hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(tkfb): pageAccessRoutes 레거시 users/roles 테이블 → sso_users 전환

Browse Source 
users 테이블과 sso_users 테이블의 user_id가 다른 문제 해결.
- 모든 사용자 조회를 sso_users로 전환
- admin 체크를 req.user.role(JWT)로 간소화 → DB 쿼리 제거
- POST/DELETE에 UPSERT 패턴 적용
- is_admin_only 참조 완전 제거

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-03-31 07:32:16 +09:00
parent d3cef659ce
commit 4dd39ceab7
1 changed files with 41 additions and 89 deletions
Download Patch File Download Diff File Expand all files Collapse all files

130
system1-factory/api/routes/pageAccessRoutes.js
View File

@@ -3,6 +3,11 @@ const router = express.Router();
const { getDb } = require('../dbPool');
const { requireAuth, requireAdmin } = require('../middlewares/auth');
// Admin 역할 확인 헬퍼
function isAdminRole(role) {
return ['admin', 'system'].includes((role || '').toLowerCase());
}
/**
* 모든 페이지 목록 조회
* GET /api/pages
@@ -11,7 +16,7 @@ router.get('/pages', requireAuth, async (req, res) => {
try {
const db = await getDb();
const [pages] = await db.query(`
SELECT id, page_key, page_name, page_path, category, description, is_admin_only, display_order
SELECT id, page_key, page_name, page_path, category, description, display_order
FROM pages
ORDER BY display_order, page_name
`);
@@ -32,12 +37,9 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
const { userId } = req.params;
const db = await getDb();
// 사용자의 역할 확인
// 사용자 조회 (sso_users)
const [userRows] = await db.query(`
SELECT u.user_id, u.username, u.role_id, r.name as role_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.user_id = ?
SELECT user_id, name, role FROM sso_users WHERE user_id = ?
`, [userId]);
if (userRows.length === 0) {
@@ -46,10 +48,10 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
const user = userRows[0];
// Admin/System Admin인 경우 모든 페이지 접근 가능
if (user.role_name === 'Admin' || user.role_name === 'System Admin') {
// Admin인 경우 모든 페이지 접근 가능
if (isAdminRole(user.role)) {
const [allPages] = await db.query(`
SELECT id, page_key, page_name, page_path, category, is_admin_only
SELECT id, page_key, page_name, page_path, category
FROM pages
ORDER BY display_order, page_name
`);
@@ -60,9 +62,8 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
page_name: page.page_name,
page_path: page.page_path,
category: page.category,
is_admin_only: page.is_admin_only,
can_access: true,
is_default: true // Admin은 기본적으로 모든 권한 보유
is_default: true
}));
return res.json({ success: true, data: { user, pageAccess } });
@@ -70,9 +71,7 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
// 사용자의 부서 조회
const [workerRows] = await db.query(`
SELECT w.department_id FROM sso_users su
LEFT JOIN workers w ON su.user_id = w.user_id
WHERE su.user_id = ?
SELECT w.department_id FROM workers w WHERE w.user_id = ?
`, [userId]);
const departmentId = workerRows[0]?.department_id || 0;
@@ -85,16 +84,13 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
p.page_name,
p.page_path,
p.category,
p.is_admin_only,
COALESCE(upa.can_access, dpp.can_access, p.is_default_accessible, 0) as can_access,
upa.granted_at,
u2.username as granted_by_username
upa.granted_at
FROM pages p
LEFT JOIN user_page_access upa ON p.id = upa.page_id AND upa.user_id = ?
LEFT JOIN department_page_permissions dpp
ON dpp.department_id = ?
AND (dpp.page_name = CONCAT('s1.', p.page_key) OR dpp.page_name = p.page_key)
LEFT JOIN users u2 ON upa.granted_by = u2.user_id
ORDER BY p.display_order, p.page_name
`, [userId, departmentId]);
@@ -112,50 +108,29 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
*/
router.post('/users/:userId/page-access', requireAuth, async (req, res) => {
try {
const { userId } = req.params;
const { pageIds, canAccess } = req.body;
const adminUserId = req.user.user_id; // 권한을 부여하는 Admin의 user_id
// Admin 권한 확인
const db = await getDb();
const [adminRows] = await db.query(`
