feat(admin): 콘텐츠 관리자 읽기 권한을 확장한다

src/main/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentController.kt

@@ -13,10 +13,10 @@ import org.springframework.web.bind.annotation.RestController
 import org.springframework.web.multipart.MultipartFile
 
 @RestController
-@PreAuthorize("hasRole('ADMIN')")
 @RequestMapping("/admin/audio-content")
 class AdminContentController(private val service: AdminContentService) {
     @GetMapping("/list")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
     fun getAudioContentList(
         @RequestParam(value = "status", required = false) status: ContentReleaseStatus?,
         pageable: Pageable
@@ -28,6 +28,7 @@ class AdminContentController(private val service: AdminContentService) {
     )
 
     @GetMapping("/search")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
     fun searchAudioContent(
         @RequestParam(value = "status", required = false) status: ContentReleaseStatus?,
         @RequestParam(value = "search_word") searchWord: String,
@@ -41,12 +42,14 @@ class AdminContentController(private val service: AdminContentService) {
     )
 
     @PutMapping(consumes = [MediaType.MULTIPART_FORM_DATA_VALUE])
+    @PreAuthorize("hasRole('ADMIN')")
     fun modifyAudioContent(
         @RequestPart("request") requestString: String,
         @RequestPart("coverImage", required = false) coverImage: MultipartFile? = null
     ) = ApiResponse.ok(service.updateAudioContent(coverImage, requestString))
 
     @GetMapping("/main/tab")
+    @PreAuthorize("hasAnyRole('ADMIN', 'CONTENT_MANAGER')")
     fun getContentMainTabList() = ApiResponse.ok(service.getContentMainTabList())
 }
 

src/main/kotlin/kr/co/vividnext/sodalive/menu/MenuController.kt

@@ -13,7 +13,7 @@ import org.springframework.web.bind.annotation.RestController
 @RequestMapping("/menu")
 class MenuController(private val service: MenuService) {
     @GetMapping
-    @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR')")
+    @PreAuthorize("hasAnyRole('AGENT', 'ADMIN', 'CREATOR', 'CONTENT_MANAGER')")
     fun getMenus(
         @AuthenticationPrincipal(expression = "#this == 'anonymousUser' ? null : member") member: Member?
     ) = run {

src/test/kotlin/kr/co/vividnext/sodalive/admin/content/AdminContentControllerSecurityTest.kt

