motaju/msgapp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(api): 카테고리 관리자 API에 RBAC 권한 체크 추가

Browse Source 
docs(todo): 체크리스트 2.4 완료 표시
This commit is contained in:
mota
2025-10-13 07:01:33 +09:00
parent 0ecf29bdfe
commit e56c8c47ff
3 changed files with 12 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
.cursor/.prompt/게시판 대분류작업.md
View File

@@ -15,7 +15,7 @@ API
- [x] 2.1 Admin: 카테고리 CRUD 엔드포인트 추가(`src/app/api/admin/categories/route.ts`)
- [x] 2.2 Admin: 게시판 생성/수정 요청에 `categoryId` 허용(`src/app/api/admin/boards/...`)
- [x] 2.3 Public: 게시판 목록 조회에 `category` 포함 및 `?category` 필터 지원(`src/app/api/boards/route.ts`)
- [ ] 2.4 RBAC 검토: `ADMIN` 또는 `BOARD` 권한으로 카테고리 관리 허용
- [x] 2.4 RBAC 검토: `ADMIN` 또는 `BOARD` 권한으로 카테고리 관리 허용
프론트엔드
- [ ] 3.1 Admin 보드 관리 화면에 카테고리 선택(Select) 추가(`src/app/admin/boards/page.tsx`)

8
src/app/api/admin/categories/[id]/route.ts
View File

@@ -1,8 +1,12 @@
import { NextResponse } from "next/server";
import prisma from "@/lib/prisma";
import { getUserIdFromRequest } from "@/lib/auth";
import { requirePermission } from "@/lib/rbac";
export async function PATCH(req: Request, context: { params: Promise<{ id: string }> }) {
const { id } = await context.params;
const userId = getUserIdFromRequest(req);
await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
const body = await req.json().catch(() => ({}));
const data: any = {};
for (const k of ["name", "slug", "sortOrder", "status"]) {
@@ -12,8 +16,10 @@ export async function PATCH(req: Request, context: { params: Promise<{ id: strin
return NextResponse.json({ category });
}
export async function DELETE(_: Request, context: { params: Promise<{ id: string }> }) {
export async function DELETE(req: Request, context: { params: Promise<{ id: string }> }) {
const { id } = await context.params;
const userId = getUserIdFromRequest(req);
await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
await prisma.boardCategory.delete({ where: { id } });
return NextResponse.json({ ok: true });
}

4
src/app/api/admin/categories/route.ts
View File

@@ -1,6 +1,8 @@
import { NextResponse } from "next/server";
import prisma from "@/lib/prisma";
import { z } from "zod";
import { getUserIdFromRequest } from "@/lib/auth";
import { requirePermission } from "@/lib/rbac";
export async function GET() {
const categories = await prisma.boardCategory.findMany({
@@ -17,6 +19,8 @@ const createSchema = z.object({
});
export async function POST(req: Request) {
const userId = getUserIdFromRequest(req);
await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
const body = await req.json().catch(() => ({}));
const parsed = createSchema.safeParse(body);
if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });