hyungi/tk-factory-services
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(tkuser): 협력업체 CRUD 권한을 permission 시스템으로 확장

Browse Source 
tkuser.partners 권한이 부여된 일반 사용자도 업체/작업자 등록·수정·비활성화 가능.
완전삭제는 admin 전용 유지.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Hyungi Ahn
2026-03-16 11:23:17 +09:00
parent 5a911f1d4b
commit f711a721ec
3 changed files with 48 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
user-management/api/middleware/auth.js
View File

@@ -55,4 +55,25 @@ function requireAdmin(req, res, next) {
}
}
module.exports = { extractToken, requireAuth, requireAdmin };
/**
* 관리자 또는 특정 페이지 권한 보유자 미들웨어 팩토리
*/
function requireAdminOrPermission(pageName) {
return async (req, res, next) => {
const token = extractToken(req);
if (!token) return res.status(401).json({ success: false, error: '인증이 필요합니다' });
try {
const decoded = jwt.verify(token, JWT_SECRET);
req.user = decoded;
if (['admin', 'system'].includes((decoded.role || '').toLowerCase())) return next();
const { checkAccess } = require('../models/permissionModel');
const result = await checkAccess(decoded.user_id || decoded.id, pageName);
if (result.can_access) return next();
return res.status(403).json({ success: false, error: '권한이 없습니다' });
} catch {
return res.status(401).json({ success: false, error: '유효하지 않은 토큰입니다' });
}
};
}
module.exports = { extractToken, requireAuth, requireAdmin, requireAdminOrPermission };

15
user-management/api/routes/partnerRoutes.js
View File

@@ -1,7 +1,8 @@
const express = require('express');
const router = express.Router();
const { requireAuth, requireAdmin } = require('../middleware/auth');
const { requireAuth, requireAdmin, requireAdminOrPermission } = require('../middleware/auth');
const ctrl = require('../controllers/partnerController');
const partnerPerm = requireAdminOrPermission('tkuser.partners');
router.use(requireAuth);
@@ -9,13 +10,13 @@ router.get('/', ctrl.list);
router.get('/:id/delete-info', requireAdmin, ctrl.getDeleteInfo);
router.delete('/:id/permanent', requireAdmin, ctrl.permanentDelete);
router.get('/:id', ctrl.getById);
router.post('/', requireAdmin, ctrl.create);
router.put('/:id', requireAdmin, ctrl.update);
router.delete('/:id', requireAdmin, ctrl.deactivate);
router.post('/', partnerPerm, ctrl.create);
router.put('/:id', partnerPerm, ctrl.update);
router.delete('/:id', partnerPerm, ctrl.deactivate);
router.get('/:id/workers', ctrl.listWorkers);
router.post('/:id/workers', requireAdmin, ctrl.createWorker);
router.put('/workers/:id', requireAdmin, ctrl.updateWorker);
router.delete('/workers/:id', requireAdmin, ctrl.deactivateWorker);
router.post('/:id/workers', partnerPerm, ctrl.createWorker);
router.put('/workers/:id', partnerPerm, ctrl.updateWorker);
router.delete('/workers/:id', partnerPerm, ctrl.deactivateWorker);
module.exports = router;