@@ -0,0 +1,184 @@
+package kr.co.vividnext.sodalive.admin.content
+
+import kr.co.vividnext.sodalive.common.CountryContext
+import kr.co.vividnext.sodalive.content.main.tab.GetContentMainTabItem
+import kr.co.vividnext.sodalive.i18n.LangContext
+import kr.co.vividnext.sodalive.i18n.SodaMessageSource
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
+import org.springframework.boot.test.context.TestConfiguration
+import org.springframework.boot.test.mock.mockito.MockBean
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Import
+import org.springframework.data.domain.PageRequest
+import org.springframework.http.HttpStatus
+import org.springframework.http.MediaType
+import org.springframework.mock.web.MockMultipartFile
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
+import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.HttpStatusEntryPoint
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.multipart
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
+import javax.servlet.http.HttpServletResponse
+
+@WebMvcTest(AdminContentController::class)
+@Import(AdminContentControllerSecurityTest.TestSecurityConfig::class)
+class AdminContentControllerSecurityTest @Autowired constructor(
+    private val mockMvc: MockMvc
+) {
+    @MockBean
+    private lateinit var service: AdminContentService
+
+    @MockBean
+    private lateinit var countryContext: CountryContext
+
+    @MockBean
+    private lateinit var langContext: LangContext
+
+    @MockBean
+    private lateinit var sodaMessageSource: SodaMessageSource
+
+    @TestConfiguration
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    class TestSecurityConfig {
+        @Bean
+        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            return http
+                .csrf().disable()
+                .authorizeRequests()
+                .anyRequest().authenticated()
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+                .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) }
+                .and()
+                .build()
+        }
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 목록 조회에 성공한다")
+    fun shouldAllowContentManagerRoleForContentList() {
+        Mockito.`when`(
+            service.getAudioContentList(
+                status = ContentReleaseStatus.OPEN,
+                pageable = PageRequest.of(0, 20)
+            )
+        ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList()))
+
+        mockMvc.perform(
+            get("/admin/audio-content/list")
+                .param("page", "0")
+                .param("size", "20")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data.totalCount").value(0))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 검색에 성공한다")
+    fun shouldAllowContentManagerRoleForContentSearch() {
+        Mockito.`when`(
+            service.searchAudioContent(
+                status = ContentReleaseStatus.OPEN,
+                searchWord = "title",
+                pageable = PageRequest.of(0, 20)
+            )
+        ).thenReturn(GetAdminContentListResponse(totalCount = 0, items = emptyList()))
+
+        mockMvc.perform(
+            get("/admin/audio-content/search")
+                .param("search_word", "title")
+                .param("page", "0")
+                .param("size", "20")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 메인 탭 조회에 성공한다")
+    fun shouldAllowContentManagerRoleForContentMainTab() {
+        Mockito.`when`(service.getContentMainTabList()).thenReturn(
+            listOf(GetContentMainTabItem(tabId = 1L, title = "홈"))
+        )
+
+        mockMvc.perform(
+            get("/admin/audio-content/main/tab")
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data[0].tabId").value(1L))
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 없다")
+    fun shouldRejectContentManagerRoleForContentUpdate() {
+        val requestPart = MockMultipartFile(
+            "request",
+            "request.json",
+            MediaType.APPLICATION_JSON_VALUE,
+            "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray()
+        )
+
+        mockMvc.perform(
+            multipart("/admin/audio-content")
+                .file(requestPart)
+                .with { request ->
+                    request.method = "PUT"
+                    request
+                }
+                .with(user("content-manager").roles("CONTENT_MANAGER"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(false))
+    }
+
+    @Test
+    @DisplayName("관리자 권한이면 관리자 콘텐츠 수정에 접근할 수 있다")
+    fun shouldAllowAdminRoleForContentUpdate() {
+        val requestPart = MockMultipartFile(
+            "request",
+            "request.json",
+            MediaType.APPLICATION_JSON_VALUE,
+            "{\"id\":1,\"isDefaultCoverImage\":false}".toByteArray()
+        )
+
+        mockMvc.perform(
+            multipart("/admin/audio-content")
+                .file(requestPart)
+                .with { request ->
+                    request.method = "PUT"
+                    request
+                }
+                .with(user("admin").roles("ADMIN"))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+    }
+
+    @Test
+    @DisplayName("익명 사용자는 관리자 콘텐츠 목록 조회에 접근할 수 없다")
+    fun shouldRejectAnonymousUserForContentList() {
+        mockMvc.perform(
+            get("/admin/audio-content/list")
+                .param("page", "0")
+                .param("size", "20")
+                .with(anonymous())
+        )
+            .andExpect(status().isUnauthorized)
+    }
+}

