20260310 #292 출석 세션 관리자 추가 삭제 api 구현

[discipline24]

Summary by CodeRabbit

• 새로운 기능

  • 세션에서 사용자의 관리자(MANAGER) 권한을 부여·해제하는 API 추가

• 개선사항

  • 사용자 등급(Grade)을 지정 가능한 유연한 변경 흐름 도입
  • 사용자 활동 로그(출석/게시글) 조회에 페이징·정렬 지원 추가
  • 일부 관리권한 검토: 회장(PRESIDENT) 또는 시스템 관리자까지 권한 범위 조정
  • 세션/라운드 삭제 시 소유자(OWNER) 기준 권한 강화 및 관련 데이터 일괄 삭제 처리 추가
  • 에러 코드 및 검증 메시지 보강

• 제거/변경

  • 일부 등급·상태 항목 정리(사용 가능한 항목 축소)

[coderabbitai]

Warning

Rate limit exceeded

@discipline24 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 8 minutes and 42 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c4746d75-3a10-42ca-b205-ed52ec31fe06

📥 Commits

Reviewing files that changed from the base of the PR and between c9ee57d and 46818fe.

📒 Files selected for processing (1)

• backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java

Walkthrough

관리자 등급 API가 promoteToSenior → updateUserGrade(UUID, Grade)로 일반화되고 권한이 PRESIDENT 또는 SYSTEM_ADMIN으로 확대되었습니다. 출석 세션/라운드 권한이 OWNER 중심으로 재조정되고 세션 관리자 추가/제거 엔드포인트 및 세션 단위 bulk 삭제 리포지토리 메서드가 추가되었습니다. 일부 enum 상수(SENIOR, GRADUATED)가 주석 처리되었습니다.

Changes

Cohort / File(s)	Summary
관리자 사용자 및 등급 관리 backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java, backend/src/main/java/org/sejongisc/backend/admin/service/AdminUserService.java, backend/src/main/java/org/sejongisc/backend/user/service/UserService.java	promoteToSenior → updateUserGrade(UUID, Grade)로 시그니처 변경 및 호출 경로 변경. 컨트롤러 권한 검사 hasRole('SYSTEM_ADMIN') → hasAnyRole('PRESIDENT','SYSTEM_ADMIN'). 엔드포인트 경로/요약/파라미터(/senior → /grade) 변경.
사용자 엔티티 및 상태 backend/src/main/java/org/sejongisc/backend/user/entity/Grade.java, backend/src/main/java/org/sejongisc/backend/user/entity/UserStatus.java, backend/src/main/java/org/sejongisc/backend/user/entity/User.java	Grade에서 SENIOR 주석 처리, UserStatus에서 GRADUATED 주석 처리. User.isManagerPosition 로직이 positionName 기반에서 역할(Role) 기반 판정으로 변경.
세션 사용자 관리 (컨트롤러) backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java	세션 관리자 할당 POST /{sessionId}/admins/{userId} 및 관리자 제거 DELETE /{sessionId}/admins/{userId} 엔드포인트 추가 (인증된 actor 추출 및 서비스 호출).
세션 사용자 관리 (서비스) backend/src/main/java/org/sejongisc/backend/attendance/service/SessionUserService.java	여러 public 메서드에 actorUserId 파라미터 추가(소유자 권한 검증으로 전환). addAllUsers/권한 관련 로직을 ensureOwner로 변경. joinSession/leaveSession/isUserInSession 제거. 관리자 승진/강등 흐름에 OWNER 검증 및 OWNER 보호 로직 추가.
출석 세션·라운드 권한 및 동작 변경 backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceRoundController.java, backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceSessionController.java, backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceRoundService.java, backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceSessionService.java	여러 엔드포인트의 권한 요구 변경(일부는 MANAGER→OWNER로 제한, 일부는 MEMBER 범위 확장). createSession에 생성자 포지션(manager) 검증 추가. 세션 삭제에 연관 엔티티 삭제 호출 추가 및 소유자 기반 권한 검사로 변경.
출석 관련 리포지토리: bulk 삭제 추가 backend/src/main/java/org/sejongisc/backend/attendance/repository/AttendanceRepository.java, backend/src/main/java/org/sejongisc/backend/attendance/repository/AttendanceRoundRepository.java, backend/src/main/java/org/sejongisc/backend/attendance/repository/SessionUserRepository.java	세션 단위로 연관된 Attendance/AttendanceRound/SessionUser를 삭제하는 deleteBySessionId(UUID) 메서드 추가(@Modifying, JPQL DELETE). AttendanceRepository는 서브쿼리를 이용한 bulk 삭제 구현.
활동 로그 페이징 및 리포지토리 변경 backend/src/main/java/org/sejongisc/backend/activity/repository/ActivityLogRepository.java, backend/src/main/java/org/sejongisc/backend/user/controller/UserController.java, backend/src/main/java/org/sejongisc/backend/user/service/UserService.java	ActivityLog 조회가 List → Page로 변경되고 페이징 파라미터(Pageable) 수용으로 API/리포지토리 시그니처 변경. 컨트롤러에서 @PageableDefault 추가.
오류 코드 확장 backend/src/main/java/org/sejongisc/backend/common/exception/ErrorCode.java	사용자·엑셀·베팅 관련 신규 에러 코드 다수 추가(예: DUPLICATE_EMAIL, DUPLICATE_PHONE, NOT_MANAGER_POSITION, BET_* 등).
문서/주석 변경 backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceSessionController.java, backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceService.java	OpenAPI Operation 설명에 권한 명시 추가 및 updateAttendanceStatusByRound에 activityLog 관련 TODO 주석 추가.

