Merge pull request #164 from SSambee/chore/casl

chore/casl   orphan s3, upload etc

Author: rklpoi5678

package.json

@@ -37,6 +37,8 @@
     "@aws-sdk/client-ssm": "^3.988.0",
     "@aws-sdk/cloudfront-signer": "^3.988.0",
     "@aws-sdk/s3-request-presigner": "^3.984.0",
+    "@casl/ability": "^6.8.0",
+    "@casl/prisma": "^1.6.1",
     "@prisma/adapter-pg": "^7.2.0",
     "@prisma/client": "^7.2.0",
     "@sentry/node": "^10.38.0",

pnpm-lock.yaml

@@ -0,0 +1,6 @@
+import type { PureAbility } from '@casl/ability';
+import type { PrismaQuery } from '@casl/prisma';
+import type { Action } from './actions.js';
+import type { AppSubjects } from './subjects.js';
+
+export type AppAbility = PureAbility<[Action, AppSubjects], PrismaQuery>;

src/casl/ability.types.ts

@@ -0,0 +1,11 @@
+export const Action = {
+  Create: 'create',
+  Read: 'read',
+  Update: 'update',
+  Delete: 'delete',
+  UpdateStatus: 'updateStatus',
+  List: 'list',
+  Manage: 'manage',
+} as const;
+
+export type Action = (typeof Action)[keyof typeof Action];

src/casl/actions.ts

@@ -0,0 +1,148 @@
+import { subject } from '@casl/ability';
+import { defineStudentPostAbility } from './student-post.ability.js';
+import { Action } from './actions.js';
+import { UserType } from '../constants/auth.constant.js';
+import { AuthorRole } from '../constants/posts.constant.js';
+
+describe('StudentPost Ability', () => {
+  describe('STUDENT 역할', () => {
+    const ability = defineStudentPostAbility({
+      userType: UserType.STUDENT,
+      profileId: 'student-1',
+      enrollmentIds: ['enrollment-1', 'enrollment-2'],
+    });
+
+    it('자기 enrollment의 STUDENT 글을 읽을 수 있다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(true);
+    });
+
+    it('타인 enrollment의 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'other-enrollment',
+        authorRole: AuthorRole.STUDENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+
+    it('PARENT가 작성한 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.PARENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+
+    it('글을 삭제할 수 있다 (자기 enrollment)', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Delete, post)).toBe(true);
+    });
+  });
+
+  describe('INSTRUCTOR 역할', () => {
+    const ability = defineStudentPostAbility({
+      userType: UserType.INSTRUCTOR,
+      profileId: 'inst-1',
+      effectiveInstructorId: 'inst-1',
+    });
+
+    it('담당 학생의 글을 읽을 수 있다', () => {
+      const post = subject('StudentPost', {
+        instructorId: 'inst-1',
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(true);
+    });
+
+    it('글을 수정/삭제할 수 없다', () => {
+      const post = subject('StudentPost', {
+        instructorId: 'inst-1',
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Update, post)).toBe(false);
+      expect(ability.can(Action.Delete, post)).toBe(false);
+    });
+
+    it('타 강사 담당 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        instructorId: 'other-inst',
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+  });
+
+  describe('ASSISTANT 역할', () => {
+    const ability = defineStudentPostAbility({
+      userType: UserType.ASSISTANT,
+      profileId: 'assi-1',
+      effectiveInstructorId: 'inst-1', // 조교가 담당하는 강사 ID
+    });
+
+    it('담당 강사의 글을 읽을 수 있다', () => {
+      const post = subject('StudentPost', {
+        instructorId: 'inst-1',
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(true);
+    });
+
+    it('타 강사 담당 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        instructorId: 'other-inst',
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+  });
+
+  describe('PARENT 역할', () => {
+    const ability = defineStudentPostAbility({
+      userType: UserType.PARENT,
+      profileId: 'parent-1',
+      parentEnrollmentIds: ['enrollment-1'],
+    });
+
+    it('자녀 enrollment의 PARENT 글을 읽을 수 있다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.PARENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(true);
+    });
+
+    it('자녀 enrollment의 STUDENT 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'enrollment-1',
+        authorRole: AuthorRole.STUDENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+
+    it('타인 자녀 enrollment의 글은 읽을 수 없다', () => {
+      const post = subject('StudentPost', {
+        enrollmentId: 'other-enrollment',
+        authorRole: AuthorRole.PARENT,
+        instructorId: 'inst-1',
+      } as Record<string, unknown>);
+      expect(ability.can(Action.Read, post)).toBe(false);
+    });
+  });
+});

