MOSU-150 feat: Remove fields that do not change when editing a Profile #153

Merged: wlgns12370 merged 3 commits into develop from feature/mosu-150 (Jul 27, 2025)

@wlgns12370 wlgns12370 commented Jul 27, 2025

✨ Implemented features

  • Remove fields that do not change when editing a Profile
  • Set the propagation type to Propagation.REQUIRES_NEW

📢 Points to discuss

  • x

🎸 Other

  • x

Summary by CodeRabbit

  • New Features

    • Enhanced error messages for validation, authentication, and access errors, now provided in Korean for improved user clarity.
    • Added clearer feedback for JSON parsing errors during requests.
  • Bug Fixes

    • User profile editing now only updates relevant fields (email, education, school info, grade); name, gender, birthdate, and phone number are no longer modifiable through profile edits.
  • Refactor

    • Updated naming conventions for user roles and login response fields for consistency.
    • Simplified profile editing requests by removing unused fields.
    • Improved security role hierarchy for more precise permission management.
  • Tests

    • Updated tests to reflect changes in login response field names.

@wlgns12370 wlgns12370 linked an issue Jul 27, 2025 that may be closed by this pull request

coderabbitai bot commented Jul 27, 2025

Walkthrough

This update introduces a role hierarchy to the security configuration, improves exception handling with localized messages and logging, and refines several DTOs and domain entities by removing or renaming fields. It also applies transactional behavior to a failure handler, updates enum constants, and aligns related tests and usages with these changes.

Changes

| File(s) | Change Summary |
|---|---|
| .../application/auth/kmc/tx/KmcTxFailureHandler.java | Added @Transactional(propagation = Propagation.REQUIRES_NEW) to handle method. |
| .../domain/profile/ProfileJpaEntity.java | edit method no longer updates userName, gender, birth, phoneNumber. |
| .../domain/user/UserRole.java | Renamed enum constant PENDING to ROLE_PENDING. |
| .../global/config/SecurityConfig.java | Added role hierarchy and method security beans; enabled .cors(Customizer.withDefaults()). |
| .../global/exception/GlobalExceptionHandler.java | Added @Slf4j, improved error messages (localized), added handler for JSON parse errors. |
| .../presentation/auth/dto/LoginResponse.java | Renamed field oauthUser to userInfo in record and JSON output. |
| .../presentation/auth/dto/SignUpAccountRequest.java | Changed assigned role from UserRole.PENDING to UserRole.ROLE_PENDING. |
| .../presentation/profile/ProfileController.java | Removed final from userId params; deleted logging statements for userId. |
| .../presentation/profile/dto/EditProfileRequest.java | Removed fields: userName, birth, gender, phoneNumber; removed validation logic/method. |
| .../presentation/auth/dto/LoginResponseTest.java | Updated assertions to use userInfo() instead of oauthUser(). |

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant ProfileController
    participant ProfileJpaEntity

    Client->>ProfileController: update(userId, EditProfileRequest)
    ProfileController->>ProfileJpaEntity: edit(EditProfileRequest)
    Note right of ProfileJpaEntity: Only updates email, education, schoolInfo, grade
    ProfileJpaEntity-->>ProfileController: void
    ProfileController-->>Client: ApiResponseWrapper<Void>
sequenceDiagram
    participant SecurityConfig
    participant SpringSecurity
    participant Application

    SecurityConfig->>SpringSecurity: Define RoleHierarchy (ADMIN > USER > ROLE_PENDING)
    SecurityConfig->>SpringSecurity: Provide MethodSecurityExpressionHandler
    Application->>SpringSecurity: Method-level security checks
    SpringSecurity-->>Application: Enforce role hierarchy
sequenceDiagram
    participant Client
    participant GlobalExceptionHandler

    Client->>GlobalExceptionHandler: Malformed JSON request
    GlobalExceptionHandler-->>Client: 409 Conflict, message in Korean

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

Suggested labels

우선순위 중 (Priority: Medium)

Poem

A bunny hops through fields of code,
Refactoring names, lightening the load.
Roles now stack in tidy rows,
Errors speak in words we know.
With DTOs trimmed and tests aligned,
This patch brings peace of mind!
🐇✨


@gemini-code-assist gemini-code-assist bot left a comment

Summary of Changes

Hello @wlgns12370, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request primarily focuses on refining the user profile update mechanism by restricting editable fields and enhancing transactional integrity for specific failure handling. It also significantly improves the application's robustness by implementing a comprehensive global exception handling strategy with more informative error messages. Furthermore, it introduces Spring Security role hierarchies for more granular access control and includes minor refactorings for DTO clarity and enum consistency.

Highlights

  • Profile Update Streamlining: The ProfileJpaEntity.edit method and EditProfileRequest DTO have been updated to remove fields (username, gender, birth, phone number) that are not intended to be modified through the profile edit functionality, focusing the edit operation on email, education, and schoolInfo.
  • Transactional Isolation for KMC Failure Handling: The KmcTxFailureHandler's handle method now explicitly uses Propagation.REQUIRES_NEW, ensuring that transaction failure handling logic executes in its own independent transaction, preventing rollback issues from the main transaction.
  • Spring Security Role Hierarchy Configuration: Spring Security has been configured to support role hierarchies, establishing a clear permission structure where ROLE_ADMIN implicitly inherits ROLE_USER permissions, and ROLE_USER inherits PENDING permissions, simplifying access control management.
  • Enhanced Global Exception Handling: The GlobalExceptionHandler has been improved to provide more detailed and user-friendly error responses for various exceptions, including MethodArgumentNotValidException, IllegalArgumentException, EntityNotFoundException, AuthenticationException, AccessDeniedException, and a new handler for HttpMessageNotReadableException for better JSON parsing error feedback.
  • DTO and Enum Refactoring: The LoginResponse DTO's oauthUser field was renamed to userInfo for better clarity, and the UserRole enum value PENDING was consistently renamed to ROLE_PENDING across the codebase.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request refactors the profile editing functionality by removing fields that should not be modified and enhances security by setting up a role hierarchy. It also adds a new transaction propagation setting for a failure handler.

The review identified a few issues:

  • A critical configuration error in SecurityConfig where an incorrect role name is used in the role hierarchy, which will prevent it from working as intended.
  • A few medium severity issues in GlobalExceptionHandler related to inconsistent error response structures and the use of a non-standard HTTP status code for a specific exception type.

Addressing these points will improve the correctness and consistency of the application.

@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING");

critical

The role hierarchy definition uses PENDING, but the UserRole enum was updated in this pull request to use ROLE_PENDING. This inconsistency will cause the role hierarchy to not function as expected for users with the pending role, as Spring Security will not recognize the relationship.

To ensure the hierarchy works correctly, update the string to use the correct ROLE_PENDING name.

Suggested change
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING");
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > ROLE_PENDING");

Comment on lines +53 to 54
response.put("errors", "잘못된 요청입니다.");
response.put("message", ex.getMessage());

medium

In this handler, the user-friendly message ("잘못된 요청입니다.") is assigned to the errors field, while the technical detail from the exception is in the message field. In other handlers (like handleEntityNotFoundException), this is reversed. The content of these fields should be consistent across all handlers.

To improve consistency, swap the values assigned here to align with the pattern used in other handlers.

Suggested change
response.put("errors", "잘못된 요청입니다.");
response.put("message", ex.getMessage());
response.put("message", ex.getMessage());
response.put("errors", "잘못된 요청입니다.");

Comment on lines +111 to +120
@ExceptionHandler(HttpMessageNotReadableException.class)
public ResponseEntity<Map<String, Object>> handleHttpMessageNotReadableException(
HttpMessageNotReadableException ex) {
Map<String, Object> response = new LinkedHashMap<>();
response.put("status", HttpStatus.CONFLICT.value());
response.put("message", "필드명 또는 데이터 타입이 일치하지 않습니다.");
response.put("errors", ex.getMessage());

return ResponseEntity.status(HttpStatus.CONFLICT).body(response);
}

medium

The Javadoc at the top says @return 409 Bad Request, which is a contradiction. It should be either "409 Conflict" or "400 Bad Request".
HttpStatus.CONFLICT (409) is returned for an HttpMessageNotReadableException. This exception is typically thrown for client-side errors like malformed JSON. The more conventional and semantically appropriate HTTP status for such errors is HttpStatus.BAD_REQUEST (400). Aligning with this standard will make your API more predictable for developers.

Change the status code to BAD_REQUEST and correct the Javadoc.

    /**
     * @return 400 Bad Request
     * @RequestBody JSON parsing failure (field name mismatch, data type mismatch, malformed JSON, etc.)
     */
    @ExceptionHandler(HttpMessageNotReadableException.class)
    public ResponseEntity<Map<String, Object>> handleHttpMessageNotReadableException(
            HttpMessageNotReadableException ex) {
        Map<String, Object> response = new LinkedHashMap<>();
        response.put("status", HttpStatus.BAD_REQUEST.value());
        response.put("message", "필드명 또는 데이터 타입이 일치하지 않습니다.");
        response.put("errors", ex.getMessage());

        return ResponseEntity.status(HttpStatus.BAD_REQUEST).body(response);
    }

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (2)
src/main/java/life/mosu/mosuserver/global/exception/GlobalExceptionHandler.java (2)

6-6: Good addition of logging capability.

Adding @Slf4j enables proper logging for exception handling, which is a best practice for monitoring and debugging.

Consider replacing the System.out.println on line 124 with proper logging:

-        System.out.println("Exception: " + ex.getMessage());
+        log.error("Unhandled exception occurred", ex);

Also applies to: 16-16


85-85: Good localization with minor grammar correction needed.

The Korean authentication message is excellent. However, the authorization message has a minor grammar issue.

Fix the Korean grammar in the authorization message:

-        response.put("message", "인가를 실패 했습니다");
+        response.put("message", "인가에 실패했습니다");

Also applies to: 101-101

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fed722f and 87f8909.

📒 Files selected for processing (10)
  • src/main/java/life/mosu/mosuserver/application/auth/kmc/tx/KmcTxFailureHandler.java (2 hunks)
  • src/main/java/life/mosu/mosuserver/domain/profile/ProfileJpaEntity.java (0 hunks)
  • src/main/java/life/mosu/mosuserver/domain/user/UserRole.java (1 hunks)
  • src/main/java/life/mosu/mosuserver/global/config/SecurityConfig.java (2 hunks)
  • src/main/java/life/mosu/mosuserver/global/exception/GlobalExceptionHandler.java (6 hunks)
  • src/main/java/life/mosu/mosuserver/presentation/auth/dto/LoginResponse.java (1 hunks)
  • src/main/java/life/mosu/mosuserver/presentation/auth/dto/SignUpAccountRequest.java (1 hunks)
  • src/main/java/life/mosu/mosuserver/presentation/profile/ProfileController.java (1 hunks)
  • src/main/java/life/mosu/mosuserver/presentation/profile/dto/EditProfileRequest.java (0 hunks)
  • src/test/java/life/mosu/mosuserver/presentation/auth/dto/LoginResponseTest.java (4 hunks)
💤 Files with no reviewable changes (2)
  • src/main/java/life/mosu/mosuserver/domain/profile/ProfileJpaEntity.java
  • src/main/java/life/mosu/mosuserver/presentation/profile/dto/EditProfileRequest.java
🔇 Additional comments (10)
src/main/java/life/mosu/mosuserver/presentation/profile/ProfileController.java (1)

33-33: LGTM: Parameter modifier changes are harmless

Removing the final modifier from method parameters is a minor change that doesn't affect functionality. Method parameters are effectively final when not reassigned, so this change likely improves code consistency or addresses linting recommendations.

Also applies to: 43-43, 53-53

src/main/java/life/mosu/mosuserver/domain/user/UserRole.java (1)

4-4: ROLE_PENDING Rename Verified – No Remaining Code References

The grep search returned no occurrences of UserRole.PENDING or "PENDING" in the Java source files, confirming that the rename to ROLE_PENDING has been applied consistently in code.

Please also verify that:

  • Configuration files (e.g., application.yml/.properties) don’t reference the old PENDING role
  • Test suites, SQL/data scripts, and any external integrations are updated to use ROLE_PENDING instead of PENDING
src/main/java/life/mosu/mosuserver/presentation/auth/dto/SignUpAccountRequest.java (1)

38-38: LGTM: Consistent with UserRole enum update

The update to use UserRole.ROLE_PENDING is consistent with the enum constant rename and maintains the same functional behavior for new user registration.

src/test/java/life/mosu/mosuserver/presentation/auth/dto/LoginResponseTest.java (1)

80-80: LGTM: Test updates align with DTO field rename

The test assertions have been correctly updated to use userInfo() instead of oauthUser(), maintaining the same test logic while reflecting the field rename in the LoginResponse DTO. Test coverage and validation remain intact.

Also applies to: 102-102, 121-121, 135-135

src/main/java/life/mosu/mosuserver/application/auth/kmc/tx/KmcTxFailureHandler.java (1)

8-9: Excellent: Proper transaction isolation for failure handling

Adding @Transactional(propagation = Propagation.REQUIRES_NEW) is the correct approach for failure handlers. This ensures:

  1. The failure handler executes in a completely new transaction, isolated from the original
  2. Any persistence operations in the handler won't be affected by the original transaction's rollback
  3. Proper separation of concerns between business logic and failure handling

This aligns perfectly with the PR objective of setting the propagation type to REQUIRES_NEW.

Also applies to: 18-18

src/main/java/life/mosu/mosuserver/presentation/auth/dto/LoginResponse.java (1)

10-10: Approve rename; ensure external API compatibility

  • Renamed oauthUser → userInfo in LoginResponse and updated all related factory methods.
  • Confirmed no internal references to the old property name remain (grep across code and tests).
  • Tests now use response.userInfo() and pass with Jackson’s @JsonInclude(Include.NON_NULL) intact.

Please manually verify that any external API consumers (e.g., frontend apps or third-party clients) are updated to expect the JSON field "userInfo" instead of "oauthUser".

src/main/java/life/mosu/mosuserver/global/config/SecurityConfig.java (1)

68-74: Excellent implementation of method security with role hierarchy.

The MethodSecurityExpressionHandler bean is properly configured to use the role hierarchy, enabling method-level security annotations to respect role inheritance.

src/main/java/life/mosu/mosuserver/global/exception/GlobalExceptionHandler.java (3)

37-37: Improved user experience with localized validation message.

The Korean message "유효성 검사에 실패했습니다." provides clear feedback to users about validation failures.


53-54: Consistent localized error messaging.

The Korean message "잘못된 요청입니다." provides consistent user experience while preserving the technical exception message for debugging.


69-70: Consistent error response structure.

The Korean message "요청한 리소스가 존재하지 않습니다." with technical details in the errors field maintains consistency with other exception handlers.

Comment on lines +61 to +66
@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING");
return hierarchy;
}

⚠️ Potential issue

Fix role hierarchy inconsistency.

The role hierarchy defines "PENDING" but according to the AI summary, this should be "ROLE_PENDING" to maintain consistency with the enum constant renaming mentioned in the PR.

-        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING");
+        hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > ROLE_PENDING");
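Review bot: on the + line the role names are still bare string literals, so the hierarchy and the UserRole enum can drift apart again the next time a constant is renamed, which is how PENDING was left behind here. Build the string from the enum (for example with UserRole.ROLE_PENDING.name()) or add a test asserting that every name in the hierarchy string is a UserRole constant.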
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING");
return hierarchy;
}
@Bean
public RoleHierarchy roleHierarchy() {
RoleHierarchyImpl hierarchy = new RoleHierarchyImpl();
hierarchy.setHierarchy("ROLE_ADMIN > ROLE_USER \n ROLE_USER > ROLE_PENDING");
return hierarchy;
}
🤖 Prompt for AI Agents
In src/main/java/life/mosu/mosuserver/global/config/SecurityConfig.java around
lines 61 to 66, the role hierarchy string uses "PENDING" instead of the
consistent enum naming "ROLE_PENDING". Update the hierarchy string to replace
"PENDING" with "ROLE_PENDING" to align with the enum constant naming convention.

Comment on lines +107 to +120
/**
* @return 409 Bad Request
* @RequestBody JSON 파싱 실패 (필드명 불일치, 데이터 타입 불일치, JSON 형식 오류 등)
*/
@ExceptionHandler(HttpMessageNotReadableException.class)
public ResponseEntity<Map<String, Object>> handleHttpMessageNotReadableException(
HttpMessageNotReadableException ex) {
Map<String, Object> response = new LinkedHashMap<>();
response.put("status", HttpStatus.CONFLICT.value());
response.put("message", "필드명 또는 데이터 타입이 일치하지 않습니다.");
response.put("errors", ex.getMessage());

return ResponseEntity.status(HttpStatus.CONFLICT).body(response);
}

🛠️ Refactor suggestion

Useful addition but consider using HTTP 400 status.

The new handler for JSON parsing errors fills an important gap in error handling coverage. However, HTTP 409 Conflict is typically reserved for resource state conflicts rather than malformed request data.

Consider using HTTP 400 Bad Request for JSON parsing errors:

-        response.put("status", HttpStatus.CONFLICT.value());
+        response.put("status", HttpStatus.BAD_REQUEST.value());
-        return ResponseEntity.status(HttpStatus.CONFLICT).body(response);
+        return ResponseEntity.badRequest().body(response);
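Review bot: the handler's Javadoc, quoted above as "@return 409 Bad Request", is outside these two replacements and will still name the wrong code after the change; update it to "@return 400 Bad Request" in the same commit. The status is also set in two separate places (the body map and the ResponseEntity), so change both together or derive the map value from a single HttpStatus variable so they cannot disagree.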

HTTP 400 is more semantically appropriate for malformed request data, while HTTP 409 is better suited for business logic conflicts.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
/**
* @return 409 Bad Request
* @RequestBody JSON 파싱 실패 (필드명 불일치, 데이터 타입 불일치, JSON 형식 오류 )
*/
@ExceptionHandler(HttpMessageNotReadableException.class)
public ResponseEntity<Map<String, Object>> handleHttpMessageNotReadableException(
HttpMessageNotReadableException ex) {
Map<String, Object> response = new LinkedHashMap<>();
response.put("status", HttpStatus.CONFLICT.value());
response.put("message", "필드명 또는 데이터 타입이 일치하지 않습니다.");
response.put("errors", ex.getMessage());
return ResponseEntity.status(HttpStatus.CONFLICT).body(response);
}
/**
* @return 409 Bad Request
* @RequestBody JSON 파싱 실패 (필드명 불일치, 데이터 타입 불일치, JSON 형식 오류 )
*/
@ExceptionHandler(HttpMessageNotReadableException.class)
public ResponseEntity<Map<String, Object>> handleHttpMessageNotReadableException(
HttpMessageNotReadableException ex) {
Map<String, Object> response = new LinkedHashMap<>();
- response.put("status", HttpStatus.CONFLICT.value());
+ response.put("status", HttpStatus.BAD_REQUEST.value());
response.put("message", "필드명 또는 데이터 타입이 일치하지 않습니다.");
response.put("errors", ex.getMessage());
-
- return ResponseEntity.status(HttpStatus.CONFLICT).body(response);
+ return ResponseEntity.badRequest().body(response);
}
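Review bot: the unchanged line response.put("errors", ex.getMessage()) still returns the raw HttpMessageNotReadableException message to the client, and for JSON binding failures that text can name internal Java types and field paths. Log ex with the @Slf4j logger this PR adds and return only the fixed message string, or a short list of the offending field names.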
🤖 Prompt for AI Agents
In
src/main/java/life/mosu/mosuserver/global/exception/GlobalExceptionHandler.java
around lines 107 to 120, the handler for HttpMessageNotReadableException
currently returns HTTP 409 Conflict, which is not appropriate for JSON parsing
errors. Change the HTTP status code from HttpStatus.CONFLICT (409) to
HttpStatus.BAD_REQUEST (400) in both the response map and the ResponseEntity
status to correctly indicate a malformed request error.
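
The effect of the PENDING / ROLE_PENDING mismatch raised by both reviewers, as an added example that is not code from this PR or from either review bot: it feeds both hierarchy strings to Spring Security's RoleHierarchyImpl and lists what each role actually reaches. It assumes spring-security-core on the classpath, and the local UserRole enum is a stand-in for the project's own (only ROLE_PENDING is confirmed by the page).

```java
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

import org.springframework.security.access.hierarchicalroles.RoleHierarchyImpl;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.authority.AuthorityUtils;

/** Added example: shows what each hierarchy string from the review actually grants. */
public class RoleHierarchyCheck {

    // Assumption: stand-in for the project's UserRole enum. Only ROLE_PENDING is
    // confirmed by the PR; the other two names are taken from the hierarchy string.
    enum UserRole { ROLE_ADMIN, ROLE_USER, ROLE_PENDING }

    // The two strings quoted in the review comments.
    static final String AS_SUBMITTED = "ROLE_ADMIN > ROLE_USER \n ROLE_USER > PENDING";
    static final String SUGGESTED = "ROLE_ADMIN > ROLE_USER \n ROLE_USER > ROLE_PENDING";

    /** Authorities a holder of {@code granted} ends up with under the given hierarchy. */
    static Set<String> reachable(String hierarchy, UserRole granted) {
        RoleHierarchyImpl impl = new RoleHierarchyImpl();
        impl.setHierarchy(hierarchy); // same call as the PR's SecurityConfig
        Collection<? extends GrantedAuthority> all = impl.getReachableGrantedAuthorities(
                AuthorityUtils.createAuthorityList(granted.name()));
        return AuthorityUtils.authorityListToSet(all);
    }

    /** Names used in the hierarchy string that are not UserRole constants. */
    static List<String> unknownNames(String hierarchy) {
        Set<String> known = Arrays.stream(UserRole.values())
                .map(Enum::name)
                .collect(Collectors.toSet());
        return Arrays.stream(hierarchy.split("[>\\n]"))
                .map(String::trim)
                .filter(name -> !name.isEmpty() && !known.contains(name))
                .distinct()
                .collect(Collectors.toList());
    }

    static void require(boolean condition, String message) {
        if (!condition) {
            throw new IllegalStateException(message);
        }
    }

    public static void main(String[] args) {
        for (String hierarchy : List.of(AS_SUBMITTED, SUGGESTED)) {
            System.out.println("hierarchy: " + hierarchy.replace("\n", "\\n"));
            System.out.println("  names not in UserRole: " + unknownNames(hierarchy));
            for (UserRole role : UserRole.values()) {
                System.out.println("  " + role + " -> " + reachable(hierarchy, role));
            }
        }

        // As submitted: ROLE_USER inherits an authority named "PENDING", which is not
        // a UserRole constant. hasRole("PENDING") would not match it either, because
        // hasRole prepends "ROLE_" by default.
        require(!reachable(AS_SUBMITTED, UserRole.ROLE_USER).contains("ROLE_PENDING"),
                "submitted hierarchy unexpectedly reaches ROLE_PENDING");
        require(unknownNames(AS_SUBMITTED).equals(List.of("PENDING")),
                "expected PENDING to be flagged as unknown");

        // Suggested: inheritance is transitive, so ROLE_ADMIN also reaches ROLE_PENDING.
        require(reachable(SUGGESTED, UserRole.ROLE_ADMIN)
                        .containsAll(Set.of("ROLE_USER", "ROLE_PENDING")),
                "ROLE_ADMIN should reach ROLE_USER and ROLE_PENDING");
        require(unknownNames(SUGGESTED).isEmpty(),
                "suggested hierarchy should only use UserRole names");
    }
}
```

The unknownNames check is the part worth keeping as a unit test in the project, since it fails as soon as the hierarchy string and the enum disagree.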

@wlgns12370 wlgns12370 merged commit 369be08 into develop Jul 27, 2025
2 checks passed
Development

Successfully merging this pull request may close these issues.

[🛠 Refactoring] Remove fields that do not change when editing a Profile