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant SessionUserController
  participant Auth as Security
  participant SessionUserService
  participant SessionUserRepository
  participant DB

  Client->>SessionUserController: POST /{sessionId}/admins/{userId} (토큰)
  SessionUserController->>Auth: 토큰 검증
  Auth-->>SessionUserController: principal (actorUserId)
  SessionUserController->>SessionUserService: addAdmin(sessionId, targetUserId, actorUserId)
  SessionUserService->>SessionUserService: ensureOwner(actorUserId, sessionId)
  SessionUserService->>SessionUserRepository: update role -> MANAGER for targetUserId
  SessionUserRepository->>DB: execute update
  DB-->>SessionUserRepository: OK
  SessionUserRepository-->>SessionUserService: success
  SessionUserService-->>SessionUserController: success
  SessionUserController-->>Client: 200 OK

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50분

Possibly related PRs

• [BE] [FEAT] 관리자 회원 관리 기능 추가 #228: Admin/grade 관리 및 promoteToSenior/updateUserGrade, Grade/UserStatus 변경과 직접적 충돌 가능성.
• [BE] SISC1-228 [FIX] session user 관련 로직 개선 #152: SessionUserRepository의 JPQL/메서드 변경(예: deleteBySessionId)과 코드 레벨 영향 가능성.
• [BE] SISC1-225 [FEAT] session user 구현 #148: 세션 사용자 추가/삭제 엔드포인트 및 관련 서비스 변경과 중복 또는 상호 영향 가능성.

시

🐰 깡총깡총 권한을 정리했지요,
SENIOR와 GRADUATED는 살짝 숨겼어요.
OWNER가 무대를 지키니 관리자 춤이 새로 생겼네.
등급은 update로 바뀌고, 삭제는 한 번에 쓱 —
당근 한입, 배포의 봄이 왔어요! 🥕

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 57.50% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	PR 제목은 '출석 세션 관리자 추가 삭제 API 구현'으로 SessionUserController에 addAdminToSession, removeAdminFromSession 엔드포인트 추가와 관련된 주요 변경사항을 명확히 반영합니다.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch 20260310-#292-출석-세션-관리자-추가-삭제-API-구현

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)

backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceRoundController.java (1)

97-120: ⚠️ Potential issue | 🟡 Minor

API 문서의 권한 및 에러 코드 설명이 실제 구현과 불일치합니다.

Line 104에서 권한을 "세션 OWNER"로 올바르게 변경했지만:

• Line 114: "요청 유저가 해당 세션의 관리 권한(MANAGER/OWNER)을 가졌는지 검증"은 이제 OWNER만 가능하므로 수정이 필요합니다.
• Line 118: 에러 코드 NOT_SESSION_ADMIN은 NOT_SESSION_OWNER로 변경해야 합니다 (서비스에서 ensureOwner 호출 시 NOT_SESSION_OWNER 발생).

📝 문서 수정 제안

       ## 동작 설명
       - 특정 출석 회차(Round)를 삭제
-      - 요청 유저가 해당 세션의 관리 권한(MANAGER/OWNER)을 가졌는지 검증
+      - 요청 유저가 해당 세션의 소유자(OWNER) 권한을 가졌는지 검증
       
       ## 에러 코드
       - **`ROUND_NOT_FOUND`**: 해당 출석 라운드가 존재하지 않습니다.
-      - **`NOT_SESSION_ADMIN`**: 세션 관리자 권한이 없습니다.
+      - **`NOT_SESSION_OWNER`**: 세션 소유자 권한이 없습니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceRoundController.java`
around lines 97 - 120, Update the API doc block in AttendanceRoundController for
the DeleteMapping("/rounds/{roundId}") to match the implementation: change the
permission description that currently says "요청 유저가 해당 세션의 관리 권한(MANAGER/OWNER)을
가졌는지 검증" to indicate only the session OWNER is allowed (e.g., "요청 유저가 세션 OWNER인지
검증"), and replace the listed error code `NOT_SESSION_ADMIN` with
`NOT_SESSION_OWNER` so the documented error matches the service's ensureOwner
behavior.

