Merge pull request #238 from CSE-Shaco/develop

CSE-Shaco · web-flow · commit 1b56c3f8b95d · 2025-10-27T10:24:37.000+09:00
fix(user-admin): 사용자 목록 정렬 및 권한별 접근 로직 개선
diff --git a/src/main/java/inha/gdgoc/domain/user/controller/UserAdminController.java b/src/main/java/inha/gdgoc/domain/user/controller/UserAdminController.java
@@ -3,6 +3,8 @@
 import inha.gdgoc.domain.user.dto.request.UpdateRoleRequest;
 import inha.gdgoc.domain.user.dto.request.UpdateUserRoleTeamRequest;
 import inha.gdgoc.domain.user.dto.response.UserSummaryResponse;
+import inha.gdgoc.domain.user.enums.TeamType;
+import inha.gdgoc.domain.user.enums.UserRole;
 import inha.gdgoc.domain.user.service.UserAdminService;
 import inha.gdgoc.global.config.jwt.TokenProvider.CustomUserDetails;
 import inha.gdgoc.global.dto.response.ApiResponse;
@@ -11,10 +13,7 @@
 import io.swagger.v3.oas.annotations.security.SecurityRequirement;
 import jakarta.validation.Valid;
 import lombok.RequiredArgsConstructor;
-import org.springframework.data.domain.Page;
-import org.springframework.data.domain.PageRequest;
-import org.springframework.data.domain.Pageable;
-import org.springframework.data.domain.Sort;
+import org.springframework.data.domain.*;
 import org.springframework.http.ResponseEntity;
 import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.annotation.AuthenticationPrincipal;
@@ -27,37 +26,57 @@ public class UserAdminController {
 
     private final UserAdminService userAdminService;
 
+    // q(검색) + role/team(필터) + pageable
     @Operation(summary = "사용자 요약 목록 조회", security = {@SecurityRequirement(name = "BearerAuth")})
     @PreAuthorize("hasAnyRole('LEAD','ORGANIZER','ADMIN') or T(inha.gdgoc.domain.user.enums.TeamType).HR == principal.team")
     @GetMapping
-    public ResponseEntity<ApiResponse<Page<UserSummaryResponse>, PageMeta>> list(@RequestParam(required = false) String q, @RequestParam(defaultValue = "0") int page, @RequestParam(defaultValue = "20") int size, @RequestParam(defaultValue = "name") String sort, @RequestParam(defaultValue = "ASC") String dir) {
+    public ResponseEntity<ApiResponse<Page<UserSummaryResponse>, PageMeta>> list(
+            @RequestParam(required = false) String q,
+            @RequestParam(required = false) UserRole role,
+            @RequestParam(required = false) TeamType team,
+            @RequestParam(defaultValue = "0") int page,
+            @RequestParam(defaultValue = "20") int size,
+            @RequestParam(defaultValue = "name") String sort,
+            @RequestParam(defaultValue = "ASC") String dir
+    ) {
         Sort.Direction direction = "ASC".equalsIgnoreCase(dir) ? Sort.Direction.ASC : Sort.Direction.DESC;
         Pageable pageable = PageRequest.of(page, size, Sort.by(direction, sort));
 
-        Page<UserSummaryResponse> result = userAdminService.listUsers(q, pageable);
+        Page<UserSummaryResponse> result = userAdminService.listUsers(q, role, team, pageable);
         return ResponseEntity.ok(ApiResponse.ok("USER_SUMMARY_LIST_RETRIEVED", result, PageMeta.of(result)));
     }
 
     @Operation(summary = "사용자 역할/팀 수정", security = {@SecurityRequirement(name = "BearerAuth")})
     @PreAuthorize("hasAnyRole('LEAD','ORGANIZER','ADMIN')")
     @PatchMapping("/{userId}/role-team")
-    public ResponseEntity<ApiResponse<Void, Void>> updateRoleTeam(@AuthenticationPrincipal CustomUserDetails me, @PathVariable Long userId, @RequestBody UpdateUserRoleTeamRequest req) {
+    public ResponseEntity<ApiResponse<Void, Void>> updateRoleTeam(
+            @AuthenticationPrincipal CustomUserDetails me,
+            @PathVariable Long userId,
+            @RequestBody UpdateUserRoleTeamRequest req
+    ) {
         userAdminService.updateRoleAndTeam(me, userId, req);
         return ResponseEntity.ok(ApiResponse.ok("USER_ROLE_TEAM_UPDATED"));
     }
 
