From 9efb8c881a05fe39fa9c0dce3da34d044d987065 Mon Sep 17 00:00:00 2001
From: Hyungi Ahn
Date: Wed, 1 Apr 2026 11:12:50 +0900
Subject: [PATCH] =?UTF-8?q?fix(auth):=20TBM=20=ED=8E=98=EC=9D=B4=EC=A7=80?=
 =?UTF-8?q?=20=EA=B6=8C=ED=95=9C=20=EC=A0=9C=EC=96=B4=20=E2=80=94=20restri?=
 =?UTF-8?q?cted=20=ED=94=8C=EB=9E=98=EA=B7=B8=20=EC=B6=94=EA=B0=80?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

NAV_MENU의 비admin 페이지가 모두 publicPageKeys에 포함되어 개별 권한(user_page_permissions) 체크가 우회되던 기존 설계 이슈 수정.

- work.tbm에 restricted: true 추가
- publicPageKeys 생성 시 restricted 항목 제외
- restricted 페이지는 DB 개별 권한으로만 접근 제어

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 system1-factory/web/static/js/tkfb-core.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/system1-factory/web/static/js/tkfb-core.js b/system1-factory/web/static/js/tkfb-core.js
index 643c95d..cac9291 100644
--- a/system1-factory/web/static/js/tkfb-core.js
+++ b/system1-factory/web/static/js/tkfb-core.js
@@ -117,7 +117,7 @@ async function _fetchPageAccess(userId) {
 const NAV_MENU = [
   { cat: null, href: '/pages/dashboard-new.html', icon: 'fa-home', label: '대시보드', key: 'dashboard' },
   { cat: '작업 관리', items: [
-    { href: '/pages/work/tbm-mobile.html', icon: 'fa-clipboard-list', label: 'TBM 관리', key: 'work.tbm' },
+    { href: '/pages/work/tbm-mobile.html', icon: 'fa-clipboard-list', label: 'TBM 관리', key: 'work.tbm', restricted: true },
     { href: '/pages/work/report-create-mobile.html', icon: 'fa-file-alt', label: '작업보고서 작성', key: 'work.report_create' },
     { href: '/pages/work/analysis.html', icon: 'fa-chart-bar', label: '작업 분석', key: 'work.analysis', admin: true },
     { href: `${_tkqcBase}/`, icon: 'fa-exclamation-triangle', label: '부적합 현황', key: 'work.nonconformity', external: true },
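Review bot: The new `restricted: true` on the `work.tbm` entry is undocumented, and nothing at the `NAV_MENU` declaration says how it differs from the `admin: true` used two lines below on `work.analysis`, so a maintainer adding the next page cannot tell which flag to use. Per the commit message the intent is that a restricted page is left out of the public set and granted only through the per-user `user_page_permissions` lookup, which is worth stating at the source of truth rather than only in the filter in `initAuth`. Add a line above `const NAV_MENU = [` such as `// admin: true — admin-only; restricted: true — not public, access decided per user via user_page_permissions (see publicPageKeys in initAuth)`. The `NAV_MENU` array continues past the end of this hunk.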
@@ -282,11 +282,11 @@ async function initAuth() {
   let accessibleKeys = [];
   if (!isAdmin) {
     accessibleKeys = await _fetchPageAccess(currentUser.id);
-    // NAV_MENU에서 admin이 아닌 페이지는 모든 인증 사용자에게 공개
+    // NAV_MENU에서 admin/restricted가 아닌 페이지는 모든 인증 사용자에게 공개
     const publicPageKeys = NAV_MENU.flatMap(entry => {
       if (!entry.items) return entry.key ? [entry.key] : [];
       if (entry.admin) return [];
-      return entry.items.filter(item => !item.admin).map(item => item.key);
+      return entry.items.filter(item => !item.admin && !item.restricted).map(item => item.key);
     });
     // 현재 페이지 접근 권한 확인
     const pageKey = _getCurrentPageKey();
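Review bot: The new `!item.restricted` filter only applies to nested `entry.items`; a top-level entry without `items` is still returned by `if (!entry.items) return entry.key ? [entry.key] : [];` regardless of `admin` or `restricted`, so the flag is silently ignored on entries shaped like `dashboard`. Change that line to `if (!entry.items) return entry.key && !entry.admin && !entry.restricted ? [entry.key] : [];` so both flags mean the same thing at either level, and the updated comment above `publicPageKeys` then holds for the whole menu. Because this runs in the browser (`static/js`), `publicPageKeys` can at most hide navigation and redirect; the TBM page and any API it calls still need the same `user_page_permissions` check enforced server-side, which this diff does not show. `initAuth` begins and ends outside the hunk.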