feat: 유저 본인이 아니면 유저 정보를 가져올 수 없도록 권한 부여 #158

boostcampwm-2024 · Nov 20, 2024 · 7ec0da8 · 7ec0da8
1 parent 9793638
commit 7ec0da8
Show file tree

Hide file tree

Showing 4 changed files with 36 additions and 2 deletions.
diff --git a/backend/src/course/exception/CoursePermissionException.ts b/backend/src/course/exception/CoursePermissionException.ts
@@ -1,4 +1,4 @@
-import { BaseException } from '../../common/exception/BaseException';
+import { BaseException } from '@src/common/exception/BaseException';
 import { HttpStatus } from '@nestjs/common';
 
 export class CoursePermissionException extends BaseException {

diff --git a/backend/src/user/exception/UserPermissionException.ts b/backend/src/user/exception/UserPermissionException.ts
@@ -0,0 +1,11 @@
+import { BaseException } from '@src/common/exception/BaseException';
+
+export class UserPermissionException extends BaseException {
+  constructor(id: number) {
+    super({
+      code: 2001,
+      message: `id:${id} 유저에 대한 권한이 없습니다.`,
+      status: 403,
+    });
+  }
+}
diff --git a/backend/src/user/guards/UserPermissionGuard.ts b/backend/src/user/guards/UserPermissionGuard.ts
@@ -0,0 +1,20 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { UserService } from '@src/user/user.service';
+import { UserPermissionException } from '@src/user/exception/UserPermissionException';
+
+@Injectable()
+export class UserPermissionGuard implements CanActivate {
+  constructor(private readonly userService: UserService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const userId = Number(request.params.id);
+    const requesterId = Number(request.user.userId);
+
+    const user = await this.userService.getUserInfo(userId);
+    if (user.id !== requesterId) {
+      throw new UserPermissionException(userId);
+    }
+    return true;
+  }
+}
diff --git a/backend/src/user/user.controller.ts b/backend/src/user/user.controller.ts
@@ -1,11 +1,14 @@
-import { Controller, Get, Param } from '@nestjs/common';
+import { Controller, Get, Param, UseGuards } from '@nestjs/common';
 import { UserService } from './user.service';
+import { JwtAuthGuard } from '@src/auth/JwtAuthGuard';
+import { UserPermissionGuard } from '@src/user/guards/UserPermissionGuard';
 
 @Controller('users')
 export class UserController {
   constructor(private readonly userService: UserService) {}
 
   @Get('/:id')
+  @UseGuards(JwtAuthGuard, UserPermissionGuard)
   async getUserInfo(@Param('id') id: number) {
     return await this.userService.getUserInfo(id);
   }