fix(tkfb): pageAccessRoutes 레거시 users/roles 테이블 → sso_users 전환

users 테이블과 sso_users 테이블의 user_id가 다른 문제 해결. - 모든 사용자 조회를 sso_users로 전환 - admin 체크를 req.user.role(JWT)로 간소화 → DB 쿼리 제거 - POST/DELETE에 UPSERT 패턴 적용 - is_admin_only 참조 완전 제거 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-31 07:32:16 +09:00
parent d3cef659ce
commit 4dd39ceab7
1 changed files with 41 additions and 89 deletions
--- a/system1-factory/api/routes/pageAccessRoutes.js
+++ b/system1-factory/api/routes/pageAccessRoutes.js
@@ -3,6 +3,11 @@ const router = express.Router();
 const { getDb } = require('../dbPool');
 const { requireAuth, requireAdmin } = require('../middlewares/auth');
 // Admin 역할 확인 헬퍼
 function isAdminRole(role) {
  return ['admin', 'system'].includes((role || '').toLowerCase());
 }
 /**
 * 모든 페이지 목록 조회
 * GET /api/pages
@@ -11,7 +16,7 @@ router.get('/pages', requireAuth, async (req, res) => {
  try {
    const db = await getDb();
    const [pages] = await db.query(`
-      SELECT id, page_key, page_name, page_path, category, description, is_admin_only, display_order
+      SELECT id, page_key, page_name, page_path, category, description, display_order
      FROM pages
      ORDER BY display_order, page_name
    `);
@@ -32,12 +37,9 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
    const { userId } = req.params;
    const db = await getDb();
-    // 사용자의 역할 확인
+    // 사용자 조회 (sso_users)
    const [userRows] = await db.query(`
-      SELECT u.user_id, u.username, u.role_id, r.name as role_name
+      SELECT user_id, name, role FROM sso_users WHERE user_id = ?
      FROM users u
      LEFT JOIN roles r ON u.role_id = r.id
      WHERE u.user_id = ?
    `, [userId]);
    if (userRows.length === 0) {
@@ -46,10 +48,10 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
    const user = userRows[0];
-    // Admin/System Admin인 경우 모든 페이지 접근 가능
+    // Admin인 경우 모든 페이지 접근 가능
-    if (user.role_name === 'Admin' || user.role_name === 'System Admin') {
+    if (isAdminRole(user.role)) {
      const [allPages] = await db.query(`
-        SELECT id, page_key, page_name, page_path, category, is_admin_only
+        SELECT id, page_key, page_name, page_path, category
        FROM pages
        ORDER BY display_order, page_name
      `);
@@ -60,9 +62,8 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
        page_name: page.page_name,
        page_path: page.page_path,
        category: page.category,
        is_admin_only: page.is_admin_only,
        can_access: true,
-        is_default: true // Admin은 기본적으로 모든 권한 보유
+        is_default: true
      }));
      return res.json({ success: true, data: { user, pageAccess } });
@@ -70,9 +71,7 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
    // 사용자의 부서 조회
    const [workerRows] = await db.query(`
-      SELECT w.department_id FROM sso_users su
+      SELECT w.department_id FROM workers w WHERE w.user_id = ?
      LEFT JOIN workers w ON su.user_id = w.user_id
      WHERE su.user_id = ?
    `, [userId]);
    const departmentId = workerRows[0]?.department_id || 0;
@@ -85,16 +84,13 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
        p.page_name,
        p.page_path,
        p.category,
        p.is_admin_only,
        COALESCE(upa.can_access, dpp.can_access, p.is_default_accessible, 0) as can_access,
-        upa.granted_at,
+        upa.granted_at
        u2.username as granted_by_username
      FROM pages p
      LEFT JOIN user_page_access upa ON p.id = upa.page_id AND upa.user_id = ?
      LEFT JOIN department_page_permissions dpp
        ON dpp.department_id = ?
        AND (dpp.page_name = CONCAT('s1.', p.page_key) OR dpp.page_name = p.page_key)
      LEFT JOIN users u2 ON upa.granted_by = u2.user_id
      ORDER BY p.display_order, p.page_name
    `, [userId, departmentId]);
@@ -112,50 +108,29 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
 */
 router.post('/users/:userId/page-access', requireAuth, async (req, res) => {
  try {
-    const { userId } = req.params;
+    if (!isAdminRole(req.user.role)) {
    const { pageIds, canAccess } = req.body;
    const adminUserId = req.user.user_id; // 권한을 부여하는 Admin의 user_id
    // Admin 권한 확인
    const db = await getDb();
    const [adminRows] = await db.query(`
      SELECT u.role_id, r.name as role_name
      FROM users u
      LEFT JOIN roles r ON u.role_id = r.id
      WHERE u.user_id = ?
