diff --git a/public/erd.svg b/public/erd.svg index c0563d1..2404231 100644 --- a/public/erd.svg +++ b/public/erd.svg @@ -1 +1 @@ -

enum:status

enum:type

enum:readLevel

enum:writeLevel

category

enum:role

board

user

enum:status

board

author

enum:status

enum:authLevel

enum:resource

enum:action

role

user

role

post

author

post

tag

enum:type

post

enum:type

post

user

post

user

post

enum:targetType

reporter

post

comment

sender

receiver

blocker

blocked

enum:referenceType

user

enum:appliesTo

enum:type

user

enum:targetType

actor

enum:targetType

createdByUser

user

createdByUser

user

user

coupon

user

BoardStatus

active

active

hidden

hidden

archived

archived

BoardType

general

general

special

special

AccessLevel

public

public

member

member

moderator

moderator

admin

admin

PostStatus

published

published

hidden

hidden

deleted

deleted

AttachmentType

image

image

file

file

BoardModRole

MODERATOR

MODERATOR

MANAGER

MANAGER

UserStatus

active

active

suspended

suspended

withdrawn

withdrawn

AuthLevel

USER

USER

MOD

MOD

ADMIN

ADMIN

ReactionType

RECOMMEND

RECOMMEND

REPORT

REPORT

SanctionType

SUSPEND

SUSPEND

BAN

BAN

DOWNGRADE

DOWNGRADE

TargetType

POST

POST

COMMENT

COMMENT

USER

USER

BOARD

BOARD

SYSTEM

SYSTEM

Resource

BOARD

BOARD

POST

POST

COMMENT

COMMENT

USER

USER

ADMIN

ADMIN

Action

READ

READ

CREATE

CREATE

UPDATE

UPDATE

DELETE

DELETE

MODERATE

MODERATE

ADMINISTER

ADMINISTER

board_categories

String

id

🗝️

String

name

String

slug

Int

sortOrder

String

status

DateTime

createdAt

DateTime

updatedAt

boards

String

id

🗝️

String

name

String

slug

String

description

Int

sortOrder

BoardStatus

status

BoardType

type

Boolean

requiresApproval

Boolean

allowAnonymousPost

Boolean

allowSecretComment

Boolean

isAdultOnly

Json

requiredTags

Json

requiredFields

AccessLevel

readLevel

AccessLevel

writeLevel

DateTime

createdAt

DateTime

updatedAt

board_moderators

String

id

🗝️

BoardModRole

role

DateTime

createdAt

posts

String

id

🗝️

String

title

String

content

PostStatus

status

Boolean

isAnonymous

Boolean

isPinned

Int

pinnedOrder

DateTime

createdAt

DateTime

updatedAt

DateTime

lastActivityAt

users

String

userId

🗝️

String

nickname

String

passwordHash

String

name

DateTime

birth

String

phone

Int

rank

UserStatus

status

AuthLevel

authLevel

String

profileImage

DateTime

lastLoginAt

Boolean

isAdultVerified

Int

loginFailCount

DateTime

agreementTermsAt

DateTime

createdAt

DateTime

updatedAt

roles

String

roleId

🗝️

String

name

String

description

DateTime

createdAt

role_permissions

String

id

🗝️

Resource

resource

Action

action

Boolean

allowed

DateTime

createdAt

user_roles

String

id

🗝️

DateTime

createdAt

comments

String

id

🗝️

String

content

Boolean

isAnonymous

Boolean

isSecret

String

secretPasswordHash

DateTime

createdAt

DateTime

updatedAt

tags

String

tagId

🗝️

String

name

String

slug

DateTime

createdAt

post_tags

String

id

🗝️

attachments

String

id

🗝️

String

url

AttachmentType

type

Int

size

Int

width

Int

height

Int

sortOrder

DateTime

createdAt

reactions

String

id

🗝️

String

clientHash

ReactionType

type

DateTime

createdAt

post_view_logs

String

id

🗝️

String

ip

String

userAgent

DateTime

createdAt

post_stats

Int

views

Int

recommendCount

Int

reportCount

Int

commentsCount

reports

String

id

🗝️

TargetType

targetType

String

reason

String

status

DateTime

createdAt

messages

String

id

🗝️

String

body

DateTime

readAt

DateTime

createdAt

blocks

String

id

🗝️

DateTime

createdAt

point_transactions

