[#33] 피드를 여행일지로 묶기

src/main/java/com/stoury/controller/CommentController.java

@@ -45,7 +45,8 @@ public List<ChildCommentResponse> getChildComments(@PathVariable Long commentId,
     }
 
     @DeleteMapping("/comments/{commentId}")
-    public void deleteComment(@PathVariable Long commentId) {
-        commentService.deleteComment(commentId);
+    public void deleteComment(@AuthenticationPrincipal AuthenticatedMember authenticatedMember,
+                              @PathVariable Long commentId) {
+        commentService.deleteCommentIfOwner(commentId, authenticatedMember.getId());
     }
 }

src/main/java/com/stoury/controller/DiaryController.java

@@ -27,7 +27,9 @@ public DiaryPageResponse getMemberDiaries(@PathVariable Long memberId,
     }
 
     @DeleteMapping("/diaries/{diaryId}")
-    public void cancelDiary(@PathVariable Long diaryId) {
-        diaryService.cancelDiary(diaryId);
+    public void cancelDiary(
+            @AuthenticationPrincipal AuthenticatedMember authenticatedMember,
+            @PathVariable Long diaryId) {
+        diaryService.cancelDiaryIfOwner(diaryId, authenticatedMember.getId());
     }
 }

src/main/java/com/stoury/controller/FeedController.java

@@ -45,12 +45,15 @@ public List<FeedResponse> getFeedsOfMember(@PathVariable Long memberId,
     }
 
     @PutMapping("/feeds/{feedId}")
-    public FeedResponse updateFeed(@PathVariable Long feedId, @RequestBody FeedUpdateRequest feedUpdateRequest) {
-        return feedService.updateFeed(feedId, feedUpdateRequest);
+    public FeedResponse updateFeed(@AuthenticationPrincipal AuthenticatedMember authenticatedMember,
+                                   @PathVariable Long feedId,
+                                   @RequestBody FeedUpdateRequest feedUpdateRequest) {
+        return feedService.updateFeedIfOwner(feedId, feedUpdateRequest, authenticatedMember.getId());
     }
 
     @DeleteMapping("/feeds/{feedId}")
-    public void deleteFeed(@PathVariable Long feedId) {
-        feedService.deleteFeed(feedId);
+    public void deleteFeed(@AuthenticationPrincipal AuthenticatedMember authenticatedMember,
+                           @PathVariable Long feedId) {
+        feedService.deleteFeedIfOwner(feedId, authenticatedMember.getId());
     }
 }

src/main/java/com/stoury/service/CommentService.java

@@ -7,6 +7,7 @@
 import com.stoury.dto.comment.CommentResponse;
 import com.stoury.exception.CommentCreateException;
 import com.stoury.exception.CommentSearchException;
+import com.stoury.exception.authentication.NotAuthorizedException;
 import com.stoury.exception.feed.FeedSearchException;
 import com.stoury.exception.member.MemberSearchException;
 import com.stoury.repository.CommentRepository;
@@ -16,7 +17,6 @@
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.domain.Sort;
-import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 
@@ -85,13 +85,25 @@ public List<ChildCommentResponse> getChildComments(Long parentCommentId, LocalDa
                 orderThan, pageable));
     }
 
-    @PostAuthorize("returnObject.writer.id == authentication.principal.id")
-    @Transactional
-    public CommentResponse deleteComment(Long commentId) {
+    protected CommentResponse deleteComment(Long commentId) {
         Comment comment = commentRepository.findById(Objects.requireNonNull(commentId))
                 .orElseThrow(CommentSearchException::new);
 
         comment.delete();
         return CommentResponse.from(comment);
     }
+
+    @Transactional
+    public CommentResponse deleteCommentIfOwner(Long commentId, Long memberId) {
+        Comment comment = commentRepository.findById(Objects.requireNonNull(commentId))
+                .orElseThrow(CommentSearchException::new);
+        if(isNotOwner(memberId, comment)){
+            throw new NotAuthorizedException();
+        }
+        return deleteComment(commentId);
+    }
+
+    private boolean isNotOwner(Long memberId, Comment comment) {
+        return !comment.getMember().getId().equals(memberId);
+    }
 }

src/main/java/com/stoury/service/DiaryService.java

@@ -20,8 +20,10 @@
 import com.stoury.repository.MemberRepository;
 import lombok.RequiredArgsConstructor;
 import org.jetbrains.annotations.NotNull;
-import org.springframework.data.domain.*;
-import org.springframework.security.access.prepost.PostAuthorize;
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageRequest;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.domain.Sort;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Transactional;
 import org.springframework.util.StringUtils;
@@ -115,13 +117,24 @@ public DiaryPageResponse getMemberDiaries(Long memberId, int pageNo) {
         return DiaryPageResponse.from(diaryPage);
     }
 