     @Operation(summary = "사용자 역할 수정", security = {@SecurityRequirement(name = "BearerAuth")})
-    @PatchMapping("/{userId}/role")
     @PreAuthorize("hasAnyRole('LEAD','ORGANIZER','ADMIN') or T(inha.gdgoc.domain.user.enums.TeamType).HR == principal.team")
-    public ResponseEntity<ApiResponse<Void, Void>> updateUserRole(@AuthenticationPrincipal CustomUserDetails me, @PathVariable Long userId, @RequestBody @Valid UpdateRoleRequest req) {
+    @PatchMapping("/{userId}/role")
+    public ResponseEntity<ApiResponse<Void, Void>> updateUserRole(
+            @AuthenticationPrincipal CustomUserDetails me,
+            @PathVariable Long userId,
+            @RequestBody @Valid UpdateRoleRequest req
+    ) {
         userAdminService.updateUserRoleWithRules(me, userId, req.role());
         return ResponseEntity.ok(ApiResponse.ok("USER_ROLE_UPDATED"));
     }
 
     @Operation(summary = "사용자 삭제", security = {@SecurityRequirement(name = "BearerAuth")})
-    @PreAuthorize("hasAnyRole('LEAD', 'ORGANIZER', 'ADMIN')")
+    @PreAuthorize("hasAnyRole('LEAD','ORGANIZER','ADMIN')")
     @DeleteMapping("/{userId}")
-    public ResponseEntity<ApiResponse<Void, Void>> deleteUser(@AuthenticationPrincipal CustomUserDetails me, @PathVariable Long userId) {
+    public ResponseEntity<ApiResponse<Void, Void>> deleteUser(
+            @AuthenticationPrincipal CustomUserDetails me,
+            @PathVariable Long userId
+    ) {
         userAdminService.deleteUserWithRules(me, userId);
         return ResponseEntity.ok(ApiResponse.ok("USER_DELETED"));
     }
diff --git a/src/main/java/inha/gdgoc/domain/user/repository/UserRepository.java b/src/main/java/inha/gdgoc/domain/user/repository/UserRepository.java
@@ -20,6 +20,7 @@
 public interface UserRepository extends JpaRepository<User, Long>, UserRepositoryCustom {
 
     boolean existsByNameAndEmail(String name, String email);
+
     boolean existsByEmail(String email);
 
     /* ===== 출석/팀 뷰용 기본 쿼리 ===== */
@@ -37,13 +38,22 @@ public interface UserRepository extends JpaRepository<User, Long>, UserRepositor
     List<User> findByTeam(TeamType team);
 
     @Query("""
-        select new inha.gdgoc.domain.user.dto.response.UserSummaryResponse(
-            u.id, u.name, u.major, u.studentId, u.email, u.userRole, u.team
-        )
-        from User u
-        where (:q is null or :q = '' or u.name like concat('%', :q, '%'))
-        """)
-    Page<UserSummaryResponse> findSummaries(@Param("q") String q, Pageable pageable);
+            select new inha.gdgoc.domain.user.dto.response.UserSummaryResponse(
+                u.id, u.name, u.major, u.studentId, u.email, u.userRole, u.team
+            )
+            from User u
+            where
+              (
+                :q is null or :q = '' or
+                lower(u.name)      like lower(concat('%', :q, '%')) or
+                lower(u.email)     like lower(concat('%', :q, '%')) or
+                u.studentId        like concat('%', :q, '%') or
+                lower(u.major)     like lower(concat('%', :q, '%'))
+              )
+              and (:role is null or u.userRole = :role)
+              and (:team is null or u.team = :team)
+            """)
+    Page<UserSummaryResponse> findSummaries(@Param("q") String q, @Param("role") inha.gdgoc.domain.user.enums.UserRole role, @Param("team") inha.gdgoc.domain.user.enums.TeamType team, Pageable pageable);
 
