fix :: Resolve weekend meal issue #569
Overview: PATCH endpoint access for the ROLE_STU role has been expanded from the existing "/notification/**" pattern to also include the "/weekend-meal/period" path.
Changes
Estimated code review effort 🎯 1 (simple) | ⏱️ ~3 minutes
Actionable comments posted: 1
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge base: Disabled due to data retention organization setting
📒 Files selected for processing (1)
src/main/kotlin/dsm/pick2024/global/config/security/SecurityConfig.kt(1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Check Code Quality
| "/notification/**", | ||
| "/weekend-meal/period" |
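Review bot: The hunk shows only the two path entries of the ROLE_STU PATCH matcher list, not the ROLE_SCH rule that is supposed to cover "/weekend-meal/period", so the precedence between the two cannot be checked from the visible lines. Spring Security evaluates `antMatchers` rules in declaration order and the first match wins, so even if an admin rule for this path exists, it only takes effect if it is declared before this student list. Drop the entry from the ROLE_STU list, as the review comment below recommends, and make sure the ROLE_SCH rule for that path is declared ahead of any broader student rule.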
🧩 Analysis chain (Repository: DSM-PICK/PiCK_CORE_SERVER)
🏁 Script executed:
find . -type f -name "*.kt" | xargs rg -l "weekend.*meal" | grep -v node_modules | head -20
Length of output: 1913
🏁 Script executed:
rg -n --type=kotlin "weekend-meal/period" --no-heading -B 5 -A 5
Length of output: 2475
🏁 Script executed:
find . -type f -name "*Weekend*" -o -name "*Meal*" | grep -i kotlin
Length of output: 5936
🏁 Script executed:
cat -n src/main/kotlin/dsm/pick2024/domain/weekendmeal/presentation/WeekendMealController.kt
Length of output: 5360
🏁 Script executed:
rg -n --type=kotlin "@PatchMapping|@PostMapping|@GetMapping" src/main/kotlin/dsm/pick2024/domain/weekendmeal/presentation/WeekendMealController.kt -A 3
Length of output: 1953
🏁 Script executed:
cat -n src/main/kotlin/dsm/pick2024/domain/weekendmeal/presentation/dto/request/SettingWeekendMealPeriodRequest.kt
Length of output: 541
🏁 Script executed:
cat -n src/main/kotlin/dsm/pick2024/domain/weekendmeal/service/SettingWeekendMealPeriodService.kt | head -50
Length of output: 1803
Remove "/weekend-meal/period" from ROLE_STU PATCH permissions — this is an admin-only endpoint.
The endpoint modifies the weekend meal application period (start/end dates), which is a system-level setting for administrators. The service code at line 18 calls adminFacadeUseCase.currentAdmin(), confirming it expects an admin user. Granting ROLE_STU access violates authorization requirements and will cause runtime failures when students attempt to access it. This endpoint should remain restricted to ROLE_SCH only.
🤖 Prompt for AI Agents
In src/main/kotlin/dsm/pick2024/global/config/security/SecurityConfig.kt around
lines 129-130, remove the "/weekend-meal/period" entry from the PATCH
permissions granted to ROLE_STU so that students no longer have access; ensure
the path remains only in the admin/ROLE_SCH-only rules (or the admin antMatcher)
so that only administrators can PATCH this endpoint, and adjust the
corresponding authorizeRequests/antMatchers block accordingly.
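To make the recommended fix concrete, here is an added Kotlin example (not the project's actual SecurityConfig.kt, whose full structure is not visible on this page) showing the over-permissive matcher list next to the corrected one. It assumes the Spring Security 5 `authorizeRequests()`/`antMatchers()` builder API that the review comment refers to; the class name `ExampleSecurityConfig` and the `csrf().disable()` line are illustrative assumptions, and the only rules shown are the ones relevant to this PR.

```kotlin
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.http.HttpMethod
import org.springframework.security.config.annotation.web.builders.HttpSecurity
import org.springframework.security.web.SecurityFilterChain

// Illustrative config (assumption: not the project's own SecurityConfig.kt).
@Configuration
class ExampleSecurityConfig {

    @Bean
    fun filterChain(http: HttpSecurity): SecurityFilterChain {
        http
            .csrf().disable()
            .authorizeRequests()
            // BEFORE (the change under review): the student role is granted
            // PATCH on the admin-only period endpoint. With this list placed
            // first, a ROLE_STU token matches here and never reaches the
            // ROLE_SCH rule below, and the service then fails at runtime
            // because it resolves the current admin.
            //
            // .antMatchers(
            //     HttpMethod.PATCH,
            //     "/notification/**",
            //     "/weekend-meal/period"
            // ).hasRole("STU")

            // AFTER: the admin-only rule is declared first and the student
            // list contains only the paths students are meant to modify.
            // hasRole("SCH") matches the granted authority "ROLE_SCH".
            .antMatchers(HttpMethod.PATCH, "/weekend-meal/period").hasRole("SCH")
            .antMatchers(HttpMethod.PATCH, "/notification/**").hasRole("STU")
            // Everything else still requires an authenticated principal.
            .anyRequest().authenticated()
        return http.build()
    }
}
```

Rules are evaluated top to bottom and the first matching `antMatchers` entry decides, so the admin rule for "/weekend-meal/period" must precede any broader student pattern; a request from a ROLE_STU principal to that path is then rejected with 403 before it reaches the controller, instead of failing inside the service.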
Summary by CodeRabbit
Release Notes