From 52090057dec600c86b0df23a69a67014eccb9d53 Mon Sep 17 00:00:00 2001
From: joungmin <joungmin@joungmins-Mac-mini.local>
Date: Mon, 15 Jun 2026 21:02:32 +0900
Subject: [PATCH] =?UTF-8?q?fix(restaurant):=20#357=20=ED=9B=84=EC=86=8D=20?=
 =?UTF-8?q?=E2=80=94=20tabling-url=20validation=EC=97=90=20www.=20?=
 =?UTF-8?q?=ED=98=B8=EC=8A=A4=ED=8A=B8=20=ED=97=88=EC=9A=A9?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Naver/DDG 결과가 www.tabling.co.kr 형태인데 PUT validation에서 거부됨
- bulk-tabling SSE는 validation 없이 통과 — 불일치 해소
- catchtable은 이미 app/www 둘 다 허용 (기존)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
---
 CHANGELOG.md                                               | 6 ++++++
 .../java/com/tasteby/controller/RestaurantController.java  | 7 +++++--
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 85dd286..02eb57f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,12 @@
 
 ## 2026-06-15
 
+### 🐛 #357 후속 — tabling-url validation에 www. 호스트 허용 (v0.1.47)
+- Naver/DDG 결과가 `https://www.tabling.co.kr/...` 형태인데 #290 validation은 `tabling.co.kr/`만 허용 → 단건 매핑 PUT 거부
+- bulk-tabling SSE는 validation 없이 service.update 직접 호출이라 통과 → 단일/벌크 불일치
+- `www.tabling.co.kr` prefix도 허용 (catchtable은 이미 app/www 둘 다 허용)
+- 시연 등록: bbq 부천은하마을점 → BBQ 치킨 부천은하마을점
+
 ### 🔍 #359 1단계 — google_place_id 중복 조회 API (v0.1.46)
 - GET /api/admin/restaurants/duplicates/place-id (어드민 전용)
 - 응답: 그룹별 식당 + video/review/memo 카운트 (병합 의사결정 자료)
diff --git a/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java b/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java
index fcde880..7462464 100644
--- a/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java
+++ b/backend-java/src/main/java/com/tasteby/controller/RestaurantController.java
@@ -252,8 +252,11 @@ public class RestaurantController {
         if (r == null) throw new ResponseStatusException(HttpStatus.NOT_FOUND);
         String url = body.get("tabling_url");
         // #290 — javascript:/외부 악성 URL 차단. 빈 문자열은 매핑 해제로 허용.
-        if (url != null && !url.isBlank() && !url.startsWith("https://tabling.co.kr/")) {
-            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "테이블링 URL은 https://tabling.co.kr/ 만 허용");
+        // Naver/DDG 결과가 www.tabling.co.kr 형태로도 옴.
+        if (url != null && !url.isBlank()
+                && !url.startsWith("https://tabling.co.kr/")
+                && !url.startsWith("https://www.tabling.co.kr/")) {
+            throw new ResponseStatusException(HttpStatus.BAD_REQUEST, "테이블링 URL은 https://(www.)tabling.co.kr/ 만 허용");
         }
         restaurantService.update(id, Map.of("tabling_url", url != null ? url : ""));
         cache.flush();