backend/src/main/java/org/sejongisc/backend/user/entity/Grade.java (1)

3-18: ⚠️ Potential issue | 🟠 Major

데이터 마이그레이션 필요: SENIOR 값 제거 시 런타임 오류 발생 가능

SENIOR enum 상수를 주석 처리하면, 데이터베이스에 grade='SENIOR'로 저장된 기존 사용자 레코드를 로드할 때 JPA가 IllegalArgumentException을 발생시킵니다. AdminUserService.java의 주석(line 113)에서 사용자를 SENIOR 등급으로 변경하던 기능이 있었던 것으로 보아, 기존 데이터베이스에 SENIOR 값이 존재할 가능성이 있습니다.

코드 주석의 "선배/OB는 정회원으로 대체"에 따라, 배포 전에 기존 SENIOR 데이터를 REGULAR_MEMBER로 마이그레이션하는 SQL 스크립트를 작성하고 실행해야 합니다.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/src/main/java/org/sejongisc/backend/user/entity/Grade.java` around
lines 3 - 18, Existing DB rows with grade='SENIOR' will cause JPA to throw
IllegalArgumentException because the SENIOR enum constant was removed from
Grade; before deploying, run a migration that updates all legacy values to
REGULAR_MEMBER (for example: UPDATE user SET grade='REGULAR_MEMBER' WHERE
grade='SENIOR') and verify AdminUserService logic that previously set SENIOR is
updated to use REGULAR_MEMBER; also consider adding a temporary tolerant import
in Grade.fromString to map "선배"/"OB" strings to REGULAR_MEMBER during migration
rollout if needed.

🧹 Nitpick comments (8)

backend/src/main/java/org/sejongisc/backend/attendance/service/SessionUserService.java (1)

102-103: 세션 조회 결과가 사용되지 않습니다.

attendanceSessionRepository.findById(sessionId) 결과가 변수에 할당되지 않고 존재 여부만 확인합니다. 이 패턴이 의도된 것이라면, 가독성을 위해 existsById를 사용하거나 명시적으로 무시하는 것이 좋습니다.

♻️ 개선 제안

-    attendanceSessionRepository.findById(sessionId)
-        .orElseThrow(() -> new CustomException(ErrorCode.SESSION_NOT_FOUND));
+    if (!attendanceSessionRepository.existsById(sessionId)) {
+      throw new CustomException(ErrorCode.SESSION_NOT_FOUND);
+    }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/SessionUserService.java`
around lines 102 - 103, The call attendanceSessionRepository.findById(sessionId)
in SessionUserService currently only checks existence and discards the result;
change it to capture the Optional result and assign the resolved entity to a
variable (e.g., attendanceSession =
attendanceSessionRepository.findById(sessionId).orElseThrow(() -> new
CustomException(ErrorCode.SESSION_NOT_FOUND))) so the retrieved session can be
used, or if the intent is only to check existence replace the call with
attendanceSessionRepository.existsById(sessionId) or explicitly ignore the value
with a clear comment; update any subsequent code to use the new
attendanceSession variable if needed.

backend/src/main/java/org/sejongisc/backend/user/entity/User.java (1)

87-94: 주석이 새로운 구현과 일치하지 않습니다.

Line 89의 주석 "직위에 '팀장', '대표', '부대표' 등의 키워드가 있으면 운영진 권한 부여 후보"는 이전 positionName 기반 구현에 대한 설명입니다. 새 구현은 role 기반이므로 주석을 업데이트해야 합니다.

구현 자체는 명확하고 적절합니다: Role enum을 기반으로 한 권한 검증이 문자열 매칭보다 안전합니다.

📝 주석 수정 제안

     public boolean isManagerPosition() {
         if (this.role == Role.TEAM_MEMBER || this.role == Role.PENDING_MEMBER ) return false;
-        // 직위에 '팀장', '대표', '부대표' 등의 키워드가 있으면 운영진 권한 부여 후보
+        // SYSTEM_ADMIN, PRESIDENT, VICE_PRESIDENT, TEAM_LEADER 역할은 운영진 권한 보유
         return this.role == Role.SYSTEM_ADMIN ||
             this.role == Role.PRESIDENT ||
             this.role == Role.VICE_PRESIDENT ||
             this.role == Role.TEAM_LEADER;
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/src/main/java/org/sejongisc/backend/user/entity/User.java` around
lines 87 - 94, Update the outdated comment in the isManagerPosition method to
reflect that the check is now role-based rather than string-matching on
positionName: replace the current note about keywords like '팀장', '대표', '부대표'
with a brief description that the method returns true for users whose Role enum
is one of SYSTEM_ADMIN, PRESIDENT, VICE_PRESIDENT, or TEAM_LEADER (and false for
TEAM_MEMBER and PENDING_MEMBER), referencing the isManagerPosition method and
the Role enum so future readers understand the enum-based permission check.

backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceRoundService.java (1)

164-174: Javadoc과 실제 구현이 일치하지 않습니다.

