f09c86ee01
- SEC-42: JWT algorithm HS256 명시 (sign 5곳, verify 3곳) - SEC-44: MariaDB/PhpMyAdmin 포트 127.0.0.1 바인딩 - SEC-29: escHtml = escapeHtml alias 추가 (XSS 방지) - SEC-39: Python Dockerfile 4개 non-root user + chown - SEC-43: deploy-remote.sh 삭제 (평문 비밀번호 포함) - SEC-11,12: SQL SET ? → 명시적 컬럼 whitelist + IN절 parameterized - QA-34: vacation approveRequest/cancelRequest 트랜잭션 래핑 - SEC-32,34: material_comparison.py 5개 엔드포인트 인증 + confirmed_by - SEC-33: files.py 17개 미인증 엔드포인트 인증 추가 - SEC-37: chatbot 프롬프트 인젝션 방어 (sanitize + XML 구분자) - SEC-38: fastapi-bridge 프록시 JWT 검증 + 캐시 키 user_id 포함 - SEC-58/QA-98: monthly-comparison API_BASE_URL 수정 + 401 처리 - SEC-61: monthlyComparisonModel SELECT FOR UPDATE 추가 - SEC-63: proxyInputController 에러 메시지 노출 제거 - QA-103: pageAccessRoutes error→message 통일 - SEC-62: tbm-create onclick 인젝션 → data-attribute event delegation - QA-99: tbm-mobile/create 캐시 버스팅 갱신 - QA-100,101: ESC 키 리스너 cleanup 추가 Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
185 lines
6.0 KiB
JavaScript
185 lines
6.0 KiB
JavaScript
const { getPool } = require('../middleware/auth');
|
|
|
|
const ALLOWED_CREATE_COLUMNS = ['user_id', 'vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason', 'status', 'reviewed_by', 'review_note'];
|
|
const ALLOWED_UPDATE_COLUMNS = ['vacation_type_id', 'start_date', 'end_date', 'days_used', 'reason'];
|
|
|
|
const vacationRequestModel = {
|
|
async create(data, conn) {
|
|
const db = conn || getPool();
|
|
const filtered = {};
|
|
for (const key of ALLOWED_CREATE_COLUMNS) {
|
|
if (data[key] !== undefined) filtered[key] = data[key];
|
|
}
|
|
const columns = Object.keys(filtered);
|
|
const placeholders = columns.map(() => '?').join(', ');
|
|
const values = columns.map(c => filtered[c]);
|
|
const [result] = await db.query(
|
|
`INSERT INTO sp_vacation_requests (${columns.join(', ')}) VALUES (${placeholders})`,
|
|
values
|
|
);
|
|
return result;
|
|
},
|
|
|
|
async getAll(filters = {}) {
|
|
const db = getPool();
|
|
let query = `
|
|
SELECT
|
|
vr.*,
|
|
su.name as user_name,
|
|
su.username,
|
|
COALESCE(d.department_name, '미배정') as department_name,
|
|
vt.type_name as vacation_type_name,
|
|
vt.type_code,
|
|
reviewer.name as reviewer_name
|
|
FROM sp_vacation_requests vr
|
|
INNER JOIN sso_users su ON vr.user_id = su.user_id
|
|
LEFT JOIN departments d ON su.department_id = d.department_id
|
|
INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
|
|
LEFT JOIN sso_users reviewer ON vr.reviewed_by = reviewer.user_id
|
|
WHERE 1=1
|
|
`;
|
|
const params = [];
|
|
|
|
if (filters.user_id) {
|
|
query += ' AND vr.user_id = ?';
|
|
params.push(filters.user_id);
|
|
}
|
|
if (filters.status) {
|
|
query += ' AND vr.status = ?';
|
|
params.push(filters.status);
|
|
}
|
|
if (filters.start_date) {
|
|
query += ' AND vr.start_date >= ?';
|
|
params.push(filters.start_date);
|
|
}
|
|
if (filters.end_date) {
|
|
query += ' AND vr.end_date <= ?';
|
|
params.push(filters.end_date);
|
|
}
|
|
if (filters.vacation_type_id) {
|
|
query += ' AND vr.vacation_type_id = ?';
|
|
params.push(filters.vacation_type_id);
|
|
}
|
|
if (filters.department_id) {
|
|
query += ' AND su.department_id = ?';
|
|
params.push(filters.department_id);
|
|
}
|
|
|
|
query += ' ORDER BY vr.created_at DESC';
|
|
|
|
const [rows] = await db.query(query, params);
|
|
return rows;
|
|
},
|
|
|
|
async getById(requestId) {
|
|
const db = getPool();
|
|
const [rows] = await db.query(`
|
|
SELECT
|
|
vr.*,
|
|
su.name as user_name,
|
|
su.username,
|
|
COALESCE(d.department_name, '미배정') as department_name,
|
|
vt.type_name as vacation_type_name,
|
|
vt.type_code,
|
|
reviewer.name as reviewer_name
|
|
FROM sp_vacation_requests vr
|
|
INNER JOIN sso_users su ON vr.user_id = su.user_id
|
|
LEFT JOIN departments d ON su.department_id = d.department_id
|
|
INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
|
|
LEFT JOIN sso_users reviewer ON vr.reviewed_by = reviewer.user_id
|
|
WHERE vr.request_id = ?
