.

api/src/main/java/org/badminton/api/config/security/SecurityConfig.java

@@ -64,14 +64,6 @@ public SecurityFilterChain publicFilterChain(HttpSecurity http) throws Exception
 			.csrf(AbstractHttpConfigurer::disable)
 			.cors(this::corsConfigurer)
 			.authorizeHttpRequests(auth -> auth
-				.requestMatchers("/").permitAll()
-				.requestMatchers("/oauth2/**").permitAll()
-				.requestMatchers("/login/**").permitAll()
-				.requestMatchers("/error").permitAll()
-				.requestMatchers("/swagger-ui/**").permitAll()
-				.requestMatchers("/v1/leagues/**").permitAll()
-				.requestMatchers("/v1/members/session").permitAll()
-				.requestMatchers("/v1/clubs/**").permitAll()
 				.anyRequest().permitAll())
 			.sessionManagement(session -> session.sessionCreationPolicy(SessionCreationPolicy.STATELESS))
 			.oauth2Login(oauth2 -> oauth2
@@ -129,14 +121,6 @@ public SecurityFilterChain clubFilterChain(HttpSecurity http) throws Exception {
 			.exceptionHandling(
 				exception -> exception.authenticationEntryPoint(failedAuthenticationEntryPoint))
 			.authorizeHttpRequests(auth -> auth
-				.requestMatchers("/").permitAll()
-				.requestMatchers("/oauth2/**").permitAll()
-				.requestMatchers("/login/**").permitAll()
-				.requestMatchers("/error").permitAll()
-				.requestMatchers("/swagger-ui/**").permitAll()
-				.requestMatchers("/v1/leagues/**").permitAll()
-				.requestMatchers("/v1/members/session").permitAll()
-				.requestMatchers("/v1/clubs/**").permitAll()
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}/leagues/month")
 				.permitAll()
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}/leagues/date")
@@ -146,35 +130,36 @@ public SecurityFilterChain clubFilterChain(HttpSecurity http) throws Exception {
 				.requestMatchers(HttpMethod.POST, "/v1/clubs")
 				.permitAll()
 				.requestMatchers(HttpMethod.DELETE, "/v1/clubs/{clubToken}")
-				.permitAll()
+				.access(hasClubRole("OWNER"))
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}/applicants")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER"))
 				.requestMatchers(HttpMethod.PATCH, "/v1/clubs/{clubToken}")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER"))
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}/leagues/{leagueId}")
 				.permitAll()
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}/clubMembers")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER", "USER"))
 				.requestMatchers(HttpMethod.GET, "/v1/clubs/{clubToken}")
 				.permitAll()
+
 				.requestMatchers(HttpMethod.POST, "/v1/clubs/{clubToken}/clubMembers/approve",
 					"/v1/clubs/{clubToken}/clubMembers/reject")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER"))
 				.requestMatchers(HttpMethod.POST, "/v1/clubs/images")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER"))
 				.requestMatchers(HttpMethod.DELETE, "/v1/clubs/{clubToken}/leagues/{leagueId}")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER", "USER"))
 				.requestMatchers(HttpMethod.PATCH, "/v1/clubs/{clubToken}/leagues/{leagueId}")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER", "USER"))
 				.requestMatchers(HttpMethod.POST, "/v1/clubs/{clubToken}/leagues/{leagueId}/participation",
 					"/v1/clubs/{clubToken}/leagues")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER", "USER"))
 				.requestMatchers(HttpMethod.DELETE, "/v1/clubs/{clubToken}/leagues/{leagueId}/participation")
-				.permitAll()
+				.access(hasClubRole("OWNER", "MANAGER", "USER"))
 				.requestMatchers(HttpMethod.PATCH,
 					"/v1/clubs/{clubToken}/clubMembers/role",
 					"v1/clubs/{clubToken}/clubMembers/ban", "v1/clubs/{clubToken}/clubMembers/expel")
-				.permitAll()
+				.access(hasClubRole("OWNER"))
 				.anyRequest()
 				.authenticated()
 			);