Merged
Conversation
Contributor
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review infoConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro 📒 Files selected for processing (1)
🚧 Files skipped from review as they are similar to previous changes (1)
Walkthrough여러 컨트롤러 클래스에 Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes Possibly related PRs
Poem
🚥 Pre-merge checks | ✅ 3✅ Passed checks (3 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (2)
src/main/java/com/umc/linkyou/web/controller/LinkuController.java (1)
98-103:⚠️ Potential issue | 🟠 Major인증 없이 임의 사용자 링크 조회 가능 (기존 문제)
GET /{userId}/{linkuId}엔드포인트는@AuthenticationPrincipal을 사용하지 않고userId를 경로 변수로 직접 수신합니다. 이로 인해 인증된 사용자라면 타인의userId와linkuId를 알고 있을 경우 해당 링크 상세 정보를 무제한으로 조회할 수 있습니다. 이번 PR의 변경 사항은 아니지만, 버전 경로가 갱신되면서 외부에 더 명확히 노출될 수 있는 엔드포인트입니다. 요청자의 인증 정보와 대상userId가 일치하는지 또는 공유 폴더 뷰어 권한을 가지고 있는지 검사하는 로직이 필요합니다.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/main/java/com/umc/linkyou/web/controller/LinkuController.java` around lines 98 - 103, The detailLinku endpoint currently accepts userId and linkuId directly which allows unauthenticated access to arbitrary users' links; update the controller method detailLinku to accept the authenticated principal (e.g., add an `@AuthenticationPrincipal` parameter or Authentication/Principal) and pass the principal's user id into linkuService.detailGetLinku (or add a new service method that accepts both requesterId and target userId/linkuId) so the service can verify requesterId == userId or that the requester has shared-folder/viewer permission before returning data; ensure permission checks live in linkuService (e.g., in detailGetLinku) to centralize auth logic and avoid relying on client-supplied path userId.src/main/java/com/umc/linkyou/web/controller/ShareFolderController.java (1)
43-43:⚠️ Potential issue | 🟡 Minor쿼리 파라미터명을
token으로 변경하여 명확성 개선
ShareFolderController.java라인 43에서 생성되는 딥링크 URL은folderId파라미터에 실제 초대 토큰값을 담고 있습니다.DeepLinkController.java라인 31에서 이 파라미터를 그대로 받아 라인 34에서 템플릿에 전달하고 있습니다. 파라미터명이 실제 데이터와 맞지 않아 혼동을 야기할 수 있으므로,folderId대신token으로 변경하는 것이 권장됩니다.URL 생성 코드
deeplinkBaseUrl + "/open?action=share&folderId=" + token🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@src/main/java/com/umc/linkyou/web/controller/ShareFolderController.java` at line 43, Change the deep link query parameter from folderId to token to match the actual value: update the URL construction in ShareFolderController (the return ApiResponse.of(...) that builds deeplinkBaseUrl + "/open?action=share&folderId=" + token) to use "token" instead of "folderId", and update DeepLinkController to read the "token" request parameter (the code around where it currently reads the folderId at line ~31 and passes it to the template at ~34) so the param name matches across both controllers.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Outside diff comments:
In `@src/main/java/com/umc/linkyou/web/controller/LinkuController.java`:
- Around line 98-103: The detailLinku endpoint currently accepts userId and
linkuId directly which allows unauthenticated access to arbitrary users' links;
update the controller method detailLinku to accept the authenticated principal
(e.g., add an `@AuthenticationPrincipal` parameter or Authentication/Principal)
and pass the principal's user id into linkuService.detailGetLinku (or add a new
service method that accepts both requesterId and target userId/linkuId) so the
service can verify requesterId == userId or that the requester has
shared-folder/viewer permission before returning data; ensure permission checks
live in linkuService (e.g., in detailGetLinku) to centralize auth logic and
avoid relying on client-supplied path userId.
In `@src/main/java/com/umc/linkyou/web/controller/ShareFolderController.java`:
- Line 43: Change the deep link query parameter from folderId to token to match
the actual value: update the URL construction in ShareFolderController (the
return ApiResponse.of(...) that builds deeplinkBaseUrl +
"/open?action=share&folderId=" + token) to use "token" instead of "folderId",
and update DeepLinkController to read the "token" request parameter (the code
around where it currently reads the folderId at line ~31 and passes it to the
template at ~34) so the param name matches across both controllers.
ℹ️ Review info
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (12)
src/main/java/com/umc/linkyou/awsS3/controller/AwsS3Controller.javasrc/main/java/com/umc/linkyou/web/controller/AiArticleController.javasrc/main/java/com/umc/linkyou/web/controller/AlarmController.javasrc/main/java/com/umc/linkyou/web/controller/CategoryController.javasrc/main/java/com/umc/linkyou/web/controller/CurationController.javasrc/main/java/com/umc/linkyou/web/controller/DeepLinkController.javasrc/main/java/com/umc/linkyou/web/controller/DomainController.javasrc/main/java/com/umc/linkyou/web/controller/FolderController.javasrc/main/java/com/umc/linkyou/web/controller/InvitationController.javasrc/main/java/com/umc/linkyou/web/controller/LinkuController.javasrc/main/java/com/umc/linkyou/web/controller/ShareFolderController.javasrc/main/java/com/umc/linkyou/web/controller/SharedFolderController.java
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🔗 관련 이슈
📌 작업 내용
📎 참고 사항 (선택)
Summary by CodeRabbit
릴리스 노트
/api접두사를 제거하고 일관된 API 버전 어노테이션을 적용했습니다. 일부 컨트롤러는 경로 변경 없이 버전 어노테이션(또는 관련 import)만 추가되었습니다.