✨ Allow admin users to remove/edit comments

Zeta611 · Zeta611 · commit be74b2bb2c99 · 2025-08-28T18:03:27.000+09:00
diff --git a/components/comment/comment-item.tsx b/components/comment/comment-item.tsx
@@ -47,6 +47,8 @@ export default function CommentItem({
   const { data: user } = useUserQuery();
   const { openLogin } = useLoginDialog();
 
+  const isAdmin = user?.app_metadata?.userrole === "admin";
+
   const [showReplyForm, setShowReplyForm] = useState(false);
   const [showReplies, setShowReplies] = useState(true);
   const [isEditing, setIsEditing] = useState(false);
@@ -227,55 +229,58 @@ export default function CommentItem({
                   <MessageCircle className="size-3" />
                   답글
                 </Button>
-                {user?.id === comment.author_id && !isEditing && (
-                  <>
-                    <Button
-                      variant="ghost"
-                      className="h-6 px-2.5 text-xs"
-                      onClick={() => setIsEditing(true)}
-                    >
-                      고치기
-                    </Button>
-                    <AlertDialog>
-                      <AlertDialogTrigger asChild>
-                        <Button
-                          type="button"
-                          variant="ghost"
-                          className="h-6 px-2.5 text-xs text-red-600 hover:text-red-700"
-                        >
-                          지우기
-                        </Button>
-                      </AlertDialogTrigger>
-                      <AlertDialogContent>
-                        <AlertDialogHeader>
-                          <AlertDialogTitle>
-                            정말로 댓글을 지울까요?
-                          </AlertDialogTitle>
-                          <AlertDialogDescription>
-                            이 작업은 되돌릴 수 없어요. 이미 답글이 달린 댓글은
-                            {" '지워진 댓글'"}로 표시돼요.
-                          </AlertDialogDescription>
-                        </AlertDialogHeader>
-                        {removeState?.error && (
-                          <span className="text-xs text-red-600">
-                            {removeState.error}
-                          </span>
-                        )}
-                        <AlertDialogFooter>
-                          <AlertDialogCancel>닫기</AlertDialogCancel>
-                          <Form action={removeAction}>
-                            <AlertDialogAction
-                              type="submit"
-                              className="bg-red-600 hover:bg-red-700"
-                            >
-                              지우기
-                            </AlertDialogAction>
-                          </Form>
-                        </AlertDialogFooter>
-                      </AlertDialogContent>
-                    </AlertDialog>
-                  </>
-                )}
+                {user &&
+                  (user.id === comment.author_id || isAdmin) &&
+                  !isEditing && (
+                    <>
+                      <Button
+                        variant="ghost"
+                        className="h-6 px-2.5 text-xs"
+                        onClick={() => setIsEditing(true)}
+                      >
+                        고치기
+                      </Button>
+                      <AlertDialog>
+                        <AlertDialogTrigger asChild>
+                          <Button
+                            type="button"
+                            variant="ghost"
+                            className="h-6 px-2.5 text-xs text-red-600 hover:text-red-700"
+                          >
+                            지우기
+                          </Button>
+                        </AlertDialogTrigger>
+                        <AlertDialogContent>
+                          <AlertDialogHeader>
+                            <AlertDialogTitle>
+                              정말로 댓글을 지울까요?
+                            </AlertDialogTitle>
+                            <AlertDialogDescription>
+                              이 작업은 되돌릴 수 없어요. 이미 답글이 달린
+                              댓글은
+                              {" '지워진 댓글'"}로 표시돼요.
