// utils/access.js
exports.requireAccess = (...allowed) => {
  return (req, res, next) => {
    if (!req.user || !allowed.includes(req.user.access_level)) {
      return res.status(403).json({ error: '접근 권한이 없습니다' });
    }
    next();
  };
};