fix(tkuser): Sprint 001 리뷰 권장 개선 3건 — 방어 코딩 및 일관성 보완

- setLongServiceExclusion: affectedRows 체크 추가 (존재하지 않는 user_id → 404)
- ACCESS_LEVELS: user: 1 키 추가 (role='user' 사용자 레벨 0 방지)
- escapeHtml → escHtml 통일 (tkuser-vacations.js 라인 381)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-03-23 08:27:54 +09:00
parent 19e668a56a
commit 36cf9d553d
3 changed files with 6 additions and 3 deletions


@@ -130,10 +130,13 @@ async function setLongServiceExclusion(req, res, next) {
}
const { getPool } = require('../models/userModel');
const db = getPool();
await db.query(
const [result] = await db.query(
'UPDATE sso_users SET long_service_excluded = ? WHERE user_id = ?',
[excluded ? 1 : 0, user_id]
);
if (result.affectedRows === 0) {
return res.status(404).json({ success: false, error: '해당 사용자를 찾을 수 없습니다' });
}
res.json({ success: true, message: `장기근속 제외 설정이 ${excluded ? '활성화' : '해제'}되었습니다` });
} catch (err) { next(err); }
}
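Review bot: `if (result.affectedRows === 0)` on the new line 26 cannot distinguish a missing user from an existing user whose flag already holds the requested value unless the pool connects with the FOUND_ROWS client flag (as far as I recall the node mysql/mysql2 default, which reports matched rather than changed rows); if that flag is ever dropped from the pool config, repeating the same toggle would answer 404 for a real user. That assumption is worth pinning above the check, e.g. `// affectedRows counts matched rows (FOUND_ROWS flag); without it a no-op update would also hit this 404`. setLongServiceExclusion starts before this hunk, so the validation of `excluded` and `user_id` is not visible here.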


@@ -80,7 +80,7 @@ function requireAdminOrPermission(pageName) {
* 최소 권한 레벨 체크 미들웨어
* worker(1) < group_leader(2) < support_team(3) < admin(4) < system(5)
*/
const ACCESS_LEVELS = { worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 };
const ACCESS_LEVELS = { user: 1, worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 };
function requireMinLevel(minLevel) {
return (req, res, next) => {
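Review bot: The ordering comment on line 37 still reads `worker(1) < group_leader(2) < …` while the new table also maps `user` to 1, so the docblock no longer matches the code; update it to `* user(1) = worker(1) < group_leader(2) < support_team(3) < admin(4) < system(5)`. Since this table is the single source of truth for privilege ordering, freezing it, `const ACCESS_LEVELS = Object.freeze({ user: 1, worker: 1, group_leader: 2, support_team: 3, admin: 4, system: 5 });`, would keep any later module from altering levels at runtime. The body of requireMinLevel, where the role lookup happens, continues outside the hunk, so how unknown roles are handled (presumably level 0, as the commit message implies) cannot be confirmed here.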


@@ -378,7 +378,7 @@ function openVacBalanceModal(editId) {
// 유형 셀렉트
const tSel = document.getElementById('vbType');
tSel.innerHTML = '<option value="">선택</option>';
vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += `<option value="${t.id}">${escapeHtml(t.type_name)} (${escapeHtml(t.type_code)})</option>`; });
vacTypes.filter(t => t.is_active).forEach(t => { tSel.innerHTML += `<option value="${t.id}">${escHtml(t.type_name)} (${escHtml(t.type_code)})</option>`; });
if (editId) {
const b = vacBalances.find(x => x.id === editId);
if (!b) return;
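Review bot: After the rename, `${t.id}` on line 51 is still the one interpolation written into `innerHTML` without escaping, and `innerHTML +=` re-serialises and re-parses the whole select on every iteration. Both go away if the options are built as elements with `value`/`textContent` instead of HTML strings, which also removes the need for an escaping helper in this loop. `t.id` is presumably a numeric key, so this is a consistency point rather than a live defect. openVacBalanceModal starts before this hunk and continues after it.
```javascript
tSel.innerHTML = '<option value="">선택</option>';
for (const t of vacTypes.filter((type) => type.is_active)) {
  const opt = document.createElement('option');
  opt.value = t.id;
  opt.textContent = `${t.type_name} (${t.type_code})`;
  tSel.append(opt);
}
// … unchanged: editId branch …
```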