Skip to content

fix(#396): 캠페인 제안 상세 조회에 제품 이름 추가 #397

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
ParkJiYeoung8297 merged 2 commits into from
Feb 19, 2026
Merged

fix(#396): 캠페인 제안 상세 조회에 제품 이름 추가 #397

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
4afad86
fix(#396): 캠페인 제안 상세 조회에 제품 이름 추가
ParkJiYeoung8297 Feb 19, 2026
2086223
chore: 제미나이 피드백에 따라 코드 간결화
ParkJiYeoung8297 Feb 19, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions ...n/java/com/example/RealMatch/brand/domain/repository/BrandAvailableSponsorRepository.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
package com.example.RealMatch.brand.domain.repository;

import java.util.List;
import java.util.Optional;

import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.data.jpa.repository.Query;
Expand All @@ -14,4 +15,6 @@ public interface BrandAvailableSponsorRepository extends JpaRepository<BrandAvai

@Query("SELECT s FROM BrandAvailableSponsor s LEFT JOIN FETCH s.images WHERE s.brand.id = :brandId")
List<BrandAvailableSponsor> findByBrandIdWithImages(@Param("brandId") Long brandId);

Optional<BrandAvailableSponsor> findByBrandIdAndId(Long brandId, Long id);
}
14 changes: 13 additions & 1 deletion ...java/com/example/RealMatch/business/application/service/CampaignProposalQueryService.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,8 +1,12 @@
package com.example.RealMatch.business.application.service;

import java.util.Optional;

import org.springframework.stereotype.Service;
import org.springframework.transaction.annotation.Transactional;

import com.example.RealMatch.brand.domain.entity.BrandAvailableSponsor;
import com.example.RealMatch.brand.domain.repository.BrandAvailableSponsorRepository;
import com.example.RealMatch.business.domain.entity.CampaignProposal;
import com.example.RealMatch.business.domain.repository.CampaignProposalRepository;
import com.example.RealMatch.business.exception.BusinessErrorCode;
Expand All @@ -17,14 +21,22 @@
public class CampaignProposalQueryService {

private final CampaignProposalRepository campaignProposalRepository;
private final BrandAvailableSponsorRepository brandAvailableSponsorRepository;

public CampaignProposalDetailResponse getProposalDetail(
Long userId,
Long proposalId
) {
CampaignProposal proposal = campaignProposalRepository.findByIdWithTags(proposalId)
.orElseThrow(() -> new CustomException(BusinessErrorCode.CAMPAIGN_PROPOSAL_NOT_FOUND));
Comment on lines 30 to 31
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The getProposalDetail method takes a userId and a proposalId but fails to verify if the user is authorized to access the proposal. An attacker could potentially view any campaign proposal by providing its ID. The code even contains a TODO comment acknowledging the missing authorization check. Implement an authorization check to ensure the userId matches either the senderUserId or receiverUserId of the proposal (or has appropriate administrative privileges).

Suggested change
CampaignProposal proposal = campaignProposalRepository.findByIdWithTags(proposalId)
.orElseThrow(() -> new CustomException(BusinessErrorCode.CAMPAIGN_PROPOSAL_NOT_FOUND));
CampaignProposal proposal = campaignProposalRepository.findByIdWithTags(proposalId)
.orElseThrow(() -> new CustomException(BusinessErrorCode.CAMPAIGN_PROPOSAL_NOT_FOUND));
if (!proposal.getSenderUserId().equals(userId) && !proposal.getReceiverUserId().equals(userId)) {
throw new CustomException(BusinessErrorCode.CAMPAIGN_PROPOSAL_FORBIDDEN);
}

Copy link
Contributor Author

@ParkJiYeoung8297 ParkJiYeoung8297 Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

추후 권한 확인 로직 추가 예정 (데모데이 이후)


// TODO: 데모데이 이후에 해당 제품이 없으면 에러 던지는 방향으로 수정 필요!! + 조회 권한 로직 추가 필요(본인만 조회 가능)
String productName = Optional.ofNullable(proposal.getProductId())
.flatMap(productId -> brandAvailableSponsorRepository
.findByBrandIdAndId(proposal.getBrand().getId(), productId))
.map(BrandAvailableSponsor::getName)
.orElse(null);

return CampaignProposalDetailResponse.from(proposal);
return CampaignProposalDetailResponse.from(proposal, productName);
Comment on lines +33 to +40
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

The getProposalDetail method currently lacks an authorization check, leading to an Insecure Direct Object Reference (IDOR) vulnerability. The userId parameter is passed but unused, allowing unauthorized access to campaign proposal details. It is critical to verify that the userId matches either the senderUserId or receiverUserId of the proposal before returning the response. Additionally, please add a comment to clarify why Optional.ofNullable is used for the productId field in the CampaignProposal entity, given that productId is marked as nullable=false.

        if (!proposal.getSenderUserId().equals(userId) && !proposal.getReceiverUserId().equals(userId)) {
            throw new CustomException(BusinessErrorCode.CAMPAIGN_PROPOSAL_USER_MISMATCH);
        }

        String productName = Optional.ofNullable(proposal.getProductId())
                .flatMap(productId -> brandAvailableSponsorRepository
                        .findByBrandIdAndId(proposal.getBrand().getId(), productId))
                .map(BrandAvailableSponsor::getName)
                .orElse(null);

        return CampaignProposalDetailResponse.from(proposal, productName);

}
}
4 changes: 3 additions & 1 deletion .../example/RealMatch/business/presentation/dto/response/CampaignProposalDetailResponse.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,7 @@ public class CampaignProposalDetailResponse {

private Long rewardAmount;
private Long productId;
private String productName;

private LocalDate startDate;
private LocalDate endDate;
Expand All @@ -36,7 +37,7 @@ public class CampaignProposalDetailResponse {

private CampaignContentTagResponse contentTags;

public static CampaignProposalDetailResponse from(CampaignProposal proposal) {
public static CampaignProposalDetailResponse from(CampaignProposal proposal, String productName) {
Campaign campaign = proposal.getCampaign();

return CampaignProposalDetailResponse.builder()
Expand All @@ -49,6 +50,7 @@ public static CampaignProposalDetailResponse from(CampaignProposal proposal) {
.description(proposal.getCampaignDescription())
.rewardAmount(Long.valueOf(proposal.getRewardAmount()))
.productId(proposal.getProductId())
.productName(productName)
.startDate(proposal.getStartDate())
.endDate(proposal.getEndDate())
.status(proposal.getStatus().name())
Expand Down