Line 164의 주석에는 "라운드 삭제(관리자/OWNER)"라고 되어 있지만, 실제 구현(line 170)은 ensureOwner를 호출하여 OWNER만 삭제할 수 있습니다. 주석을 업데이트하거나 의도된 권한 정책을 확인해 주세요.

또한 closeRound와 openRound는 여전히 ensureAdmin을 사용하는데, deleteRound만 ensureOwner를 사용하는 것이 의도된 설계인지 확인이 필요합니다.

📝 Javadoc 수정 제안

-  /** 라운드 삭제(관리자/OWNER) */
+  /** 라운드 삭제(OWNER 전용) */
   public void deleteRound(UUID roundId, UUID userId) {

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceRoundService.java`
around lines 164 - 174, The Javadoc "라운드 삭제(관리자/OWNER)" for deleteRound is
inconsistent with the implementation which calls
authorizationService.ensureOwner (so only OWNER can delete); decide which policy
you want and make them consistent: either update the Javadoc on
deleteRound(UUID, UUID) to state "OWNER only" or change the authorization call
to use the same admin-check as closeRound/openRound (e.g., replace ensureOwner
with the admin check used in closeRound/openRound) and then run a quick pass to
ensure closeRound and openRound (methods closeRound(...) and openRound(...)) use
the intended authority uniformly across the class.

backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java (2)

195-214: removeAdminFromSession에도 동일하게 문서 보완이 필요합니다.

addAdminToSession과 마찬가지로 ## 인증(JWT), ## 경로 파라미터, ## 에러 코드 섹션을 추가하여 API 문서의 일관성을 유지해주세요.

📝 제안된 문서 개선

   `@Operation`(
       summary = "세션 관리자 제거",
       description = """
+    ## 인증(JWT)
+    - **필요**
+    
     ## 권한
     - **세션 OWNER**
     
+    ## 경로 파라미터
+    - **`sessionId`**: 세션 ID (`UUID`)
+    - **`userId`**: 관리자에서 제거할 사용자 ID (`UUID`)
+    
     ## 동작 설명
     - 특정 사용자의 역할을 `PARTICIPANT`로 강등시킵니다.
     - `OWNER`는 강등될 수 없습니다.
+    
+    ## 에러 코드
+    - **`SESSION_NOT_FOUND`**: 해당 출석 세션이 존재하지 않습니다.
+    - **`NOT_SESSION_OWNER`**: 세션 소유자 권한이 없습니다.
     """)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java`
around lines 195 - 214, The Operation description for removeAdminFromSession in
SessionUserController lacks the same documentation sections as
addAdminToSession; update the `@Operation`(description=...) block for the method
removeAdminFromSession to include ## 인증(JWT) with info about required JWT and
scope, ## 경로 파라미터 describing sessionId and userId, and ## 에러 코드 listing possible
HTTP error responses (e.g., 400/401/403/404) and their conditions so the API
docs match addAdminToSession's format.

---

171-189: OpenAPI 문서가 다른 엔드포인트와 일관성이 부족합니다.

이 파일의 다른 엔드포인트들과 달리 ## 인증(JWT), ## 경로 파라미터, ## 에러 코드 섹션이 누락되어 있습니다. 또한 Line 187의 주석은 서비스 레이어에서 검증이 구현되어 있다면 제거하는 것이 좋습니다.

📝 제안된 문서 개선

   `@Operation`(
       summary = "세션 관리자 추가",
       description = """
+    ## 인증(JWT)
+    - **필요**
+    
     ## 권한
     - **세션 OWNER**
     
+    ## 경로 파라미터
+    - **`sessionId`**: 세션 ID (`UUID`)
+    - **`userId`**: 관리자로 추가할 사용자 ID (`UUID`)
+    
     ## 동작 설명
     - 특정 사용자의 역할을 `MANAGER`로 격상시킵니다.
+    
+    ## 에러 코드
+    - **`SESSION_NOT_FOUND`**: 해당 출석 세션이 존재하지 않습니다.
+    - **`USER_NOT_FOUND`**: 유저를 찾을 수 없습니다.
+    - **`NOT_SESSION_OWNER`**: 세션 소유자 권한이 없습니다.
     """)
   `@PostMapping`("/{sessionId}/admins/{userId}")
   public ResponseEntity<Void> addAdminToSession(
       `@PathVariable` UUID sessionId,
       `@PathVariable` UUID userId,
       `@AuthenticationPrincipal` CustomUserDetails userDetails) {
 
