From 280efc46ed4bf9351ae4a201fa677829a7841b14 Mon Sep 17 00:00:00 2001
From: Hyungi Ahn <hyungiahn@Hyungiui-MacBookPro.local>
Date: Wed, 25 Mar 2026 14:30:53 +0900
Subject: [PATCH] =?UTF-8?q?fix(tksupport):=20=EB=B6=80=EC=84=9C=20?=
 =?UTF-8?q?=ED=8E=98=EC=9D=B4=EC=A7=80=20=EA=B6=8C=ED=95=9C=20=EB=8F=99?=
 =?UTF-8?q?=EC=9E=91=20=EC=88=98=EC=A0=95=20=E2=80=94=20requireAdmin/requi?=
 =?UTF-8?q?reSupportTeam=20=EC=A0=9C=EA=B1=B0,=20=EB=84=A4=EB=B9=84?=
 =?UTF-8?q?=EA=B2=8C=EC=9D=B4=EC=85=98=20=EA=B6=8C=ED=95=9C=20=EA=B8=B0?=
 =?UTF-8?q?=EB=B0=98=20=EB=A0=8C=EB=8D=94=EB=A7=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .../api/routes/vacationDashboardRoutes.js     |  8 ++--
 tksupport/api/routes/vacationRoutes.js        | 24 ++++++------
 tksupport/web/company-holidays.html           |  5 +--
 tksupport/web/static/js/tksupport-core.js     | 39 ++++++++++++++++---
 tksupport/web/vacation-admin.html             |  5 +--
 tksupport/web/vacation-approval.html          |  5 +--
 tksupport/web/vacation-dashboard.html         |  5 +--
 user-management/api/models/permissionModel.js |  1 +
 8 files changed, 54 insertions(+), 38 deletions(-)

diff --git a/tksupport/api/routes/vacationDashboardRoutes.js b/tksupport/api/routes/vacationDashboardRoutes.js
index ce84e5b..025a16c 100644
--- a/tksupport/api/routes/vacationDashboardRoutes.js
+++ b/tksupport/api/routes/vacationDashboardRoutes.js
@@ -1,12 +1,12 @@
 const express = require('express');
 const router = express.Router();
-const { requireAuth, requireSupportTeam, requirePage } = require('../middleware/auth');
+const { requireAuth, requirePage } = require('../middleware/auth');
 const ctrl = require('../controllers/vacationDashboardController');
 
 router.use(requireAuth);
 
-router.get('/', requireSupportTeam, requirePage('support_vacation_dashboard'), ctrl.getDashboard);
-router.get('/yearly-overview', requireSupportTeam, requirePage('support_vacation_dashboard'), ctrl.getYearlyOverview);
-router.get('/monthly-detail', requireSupportTeam, requirePage('support_vacation_dashboard'), ctrl.getMonthlyDetail);
+router.get('/', requirePage('support_vacation_dashboard'), ctrl.getDashboard);
+router.get('/yearly-overview', requirePage('support_vacation_dashboard'), ctrl.getYearlyOverview);
+router.get('/monthly-detail', requirePage('support_vacation_dashboard'), ctrl.getMonthlyDetail);
 
 module.exports = router;
diff --git a/tksupport/api/routes/vacationRoutes.js b/tksupport/api/routes/vacationRoutes.js
index eb48825..ca11501 100644
--- a/tksupport/api/routes/vacationRoutes.js
+++ b/tksupport/api/routes/vacationRoutes.js
@@ -1,6 +1,6 @@
 const express = require('express');
 const router = express.Router();
-const { requireAuth, requireAdmin, requirePage } = require('../middleware/auth');
+const { requireAuth, requirePage } = require('../middleware/auth');
 const ctrl = require('../controllers/vacationController');
 
 router.use(requireAuth);
@@ -15,25 +15,25 @@ router.get('/requests/:id', ctrl.getRequestById);
 router.put('/requests/:id', requirePage('support_vacation_request'), ctrl.updateRequest);
 router.patch('/requests/:id/cancel', requirePage('support_vacation_request'), ctrl.cancelRequest);
 
-// 승인 (관리자)
-router.get('/pending', requireAdmin, ctrl.getPending);
-router.patch('/requests/:id/approve', requireAdmin, requirePage('support_vacation_approval'), ctrl.approveRequest);
-router.patch('/requests/:id/reject', requireAdmin, requirePage('support_vacation_approval'), ctrl.rejectRequest);
+// 승인
+router.get('/pending', requirePage('support_vacation_approval'), ctrl.getPending);
+router.patch('/requests/:id/approve', requirePage('support_vacation_approval'), ctrl.approveRequest);
+router.patch('/requests/:id/reject', requirePage('support_vacation_approval'), ctrl.rejectRequest);
 
 // 내 휴가 현황
 router.get('/my-status', ctrl.getMyStatus);
 
