feat(tkuser): requireAdmin → requireAdminOrPermission 전환 — 권한 기반 접근 제어

- 9개 라우트 파일의 쓰기 작업을 requireAdminOrPermission으로 전환 - 권한 관리에서 tkuser.* 권한 부여 시 일반 사용자도 해당 탭 접근 가능 - GET(참조 데이터)은 requireAuth 유지, permissionRoutes는 admin 전용 유지 - 기존 partnerRoutes.js 패턴과 동일한 방식 적용 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-25 14:29:28 +09:00
parent d663b9bfa6
commit a6724b2a20
9 changed files with 66 additions and 52 deletions
--- a/user-management/api/routes/departmentRoutes.js
+++ b/user-management/api/routes/departmentRoutes.js
@@ -5,17 +5,19 @@
 const express = require('express');
 const router = express.Router();
 const departmentController = require('../controllers/departmentController');
-const { requireAuth, requireAdmin } = require('../middleware/auth');
+const { requireAuth, requireAdminOrPermission } = require('../middleware/auth');
+
+const deptPerm = requireAdminOrPermission('tkuser.departments');

 router.get('/', requireAuth, departmentController.getAll);
 router.get('/:id', requireAuth, departmentController.getById);
-router.post('/', requireAdmin, departmentController.create);
-router.put('/:id', requireAdmin, departmentController.update);
-router.delete('/:id', requireAdmin, departmentController.remove);
+router.post('/', deptPerm, departmentController.create);
+router.put('/:id', deptPerm, departmentController.update);
+router.delete('/:id', deptPerm, departmentController.remove);

 // 승인권한 (Approval Authority)
 router.get('/:id/approval-authorities', requireAuth, departmentController.getApprovalAuthorities);
-router.post('/:id/approval-authorities', requireAdmin, departmentController.createApprovalAuthority);
-router.delete('/:id/approval-authorities/:authId', requireAdmin, departmentController.deleteApprovalAuthority);
+router.post('/:id/approval-authorities', deptPerm, departmentController.createApprovalAuthority);
+router.delete('/:id/approval-authorities/:authId', deptPerm, departmentController.deleteApprovalAuthority);

 module.exports = router;