-    @PostAuthorize("returnObject.memberId() == authentication.principal.id")
-    @Transactional
-    public SimpleDiaryResponse cancelDiary(Long diaryId) {
+    protected SimpleDiaryResponse cancelDiary(Long diaryId) {
         Diary toCancelDiary = diaryRepository.findById(diaryId).orElseThrow(DiarySearchException::new);
 
         diaryRepository.delete(toCancelDiary);
 
         return SimpleDiaryResponse.from(toCancelDiary);
     }
+
+    @Transactional
+    public SimpleDiaryResponse cancelDiaryIfOwner(Long diaryId, Long memberId) {
+        Diary toCancelDiary = diaryRepository.findById(diaryId).orElseThrow(DiarySearchException::new);
+        if (isNotOwner(memberId, toCancelDiary)) {
+            throw new NotAuthorizedException();
+        }
+        return cancelDiary(diaryId);
+    }
+
+    private boolean isNotOwner(Long memberId, Diary toCancelDiary) {
+        return !toCancelDiary.getMember().getId().equals(memberId);
+    }
 }

src/main/java/com/stoury/service/FeedService.java

@@ -10,6 +10,7 @@
 import com.stoury.dto.feed.LocationResponse;
 import com.stoury.event.GraphicDeleteEvent;
 import com.stoury.event.GraphicSaveEvent;
+import com.stoury.exception.authentication.NotAuthorizedException;
 import com.stoury.exception.feed.FeedCreateException;
 import com.stoury.exception.feed.FeedDeleteException;
 import com.stoury.exception.feed.FeedSearchException;
@@ -26,7 +27,6 @@
 import org.springframework.data.domain.PageRequest;
 import org.springframework.data.domain.Pageable;
 import org.springframework.data.domain.Sort;
-import org.springframework.security.access.prepost.PostAuthorize;
 import org.springframework.stereotype.Service;
 import org.springframework.transaction.annotation.Propagation;
 import org.springframework.transaction.annotation.Transactional;
@@ -41,7 +41,7 @@
 @RequiredArgsConstructor
 public class FeedService {
     @Value("${path-prefix}")
-    public  String pathPrefix;
+    public String pathPrefix;
     public static final int PAGE_SIZE = 10;
     private final FeedRepository feedRepository;
     private final MemberRepository memberRepository;
@@ -145,9 +145,7 @@ private FeedResponse toFeedResponse(Feed feed) {
         return FeedResponse.from(feed, likes);
     }
 
-    @PostAuthorize("returnObject.writer().id() == authentication.principal.id")
-    @Transactional
-    public FeedResponse updateFeed(Long feedId, FeedUpdateRequest feedUpdateRequest) {
+    protected FeedResponse updateFeed(Long feedId, FeedUpdateRequest feedUpdateRequest) {
         Feed feed = feedRepository.findById(Objects.requireNonNull(feedId))
                 .orElseThrow(FeedSearchException::new);
 
@@ -162,6 +160,22 @@ public FeedResponse updateFeed(Long feedId, FeedUpdateRequest feedUpdateRequest)
         return FeedResponse.from(feed, likeRepository.getCountByFeedId(feed.getId().toString()));
     }
 
+    @Transactional
+    public FeedResponse updateFeedIfOwner(Long feedId, FeedUpdateRequest feedUpdateRequest, Long memberId) {
+        Feed feed = feedRepository.findById(Objects.requireNonNull(feedId))
+                .orElseThrow(FeedSearchException::new);
+
+        if (isNotOwner(feed, memberId)) {
+            throw new NotAuthorizedException();
+        }
+
+        return updateFeed(feedId, feedUpdateRequest);
+    }
+
+    private boolean isNotOwner(Feed feed, Long memberId) {
+        return !feed.getMember().getId().equals(memberId);
+    }
+
     private void publishDeleteFileEvents(List<GraphicContent> beforeDeleteGraphicContents,
                                          List<GraphicContent> afterDeleteGraphicContents) {
         for (GraphicContent beforeDeleteGraphicContent : beforeDeleteGraphicContents) {
@@ -171,16 +185,24 @@ private void publishDeleteFileEvents(List<GraphicContent> beforeDeleteGraphicCon
         }
     }
 
-    @PostAuthorize("returnObject.writer().id() == authentication.name")
-    @Transactional
-    public FeedResponse deleteFeed(Long feedId) {
+    protected void deleteFeed(Long feedId) {
         if (rankingService.isRankedFeed(feedId)) {
             throw new FeedDeleteException("As the feed is in hot feeds, cannot delete this.");
         }
         Feed feed = feedRepository.findById(Objects.requireNonNull(feedId))
                 .orElseThrow(FeedSearchException::new);
         feedRepository.delete(feed);
-        return FeedResponse.from(feed, 0);
+    }
+
+    @Transactional
+    public void deleteFeedIfOwner(Long feedId, Long memberId) {
+        Feed feed = feedRepository.findById(Objects.requireNonNull(feedId))
+                .orElseThrow(FeedSearchException::new);
+
+        if (isNotOwner(feed, memberId)) {
+            throw new NotAuthorizedException();
+        }
+        deleteFeed(feedId);
     }
 
     @Transactional(readOnly = true)