25
user-management/web/static/js/tkuser-partners.js
View File

@@ -1,4 +1,13 @@
/* ===== tkuser 협력업체 CRUD ===== */
function hasPartnerPermission() {
if (!currentUser) return false;
if (['admin', 'system'].includes(currentUser.role)) return true;
return typeof currentUserAllowedTabs !== 'undefined' && currentUserAllowedTabs.has('partners');
}
function isAdminOnly() {
return currentUser && ['admin', 'system'].includes(currentUser.role);
}
let partnersLoaded = false;
let partnersList = [];
let partnerWorkersList = [];
@@ -8,7 +17,7 @@ let editingWorkerIdTkuser = null;
async function loadPartnersTab() {
if (partnersLoaded) return;
partnersLoaded = true;
if (currentUser && ['admin', 'system'].includes(currentUser.role)) {
if (hasPartnerPermission()) {
document.getElementById('btnAddPartnerTkuser')?.classList.remove('hidden');
}
await loadPartnersList();
@@ -35,7 +44,8 @@ function renderPartnersListTkuser() {
c.innerHTML = '<p class="text-gray-400 text-center py-4 text-sm">등록된 협력업체가 없습니다.</p>';
return;
}
const isAdmin = currentUser && ['admin', 'system'].includes(currentUser.role);
const canManage = hasPartnerPermission();
const isAdmin = isAdminOnly();
c.innerHTML = partnersList.map(p => {
const types = tryParseJsonTkuser(p.business_type) || [];
const typeStr = types.map(t => `<span class="px-1.5 py-0.5 rounded text-xs bg-blue-50 text-blue-600">${escHtml(t)}</span>`).join(' ');
@@ -53,10 +63,10 @@ function renderPartnersListTkuser() {
${typeStr}
</div>
</div>
${isAdmin ? `<div class="flex gap-1 ml-2 flex-shrink-0">
${canManage ? `<div class="flex gap-1 ml-2 flex-shrink-0">
<button onclick="event.stopPropagation(); openEditPartnerTkuser(${p.id})" class="p-1.5 text-slate-500 hover:text-slate-700 hover:bg-slate-200 rounded" title="수정"><i class="fas fa-pen text-xs"></i></button>
${p.is_active ? `<button onclick="event.stopPropagation(); deactivatePartnerTkuser(${p.id}, '${escHtml(p.company_name).replace(/'/g, "\\'")}')" class="p-1.5 text-red-400 hover:text-red-600 hover:bg-red-100 rounded" title="비활성화"><i class="fas fa-ban text-xs"></i></button>` : ''}
<button onclick="event.stopPropagation(); hardDeletePartnerTkuser(${p.id})" class="p-1.5 text-red-300 hover:text-red-600 hover:bg-red-100 rounded" title="완전삭제"><i class="fas fa-trash text-xs"></i></button>
${isAdmin ? `<button onclick="event.stopPropagation(); hardDeletePartnerTkuser(${p.id})" class="p-1.5 text-red-300 hover:text-red-600 hover:bg-red-100 rounded" title="완전삭제"><i class="fas fa-trash text-xs"></i></button>` : ''}
</div>` : ''}
</div>`;
}).join('');
@@ -80,7 +90,8 @@ async function selectPartnerTkuser(id) {
function renderPartnerDetailTkuser(p) {
const types = tryParseJsonTkuser(p.business_type) || [];
const workers = p.workers || [];
const isAdmin = currentUser && ['admin', 'system'].includes(currentUser.role);
const canManage = hasPartnerPermission();
const isAdmin = isAdminOnly();
document.getElementById('partnerDetailTkuser').innerHTML = `
<div class="bg-white rounded-xl shadow-sm p-5 mb-4">
<div class="flex items-center justify-between mb-3">
@@ -101,7 +112,7 @@ function renderPartnerDetailTkuser(p) {
<div class="bg-white rounded-xl shadow-sm p-5">
<div class="flex items-center justify-between mb-3">
<h4 class="text-base font-semibold text-gray-800"><i class="fas fa-users text-gray-400 mr-2"></i>소속 작업자 (${workers.length}명)</h4>
${isAdmin ? `<button onclick="openAddWorkerTkuser()" class="px-3 py-1.5 bg-slate-700 text-white rounded-lg text-xs hover:bg-slate-800"><i class="fas fa-user-plus mr-1"></i>작업자 등록</button>` : ''}
${canManage ? `<button onclick="openAddWorkerTkuser()" class="px-3 py-1.5 bg-slate-700 text-white rounded-lg text-xs hover:bg-slate-800"><i class="fas fa-user-plus mr-1"></i>작업자 등록</button>` : ''}
</div>
${workers.length ? workers.map(w => `
<div class="flex items-center justify-between p-2 bg-gray-50 rounded hover:bg-gray-100 mb-1">
@@ -116,7 +127,7 @@ function renderPartnerDetailTkuser(p) {
${w.phone ? `<span>${escHtml(w.phone)}</span>` : ''}
${w.safety_training_date ? `<span>안전교육: ${formatDate(w.safety_training_date)}</span>` : ''}
</div>
${isAdmin ? `<div class="flex gap-1 ml-2">
${canManage ? `<div class="flex gap-1 ml-2">
<button onclick="openEditWorkerTkuser(${w.id})" class="p-1 text-slate-500 hover:text-slate-700 rounded" title="수정"><i class="fas fa-pen text-xs"></i></button>
${w.is_active ? `<button onclick="deactivateWorkerTkuser(${w.id})" class="p-1 text-red-400 hover:text-red-600 rounded" title="비활성화"><i class="fas fa-ban text-xs"></i></button>` : ''}
</div>` : ''}