SELECT u.role_id, r.name as role_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.user_id = ?
`, [adminUserId]);
if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
if (!isAdminRole(req.user.role)) {
return res.status(403).json({ success: false, error: '권한이 없습니다. Admin 계정만 사용자 권한을 관리할 수 있습니다.' });
}
const { userId } = req.params;
const { pageIds, canAccess } = req.body;
const adminUserId = req.user.user_id;
const db = await getDb();
// 사용자 존재 확인
const [userRows] = await db.query('SELECT user_id FROM users WHERE user_id = ?', [userId]);
const [userRows] = await db.query('SELECT user_id FROM sso_users WHERE user_id = ?', [userId]);
if (userRows.length === 0) {
return res.status(404).json({ success: false, error: '사용자를 찾을 수 없습니다.' });
}
// 페이지 접근 권한 업데이트
for (const pageId of pageIds) {
// 기존 권한 확인
const [existing] = await db.query(
'SELECT * FROM user_page_access WHERE user_id = ? AND page_id = ?',
[userId, pageId]
);
if (existing.length > 0) {
// 업데이트
await db.query(
'UPDATE user_page_access SET can_access = ?, granted_at = NOW(), granted_by = ? WHERE user_id = ? AND page_id = ?',
[canAccess ? 1 : 0, adminUserId, userId, pageId]
);
} else {
// 삽입
await db.query(
'INSERT INTO user_page_access (user_id, page_id, can_access, granted_by) VALUES (?, ?, ?, ?)',
[userId, pageId, canAccess ? 1 : 0, adminUserId]
);
}
await db.query(`
INSERT INTO user_page_access (user_id, page_id, can_access, granted_by)
VALUES (?, ?, ?, ?)
ON DUPLICATE KEY UPDATE can_access = ?, granted_at = NOW(), granted_by = ?
`, [userId, pageId, canAccess ? 1 : 0, adminUserId, canAccess ? 1 : 0, adminUserId]);
}
res.json({ success: true, message: '페이지 접근 권한이 업데이트되었습니다.' });
@@ -171,23 +146,13 @@ router.post('/users/:userId/page-access', requireAuth, async (req, res) => {
*/
router.delete('/users/:userId/page-access/:pageId', requireAuth, async (req, res) => {
try {
const { userId, pageId } = req.params;
const adminUserId = req.user.user_id;
// Admin 권한 확인
const db = await getDb();
const [adminRows] = await db.query(`
SELECT u.role_id, r.name as role_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.user_id = ?
`, [adminUserId]);
if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
if (!isAdminRole(req.user.role)) {
return res.status(403).json({ success: false, error: '권한이 없습니다.' });
}
// 접근 권한 삭제
const { userId, pageId } = req.params;
const db = await getDb();
await db.query(
'DELETE FROM user_page_access WHERE user_id = ? AND page_id = ?',
[userId, pageId]
@@ -206,36 +171,23 @@ router.delete('/users/:userId/page-access/:pageId', requireAuth, async (req, res
*/
router.get('/page-access/summary', requireAuth, async (req, res) => {
try {
const adminUserId = req.user.user_id;
// Admin 권한 확인
const db = await getDb();
const [adminRows] = await db.query(`
SELECT u.role_id, r.name as role_name
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
WHERE u.user_id = ?
`, [adminUserId]);
if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
if (!isAdminRole(req.user.role)) {
return res.status(403).json({ success: false, error: '권한이 없습니다.' });
}
// 모든 사용자와 페이지 권한 조회
const db = await getDb();
const [summary] = await db.query(`
SELECT
u.user_id,
u.username,
u.name,
r.name as role_name,
su.user_id,
su.name,
su.role,
COUNT(DISTINCT upa.page_id) as accessible_pages_count,
(SELECT COUNT(*) FROM pages) as total_pages_count
FROM users u
LEFT JOIN roles r ON u.role_id = r.id
LEFT JOIN user_page_access upa ON u.user_id = upa.user_id AND upa.can_access = 1
WHERE r.name NOT IN ('Admin', 'System Admin')
GROUP BY u.user_id, u.username, u.name, r.name
ORDER BY u.username
FROM sso_users su
LEFT JOIN user_page_access upa ON su.user_id = upa.user_id AND upa.can_access = 1
WHERE su.role NOT IN ('admin', 'system')
GROUP BY su.user_id, su.name, su.role
ORDER BY su.name
`);
res.json({ success: true, data: summary });