+                            </AlertDialogDescription>
+                          </AlertDialogHeader>
+                          {removeState?.error && (
+                            <span className="text-xs text-red-600">
+                              {removeState.error}
+                            </span>
+                          )}
+                          <AlertDialogFooter>
+                            <AlertDialogCancel>닫기</AlertDialogCancel>
+                            <Form action={removeAction}>
+                              <AlertDialogAction
+                                type="submit"
+                                className="bg-red-600 hover:bg-red-700"
+                              >
+                                지우기
+                              </AlertDialogAction>
+                            </Form>
+                          </AlertDialogFooter>
+                        </AlertDialogContent>
+                      </AlertDialog>
+                    </>
+                  )}
               </div>
             )}
 
diff --git a/supabase/migrations/20250828052832_custom_claims.sql b/supabase/migrations/20250828052832_custom_claims.sql
@@ -0,0 +1,101 @@
+CREATE OR REPLACE FUNCTION is_claims_admin() RETURNS "bool"
+  LANGUAGE "plpgsql"
+  AS $$
+  BEGIN
+    IF session_user = 'authenticator' THEN
+      --------------------------------------------
+      -- To disallow any authenticated app users
+      -- from editing claims, delete the following
+      -- block of code and replace it with:
+      -- RETURN FALSE;
+      --------------------------------------------
+      IF extract(epoch from now()) > coalesce((current_setting('request.jwt.claims', true)::jsonb)->>'exp', '0')::numeric THEN
+        return false; -- jwt expired
+      END IF;
+      If current_setting('request.jwt.claims', true)::jsonb->>'role' = 'service_role' THEN
+        RETURN true; -- service role users have admin rights
+      END IF;
+      IF coalesce((current_setting('request.jwt.claims', true)::jsonb)->'app_metadata'->'claims_admin', 'false')::bool THEN
+        return true; -- user has claims_admin set to true
+      ELSE
+        return false; -- user does NOT have claims_admin set to true
+      END IF;
+      --------------------------------------------
+      -- End of block
+      --------------------------------------------
+    ELSE -- not a user session, probably being called from a trigger or something
+      return true;
+    END IF;
+  END;
+$$;
+
+CREATE OR REPLACE FUNCTION get_my_claims() RETURNS "jsonb"
+    LANGUAGE "sql" STABLE
+    AS $$
+  select
+  	coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata', '{}'::jsonb)::jsonb
+$$;
+CREATE OR REPLACE FUNCTION get_my_claim(claim TEXT) RETURNS "jsonb"
+    LANGUAGE "sql" STABLE
+    AS $$
+  select
+  	coalesce(nullif(current_setting('request.jwt.claims', true), '')::jsonb -> 'app_metadata' -> claim, null)
+$$;
+
+CREATE OR REPLACE FUNCTION get_claims(uid uuid) RETURNS "jsonb"
+    LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
+    AS $$
+    DECLARE retval jsonb;
+    BEGIN
+      IF NOT is_claims_admin() THEN
+          RETURN '{"error":"access denied"}'::jsonb;
+      ELSE
+        select raw_app_meta_data from auth.users into retval where id = uid::uuid;
+        return retval;
+      END IF;
+    END;
+$$;
+
+CREATE OR REPLACE FUNCTION get_claim(uid uuid, claim text) RETURNS "jsonb"
+    LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
+    AS $$
+    DECLARE retval jsonb;
+    BEGIN
+      IF NOT is_claims_admin() THEN
+          RETURN '{"error":"access denied"}'::jsonb;
+      ELSE
+        select coalesce(raw_app_meta_data->claim, null) from auth.users into retval where id = uid::uuid;
+        return retval;
+      END IF;
+    END;
+$$;
+
+CREATE OR REPLACE FUNCTION set_claim(uid uuid, claim text, value jsonb) RETURNS "text"
+    LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
+    AS $$
+    BEGIN
+      IF NOT is_claims_admin() THEN
+          RETURN 'error: access denied';
+      ELSE
+        update auth.users set raw_app_meta_data =
