feat(be): implement polygon collaborator api#3522
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a new collaborator management system for polygon problems, including GraphQL resolvers and service methods for inviting, approving, rejecting, updating roles, and removing collaborators. The review identified potential security and logic issues: the Owner role should not be assignable via the API to prevent privilege escalation, and the getCollaboratorsByStatus method requires access control to prevent unauthorized users from viewing collaborator lists.
| polygonId: number, | ||
| input: CollaboratorInput | ||
| ) { | ||
| const { userEmail, role } = input |
There was a problem hiding this comment.
The Owner role should not be assignable via the collaborator API, as ownership is strictly tied to the createdById field in the PolygonProblem table. Allowing a collaborator to have the Owner role could lead to logical inconsistencies or unintended privilege escalation. Consider validating that the requested role is either Editor or Viewer.
const { userEmail, role } = input
if (role === CollaboratorRole.Owner) {
throw new UnprocessableDataException('Cannot assign Owner role')
}| async getCollaboratorsByStatus( | ||
| polygonId: number, | ||
| status: CollaboratorStatus | ||
| ) { |
There was a problem hiding this comment.
The getCollaboratorsByStatus method lacks a permission check, which may allow any authenticated user to view the collaborators of any problem. Additionally, it should verify the existence of the problem to maintain consistency with other methods. It is recommended to restrict access to the problem owner or active collaborators.
| polygonId: number, | ||
| input: CollaboratorUpdateInput | ||
| ) { | ||
| const { userId, role } = input |
There was a problem hiding this comment.
As with the invitation logic, updating a collaborator's role to Owner should be prohibited to maintain logical consistency with the problem's createdById ownership model.
const { userId, role } = input
if (role === CollaboratorRole.Owner) {
throw new UnprocessableDataException('Cannot assign Owner role')
}1 participant
Description
문제 생성시 협업자를 관리하는 API를 구현하였습니다.
<구현 기능>
inviteCollaborator
-협업자 초대는 해당 문제의 소유자, active editor 인 경우에만 가능
-소유자가 초대시 active, active editor가 초대시 pending
getActive/PendingCollaborator
-협업자 목록 반환, 요청 대기자 목록 반환
approve/rejectInvite
-요청에 대한 수락 여부 -> 해당 문제 소유자만 가능
updateCollaboratorRole
-협업자의 role 변경 -> 해당 문제 소유자만 가능
removeCollaborator
-협업자 제거 -> 해당 문제 소유자만 가능
Additional context
Before submitting the PR, please make sure you do the following
fixes #123).