     @NotNull Optional<User> findById(@NotNull Long id);
 }
diff --git a/src/main/java/inha/gdgoc/domain/user/service/UserAdminService.java b/src/main/java/inha/gdgoc/domain/user/service/UserAdminService.java
@@ -26,10 +26,13 @@ public class UserAdminService {
 
     private final UserRepository userRepository;
 
+    /* ======================= 목록 ======================= */
+
     @Transactional(readOnly = true)
-    public Page<UserSummaryResponse> listUsers(String q, Pageable pageable) {
+    public Page<UserSummaryResponse> listUsers(String q, UserRole role, TeamType team, Pageable pageable) {
         Pageable fixed = rewriteSort(pageable);
-        return userRepository.findSummaries(q, fixed);
+        // 레포지토리에 role/team 조건 추가한 메서드가 있어야 함
+        return userRepository.findSummaries(q, role, team, fixed);
     }
 
     private Pageable rewriteSort(Pageable pageable) {
@@ -45,40 +48,23 @@ private Pageable rewriteSort(Pageable pageable) {
 
             if ("userRole".equals(prop)) {
                 hasUserRoleOrder = true;
-                String roleRankCase = "CASE u.userRole " +
-                        "WHEN 'GUEST' THEN 0 " +
-                        "WHEN 'MEMBER' THEN 1 " +
-                        "WHEN 'CORE' THEN 2 " +
-                        "WHEN 'LEAD' THEN 3 " +
-                        "WHEN 'ORGANIZER' THEN 4 " +
-                        "WHEN 'ADMIN' THEN 5 " +
-                        "ELSE -1 END";
+                String roleRankCase = "CASE u.userRole " + "WHEN 'GUEST' THEN 0 " + "WHEN 'MEMBER' THEN 1 " + "WHEN 'CORE' THEN 2 " + "WHEN 'LEAD' THEN 3 " + "WHEN 'ORGANIZER' THEN 4 " + "WHEN 'ADMIN' THEN 5 " + "ELSE -1 END";
                 composed = composed.and(JpaSort.unsafe(dir, roleRankCase));
             } else {
                 composed = composed.and(Sort.by(new Sort.Order(dir, prop)));
             }
         }
 
-        // ROLE 정렬 요청이 있었다면, 같은 권한 내에서 name ASC로 안정화
+        // ROLE 정렬이 있으면 같은 권한 내 name ASC로 안정화
         if (hasUserRoleOrder) {
             composed = composed.and(Sort.by("name").ascending());
         }
 
         return PageRequest.of(pageable.getPageNumber(), pageable.getPageSize(), composed);
     }
 
-    /**
-     * 역할/팀 동시 수정 API (PATCH /admin/users/{userId}/role-team)
-     * - 공통 규칙:
-     * 에디터의 role은 타겟의 현재/신규 role보다 "엄격히 높아야" 함
-     * - ADMIN: 자기 자신 강등 금지
-     * - ORGANIZER: ADMIN 대상 수정 금지
-     * - LEAD:
-     * - MEMBER/CORE만 수정 가능, 변경도 MEMBER/CORE로만
-     * - HR-LEAD: 자기 자신 제외 타인의 팀 변경 가능
-     * - 그 외 LEAD: 같은 팀 구성원만 수정 가능, 팀 변경 불가
-     * - 팀 보유 가능 역할: CORE, LEAD (그 외는 팀 자동 null)
-     */
+    /* ======================= 수정 ======================= */
+
     @Transactional
     public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, UpdateUserRoleTeamRequest req) {
         User editorUser = getEditor(editor);
@@ -91,10 +77,10 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
         UserRole newRole = (req.role() != null ? req.role() : targetCurrentRole);
         TeamType requestedTeam = (req.team() != null ? req.team() : target.getTeam());
 
-        // ✅ 팀 보유 가능한 역할만 팀 유지/지정 (CORE, LEAD만 가능)
+        // 팀 보유 가능한 역할만 팀 허용 (CORE, LEAD)
         TeamType newTeam = isTeamAssignableRole(newRole) ? requestedTeam : null;
 