+          raw_app_meta_data ||
+            json_build_object(claim, value)::jsonb where id = uid;
+        return 'OK';
+      END IF;
+    END;
+$$;
+
+CREATE OR REPLACE FUNCTION delete_claim(uid uuid, claim text) RETURNS "text"
+    LANGUAGE "plpgsql" SECURITY DEFINER SET search_path = public
+    AS $$
+    BEGIN
+      IF NOT is_claims_admin() THEN
+          RETURN 'error: access denied';
+      ELSE
+        update auth.users set raw_app_meta_data =
+          raw_app_meta_data - claim where id = uid;
+        return 'OK';
+      END IF;
+    END;
+$$;
+NOTIFY pgrst, 'reload schema';
diff --git a/supabase/migrations/20250828063200_admin_remove_comment.sql b/supabase/migrations/20250828063200_admin_remove_comment.sql
@@ -0,0 +1,45 @@
+CREATE OR REPLACE FUNCTION public.remove_comment(p_comment_id uuid) RETURNS boolean
+    LANGUAGE plpgsql SECURITY DEFINER
+    SET search_path TO 'public'
+AS $$
+declare
+  v_author_id uuid := auth.uid();
+  v_comment_author_id uuid;
+  v_is_userrole_admin boolean := coalesce(get_my_claim('userrole')::text, '') = '"admin"';
+begin
+  -- Auth check
+  if v_author_id is null then
+    raise exception 'Not authenticated' using errcode = '28000';
+  end if;
+
+  -- Input validation
+  if p_comment_id is null then
+    raise exception 'Comment ID is required' using errcode = '22023';
+  end if;
+
+  -- Check comment exists and get its author
+  select author_id
+  into v_comment_author_id
+  from public.comment
+  where id = p_comment_id;
+
+  if not found then
+    raise exception 'Comment not found' using errcode = 'NO_COMMENT';
+  end if;
+
+  -- Authorization: author or userrole "admin" may remove
+  if v_comment_author_id <> v_author_id and not v_is_userrole_admin then
+    raise exception 'Not authorized to remove this comment' using errcode = '42501';
+  end if;
+
+  -- Perform the update
+  update public.comment
+  set removed = true,
+      updated_at = now()
+  where id = p_comment_id;
+
+  return true;
+end;
+$$;
+
+NOTIFY pgrst, 'reload schema';
diff --git a/supabase/migrations/20250828063500_admin_update_comment.sql b/supabase/migrations/20250828063500_admin_update_comment.sql
@@ -0,0 +1,55 @@
+CREATE OR REPLACE FUNCTION public.update_comment(p_comment_id uuid, p_content text) RETURNS boolean
+    LANGUAGE plpgsql SECURITY DEFINER
+    SET search_path TO 'public'
+AS $$
+declare
+  v_author_id uuid := auth.uid();
+  v_comment_author_id uuid;
+  v_removed boolean;
+  v_is_userrole_admin boolean := coalesce(get_my_claim('userrole')::text, '') = '"admin"';
+begin
+  -- Auth check
+  if v_author_id is null then
+    raise exception 'Not authenticated' using errcode = '28000';
+  end if;
+
+  -- Input validation
+  if p_comment_id is null then
+    raise exception 'Comment ID is required' using errcode = '22023';
+  end if;
+
+  if p_content is null or trim(p_content) = '' then
+    raise exception 'Content is required' using errcode = '22023';
+  end if;
+
+  -- Check comment exists, get author and removed status
+  select author_id, removed
+  into v_comment_author_id, v_removed
+  from public.comment
+  where id = p_comment_id;
+
+  if not found then
+    raise exception 'Comment not found' using errcode = 'NO_COMMENT';
+  end if;
+
+  -- Prevent updates to removed comments
+  if v_removed then
+    raise exception 'Cannot update a removed comment' using errcode = 'COMMENT_REMOVED';
+  end if;
+
+  -- Authorization check (author or admin can update)
+  if v_comment_author_id <> v_author_id and not v_is_userrole_admin then
+    raise exception 'Not authorized to update this comment' using errcode = '42501';
+  end if;
+
+  -- Perform the update
+  update public.comment
+  set content = trim(p_content),
+      updated_at = now()
+  where id = p_comment_id;
+
+  return true;
+end;
+$$;
+
+NOTIFY pgrst, 'reload schema';
diff --git a/supabase/seed.sql b/supabase/seed.sql
@@ -0,0 +1,21 @@
+-- auth.users
