From 36cf9d553d086a6e3820f58f09e3592db9310fbb Mon Sep 17 00:00:00 2001
From: Hyungi Ahn
Date: Mon, 23 Mar 2026 08:27:54 +0900
Subject: [PATCH] =?UTF-8?q?fix(tkuser):=20Sprint=20001=20=EB=A6=AC?= =?UTF-8?q?=EB=B7=B0=20=EA=B6=8C=EC=9E=A5=20=EA=B0=9C=EC=84=A0=203?= =?UTF-8?q?=EA=B1=B4=20=E2=80=94=20=EB=B0=A9=EC=96=B4=20=EC=BD=94=EB=94=A9?= =?UTF-8?q?=20=EB=B0=8F=20=EC=9D=BC=EA=B4=80=EC=84=B1=20=EB=B3=B4=EC=99=84?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- setLongServiceExclusion: affectedRows 체크 추가 (존재하지 않는 user_id → 404)
- ACCESS_LEVELS: user: 1 키 추가 (role='user' 사용자 레벨 0 방지)
- escapeHtml → escHtml 통일 (tkuser-vacations.js 라인 381)
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 user-management/api/controllers/vacationController.js | 5 ++++-
 user-management/api/middleware/auth.js | 2 +-
 user-management/web/static/js/tkuser-vacations.js | 2 +-
 3 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/user-management/api/controllers/vacationController.js b/user-management/api/controllers/vacationController.js
index b262b43..c00af07 100644
--- a/user-management/api/controllers/vacationController.js
+++ b/user-management/api/controllers/vacationController.js
@@ -130,10 +130,13 @@ async function setLongServiceExclusion(req, res, next) {
 }
 const { getPool } = require('../models/userModel');
 const db = getPool();
- await db.query(
+ const [result] = await db.query(
 'UPDATE sso_users SET long_service_excluded = ? WHERE user_id = ?',
 [excluded ? 1 : 0, user_id]
 );
+ if (result.affectedRows === 0) {
+ return res.status(404).json({ success: false, error: '해당 사용자를 찾을 수 없습니다' });
+ }
 res.json({ success: true, message: `장기근속 제외 설정이 ${excluded ? '활성화' : '해제'}되었습니다` });
 } catch (err) { next(err); }
 }
diff --git a/user-management/api/middleware/auth.js b/user-management/api/middleware/auth.js
index 848a3fc..253e447 100644
--- a/user-management/api/middleware/auth.js
+++ b/user-management/api/middleware/auth.js
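Review bot: In `setLongServiceExclusion` (vacationController.js), the new `result.affectedRows === 0` test equates "no row reported" with "no such user", which holds only while the driver reports matched rows rather than changed rows. The `[result]` destructuring suggests mysql2, which reports matched rows by default through the FOUND_ROWS client flag, but the pool options live in `../models/userModel` and are not visible here; with that flag off, re-submitting the value a user already has would return 404 for an existing account. I would record the assumption next to the check, `// affectedRows = matched rows (FOUND_ROWS on); 0 means user_id does not exist`, or do an explicit existence lookup if the flag cannot be guaranteed. The function starts above the hunk, so the validation of `user_id` and `excluded` was not reviewed.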
@@ -80,7 +80,7 @@ function requireAdminOrPermission(pageName) {
 * 최소 권한 레벨 체크 미들웨어
 * worker(1) < group_leader(2) < support_team(3) < admin(4) < system(5)
 */
-const ACCESS_LEVELS = { worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 };
+const ACCESS_LEVELS = { user: 1, worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 };
 
 function requireMinLevel(minLevel) {
 return (req, res, next) => {
diff --git a/user-management/web/static/js/tkuser-vacations.js b/user-management/web/static/js/tkuser-vacations.js
index a7d4f0c..820f543 100644
--- a/user-management/web/static/js/tkuser-vacations.js
+++ b/user-management/web/static/js/tkuser-vacations.js
@@ -378,7 +378,7 @@ function openVacBalanceModal(editId) {
 // 유형 셀렉트
 const tSel = document.getElementById('vbType');
 tSel.innerHTML = '';
- vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += ``; });
+ vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += ``; });
 if (editId) {
 const b = vacBalances.find(x => x.id === editId);
 if (!b) return;
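Review bot: In auth.js the comment directly above `ACCESS_LEVELS` still documents the order starting at `worker(1)`, so after this change the authorization table and its documentation disagree about the `user` role; the line could read `* user(1) = worker(1) < group_leader(2) < support_team(3) < admin(4) < system(5)`. Because this object decides access, I would also build it without a prototype and freeze it, `const ACCESS_LEVELS = Object.freeze(Object.assign(Object.create(null), { user: 1, worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 }));`, so a role string that is not a listed key can only resolve to `undefined` and the table cannot be altered at runtime. `requireMinLevel` continues below the hunk; the commit message implies unknown roles fall back to level 0, and that fallback should stay fail-closed and be checked against any other role values the user store can contain.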
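Review bot: In `openVacBalanceModal` (tkuser-vacations.js) the options are still assembled with `tSel.innerHTML +=` inside `forEach`, so the safety of this select rests entirely on `escHtml` being applied to every interpolated field and on it escaping quotes as well as `<`, `>` and `&` wherever a value lands in an attribute. The option markup inside the template literal did not survive on this page, so neither can be confirmed from the hunk. Creating the elements through the DOM, e.g. `tSel.add(new Option(label, value));` with `label` and `value` standing for the two fields the template interpolates, removes the dependency on the escaper and avoids re-parsing the select's HTML on every iteration. The function continues past the end of the hunk.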