-        // 공통: 에디터는 타겟의 현재/신규 role보다 높아야 함 (동급 불가)
+        // 공통: 에디터는 대상의 현재/신규 role보다 엄격히 높아야 함
         if (!(editorRole.rank() > targetCurrentRole.rank())) {
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "동급/상위 사용자의 정보는 변경할 수 없습니다.");
         }
@@ -104,14 +90,11 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
 
         switch (editorRole) {
             case ADMIN -> {
-                // 자기 자신 강등 금지
                 if (editorUser.getId().equals(target.getId()) && newRole.rank() < UserRole.ADMIN.rank()) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "자기 자신을 강등할 수 없습니다.");
                 }
-                // ADMIN은 팀 변경 제한 없음 (위 정규화로 팀 자동 정리)
             }
             case ORGANIZER -> {
-                // ADMIN 대상은 수정 금지
                 if (targetCurrentRole == UserRole.ADMIN) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "ADMIN 사용자는 수정할 수 없습니다.");
                 }
@@ -120,7 +103,6 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
                 if (editor.getTeam() == null) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "LEAD 토큰에 팀 정보가 없습니다.");
                 }
-                // LEAD는 MEMBER/CORE만 수정 가능, 변경도 MEMBER/CORE로만
                 if (!(targetCurrentRole == UserRole.MEMBER || targetCurrentRole == UserRole.CORE)) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "LEAD는 MEMBER/CORE만 수정할 수 있습니다.");
                 }
@@ -129,15 +111,13 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
                 }
 
                 if (editor.getTeam() == TeamType.HR) {
-                    // HR-LEAD: 본인 제외 타인 팀 변경 가능
+                    // HR-LEAD: 본인 제외 타인지원 팀 변경 가능
                     if (editorUser.getId().equals(target.getId())) {
-                        // 본인은 팀 변경 불가
                         if (req.team() != null && !Objects.equals(req.team(), target.getTeam())) {
                             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "HR-LEAD도 자기 자신의 팀은 변경할 수 없습니다.");
                         }
                     }
                 } else {
-                    // 일반 LEAD: 같은 팀 구성원만, 팀 변경 불가
                     if (target.getTeam() != editor.getTeam()) {
                         throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "다른 팀 사용자는 수정할 수 없습니다.");
                     }
@@ -149,16 +129,9 @@ public void updateRoleAndTeam(CustomUserDetails editor, Long targetUserId, Updat
             default -> throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER);
         }
 
-        // ✅ 최종 반영 (역할이 팀 불가면 팀은 자동 null 처리)
         targetChange(target, newRole, newTeam);
     }
 
-    /**
-     * 역할만 수정 API (PATCH /admin/users/{userId}/role)
-     * - HR-CORE 특례: GUEST -> MEMBER 가능 (그 외 불가)
-     * - 일반 규칙: 에디터의 role은 대상의 현재/신규 role보다 엄격히 높아야 함
-     * - 역할이 팀 불가가 되면 팀은 자동 null 처리
-     */
     @Transactional
     public void updateUserRoleWithRules(CustomUserDetails me, Long targetUserId, UserRole newRole) {
         var meRole = me.getRole();
@@ -173,82 +146,61 @@ public void updateUserRoleWithRules(CustomUserDetails me, Long targetUserId, Use
 
         UserRole current = target.getUserRole();
 
-        // ✅ HR-CORE 특례: GUEST → MEMBER 만 허용
+        // HR-CORE 특례: GUEST -> MEMBER
         boolean isHrCore = (meRole == UserRole.CORE) && (meTeam == TeamType.HR);
         if (isHrCore) {
             if (current == UserRole.GUEST && newRole == UserRole.MEMBER) {
                 target.changeRole(UserRole.MEMBER);
-                // MEMBER는 팀 불가 → 자동 null
-                if (!isTeamAssignableRole(UserRole.MEMBER)) {
-                    target.changeTeam(null);
-                }
+                if (!isTeamAssignableRole(UserRole.MEMBER)) target.changeTeam(null);
                 userRepository.save(target);
                 return;
             }
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "HR-CORE는 GUEST→MEMBER 변경만 가능");
         }
 
