From 5ac7af7b0468e20675c9fcfe3f19d3b1bee56ebb Mon Sep 17 00:00:00 2001
From: Hyungi Ahn
Date: Tue, 31 Mar 2026 07:11:25 +0900
Subject: [PATCH] =?UTF-8?q?fix(tkfb):=20=ED=8E=98=EC=9D=B4=EC=A7=80=20?=
 =?UTF-8?q?=EC=A0=91=EA=B7=BC=20=EA=B6=8C=ED=95=9C=EC=97=90=20=EB=B6=80?=
 =?UTF-8?q?=EC=84=9C=20=EA=B6=8C=ED=95=9C(department=5Fpage=5Fpermissions)?=
 =?UTF-8?q?=20=EB=B0=98=EC=98=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- department_page_permissions JOIN 추가 (s1. 접두사 자동 매칭)
- 부서/개인 명시적 권한 있으면 is_admin_only 제한 해제
- 우선순위: 개인 권한 > 부서 권한 > is_default_accessible

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 system1-factory/api/routes/pageAccessRoutes.js | 18 ++++++++++++++++--
 1 file changed, 16 insertions(+), 2 deletions(-)

diff --git a/system1-factory/api/routes/pageAccessRoutes.js b/system1-factory/api/routes/pageAccessRoutes.js
index 9ef1b17..40eb0ef 100644
--- a/system1-factory/api/routes/pageAccessRoutes.js
+++ b/system1-factory/api/routes/pageAccessRoutes.js
@@ -68,7 +68,16 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
 return res.json({ success: true, data: { user, pageAccess } });
 }
 
+ // 사용자의 부서 조회
+ const [workerRows] = await db.query(`
+ SELECT w.department_id FROM sso_users su
+ LEFT JOIN workers w ON su.user_id = w.user_id
+ WHERE su.user_id = ?
+ `, [userId]);
+ const departmentId = workerRows[0]?.department_id || 0;
+
 // 일반 사용자의 페이지 접근 권한 조회
+ // department_page_permissions.page_name은 's1.' 접두사 사용, pages.page_key는 접두사 없음
 const [pageAccess] = await db.query(`
 SELECT
 p.id as page_id,
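Review bot: The `|| 0` fallback on the departmentId line turns "this user has no department" into a concrete department id that is then bound to `dpp.department_id = ?` in the next hunk, so if department_page_permissions ever holds rows under department 0 they would apply to every department-less user. Binding NULL instead makes the join match nothing for such users: `const departmentId = workerRows[0]?.department_id ?? null;`. The lookup also has no ORDER BY or LIMIT, so if an sso_users row maps to more than one workers row, the department taken from `workerRows[0]` is whichever the database happens to return first; worth a comment or a uniqueness assumption stated next to it. The enclosing router.get handler begins before this hunk.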
@@ -77,15 +86,20 @@ router.get('/users/:userId/page-access', requireAuth, async (req, res) => {
 p.page_path,
 p.category,
 p.is_admin_only,
- COALESCE(upa.can_access, p.is_default_accessible, 0) as can_access,
+ COALESCE(upa.can_access, dpp.can_access, p.is_default_accessible, 0) as can_access,
 upa.granted_at,
 u2.username as granted_by_username
 FROM pages p
 LEFT JOIN user_page_access upa ON p.id = upa.page_id AND upa.user_id = ?
+ LEFT JOIN department_page_permissions dpp
+ ON dpp.department_id = ?
+ AND (dpp.page_name = CONCAT('s1.', p.page_key) OR dpp.page_name = p.page_key)
 LEFT JOIN users u2 ON upa.granted_by = u2.user_id
 WHERE p.is_admin_only = 0
+ OR upa.can_access = 1
+ OR dpp.can_access = 1
 ORDER BY p.display_order, p.page_name
- `, [userId]);
+ `, [userId, departmentId]);
 
 res.json({ success: true, data: { user, pageAccess } });
 } catch (error) {
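Review bot: The department join in the new ON clause is not guaranteed to produce at most one dpp row per page: it accepts both `CONCAT('s1.', p.page_key)` and the bare `p.page_key`, so unless department_page_permissions enforces uniqueness on (department_id, page_name) a department holding both spellings lists the same page twice, possibly with conflicting can_access values, and the unprefixed branch would also let a row keyed for a same-named page in another system satisfy the match if the table is shared. Since the comment added in the previous hunk states that page_name carries the 's1.' prefix, restricting the join to that form keeps the namespace intact: `AND dpp.page_name = CONCAT('s1.', p.page_key)`. If legacy unprefixed rows must remain matchable, a comment saying so plus a uniqueness constraint on the table would make the OR safe to keep. The enclosing handler starts before this hunk.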