diff --git a/shared/middleware/pagePermission.js b/shared/middleware/pagePermission.js new file mode 100644 index 0000000..03a9232 --- /dev/null +++ b/shared/middleware/pagePermission.js @@ -0,0 +1,61 @@ +/** + * 페이지 권한 미들웨어 (shared) + * admin/system 역할은 자동 통과, 일반 사용자는 개인/부서 권한 체크 + * + * 사용법: + * const { createRequirePage } = require('../../shared/middleware/pagePermission'); + * const requirePage = createRequirePage(() => getPool()); + * router.get('/some', requirePage('page_name'), controller.handler); + */ + +function createRequirePage(getPool) { + return function requirePage(pageName) { + return async (req, res, next) => { + const userId = req.user.user_id || req.user.id; + const role = (req.user.role || '').toLowerCase(); + + // admin/system 자동 통과 + if (role === 'admin' || role === 'system') return next(); + + try { + const db = typeof getPool === 'function' ? getPool() : getPool; + + // 1. 개인 권한 체크 + const [rows] = await db.query( + 'SELECT can_access FROM user_page_permissions WHERE user_id = ? AND page_name = ?', + [userId, pageName] + ); + if (rows.length > 0) { + return rows[0].can_access + ? next() + : res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); + } + + // 2. 부서 권한 체크 + const [userRows] = await db.query( + 'SELECT department_id FROM sso_users WHERE user_id = ?', + [userId] + ); + if (userRows.length > 0 && userRows[0].department_id) { + const [deptRows] = await db.query( + 'SELECT can_access FROM department_page_permissions WHERE department_id = ? AND page_name = ?', + [userRows[0].department_id, pageName] + ); + if (deptRows.length > 0) { + return deptRows[0].can_access + ? next() + : res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); + } + } + + // 3. 권한 레코드 없음 → 거부 + return res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); + } catch (err) { + console.error('Permission check error:', err); + return res.status(500).json({ success: false, error: '권한 확인 실패' }); + } + }; + }; +} + +module.exports = { createRequirePage }; diff --git a/tksupport/api/middleware/auth.js b/tksupport/api/middleware/auth.js index 0cf54fc..f86011e 100644 --- a/tksupport/api/middleware/auth.js +++ b/tksupport/api/middleware/auth.js @@ -42,38 +42,9 @@ function requireAdmin(req, res, next) { } } -function requirePage(pageName) { - return async (req, res, next) => { - const userId = req.user.user_id || req.user.id; - const role = (req.user.role || '').toLowerCase(); - if (role === 'admin' || role === 'system') return next(); - - try { - const db = getPool(); - const [rows] = await db.query( - 'SELECT can_access FROM user_page_permissions WHERE user_id = ? AND page_name = ?', - [userId, pageName] - ); - if (rows.length > 0) { - return rows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); - } - const [userRows] = await db.query('SELECT department_id FROM sso_users WHERE user_id = ?', [userId]); - if (userRows.length > 0 && userRows[0].department_id) { - const [deptRows] = await db.query( - 'SELECT can_access FROM department_page_permissions WHERE department_id = ? AND page_name = ?', - [userRows[0].department_id, pageName] - ); - if (deptRows.length > 0) { - return deptRows[0].can_access ? next() : res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); - } - } - return res.status(403).json({ success: false, error: '접근 권한이 없습니다' }); - } catch (err) { - console.error('Permission check error:', err); - return res.status(500).json({ success: false, error: '권한 확인 실패' }); - } - }; -} +// requirePage: shared 미들웨어 사용 +const { createRequirePage } = require('../../../shared/middleware/pagePermission'); +const requirePage = createRequirePage(() => getPool()); function requireSupportTeam(req, res, next) { const token = extractToken(req);