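/**
 * Page permission middleware (shared).
 *
 * `admin` / `system` roles pass automatically; every other user is checked
 * against `user_page_permissions` first and, if no personal record exists,
 * against `department_page_permissions` for the user's department.
 *
 * The check is fail-closed: a missing identity (401), a missing record, a
 * user without a department, and a database error (500) all end in a
 * rejection — `next()` is only ever called on an explicit allow.
 *
 * Trust boundary: `req.user` (and in particular `req.user.role`) is taken as
 * already authenticated by an upstream middleware; nothing here re-validates
 * it. Mount this strictly after authentication.
 *
 * Usage:
 *   const { createRequirePage } = require('../../shared/middleware/pagePermission');
 *   const requirePage = createRequirePage(() => getPool());
 *   router.get('/some', requirePage('page_name'), controller.handler);
 */

const ADMIN_ROLES = new Set(['admin', 'system']);

const SQL_USER_PERMISSION =
  'SELECT can_access FROM user_page_permissions WHERE user_id = ? AND page_name = ?';
const SQL_USER_DEPARTMENT = 'SELECT department_id FROM sso_users WHERE user_id = ?';
const SQL_DEPT_PERMISSION =
  'SELECT can_access FROM department_page_permissions WHERE department_id = ? AND page_name = ?';

/**
 * Resolve whether `userId` may open `pageName`.
 *
 * Personal record wins outright (allow or deny); otherwise the department
 * record decides; otherwise the answer is "deny".
 *
 * @param {{ query: Function }} db - mysql2-style pool/connection (`[rows] = await db.query(sql, params)`)
 * @param {string|number} userId
 * @param {string} pageName
 * @returns {Promise<boolean>} true only on an explicit allow
 */
async function resolvePageAccess(db, userId, pageName) {
  // 1. Personal permission — an existing row settles the answer either way.
  const [personal] = await db.query(SQL_USER_PERMISSION, [userId, pageName]);
  if (personal.length > 0) {
    // NOTE(review): can_access is interpreted by JS truthiness; this is fine
    // for a TINYINT(1)/BOOLEAN column (mysql2 returns 0/1) but a string
    // column would make "0" count as allowed — confirm the column type.
    return Boolean(personal[0].can_access);
  }

  // 2. Department permission — only if the user belongs to a department.
  const [profile] = await db.query(SQL_USER_DEPARTMENT, [userId]);
  const departmentId = profile.length > 0 ? profile[0].department_id : null;
  if (!departmentId) return false;

  const [departmental] = await db.query(SQL_DEPT_PERMISSION, [departmentId, pageName]);
  if (departmental.length > 0) return Boolean(departmental[0].can_access);

  // 3. No record anywhere → deny.
  return false;
}

/**
 * Build a `requirePage(pageName)` factory bound to a database pool.
 *
 * @param {Function|{ query: Function }} getPool - either a (possibly async)
 *   function returning the pool, or the pool itself.
 * @returns {(pageName: string) => import('express').RequestHandler}
 */
function createRequirePage(getPool) {
  return function requirePage(pageName) {
    // Misconfiguration (missing page name) used to surface only at request
    // time as a 500 from the bind-parameter check; fail at route setup instead.
    if (typeof pageName !== 'string' || pageName.length === 0) {
      throw new TypeError('requirePage: pageName must be a non-empty string');
    }

    return async (req, res, next) => {
      const user = req.user;
      // Without an authenticated principal there is nothing to authorise.
      // Previously `req.user.user_id` threw a TypeError outside the try
      // block, leaking an unhandled error to the default error handler.
      const userId = user == null ? undefined : (user.user_id ?? user.id);
      if (userId == null || userId === '') {
        return res.status(401).json({ success: false, error: '인증이 필요합니다' });
      }

      // admin/system bypass the table lookups entirely. String() keeps a
      // non-string role claim from throwing; it simply fails the membership test.
      const role = String(user.role ?? '').toLowerCase();
      if (ADMIN_ROLES.has(role)) return next();

      try {
        const db = typeof getPool === 'function' ? await getPool() : getPool;
        const allowed = await resolvePageAccess(db, userId, pageName);
        if (allowed) return next();
        return res.status(403).json({ success: false, error: '접근 권한이 없습니다' });
      } catch (err) {
        // Database/pool failure: deny rather than fall open.
        console.error('Permission check error:', err);
        return res.status(500).json({ success: false, error: '권한 확인 실패' });
      }
    };
  };
}

// Guard keeps the module loadable under ESM tooling; in CommonJS it is a plain export.
if (typeof module !== 'undefined') module.exports = { createRequirePage };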