String

id

🗝️

Int

amount

String

reason

TargetType

referenceType

String

referenceId

DateTime

createdAt

level_thresholds

String

id

🗝️

Int

level

Int

minPoints

banned_keywords

String

id

🗝️

String

pattern

TargetType

appliesTo

Int

severity

Boolean

active

DateTime

createdAt

sanctions

String

id

🗝️

SanctionType

type

String

reason

DateTime

startAt

DateTime

endAt

String

createdBy

audit_logs

String

id

🗝️

String

action

TargetType

targetType

String

targetId

Json

meta

DateTime

createdAt

admin_notifications

String

id

🗝️

String

type

String

message

TargetType

targetType

String

targetId

DateTime

createdAt

DateTime

readAt

login_sessions

String

id

🗝️

String

device

String

ip

String

userAgent

DateTime

createdAt

DateTime

lastSeenAt

ip_blocks

String

id

🗝️

String

ip

String

reason

Boolean

active

DateTime

createdAt

nickname_changes

String

id

🗝️

String

oldNickname

String

newNickname

DateTime

changedAt

password_reset_tokens

String

id

🗝️

String

token

DateTime

expiresAt

DateTime

usedAt

DateTime

createdAt

coupons

String

id

🗝️

String

code

String

title

String

description

Int

stock

Int

maxPerUser

DateTime

expiresAt

Boolean

active

DateTime

createdAt

coupon_redemptions

String

id

🗝️

DateTime

createdAt

partners

String

id

🗝️

String

name

String

category

Float

latitude

Float

longitude

String

address

DateTime

createdAt

DateTime

updatedAt

banners

String

id

🗝️

String

title

String

imageUrl

String

linkUrl

Boolean

active

Int

sortOrder

DateTime

startAt

DateTime

endAt

DateTime

createdAt

DateTime

updatedAt

partner_inquiries

String

id

🗝️

String

name

String

contact

String

category

String

message

String

status

DateTime

createdAt

DateTime

approvedAt

partner_requests

String

id

🗝️

String

name

String

category

Float

latitude

Float

longitude

String

address

String

contact

String

status

DateTime

createdAt

DateTime

approvedAt

 \ No newline at end of file +

enum:status

enum:type

enum:readLevel

enum:writeLevel

category

enum:role

board

user

enum:status

board

author

enum:status

enum:authLevel

enum:resource

enum:action

role

user

role

post

author

post

tag

enum:type

post

enum:type

post

user

post

user

post

enum:targetType

reporter

post

comment

sender

receiver

blocker

blocked

enum:referenceType

user

enum:appliesTo

enum:type

user

enum:targetType

actor

enum:targetType

createdByUser

user

createdByUser

user

user

coupon

user

BoardStatus

active

active

hidden

hidden

archived

archived

BoardType

general

general

special

special

AccessLevel

public

public

member

member

moderator

moderator

admin

admin

PostStatus

published

published

hidden

hidden

deleted

deleted

AttachmentType

image

image

file

file

BoardModRole

MODERATOR

MODERATOR

MANAGER

MANAGER

UserStatus

active

active

suspended

suspended

withdrawn

withdrawn

AuthLevel

USER

USER

MOD

MOD

ADMIN

ADMIN

ReactionType

RECOMMEND

RECOMMEND

REPORT

REPORT

SanctionType

SUSPEND

SUSPEND

BAN

BAN

DOWNGRADE

DOWNGRADE

TargetType

POST

POST

COMMENT

COMMENT

USER

USER

BOARD

BOARD

SYSTEM

SYSTEM

Resource

BOARD

BOARD

POST

POST

COMMENT

COMMENT

USER

USER

ADMIN

ADMIN

Action

READ

READ

CREATE

CREATE

UPDATE

UPDATE

DELETE

DELETE

MODERATE

MODERATE

ADMINISTER

ADMINISTER

board_categories

String

id

🗝️

String

name

String

slug

Int

sortOrder

String

status

DateTime

createdAt

DateTime

updatedAt

boards

String

id

🗝️

String

name

String

slug

String

description

Int

sortOrder

BoardStatus

status

BoardType

type

Boolean

requiresApproval

Boolean

allowAnonymousPost