    `, [adminUserId]);
    if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
      return res.status(403).json({ success: false, error: '권한이 없습니다. Admin 계정만 사용자 권한을 관리할 수 있습니다.' });
    }
    const { userId } = req.params;
    const { pageIds, canAccess } = req.body;
    const adminUserId = req.user.user_id;
    const db = await getDb();
    // 사용자 존재 확인
-    const [userRows] = await db.query('SELECT user_id FROM users WHERE user_id = ?', [userId]);
+    const [userRows] = await db.query('SELECT user_id FROM sso_users WHERE user_id = ?', [userId]);
    if (userRows.length === 0) {
      return res.status(404).json({ success: false, error: '사용자를 찾을 수 없습니다.' });
    }
    // 페이지 접근 권한 업데이트
    for (const pageId of pageIds) {
-      // 기존 권한 확인
+      await db.query(`
-      const [existing] = await db.query(
+        INSERT INTO user_page_access (user_id, page_id, can_access, granted_by)
-        'SELECT * FROM user_page_access WHERE user_id = ? AND page_id = ?',
+        VALUES (?, ?, ?, ?)
-        [userId, pageId]
+        ON DUPLICATE KEY UPDATE can_access = ?, granted_at = NOW(), granted_by = ?
-      );
+      `, [userId, pageId, canAccess ? 1 : 0, adminUserId, canAccess ? 1 : 0, adminUserId]);
      if (existing.length > 0) {
        // 업데이트
        await db.query(
          'UPDATE user_page_access SET can_access = ?, granted_at = NOW(), granted_by = ? WHERE user_id = ? AND page_id = ?',
          [canAccess ? 1 : 0, adminUserId, userId, pageId]
        );
      } else {
        // 삽입
        await db.query(
          'INSERT INTO user_page_access (user_id, page_id, can_access, granted_by) VALUES (?, ?, ?, ?)',
          [userId, pageId, canAccess ? 1 : 0, adminUserId]
        );
      }
    }
    res.json({ success: true, message: '페이지 접근 권한이 업데이트되었습니다.' });
@@ -171,23 +146,13 @@ router.post('/users/:userId/page-access', requireAuth, async (req, res) => {
 */
 router.delete('/users/:userId/page-access/:pageId', requireAuth, async (req, res) => {
  try {
-    const { userId, pageId } = req.params;
+    if (!isAdminRole(req.user.role)) {
    const adminUserId = req.user.user_id;
    // Admin 권한 확인
    const db = await getDb();
    const [adminRows] = await db.query(`
      SELECT u.role_id, r.name as role_name
      FROM users u
      LEFT JOIN roles r ON u.role_id = r.id
      WHERE u.user_id = ?
    `, [adminUserId]);
    if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
      return res.status(403).json({ success: false, error: '권한이 없습니다.' });
    }
-    // 접근 권한 삭제
+    const { userId, pageId } = req.params;
    const db = await getDb();
    await db.query(
      'DELETE FROM user_page_access WHERE user_id = ? AND page_id = ?',
      [userId, pageId]
@@ -206,36 +171,23 @@ router.delete('/users/:userId/page-access/:pageId', requireAuth, async (req, res
 */
 router.get('/page-access/summary', requireAuth, async (req, res) => {
  try {
-    const adminUserId = req.user.user_id;
+    if (!isAdminRole(req.user.role)) {
    // Admin 권한 확인
    const db = await getDb();
    const [adminRows] = await db.query(`
      SELECT u.role_id, r.name as role_name
      FROM users u
      LEFT JOIN roles r ON u.role_id = r.id
      WHERE u.user_id = ?
    `, [adminUserId]);
    if (adminRows.length === 0 || (adminRows[0].role_name !== 'Admin' && adminRows[0].role_name !== 'System Admin')) {
      return res.status(403).json({ success: false, error: '권한이 없습니다.' });
    }
-    // 모든 사용자와 페이지 권한 조회
+    const db = await getDb();
    const [summary] = await db.query(`
      SELECT
-        u.user_id,
+        su.user_id,
-        u.username,
+        su.name,
-        u.name,
+        su.role,
        r.name as role_name,
        COUNT(DISTINCT upa.page_id) as accessible_pages_count,
        (SELECT COUNT(*) FROM pages) as total_pages_count
-      FROM users u
+      FROM sso_users su
-      LEFT JOIN roles r ON u.role_id = r.id
+      LEFT JOIN user_page_access upa ON su.user_id = upa.user_id AND upa.can_access = 1
-      LEFT JOIN user_page_access upa ON u.user_id = upa.user_id AND upa.can_access = 1
+      WHERE su.role NOT IN ('admin', 'system')
-      WHERE r.name NOT IN ('Admin', 'System Admin')
+      GROUP BY su.user_id, su.name, su.role
-      GROUP BY u.user_id, u.username, u.name, r.name
+      ORDER BY su.name
      ORDER BY u.username
    `);
    res.json({ success: true, data: summary });