 // 잔여일
 router.get('/balance', ctrl.getMyBalance);
-router.get('/balance/all', requireAdmin, ctrl.getAllBalances);
-router.get('/balance/:userId', requireAdmin, ctrl.getUserBalance);
-router.post('/balance/allocate', requireAdmin, ctrl.allocateBalance);
+router.get('/balance/all', requirePage('support_vacation_approval'), ctrl.getAllBalances);
+router.get('/balance/:userId', requirePage('support_vacation_approval'), ctrl.getUserBalance);
+router.post('/balance/allocate', requirePage('support_vacation_approval'), ctrl.allocateBalance);
 
 // 관리자 보정
-router.post('/admin/correct', requireAdmin, ctrl.adminCreateRequest);
-router.delete('/admin/requests/:id', requireAdmin, ctrl.adminDeleteRequest);
+router.post('/admin/correct', requirePage('support_vacation_admin'), ctrl.adminCreateRequest);
+router.delete('/admin/requests/:id', requirePage('support_vacation_admin'), ctrl.adminDeleteRequest);
 
-// 사용자 목록 (관리자)
-router.get('/users', requireAdmin, ctrl.getUsers);
+// 사용자 목록
+router.get('/users', requirePage('support_vacation_approval'), ctrl.getUsers);
 
 module.exports = router;
diff --git a/tksupport/web/company-holidays.html b/tksupport/web/company-holidays.html
index fbebe3a..52f5c57 100644
--- a/tksupport/web/company-holidays.html
+++ b/tksupport/web/company-holidays.html
@@ -112,10 +112,7 @@
     <script>
     async function initPage() {
         if (!initAuth()) return;
-        if (!currentUser || !['support_team','admin','system'].includes(currentUser.role)) {
-            document.querySelector('.flex-1').innerHTML = '<div class="bg-white rounded-xl shadow-sm p-8 text-center text-gray-500"><i class="fas fa-lock text-4xl mb-3 block"></i>지원팀 이상 권한이 필요합니다</div>';
-            return;
-        }
+        // 권한은 API requirePage에서 체크
 
         // 연도 셀렉트
         const sel = document.getElementById('yearSelect');
diff --git a/tksupport/web/static/js/tksupport-core.js b/tksupport/web/static/js/tksupport-core.js
index 7f9cf0f..d7c2057 100644
--- a/tksupport/web/static/js/tksupport-core.js
+++ b/tksupport/web/static/js/tksupport-core.js
@@ -98,6 +98,8 @@ function toggleMobileMenu() {
 }
 
 /* ===== Navbar ===== */
+let currentUserPermissions = {};
+
 function renderNavbar() {
     const currentPage = location.pathname.replace(/\//g, '') || 'index.html';
     const isAdmin = currentUser && ['admin','system'].includes(currentUser.role);
@@ -105,16 +107,18 @@ function renderNavbar() {
         { href: '/', icon: 'fa-home', label: '대시보드', match: ['index.html'] },
         { href: '/vacation-request.html', icon: 'fa-paper-plane', label: '휴가 신청', match: ['vacation-request.html'] },
         { href: '/vacation-status.html', icon: 'fa-calendar-check', label: '내 휴가 현황', match: ['vacation-status.html'] },
-        { href: '/vacation-approval.html', icon: 'fa-clipboard-check', label: '휴가 승인', match: ['vacation-approval.html'], admin: true },
-        { href: '/company-holidays.html', icon: 'fa-calendar-day', label: '전사 휴가 관리', match: ['company-holidays.html'], roles: ['support_team','admin','system'] },
-        { href: '/vacation-dashboard.html', icon: 'fa-chart-bar', label: '전체 휴가관리', match: ['vacation-dashboard.html'], roles: ['support_team','admin','system'] },
-        { href: '/vacation-admin.html', icon: 'fa-user-edit', label: '휴가 보정', match: ['vacation-admin.html'], admin: true },
+        { href: '/vacation-approval.html', icon: 'fa-clipboard-check', label: '휴가 승인', match: ['vacation-approval.html'], page: 'support_vacation_approval' },
+        { href: '/company-holidays.html', icon: 'fa-calendar-day', label: '전사 휴가 관리', match: ['company-holidays.html'], page: 'support_company_holidays' },
+        { href: '/vacation-dashboard.html', icon: 'fa-chart-bar', label: '전체 휴가관리', match: ['vacation-dashboard.html'], page: 'support_vacation_dashboard' },
+        { href: '/vacation-admin.html', icon: 'fa-user-edit', label: '휴가 보정', match: ['vacation-admin.html'], page: 'support_vacation_admin' },
     ];
     const nav = document.getElementById('sideNav');
     if (!nav) return;
     nav.innerHTML = links.filter(l => {
-        if (l.roles) return currentUser && l.roles.includes(currentUser.role);
-        if (l.admin) return isAdmin;
+        if (l.page) {
+            if (isAdmin) return true;
+            return currentUserPermissions[l.page]?.can_access === true;
+        }
         return true;
     }).map(l => {
         const active = l.match.some(m => currentPage === m || currentPage.endsWith(m));
@@ -159,6 +163,12 @@ function initAuth() {
     const avatarEl = document.getElementById('headerUserAvatar');
     if (nameEl) nameEl.textContent = dn;
     if (avatarEl) avatarEl.textContent = dn.charAt(0).toUpperCase();
+
+    // 권한 로드 후 네비게이션 렌더링
+    const isAdmin = ['admin','system'].includes(currentUser.role);
+    if (!isAdmin) {
+        _loadPermissions(currentUser.id).then(() => renderNavbar());
+    }
     renderNavbar();
 