src/test/kotlin/kr/co/vividnext/sodalive/menu/MenuControllerSecurityTest.kt

@@ -0,0 +1,116 @@
+package kr.co.vividnext.sodalive.menu
+
+import kr.co.vividnext.sodalive.common.CountryContext
+import kr.co.vividnext.sodalive.i18n.LangContext
+import kr.co.vividnext.sodalive.i18n.SodaMessageSource
+import kr.co.vividnext.sodalive.member.Member
+import kr.co.vividnext.sodalive.member.MemberAdapter
+import kr.co.vividnext.sodalive.member.MemberRole
+import org.junit.jupiter.api.DisplayName
+import org.junit.jupiter.api.Test
+import org.mockito.Mockito
+import org.springframework.beans.factory.annotation.Autowired
+import org.springframework.boot.test.autoconfigure.web.servlet.WebMvcTest
+import org.springframework.boot.test.context.TestConfiguration
+import org.springframework.boot.test.mock.mockito.MockBean
+import org.springframework.context.annotation.Bean
+import org.springframework.context.annotation.Import
+import org.springframework.http.HttpStatus
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity
+import org.springframework.security.config.annotation.web.builders.HttpSecurity
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.anonymous
+import org.springframework.security.test.web.servlet.request.SecurityMockMvcRequestPostProcessors.user
+import org.springframework.security.web.SecurityFilterChain
+import org.springframework.security.web.authentication.HttpStatusEntryPoint
+import org.springframework.test.web.servlet.MockMvc
+import org.springframework.test.web.servlet.request.MockMvcRequestBuilders.get
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.jsonPath
+import org.springframework.test.web.servlet.result.MockMvcResultMatchers.status
+import javax.servlet.http.HttpServletResponse
+
+@WebMvcTest(MenuController::class)
+@Import(MenuControllerSecurityTest.TestSecurityConfig::class)
+class MenuControllerSecurityTest @Autowired constructor(
+    private val mockMvc: MockMvc
+) {
+    @MockBean
+    private lateinit var service: MenuService
+
+    @MockBean
+    private lateinit var countryContext: CountryContext
+
+    @MockBean
+    private lateinit var langContext: LangContext
+
+    @MockBean
+    private lateinit var sodaMessageSource: SodaMessageSource
+
+    @TestConfiguration
+    @EnableGlobalMethodSecurity(prePostEnabled = true)
+    class TestSecurityConfig {
+        @Bean
+        fun securityFilterChain(http: HttpSecurity): SecurityFilterChain {
+            return http
+                .csrf().disable()
+                .authorizeRequests()
+                .anyRequest().authenticated()
+                .and()
+                .exceptionHandling()
+                .authenticationEntryPoint(HttpStatusEntryPoint(HttpStatus.UNAUTHORIZED))
+                .accessDeniedHandler { _, response, _ -> response.sendError(HttpServletResponse.SC_FORBIDDEN) }
+                .and()
+                .build()
+        }
+    }
+
+    @Test
+    @DisplayName("콘텐츠 관리자 권한이면 메뉴 조회에 성공한다")
+    fun shouldAllowContentManagerRole() {
+        val member = createMember(role = MemberRole.CONTENT_MANAGER)
+        Mockito.`when`(service.getMenus(member)).thenReturn(
+            listOf(GetMenuResponse(title = "콘텐츠 리스트", route = "/content/list"))
+        )
+
+        mockMvc.perform(
+            get("/menu")
+                .with(user(MemberAdapter(member)))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(true))
+            .andExpect(jsonPath("$.data[0].route").value("/content/list"))
+    }
+
+    @Test
+    @DisplayName("일반 사용자 권한이면 메뉴 조회에 접근할 수 없다")
+    fun shouldRejectUserRole() {
+        val member = createMember(role = MemberRole.USER)
+
+        mockMvc.perform(
+            get("/menu")
+                .with(user(MemberAdapter(member)))
+        )
+            .andExpect(status().isOk)
+            .andExpect(jsonPath("$.success").value(false))
+    }
+
+    @Test
+    @DisplayName("익명 사용자는 메뉴 조회에 접근할 수 없다")
+    fun shouldRejectAnonymousUser() {
+        mockMvc.perform(
+            get("/menu")
+                .with(anonymous())
+        )
+            .andExpect(status().isUnauthorized)
+    }
+
+    private fun createMember(role: MemberRole): Member {
+        return Member(
+            email = "${role.name.lowercase()}@test.com",
+            password = "password",
+            nickname = role.name.lowercase(),
+            role = role
+        ).apply {
+            id = role.ordinal.toLong() + 1
+        }
+    }
+}