Boolean

allowSecretComment

Boolean

isAdultOnly

Json

requiredTags

Json

requiredFields

AccessLevel

readLevel

AccessLevel

writeLevel

DateTime

createdAt

DateTime

updatedAt

board_moderators

String

id

🗝️

BoardModRole

role

DateTime

createdAt

posts

String

id

🗝️

String

title

String

content

PostStatus

status

Boolean

isAnonymous

Boolean

isPinned

Int

pinnedOrder

DateTime

createdAt

DateTime

updatedAt

DateTime

lastActivityAt

users

String

userId

🗝️

String

nickname

String

passwordHash

String

name

DateTime

birth

String

phone

Int

rank

UserStatus

status

AuthLevel

authLevel

String

profileImage

DateTime

lastLoginAt

Boolean

isAdultVerified

Int

loginFailCount

DateTime

agreementTermsAt

DateTime

createdAt

DateTime

updatedAt

roles

String

roleId

🗝️

String

name

String

description

DateTime

createdAt

role_permissions

String

id

🗝️

Resource

resource

Action

action

Boolean

allowed

DateTime

createdAt

user_roles

String

id

🗝️

DateTime

createdAt

comments

String

id

🗝️

String

content

Boolean

isAnonymous

Boolean

isSecret

String

secretPasswordHash

DateTime

createdAt

DateTime

updatedAt

tags

String

tagId

🗝️

String

name

String

slug

DateTime

createdAt

post_tags

String

id

🗝️

attachments

String

id

🗝️

String

url

AttachmentType

type

Int

size

Int

width

Int

height

Int

sortOrder

DateTime

createdAt

reactions

String

id

🗝️

String

clientHash

ReactionType

type

DateTime

createdAt

post_view_logs

String

id

🗝️

String

ip

String

userAgent

DateTime

createdAt

post_stats

Int

views

Int

recommendCount

Int

reportCount

Int

commentsCount

reports

String

id

🗝️

TargetType

targetType

String

reason

String

status

DateTime

createdAt

messages

String

id

🗝️

String

body

DateTime

readAt

DateTime

createdAt

blocks

String

id

🗝️

DateTime

createdAt

point_transactions

String

id

🗝️

Int

amount

String

reason

TargetType

referenceType

String

referenceId

DateTime

createdAt

level_thresholds

String

id

🗝️

Int

level

Int

minPoints

banned_keywords

String

id

🗝️

String

pattern

TargetType

appliesTo

Int

severity

Boolean

active

DateTime

createdAt

sanctions

String

id

🗝️

SanctionType

type

String

reason

DateTime

startAt

DateTime

endAt

String

createdBy

audit_logs

String

id

🗝️

String

action

TargetType

targetType

String

targetId

Json

meta

DateTime

createdAt

admin_notifications

String

id

🗝️

String

type

String

message

TargetType

targetType

String

targetId

DateTime

createdAt

DateTime

readAt

login_sessions

String

id

🗝️

String

device

String

ip

String

userAgent

DateTime

createdAt

DateTime

lastSeenAt

ip_blocks

String

id

🗝️

String

ip

String

reason

Boolean

active

DateTime

createdAt

nickname_changes

String

id

🗝️

String

oldNickname

String

newNickname

DateTime

changedAt

password_reset_tokens

String

id

🗝️

String

token

DateTime

expiresAt

DateTime

usedAt

DateTime

createdAt

coupons

String

id

🗝️

String

code

String

title

String

description

Int

stock

Int

maxPerUser

DateTime

expiresAt

Boolean

active

DateTime

createdAt

coupon_redemptions

String

id

🗝️

DateTime

createdAt

partners

String

id

🗝️

String

name

String

category

Float

latitude

Float

longitude

String

address

DateTime

createdAt

DateTime

updatedAt

banners

String

id

🗝️

String

title

String

imageUrl

String

linkUrl

Boolean

active

Int

sortOrder

DateTime

startAt

DateTime

endAt

DateTime

createdAt

DateTime

updatedAt

partner_inquiries

String

id

🗝️

String

name

String

contact

String

category

String

message

String

status

DateTime

createdAt

DateTime

approvedAt