     // 알림 벨 로드
@@ -168,6 +178,23 @@ function initAuth() {
     return true;
 }
 
+/* ===== 권한 로드 (tkuser API) ===== */
+async function _loadPermissions(userId) {
+    try {
+        const tkuserBase = location.hostname.includes('technicalkorea.net')
+            ? 'https://tkuser.technicalkorea.net/api'
+            : location.protocol + '//' + location.hostname + ':30300/api';
+        const token = getToken();
+        const res = await fetch(`${tkuserBase}/permissions/users/${userId}/effective-permissions`, {
+            headers: { 'Authorization': `Bearer ${token}` }
+        });
+        if (res.ok) {
+            const data = await res.json();
+            currentUserPermissions = data.permissions || {};
+        }
+    } catch (e) { /* 실패 시 빈 객체 유지 — 권한 메뉴 안 보임 */ }
+}
+
 /* ===== 알림 벨 ===== */
 function _loadNotificationBell() {
     const s = document.createElement('script');
diff --git a/tksupport/web/vacation-admin.html b/tksupport/web/vacation-admin.html
index 868bef8..c95f905 100644
--- a/tksupport/web/vacation-admin.html
+++ b/tksupport/web/vacation-admin.html
@@ -133,10 +133,7 @@
 
     async function initPage() {
         if (!initAuth()) return;
-        if (!currentUser || !['admin','system'].includes(currentUser.role)) {
-            document.querySelector('.flex-1').innerHTML = '<div class="bg-white rounded-xl shadow-sm p-8 text-center text-gray-500"><i class="fas fa-lock text-4xl mb-3 block"></i>관리자 권한이 필요합니다</div>';
-            return;
-        }
+        // 권한은 API requirePage에서 체크
         const thisYear = new Date().getFullYear();
         const ySel = document.getElementById('yearSelect');
         for (let y = thisYear + 1; y >= thisYear - 2; y--) ySel.innerHTML += `<option value="${y}" ${y === thisYear ? 'selected' : ''}>${y}년</option>`;
diff --git a/tksupport/web/vacation-approval.html b/tksupport/web/vacation-approval.html
index b6bef5d..d459805 100644
--- a/tksupport/web/vacation-approval.html
+++ b/tksupport/web/vacation-approval.html
@@ -210,10 +210,7 @@
 
     async function initApprovalPage() {
         if (!initAuth()) return;
-        if (!currentUser || !['admin','system'].includes(currentUser.role)) {
-            document.querySelector('.flex-1').innerHTML = '<div class="bg-white rounded-xl shadow-sm p-8 text-center text-gray-500"><i class="fas fa-lock text-4xl mb-3 block"></i>관리자 권한이 필요합니다</div>';
-            return;
-        }
+        // 권한은 API requirePage에서 체크
 
         document.getElementById('allocYear').value = new Date().getFullYear();
         await loadDropdowns();
diff --git a/tksupport/web/vacation-dashboard.html b/tksupport/web/vacation-dashboard.html
index dd94733..b89fe4a 100644
--- a/tksupport/web/vacation-dashboard.html
+++ b/tksupport/web/vacation-dashboard.html
@@ -163,10 +163,7 @@
 
     async function initPage() {
         if (!initAuth()) return;
-        if (!currentUser || !['support_team','admin','system'].includes(currentUser.role)) {
-            document.querySelector('.flex-1').innerHTML = '<div class="bg-white rounded-xl shadow-sm p-8 text-center text-gray-500"><i class="fas fa-lock text-4xl mb-3 block"></i>지원팀 이상 권한이 필요합니다</div>';
-            return;
-        }
+        // 권한은 API requirePage에서 체크 — 403 시 loadAll에서 에러 표시
         const thisYear = new Date().getFullYear();
         [document.getElementById('yearSelect'), document.getElementById('v2YearSelect')].forEach(sel => {
             for (let y = thisYear + 1; y >= thisYear - 2; y--)
diff --git a/user-management/api/models/permissionModel.js b/user-management/api/models/permissionModel.js
index afc5f6b..ab591f2 100644
--- a/user-management/api/models/permissionModel.js
+++ b/user-management/api/models/permissionModel.js
@@ -76,6 +76,7 @@ const DEFAULT_PAGES = {
   'support_vacation_approval':  { title: '휴가 승인',       system: 'tksupport', group: '관리', default_access: false },
   'support_company_holidays':   { title: '전사 휴가 관리',  system: 'tksupport', group: '관리', default_access: false },
   'support_vacation_dashboard': { title: '전체 휴가관리',   system: 'tksupport', group: '관리', default_access: false },
+  'support_vacation_admin':     { title: '휴가 보정',       system: 'tksupport', group: '관리', default_access: false },
 
   // ===== tkuser - 통합 관리 =====
   'tkuser.users':                    { title: '사용자 관리',       system: 'tkuser', group: '통합 관리', default_access: false },