Fix: 비공개일 경우 조회 안되게 수정

stoneTiger0912 · stoneTiger0912 · commit 549feb93eb32 · 2026-03-19T14:58:02.000+09:00
diff --git a/src/cardset/application/cardset.use-case.ts b/src/cardset/application/cardset.use-case.ts
@@ -603,7 +603,17 @@ export class CardsetUseCase {
 
   async findCardsFromYjs(
     cardSetId: number,
+    userId: number,
   ): Promise<{ id: string; question: string; answer: string }[]> {
+    const cardset = await this.cardsetRepository.findById(cardSetId);
+    if (!cardset) throw new BusinessException(ErrorCode.CARDSET_NOT_FOUND);
+    if (cardset.visibility !== Visibility.PUBLIC) {
+      const inGroup =
+        !isNaN(userId) &&
+        (await this.groupGrpcClient.isUserInGroup(cardset.groupId, userId));
+      if (!inGroup)
+        throw new BusinessException(ErrorCode.CARDSET_ACCESS_DENIED);
+    }
     const cards = await this.collaborationUseCase.getCardsFromDB(cardSetId);
     this.logger.log(`[cardset:${cardSetId}] cards: ${JSON.stringify(cards)}`);
     return cards;
diff --git a/src/cardset/infrastructure/http/cardset.controller.ts b/src/cardset/infrastructure/http/cardset.controller.ts
@@ -188,6 +188,7 @@ export class CardsetController {
   ): Promise<ApiResponse<YjsCardResponse[]>> {
     const cards = await this.cardsetUseCase.findCardsFromYjs(
       parseInt(cardsetId),
+      parseInt(_userId),
     );
     return ApiResponse.success(cards.map((c) => YjsCardResponse.from(c)));
   }

Original file line number	Diff line number	Diff line change
`@@ -188,6 +188,7 @@ export class CardsetController {`
`188`	`188`	`): Promise<ApiResponse<YjsCardResponse[]>> {`
`189`	`189`	`const cards = await this.cardsetUseCase.findCardsFromYjs(`
`190`	`190`	`parseInt(cardsetId),`
	`191`	`+ parseInt(_userId),`
`191`	`192`	`);`
`192`	`193`	`return ApiResponse.success(cards.map((c) => YjsCardResponse.from(c)));`
`193`	`194`	`}`