     UUID adminUserId = requireUserId(userDetails);
-    // 서비스단에서 세션 소유자(OWNER)인지 검증하는 로직이 포함되어야 함
     sessionUserService.addAdmin(sessionId, userId, adminUserId);
     return ResponseEntity.ok().build();
   }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java`
around lines 171 - 189, Update the OpenAPI Operation for addAdminToSession to
match other endpoints by adding "## 인증(JWT)" with JWT auth note, "## 경로 파라미터"
documenting sessionId and userId, and "## 에러 코드" listing possible HTTP errors;
remove the inline comment about service-layer validation on the line above
sessionUserService.addAdmin (since validation belongs in the service), and
ensure you reference requireUserId(CustomUserDetails) and
sessionUserService.addAdmin(sessionId, userId, adminUserId) as the call that
performs the OWNER check in the service layer.

backend/src/main/java/org/sejongisc/backend/admin/service/AdminUserService.java (1)

112-118: Javadoc 주석이 실제 메서드 동작과 불일치합니다.

메서드가 이제 모든 등급 변경을 처리하지만, Javadoc은 여전히 "선배(SENIOR) 등급으로 변경"이라고 되어 있습니다.

📝 제안된 수정

     /**
-     * 특정 사용자를 선배(SENIOR) 등급으로 변경
+     * 특정 사용자의 등급(Grade) 변경
      */
     `@Transactional`
     public void updateUserGrade(UUID userId, Grade grade) {
         userService.updateUserGrade(userId, grade);
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/admin/service/AdminUserService.java`
around lines 112 - 118, The Javadoc for AdminUserService.updateUserGrade is
inaccurate (says it changes a user to SENIOR) while the method accepts a Grade
and updates any grade; update the method comment to describe that
updateUserGrade(UUID userId, Grade grade) updates the specified user's grade to
the provided Grade value, mention parameters (userId, grade) and transactional
behavior if desired, and remove the SENIOR-specific wording so the doc matches
the method signature and behavior.

backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java (1)

99-101: 메서드명이 실제 동작과 불일치합니다.

메서드명 promoteToSenior는 이제 SENIOR만이 아닌 모든 등급 변경을 처리하므로 updateUserGrade로 변경하는 것이 적절합니다.

♻️ 제안된 수정

-    public ResponseEntity<Void> promoteToSenior(`@PathVariable` UUID userId,
+    public ResponseEntity<Void> updateUserGrade(`@PathVariable` UUID userId,
                                                 `@RequestParam` Grade grade) {
         adminUserService.updateUserGrade(userId, grade);
         return ResponseEntity.noContent().build();
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`
around lines 99 - 101, The controller method name promoteToSenior no longer
matches its behavior (it updates any Grade), so rename the method in
AdminUserController from promoteToSenior to updateUserGrade; update the method
signature and any internal references or usages (e.g., in tests or other
callers) to the new name while keeping the existing `@PathVariable` UUID userId
and `@RequestParam` Grade grade parameters and request mapping intact so behavior
and routing don't change.

backend/src/main/java/org/sejongisc/backend/user/service/UserService.java (1)

100-105: 로그 메시지가 실제 동작과 불일치합니다.

updateUserGrade 메서드는 이제 모든 등급 변경을 처리하지만, 로그 메시지는 여전히 "선배 등급 전환 완료"라고 되어 있습니다. 정확한 로깅을 위해 실제 변경된 등급을 포함하도록 수정해주세요.

