java.util.Arrays;
+import java.util.stream.Collectors;
 
 @RequiredArgsConstructor
 @Configuration
+@EnableMethodSecurity
 public class SecurityConfig extends WebSecurityConfigurerAdapter {
     public static final String[] AUTHORITY_NAMES = Arrays.stream(Position.values()).map(Enum::name)
         .collect(Collectors.toList()).toArray(new String[Position.values().length]);
@@ -111,4 +111,4 @@ public CorsConfigurationSource corsConfigurationSource() {
         source.registerCorsConfiguration("/**", configuration);
         return source;
     }
-}
+}
diff --git a/mashup-admin/src/main/java/kr/mashup/branding/ui/AdminControllerAdvice.java b/mashup-admin/src/main/java/kr/mashup/branding/ui/AdminControllerAdvice.java
@@ -1,8 +1,10 @@
 package kr.mashup.branding.ui;
 
-import java.security.Principal;
-
+import kr.mashup.branding.domain.ResultCode;
+import kr.mashup.branding.domain.exception.*;
+import lombok.extern.slf4j.Slf4j;
 import org.springframework.http.HttpStatus;
+import org.springframework.security.access.AccessDeniedException;
 import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
 import org.springframework.web.HttpMediaTypeException;
 import org.springframework.web.bind.MethodArgumentNotValidException;
@@ -12,14 +14,7 @@
 import org.springframework.web.bind.annotation.RestControllerAdvice;
 import org.springframework.web.method.annotation.MethodArgumentTypeMismatchException;
 
-import kr.mashup.branding.domain.ResultCode;
-import kr.mashup.branding.domain.exception.BadRequestException;
-import kr.mashup.branding.domain.exception.ForbiddenException;
-import kr.mashup.branding.domain.exception.InternalServerErrorException;
-import kr.mashup.branding.domain.exception.NotFoundException;
-import kr.mashup.branding.domain.exception.ServiceUnavailableException;
-import kr.mashup.branding.domain.exception.UnauthorizedException;
-import lombok.extern.slf4j.Slf4j;
+import java.security.Principal;
 
 @Slf4j
 @RestControllerAdvice
@@ -107,6 +102,13 @@ public ApiResponse<?> handleIllegalArgumentException(Exception e) {
         return ApiResponse.failure(ResultCode.BAD_REQUEST, e.getMessage());
     }
 
+    @ExceptionHandler(AccessDeniedException.class)
+    @ResponseStatus(HttpStatus.FORBIDDEN)
+    public ApiResponse<?> handleAccessDeniedException(AccessDeniedException e) {
+        log.error("handleAccessDeniedException", e);
+        return ApiResponse.failure(ResultCode.FORBIDDEN);
+    }
+
     @ExceptionHandler(Exception.class)
     @ResponseStatus(HttpStatus.INTERNAL_SERVER_ERROR)
     public ApiResponse<?> handleException(Exception e) {

diff --git a/mashup-admin/src/main/java/kr/mashup/branding/ui/adminmember/AdminMemberController.java b/mashup-admin/src/main/java/kr/mashup/branding/ui/adminmember/AdminMemberController.java
@@ -8,6 +8,7 @@
 import kr.mashup.branding.ui.adminmember.vo.AdminMemberResponse;
 import kr.mashup.branding.ui.adminmember.vo.LoginRequest;
 import kr.mashup.branding.ui.adminmember.vo.LoginResponse;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.*;
 
 import kr.mashup.branding.facade.adminmember.AdminMemberFacadeService;
@@ -88,6 +89,7 @@ public ApiResponse<List<AdminMemberResponse>> readAdminMembers() {
 
     /** 어드민 멤버 생성 */
     @ApiOperation("어드민 멤버 생성")
+    @PreAuthorize("hasAnyAuthority('MASHUP_LEADER', 'MASHUP_SUBLEADER')")
     @PostMapping
     public ApiResponse<AdminMemberResponse> createAdminMember(@RequestBody AdminMemberSignUpCommand signUpCommand) {
         AdminMemberVo data = adminMemberFacadeService.createAdminMember(signUpCommand);