partner_requests

String

id

🗝️

String

name

String

category

Float

latitude

Float

longitude

String

address

String

contact

String

status

DateTime

createdAt

DateTime

approvedAt

 \ No newline at end of file diff --git a/src/app/api/admin/categories/[id]/route.ts b/src/app/api/admin/categories/[id]/route.ts index 515ae88..8324408 100644 --- a/src/app/api/admin/categories/[id]/route.ts +++ b/src/app/api/admin/categories/[id]/route.ts @@ -6,7 +6,11 @@ import { requirePermission } from "@/lib/rbac"; export async function PATCH(req: Request, context: { params: Promise<{ id: string }> }) { const { id } = await context.params; const userId = getUserIdFromRequest(req); - await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + try { + await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + } catch (e) { + return NextResponse.json({ error: "Forbidden" }, { status: 403 }); + } const body = await req.json().catch(() => ({})); const data: any = {}; for (const k of ["name", "slug", "sortOrder", "status"]) { @@ -19,7 +23,11 @@ export async function PATCH(req: Request, context: { params: Promise<{ id: strin export async function DELETE(req: Request, context: { params: Promise<{ id: string }> }) { const { id } = await context.params; const userId = getUserIdFromRequest(req); - await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + try { + await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + } catch (e) { + return NextResponse.json({ error: "Forbidden" }, { status: 403 }); + } await prisma.boardCategory.delete({ where: { id } }); return NextResponse.json({ ok: true }); } diff --git a/src/app/api/admin/categories/route.ts b/src/app/api/admin/categories/route.ts index 16cbff4..94fb774 100644 --- a/src/app/api/admin/categories/route.ts +++ b/src/app/api/admin/categories/route.ts @@ -20,7 +20,11 @@ const createSchema = z.object({ export async function POST(req: Request) { const userId = getUserIdFromRequest(req); - await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + try { + await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" }); + } catch (e) { + return NextResponse.json({ error: "Forbidden" }, { status: 403 }); + } const body = await req.json().catch(() => ({})); const parsed = createSchema.safeParse(body); if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 }); diff --git a/src/app/api/posts/[id]/route.ts b/src/app/api/posts/[id]/route.ts index a2fbc77..6085d36 100644 --- a/src/app/api/posts/[id]/route.ts +++ b/src/app/api/posts/[id]/route.ts @@ -24,7 +24,11 @@ const updateSchema = z.object({ export async function PATCH(req: Request, context: { params: Promise<{ id: string }> }) { const { id } = await context.params; const userId = getUserIdFromRequest(req); - await requirePermission({ userId, resource: "POST", action: "UPDATE" }); + try { + await requirePermission({ userId, resource: "POST", action: "UPDATE" }); + } catch (e) { + return NextResponse.json({ error: "Forbidden" }, { status: 403 }); + } const body = await req.json(); const parsed = updateSchema.safeParse(body); if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 }); @@ -35,7 +39,11 @@ export async function PATCH(req: Request, context: { params: Promise<{ id: strin export async function DELETE(req: Request, context: { params: Promise<{ id: string }> }) { const { id } = await context.params; const userId = getUserIdFromRequest(req); - await requirePermission({ userId, resource: "POST", action: "DELETE" }); + try { + await requirePermission({ userId, resource: "POST", action: "DELETE" }); + } catch (e) { + return NextResponse.json({ error: "Forbidden" }, { status: 403 }); + } const post = await prisma.post.update({ where: { id }, data: { status: "deleted" } }); return NextResponse.json({ post }); }