-        // 일반 규칙: 나의 권한은 대상의 현재/신규 권한보다 엄격히 높아야 함
         boolean higherThanCurrent = meRole.rank() > current.rank();
         boolean higherThanNew = meRole.rank() > newRole.rank();
         if (!higherThanCurrent || !higherThanNew) {
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "요청한 역할 변경 권한이 없습니다.");
         }
 
         target.changeRole(newRole);
-        // 역할이 팀 불가면 팀 자동 해제
-        if (!isTeamAssignableRole(newRole)) {
-            target.changeTeam(null);
-        }
+        if (!isTeamAssignableRole(newRole)) target.changeTeam(null);
         userRepository.save(target);
     }
 
     @Transactional
     public void deleteUserWithRules(CustomUserDetails me, Long targetUserId) {
         User editor = userRepository.findById(me.getUserId())
                 .orElseThrow(() -> new BusinessException(GlobalErrorCode.UNAUTHORIZED_USER));
-
         User target = userRepository.findById(targetUserId)
                 .orElseThrow(() -> new BusinessException(GlobalErrorCode.RESOURCE_NOT_FOUND));
 
-        // 자기 자신 삭제 금지
         if (Objects.equals(editor.getId(), target.getId())) {
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "자기 자신은 삭제할 수 없습니다.");
         }
 
         UserRole editorRole = editor.getUserRole();
         TeamType editorTeam = editor.getTeam();
-
         UserRole targetRole = target.getUserRole();
         TeamType targetTeam = target.getTeam();
 
-        // 공통: '나'는 대상의 현재 role보다 "엄격히" 높아야 함
         if (!(editorRole.rank() > targetRole.rank())) {
             throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "동급/상급 사용자는 삭제할 수 없습니다.");
         }
 
         switch (editorRole) {
-            case ADMIN -> {
-                // ADMIN: 모두 삭제 가능(단, 자기 자신은 위에서 금지)
-                // 추가 보호가 필요하면 여기서 ADMIN→ADMIN 삭제 금지도 가능
-            }
+            case ADMIN -> {}
             case ORGANIZER -> {
-                // ORGANIZER: ADMIN 삭제 불가(공통 검사로 이미 걸러짐). 그 외 삭제 가능
                 if (targetRole == UserRole.ADMIN) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "ADMIN 사용자는 삭제할 수 없습니다.");
                 }
             }
             case LEAD -> {
-                // LEAD: MEMBER/CORE만 삭제 가능
                 if (!(targetRole == UserRole.MEMBER || targetRole == UserRole.CORE)) {
                     throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "LEAD는 MEMBER/CORE만 삭제할 수 있습니다.");
                 }
-
-                // HR-LEAD 특례: 본인 제외 누구든 팀 무관 삭제 가능
-                if (editorTeam == TeamType.HR) {
-                    // 자기 자신은 위에서 이미 금지
-                } else {
-                    // 일반 LEAD: 같은 팀만 삭제 가능
+                if (editorTeam != TeamType.HR) {
                     if (editorTeam == null || targetTeam != editorTeam) {
                         throw new BusinessException(GlobalErrorCode.FORBIDDEN_USER, "다른 팀 사용자는 삭제할 수 없습니다.");
                     }
@@ -260,14 +212,9 @@ public void deleteUserWithRules(CustomUserDetails me, Long targetUserId) {
         userRepository.delete(target);
     }
 
-    /**
-     * 실제 반영 (역할 변경 후 역할 정책에 따라 팀도 정리)
-     */
     private void targetChange(User target, UserRole newRole, TeamType newTeam) {
         target.changeRole(newRole);
-        if (!isTeamAssignableRole(newRole)) {
-            newTeam = null; // 방어적 정리
-        }
+        if (!isTeamAssignableRole(newRole)) newTeam = null;
         target.changeTeam(newTeam);
         userRepository.save(target);
     }
@@ -277,9 +224,6 @@ private User getEditor(CustomUserDetails editor) {
                 .orElseThrow(() -> new BusinessException(GlobalErrorCode.UNAUTHORIZED_USER));
     }
 
-    /**
-     * 팀을 가질 수 있는 역할만 true (CORE, LEAD)
-     */
     private boolean isTeamAssignableRole(UserRole role) {
         return role == UserRole.CORE || role == UserRole.LEAD;
     }