🔧 제안된 수정

     `@Transactional`
     public void updateUserGrade(UUID userId, Grade grade) {
         User user = findUser(userId);
         user.setGrade(grade);
-        log.info("선배 등급 전환 완료: userId={}, 학번={}", userId, user.getStudentId());
+        log.info("사용자 등급 변경 완료: userId={}, 학번={}, 등급={}", userId, user.getStudentId(), grade);
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@backend/src/main/java/org/sejongisc/backend/user/service/UserService.java`
around lines 100 - 105, updateUserGrade in UserService currently logs a
hardcoded "선배 등급 전환 완료" message which is incorrect; change the log.info call in
updateUserGrade(UUID userId, Grade grade) to include the actual new grade value
(e.g., include grade or user.getGrade()) and adjust the message text to reflect
the dynamic grade change (for example "유저 등급 전환 완료: userId={}, 학번={}, 이전등급={},
변경등급={}"), so the log accurately reports the changed grade.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`:
- Around line 86-103: The `@Operation` annotation on the promoteToSenior method is
missing its closing parenthesis, causing a compile error; fix it by adding the
closing ')' after the description block in the `@Operation` declaration (the
annotation that precedes the promoteToSenior(...) method) so the annotation is
properly terminated and the method signature compiles.
- Around line 97-101: Frontend callers that currently hit
/api/admin/users/{userId}/senior must be updated because the backend expose the
promoteToSenior(PATCH) handler which now lives at
/api/admin/users/{userId}/grade and requires a grade query parameter used by
adminUserService.updateUserGrade; change the API calls to PATCH
/api/admin/users/{userId}/grade and append ?grade=REGULAR_MEMBER (or the desired
Grade enum value), ensuring the HTTP method remains PATCH and the grade query
string is included in the request URL wherever the old /senior endpoint was
used.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceService.java`:
- Line 116: The admin manual attendance update (in
updateAttendanceStatusByRound) currently only has a TODO for activityLog and
does not publish an ActivityEvent like checkIn does; modify
updateAttendanceStatusByRound to create and publish an ActivityEvent (or call
the same helper used by checkIn) whenever an attendance is created, its status
changes, or deleted, including relevant metadata (actor=admin, target attendance
id, previousStatus, newStatus, reason), and ensure you reuse the existing
ActivityEvent class and publisher/service used by checkIn so logs are consistent
and tests still pass.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceSessionService.java`:
- Around line 131-141: deleteSession currently deletes the AttendanceSession
without removing related rows, which will violate FK constraints on SessionUser,
AttendanceRound, and Attendance; either add cascade deletes on the entity
relationships or implement explicit deletion order in the service. Option A: in
the AttendanceSession entity, add/adjust `@OneToMany` mappings for sessionUsers
and attendanceRounds to include cascade = CascadeType.REMOVE (or
CascadeType.ALL) and orphanRemoval = true, and in AttendanceRound add `@OneToMany`
for attendances with cascade remove so removing AttendanceSession deletes all
children. Option B: in AttendanceSessionService.deleteSession, before calling
attendanceSessionRepository.delete(session), delete dependent records explicitly
(call the repository methods such as attendanceRepository.deleteByRoundIds(...),
attendanceRoundRepository.deleteBySessionId(sessionId),
sessionUserRepository.deleteBySessionId(sessionId)) in the correct order, then
delete the session; update/introduce repository deleteBy... methods as needed.

---

Outside diff comments:
In
`@backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceRoundController.java`:
- Around line 97-120: Update the API doc block in AttendanceRoundController for
the DeleteMapping("/rounds/{roundId}") to match the implementation: change the
permission description that currently says "요청 유저가 해당 세션의 관리 권한(MANAGER/OWNER)을
가졌는지 검증" to indicate only the session OWNER is allowed (e.g., "요청 유저가 세션 OWNER인지
검증"), and replace the listed error code `NOT_SESSION_ADMIN` with
`NOT_SESSION_OWNER` so the documented error matches the service's ensureOwner
behavior.

In `@backend/src/main/java/org/sejongisc/backend/user/entity/Grade.java`:
- Around line 3-18: Existing DB rows with grade='SENIOR' will cause JPA to throw
IllegalArgumentException because the SENIOR enum constant was removed from
Grade; before deploying, run a migration that updates all legacy values to
REGULAR_MEMBER (for example: UPDATE user SET grade='REGULAR_MEMBER' WHERE
grade='SENIOR') and verify AdminUserService logic that previously set SENIOR is
updated to use REGULAR_MEMBER; also consider adding a temporary tolerant import
in Grade.fromString to map "선배"/"OB" strings to REGULAR_MEMBER during migration
rollout if needed.

---

Nitpick comments:
In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`:
- Around line 99-101: The controller method name promoteToSenior no longer
matches its behavior (it updates any Grade), so rename the method in
AdminUserController from promoteToSenior to updateUserGrade; update the method
signature and any internal references or usages (e.g., in tests or other
callers) to the new name while keeping the existing `@PathVariable` UUID userId
and `@RequestParam` Grade grade parameters and request mapping intact so behavior
and routing don't change.