+INSERT INTO "auth"."users" ("instance_id", "id", "aud", "role", "email", "encrypted_password", "email_confirmed_at", "invited_at", "confirmation_token", "confirmation_sent_at", "recovery_token", "recovery_sent_at", "email_change_token_new", "email_change", "email_change_sent_at", "last_sign_in_at", "raw_app_meta_data", "raw_user_meta_data", "is_super_admin", "created_at", "updated_at", "phone", "phone_confirmed_at", "phone_change", "phone_change_token", "phone_change_sent_at", "email_change_token_current", "email_change_confirm_status", "banned_until", "reauthentication_token", "reauthentication_sent_at", "is_sso_user", "deleted_at", "is_anonymous") VALUES
+	('00000000-0000-0000-0000-000000000000', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', 'authenticated', 'authenticated', 'jaeho.lee@snu.ac.kr', NULL, '2025-08-28 04:27:30.258836+00', NULL, '', NULL, '', NULL, '', '', NULL, '2025-08-28 07:58:16.594996+00', '{"provider": "github", "userrole": "admin", "providers": ["github"]}', '{"iss": "https://api.github.com", "sub": "9553691", "name": "Jay Lee", "email": "jaeho.lee@snu.ac.kr", "full_name": "Jay Lee the Tester", "user_name": "Zeta611", "avatar_url": "https://avatars.githubusercontent.com/u/9553691?v=4", "provider_id": "9553691", "email_verified": true, "phone_verified": false, "preferred_username": "Zeta611"}', NULL, '2025-08-28 04:27:30.253169+00', '2025-08-28 07:58:16.597091+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false),
+	('00000000-0000-0000-0000-000000000000', '98e607fc-ef95-4272-9b66-62526b576c84', 'authenticated', 'authenticated', 'usera@example.com', NULL, '2025-08-28 04:27:30.258836+00', NULL, '', NULL, '', NULL, '', '', NULL, '2025-08-28 04:29:30.162166+00', '{"provider": "github", "providers": ["github"]}', '{"iss": "https://api.github.com", "sub": "1000000", "name": "User A", "email": "usera@example.com", "full_name": "User A", "user_name": "usera", "avatar_url": "", "provider_id": "1000000", "email_verified": true, "phone_verified": false, "preferred_username": "usera"}', NULL, '2025-08-28 04:27:30.253169+00', '2025-08-28 04:29:30.164132+00', NULL, NULL, '', '', NULL, '', 0, NULL, '', NULL, false, NULL, false);
+
+-- jargon
+INSERT INTO "public"."jargon" ("name", "author_id", "created_at", "updated_at", "id", "slug") VALUES
+	('user A test', '98e607fc-ef95-4272-9b66-62526b576c84', '2025-08-28 07:17:26.730353+00', '2025-08-28 07:17:26.730353+00', '6af4329d-49e6-4110-8938-f43f3cf30194', 'user-a-test'),
+	('test', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:17:26.730353+00', '2025-08-28 07:17:26.730353+00', 'd4ed1ffb-896f-47c5-a94e-0fc7cd7ec1f6', 'test'),
+	('test 2', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:17:41.53785+00', '2025-08-28 07:17:41.53785+00', 'fed56078-e4f7-41cf-b608-56fa173a82e6', 'test-2');
+
+-- translation
+INSERT INTO "public"."translation" ("name", "author_id", "created_at", "updated_at", "id", "jargon_id", "comment_id") VALUES
+	('테스트 2', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:19:24.414112+00', '2025-08-28 07:19:24.414112+00', '7b1c9053-d772-4e13-bf43-1940ec66534e', 'fed56078-e4f7-41cf-b608-56fa173a82e6', '02c0cd00-3ccc-444b-bdfb-c7c25b444f7e');
+
+-- comment
+INSERT INTO "public"."comment" ("content", "author_id", "created_at", "updated_at", "removed", "id", "jargon_id", "translation_id", "parent_id") VALUES
+	('test의 번역이 필요해요.', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:17:26.730353+00', '2025-08-28 07:17:26.730353+00', false, '31418f6a-fe63-49a8-a8eb-e6205171a4ac', 'd4ed1ffb-896f-47c5-a94e-0fc7cd7ec1f6', NULL, NULL),
+	('test 2의 번역이 필요해요.', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:17:41.53785+00', '2025-08-28 07:17:41.53785+00', false, '205e4e38-5fb1-47e0-94b2-8ab2616fcc74', '6af4329d-49e6-4110-8938-f43f3cf30194', NULL, NULL),
+    ('user a test의 번역이 필요해요.', '98e607fc-ef95-4272-9b66-62526b576c84', '2025-08-28 07:17:41.53785+00', '2025-08-28 07:17:41.53785+00', false, '14fe7f09-18d9-4194-a2e1-6ad7e0acea8b', '6af4329d-49e6-4110-8938-f43f3cf30194', NULL, NULL),
+	('테스트 2를 제안해요.', 'faa73ac2-bbed-40ea-a392-53baf1a946fe', '2025-08-28 07:19:24.414112+00', '2025-08-28 07:19:24.414112+00', false, '02c0cd00-3ccc-444b-bdfb-c7c25b444f7e', 'fed56078-e4f7-41cf-b608-56fa173a82e6', '7b1c9053-d772-4e13-bf43-1940ec66534e', NULL);
