feat(api): 카테고리 관리자 API에 RBAC 권한 체크 추가

docs(todo): 체크리스트 2.4 완료 표시
2025-10-13 07:01:33 +09:00
parent 0ecf29bdfe
commit e56c8c47ff
3 changed files with 12 additions and 2 deletions
--- a/src/app/api/admin/categories/[id]/route.ts
+++ b/src/app/api/admin/categories/[id]/route.ts
@@ -1,8 +1,12 @@
 import { NextResponse } from "next/server";
 import prisma from "@/lib/prisma";
+import { getUserIdFromRequest } from "@/lib/auth";
+import { requirePermission } from "@/lib/rbac";

 export async function PATCH(req: Request, context: { params: Promise<{ id: string }> }) {
  const { id } = await context.params;
+  const userId = getUserIdFromRequest(req);
+  await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
  const body = await req.json().catch(() => ({}));
  const data: any = {};
  for (const k of ["name", "slug", "sortOrder", "status"]) {
@@ -12,8 +16,10 @@ export async function PATCH(req: Request, context: { params: Promise<{ id: strin
  return NextResponse.json({ category });
 }

-export async function DELETE(_: Request, context: { params: Promise<{ id: string }> }) {
+export async function DELETE(req: Request, context: { params: Promise<{ id: string }> }) {
  const { id } = await context.params;
+  const userId = getUserIdFromRequest(req);
+  await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
  await prisma.boardCategory.delete({ where: { id } });
  return NextResponse.json({ ok: true });
 }
--- a/src/app/api/admin/categories/route.ts
+++ b/src/app/api/admin/categories/route.ts
@@ -1,6 +1,8 @@
 import { NextResponse } from "next/server";
 import prisma from "@/lib/prisma";
 import { z } from "zod";
+import { getUserIdFromRequest } from "@/lib/auth";
+import { requirePermission } from "@/lib/rbac";

 export async function GET() {
  const categories = await prisma.boardCategory.findMany({
@@ -17,6 +19,8 @@ const createSchema = z.object({
 });

 export async function POST(req: Request) {
+  const userId = getUserIdFromRequest(req);
+  await requirePermission({ userId, resource: "ADMIN", action: "MODERATE" });
  const body = await req.json().catch(() => ({}));
  const parsed = createSchema.safeParse(body);
  if (!parsed.success) return NextResponse.json({ error: parsed.error.flatten() }, { status: 400 });