|
|
`, [requestId]);
|
|
return rows;
|
|
},
|
|
|
|
async update(requestId, data) {
|
|
const db = getPool();
|
|
const filtered = {};
|
|
for (const key of ALLOWED_UPDATE_COLUMNS) {
|
|
if (data[key] !== undefined) filtered[key] = data[key];
|
|
}
|
|
const columns = Object.keys(filtered);
|
|
if (columns.length === 0) return { affectedRows: 0 };
|
|
const setClause = columns.map(c => `${c} = ?`).join(', ');
|
|
const values = [...columns.map(c => filtered[c]), requestId];
|
|
const [result] = await db.query(`UPDATE sp_vacation_requests SET ${setClause} WHERE request_id = ?`, values);
|
|
return result;
|
|
},
|
|
|
|
async updateStatus(requestId, statusData, conn) {
|
|
const db = conn || getPool();
|
|
const [result] = await db.query(`
|
|
UPDATE sp_vacation_requests
|
|
SET status = ?, reviewed_by = ?, reviewed_at = NOW(), review_note = ?
|
|
WHERE request_id = ?
|
|
`, [statusData.status, statusData.reviewed_by, statusData.review_note || null, requestId]);
|
|
return result;
|
|
},
|
|
|
|
async checkOverlap(userId, startDate, endDate, excludeRequestId = null) {
|
|
const db = getPool();
|
|
let query = `
|
|
SELECT COUNT(*) as count FROM sp_vacation_requests
|
|
WHERE user_id = ?
|
|
AND status IN ('pending', 'approved')
|
|
AND start_date <= ? AND end_date >= ?
|
|
`;
|
|
const params = [userId, endDate, startDate];
|
|
|
|
if (excludeRequestId) {
|
|
query += ' AND request_id != ?';
|
|
params.push(excludeRequestId);
|
|
}
|
|
|
|
const [rows] = await db.query(query, params);
|
|
return rows;
|
|
},
|
|
|
|
async getAllPending() {
|
|
const db = getPool();
|
|
const [rows] = await db.query(`
|
|
SELECT
|
|
vr.*,
|
|
su.name as user_name,
|
|
su.username,
|
|
COALESCE(d.department_name, '미배정') as department_name,
|
|
vt.type_name as vacation_type_name,
|
|
vt.type_code
|
|
FROM sp_vacation_requests vr
|
|
INNER JOIN sso_users su ON vr.user_id = su.user_id
|
|
LEFT JOIN departments d ON su.department_id = d.department_id
|
|
INNER JOIN vacation_types vt ON vr.vacation_type_id = vt.id
|
|
WHERE vr.status = 'pending'
|
|
ORDER BY vr.created_at ASC
|
|
`);
|
|
return rows;
|
|
},
|
|
|
|
async runMigration() {
|
|
const db = getPool();
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
const migrationFiles = ['001_create_sp_tables.sql', '002_section_c_additions.sql'];
|
|
for (const file of migrationFiles) {
|
|
const sqlFile = path.join(__dirname, '..', 'db', 'migrations', file);
|
|
if (!fs.existsSync(sqlFile)) continue;
|
|
const sql = fs.readFileSync(sqlFile, 'utf8');
|
|
const statements = sql.split(';').map(s => s.trim()).filter(s => s.length > 0);
|
|
for (const stmt of statements) {
|
|
try {
|
|
await db.query(stmt);
|
|
} catch (err) {
|
|
if (err.code === 'ER_DUP_FIELDNAME' || err.code === 'ER_TABLE_EXISTS_ERROR') {
|
|
// Already migrated
|
|
} else {
|
|
throw err;
|
|
}
|
|
}
|
|
}
|
|
}
|
|
console.log('[tksupport] Migration completed');
|
|
}
|
|
};
|
|
|
|
module.exports = vacationRequestModel;
|