src/casl/student-post.ability.test.ts

@@ -0,0 +1,72 @@
+import { AbilityBuilder } from '@casl/ability';
+import { createPrismaAbility } from '@casl/prisma';
+import { Action as A } from './actions.js';
+import type { UserType } from '../constants/auth.constant.js';
+import { UserType as UT } from '../constants/auth.constant.js';
+import { AuthorRole } from '../constants/posts.constant.js';
+import type { AppAbility } from './ability.types.js';
+
+export interface AbilityContext {
+  userType: UserType;
+  profileId: string;
+  enrollmentIds?: string[];
+  effectiveInstructorId?: string;
+  parentEnrollmentIds?: string[];
+}
+
+export function defineStudentPostAbility(ctx: AbilityContext): AppAbility {
+  const { can, build } = new AbilityBuilder<AppAbility>(createPrismaAbility);
+
+  switch (ctx.userType) {
+    case UT.STUDENT: {
+      const condition = {
+        enrollmentId: { in: ctx.enrollmentIds ?? [] },
+        authorRole: AuthorRole.STUDENT,
+      };
+      can(A.Create, 'StudentPost', condition);
+      can(A.Read, 'StudentPost', condition);
+      can(A.Update, 'StudentPost', condition);
+      can(A.Delete, 'StudentPost', condition);
+      can(A.UpdateStatus, 'StudentPost', condition);
+      can(A.List, 'StudentPost', condition);
+      break;
+    }
+
+    case UT.INSTRUCTOR: {
+      if (!ctx.effectiveInstructorId) {
+        // Retrun empty ability - no permissions granted
+        break;
+      }
+      const condition = { instructorId: ctx.effectiveInstructorId };
+      can(A.Read, 'StudentPost', condition);
+      can(A.List, 'StudentPost', condition);
+      break;
+    }
+
+    case UT.ASSISTANT: {
+      if (!ctx.effectiveInstructorId) {
+        break;
+      }
+      const condition = { instructorId: ctx.effectiveInstructorId };
+      can(A.Read, 'StudentPost', condition);
+      can(A.List, 'StudentPost', condition);
+      break;
+    }
+
+    case UT.PARENT: {
+      const condition = {
+        enrollmentId: { in: ctx.parentEnrollmentIds ?? [] },
+        authorRole: AuthorRole.PARENT,
+      };
+      can(A.Create, 'StudentPost', condition);
+      can(A.Read, 'StudentPost', condition);
+      can(A.Update, 'StudentPost', condition);
+      can(A.Delete, 'StudentPost', condition);
+      can(A.UpdateStatus, 'StudentPost', condition);
+      can(A.List, 'StudentPost', condition);
+      break;
+    }
+  }
+
+  return build();
+}

src/casl/student-post.ability.ts

@@ -0,0 +1,8 @@
+import type { StudentPost } from '../generated/prisma/client.js';
+import type { Subjects as PrismaSubjects } from '@casl/prisma';
+
+export type AppSubjects =
+  | PrismaSubjects<{
+      StudentPost: StudentPost;
+    }>
+  | 'all';

src/casl/subjects.ts

@@ -92,7 +92,6 @@ import { AssignmentCategoryController } from '../controllers/assignment-categori
 
 import { SchedulesService } from '../services/schedules.service.js';
 import { SchedulesController } from '../controllers/schedules.controller.js';
-import { UploadsController } from '../controllers/uploads.controller.js';
 
 import { DashboardRepository } from '../repos/dashboard.repo.js';
 import { DashboardService } from '../services/dashboard.service.js';
@@ -391,7 +390,6 @@ const instructorPostsController = new InstructorPostsController(
 );
 const studentPostsController = new StudentPostsController(studentPostsService);
 const commentsController = new CommentsController(commentsService);
-const uploadsController = new UploadsController(fileStorageService);
 const dashboardController = new DashboardController(dashboardService);
 
 // 4. Create Middlewares (Inject Services)
@@ -458,7 +456,6 @@ export const container = {
   assignmentsController,
   assignmentResultsController,
   dashboardController,
-  uploadsController,
   profileController: new ProfileController(profileService),
   // Middlewares
   requireAuth,