In
`@backend/src/main/java/org/sejongisc/backend/admin/service/AdminUserService.java`:
- Around line 112-118: The Javadoc for AdminUserService.updateUserGrade is
inaccurate (says it changes a user to SENIOR) while the method accepts a Grade
and updates any grade; update the method comment to describe that
updateUserGrade(UUID userId, Grade grade) updates the specified user's grade to
the provided Grade value, mention parameters (userId, grade) and transactional
behavior if desired, and remove the SENIOR-specific wording so the doc matches
the method signature and behavior.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java`:
- Around line 195-214: The Operation description for removeAdminFromSession in
SessionUserController lacks the same documentation sections as
addAdminToSession; update the `@Operation`(description=...) block for the method
removeAdminFromSession to include ## 인증(JWT) with info about required JWT and
scope, ## 경로 파라미터 describing sessionId and userId, and ## 에러 코드 listing possible
HTTP error responses (e.g., 400/401/403/404) and their conditions so the API
docs match addAdminToSession's format.
- Around line 171-189: Update the OpenAPI Operation for addAdminToSession to
match other endpoints by adding "## 인증(JWT)" with JWT auth note, "## 경로 파라미터"
documenting sessionId and userId, and "## 에러 코드" listing possible HTTP errors;
remove the inline comment about service-layer validation on the line above
sessionUserService.addAdmin (since validation belongs in the service), and
ensure you reference requireUserId(CustomUserDetails) and
sessionUserService.addAdmin(sessionId, userId, adminUserId) as the call that
performs the OWNER check in the service layer.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceRoundService.java`:
- Around line 164-174: The Javadoc "라운드 삭제(관리자/OWNER)" for deleteRound is
inconsistent with the implementation which calls
authorizationService.ensureOwner (so only OWNER can delete); decide which policy
you want and make them consistent: either update the Javadoc on
deleteRound(UUID, UUID) to state "OWNER only" or change the authorization call
to use the same admin-check as closeRound/openRound (e.g., replace ensureOwner
with the admin check used in closeRound/openRound) and then run a quick pass to
ensure closeRound and openRound (methods closeRound(...) and openRound(...)) use
the intended authority uniformly across the class.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/SessionUserService.java`:
- Around line 102-103: The call attendanceSessionRepository.findById(sessionId)
in SessionUserService currently only checks existence and discards the result;
change it to capture the Optional result and assign the resolved entity to a
variable (e.g., attendanceSession =
attendanceSessionRepository.findById(sessionId).orElseThrow(() -> new
CustomException(ErrorCode.SESSION_NOT_FOUND))) so the retrieved session can be
used, or if the intent is only to check existence replace the call with
attendanceSessionRepository.existsById(sessionId) or explicitly ignore the value
with a clear comment; update any subsequent code to use the new
attendanceSession variable if needed.

In `@backend/src/main/java/org/sejongisc/backend/user/entity/User.java`:
- Around line 87-94: Update the outdated comment in the isManagerPosition method
to reflect that the check is now role-based rather than string-matching on
positionName: replace the current note about keywords like '팀장', '대표', '부대표'
with a brief description that the method returns true for users whose Role enum
is one of SYSTEM_ADMIN, PRESIDENT, VICE_PRESIDENT, or TEAM_LEADER (and false for
TEAM_MEMBER and PENDING_MEMBER), referencing the isManagerPosition method and
the Role enum so future readers understand the enum-based permission check.

In `@backend/src/main/java/org/sejongisc/backend/user/service/UserService.java`:
- Around line 100-105: updateUserGrade in UserService currently logs a hardcoded
"선배 등급 전환 완료" message which is incorrect; change the log.info call in
updateUserGrade(UUID userId, Grade grade) to include the actual new grade value
(e.g., include grade or user.getGrade()) and adjust the message text to reflect
the dynamic grade change (for example "유저 등급 전환 완료: userId={}, 학번={}, 이전등급={},
변경등급={}"), so the log accurately reports the changed grade.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: c233d833-5166-45f4-99d2-1b4fd8163119

📥 Commits

Reviewing files that changed from the base of the PR and between 5eaafc4 and 8293e4a.

📒 Files selected for processing (14)

• backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java
• backend/src/main/java/org/sejongisc/backend/admin/service/AdminUserService.java
• backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceRoundController.java
• backend/src/main/java/org/sejongisc/backend/attendance/controller/AttendanceSessionController.java
• backend/src/main/java/org/sejongisc/backend/attendance/controller/SessionUserController.java
• backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceRoundService.java
• backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceService.java
• backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceSessionService.java
• backend/src/main/java/org/sejongisc/backend/attendance/service/SessionUserService.java
• backend/src/main/java/org/sejongisc/backend/common/exception/ErrorCode.java
• backend/src/main/java/org/sejongisc/backend/user/entity/Grade.java
• backend/src/main/java/org/sejongisc/backend/user/entity/User.java
• backend/src/main/java/org/sejongisc/backend/user/entity/UserStatus.java
• backend/src/main/java/org/sejongisc/backend/user/service/UserService.java

[coderabbitai]

Actionable comments posted: 3

🧹 Nitpick comments (1)

backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java (1)

99-101: 메서드명은 이제 실제 동작과 맞추는 편이 좋겠습니다.

엔드포인트와 서비스 호출은 범용 Grade 변경인데, 컨트롤러 메서드명만 promoteToSenior로 남아 있어 코드 탐색과 로그 해석이 헷갈립니다. updateUserGrade처럼 맞춰 두는 편이 낫습니다.

♻️ 제안

-    public ResponseEntity<Void> promoteToSenior(`@PathVariable` UUID userId,
-                                                `@RequestParam` Grade grade) {
+    public ResponseEntity<Void> updateUserGrade(`@PathVariable` UUID userId,
+                                                `@RequestParam` Grade grade) {
         adminUserService.updateUserGrade(userId, grade);
         return ResponseEntity.noContent().build();
     }

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`
around lines 99 - 101, The controller method name promoteToSenior no longer
matches its behavior—it's calling adminUserService.updateUserGrade and accepts a
Grade param—so rename the method to updateUserGrade (or another name matching
the service) in AdminUserController and update any references (handlers, tests,
logs) so the mapping and behavior remain unchanged; ensure the `@PathVariable`
UUID userId and `@RequestParam` Grade grade signature and the ResponseEntity<Void>
return are preserved while only renaming the method to align with
adminUserService.updateUserGrade.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`:
- Around line 64-66: The OpenAPI `@Operation` text and the actual access control
(`@PreAuthorize`) are inconsistent: either update the `@Operation`
summaries/descriptions to list both allowed roles (PRESIDENT and SYSTEM_ADMIN)
for the three annotated endpoints (the blocks using
`@PatchMapping`("/{userId}/status"), the other two similar annotation blocks
around the file) or change the `@PreAuthorize` expressions to match the
documentation (e.g., remove PRESIDENT so only SYSTEM_ADMIN can call them).
Locate the three annotation groups in AdminUserController.java (the
`@Operation/`@PatchMapping/@PreAuthorize sets) and apply the chosen fix
consistently across all three places so the Swagger docs and runtime security
match.
- Line 66: Controller must pass the caller's ID into the service and the service
must enforce self-modify and superior-role protection: update the controller
calls to supply requesterId to updateUserStatus, updateUserRole,
updateUserGrade, deleteUser, then implement checks inside the corresponding
UserService methods (e.g., updateUserStatus, updateUserRole, updateUserGrade,
deleteUser) to throw a CustomException (use ErrorCode.CANNOT_MODIFY_SELF) if
userId.equals(requesterId) and to load the target user (e.g., via findUser) and
forbid modifications to Role.SYSTEM_ADMIN unless the requester has SYSTEM_ADMIN
or higher (throw ErrorCode.CANNOT_MODIFY_SUPERIOR); ensure these checks run
before applying any entity setters/changes.

In
`@backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceSessionService.java`:
- Around line 142-152: The current manual child-deletes then parent delete
(attendanceRepository.deleteBySessionId,
attendanceRoundRepository.deleteBySessionId,
sessionUserRepository.deleteBySessionId,
attendanceSessionRepository.delete(session)) risks a race where new child rows
are inserted between the child deletes and parent delete causing FK failures;
fix by either (A) protecting the parent row with a pessimistic lock before
deleting children—add a repository method like findByIdForUpdate(...) that uses
LockModeType.PESSIMISTIC_WRITE and load the AttendanceSession with that lock
inside the `@Transactional` service method before performing deletes—or (B) make
deletes atomic via JPA cascade/remove on AttendanceSession (e.g., `@OneToMany`
mappedBy = "attendanceSession" with cascade = CascadeType.REMOVE and
orphanRemoval = true) and then simply delete the parent entity; choose one
approach and update the service to use the locked parent retrieval or the
cascade-enabled entity accordingly.

---

Nitpick comments:
In
`@backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java`:
- Around line 99-101: The controller method name promoteToSenior no longer
matches its behavior—it's calling adminUserService.updateUserGrade and accepts a
Grade param—so rename the method to updateUserGrade (or another name matching
the service) in AdminUserController and update any references (handlers, tests,
logs) so the mapping and behavior remain unchanged; ensure the `@PathVariable`
UUID userId and `@RequestParam` Grade grade signature and the ResponseEntity<Void>
return are preserved while only renaming the method to align with
adminUserService.updateUserGrade.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 123ab75f-6c73-469f-89d8-6f1344e1df30

📥 Commits

Reviewing files that changed from the base of the PR and between 8293e4a and 0b5a6c4.

📒 Files selected for processing (5)

• backend/src/main/java/org/sejongisc/backend/admin/controller/AdminUserController.java
• backend/src/main/java/org/sejongisc/backend/attendance/repository/AttendanceRepository.java
• backend/src/main/java/org/sejongisc/backend/attendance/repository/AttendanceRoundRepository.java
• backend/src/main/java/org/sejongisc/backend/attendance/repository/SessionUserRepository.java
• backend/src/main/java/org/sejongisc/backend/attendance/service/AttendanceSessionService.java