SamProject/sam-api
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: API 메뉴 권한 로직을 mng와 동일하게 수정

Browse Source 
- MenuService, MemberService 권한 조회 로직 재작성
- 부서 권한: permission_overrides 테이블 사용 (Department 타입)
- 개인 권한: permission_overrides 테이블 사용 (User 타입)
- 권한 계산: (역할 ∪ 부서 ∪ 개인ALLOW) - 개인DENY
- User model_type을 'App\Models\User'로 하드코딩 (mng 호환)
This commit is contained in:
권혁성
2025-12-09 20:18:32 +09:00
parent d16f0410b8
commit da44168464
2 changed files with 204 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

158
app/Services/MemberService.php
View File

@@ -237,88 +237,96 @@ public static function getUserInfoForLogin(int $userId): array
})->values()->toArray(),
];
// 4. 메뉴 권한 체크 (menu:{menu_id}.view 패턴)
// 4-1. 사용자 역할 기반 권한
$userRolePermissions = DB::table('model_has_roles')
->join('role_has_permissions', 'model_has_roles.role_id', '=', 'role_has_permissions.role_id')
// 4. 메뉴 권한 체크 (mng UserPermissionService와 동일한 로직)
$now = now();
// 4-1. 역할 권한 (user_roles 테이블)
$rolePermissions = DB::table('user_roles')
->join('role_has_permissions', 'user_roles.role_id', '=', 'role_has_permissions.role_id')
->join('permissions', 'role_has_permissions.permission_id', '=', 'permissions.id')
->where('model_has_roles.model_type', User::class)
->where('model_has_roles.model_id', $userId)
->where('model_has_roles.tenant_id', $tenant->id)
->where('user_roles.user_id', $userId)
->where('user_roles.tenant_id', $tenant->id)
->whereNull('user_roles.deleted_at')
->where('permissions.name', 'like', 'menu:%.view')
->select('permissions.name');
// 4-2. 사용자 직접 권한
$userDirectPermissions = DB::table('model_has_permissions')
->join('permissions', 'model_has_permissions.permission_id', '=', 'permissions.id')
->where('model_has_permissions.model_type', User::class)
->where('model_has_permissions.model_id', $userId)
->where('model_has_permissions.tenant_id', $tenant->id)
->where('permissions.name', 'like', 'menu:%.view')
->select('permissions.name');
// 4-3. 부서 역할 기반 권한 (User → department_user → Department → role → permissions)
$departmentRolePermissions = DB::table('department_user')
->join('model_has_roles', function ($join) {
$join->on('department_user.department_id', '=', 'model_has_roles.model_id')
->where('model_has_roles.model_type', '=', Department::class);
})
->join('role_has_permissions', 'model_has_roles.role_id', '=', 'role_has_permissions.role_id')
->join('permissions', 'role_has_permissions.permission_id', '=', 'permissions.id')
->where('department_user.user_id', $userId)
->where('department_user.tenant_id', $tenant->id)
->where('permissions.name', 'like', 'menu:%.view')
->select('permissions.name');
// 4-4. 모든 권한 통합 (UNION)
$rolePermissions = $userRolePermissions
->union($userDirectPermissions)
->union($departmentRolePermissions)
->pluck('name')
->pluck('permissions.name')
->toArray();
// 4-2. Override 권한 (명시적 허용/차단)
$overrides = DB::table('permission_overrides')
->join('permissions', 'permission_overrides.permission_id', '=', 'permissions.id')
// 4-2. 부서 권한 (permission_overrides에서 Department 타입, effect=1)
$deptPermissions = DB::table('department_user')
->join('permission_overrides', function ($join) use ($now) {
$join->on('permission_overrides.model_id', '=', 'department_user.department_id')
->where('permission_overrides.model_type', '=', Department::class)
->whereNull('permission_overrides.deleted_at')
->where('permission_overrides.effect', 1)
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', $now);
});
})
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->whereNull('department_user.deleted_at')
->where('department_user.user_id', $userId)
->where('department_user.tenant_id', $tenant->id)
->where('permission_overrides.tenant_id', $tenant->id)
->where('permission_overrides.model_type', User::class)
->where('permission_overrides.model_id', $userId)
->where('permissions.name', 'like', 'menu:%.view')
->where(function ($q) {
->pluck('permissions.name')
->toArray();
// 4-3. 개인 ALLOW 권한 (permission_overrides에서 User 타입, effect=1)
// Note: mng는 App\Models\User를 사용하므로 하드코딩
$personalAllows = DB::table('permission_overrides')
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->where('permission_overrides.model_type', 'App\\Models\\User')
->where('permission_overrides.model_id', $userId)
->where('permission_overrides.tenant_id', $tenant->id)
->where('permission_overrides.effect', 1)
->whereNull('permission_overrides.deleted_at')
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', now());
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) {
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', now());
->orWhere('permission_overrides.effective_to', '>=', $now);
})
->select('permissions.name', 'permission_overrides.effect')
->get()
->keyBy('name');
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 4-3. 최종 권한 계산: (기본 || override allow) && !override deny
// 4-4. 개인 DENY 권한 (permission_overrides에서 User 타입, effect=0)
// Note: mng는 App\Models\User를 사용하므로 하드코딩
$personalDenies = DB::table('permission_overrides')
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->where('permission_overrides.model_type', 'App\\Models\\User')
->where('permission_overrides.model_id', $userId)
->where('permission_overrides.tenant_id', $tenant->id)
->where('permission_overrides.effect', 0)
->whereNull('permission_overrides.deleted_at')
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', $now);
})
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 4-5. 최종 권한 계산: (역할 OR 부서 OR 개인ALLOW) - 개인DENY
$allAllowed = array_unique(array_merge($rolePermissions, $deptPermissions, $personalAllows));
$effectivePermissions = array_diff($allAllowed, $personalDenies);
// 메뉴 ID 추출
$allowedMenuIds = [];
$allMenuPermissions = array_unique(array_merge(
$rolePermissions,
$overrides->keys()->toArray()
));
foreach ($allMenuPermissions as $permName) {
foreach ($effectivePermissions as $permName) {
if (preg_match('/^menu:(\d+)\.view$/', $permName, $matches)) {
$menuId = (int) $matches[1];
// Override deny 체크
if (isset($overrides[$permName]) && $overrides[$permName]->effect === -1) {
continue; // 강제 차단
}
// Override allow 또는 기본 Role 권한
if (
(isset($overrides[$permName]) && $overrides[$permName]->effect === 1) ||
in_array($permName, $rolePermissions, true)
) {
$allowedMenuIds[] = $menuId;
}
$allowedMenuIds[] = (int) $matches[1];
}
}
@@ -334,12 +342,12 @@ public static function getUserInfoForLogin(int $userId): array
->toArray();
}
// 6. 역할(Role) 정보 조회
$roles = DB::table('model_has_roles')
->join('roles', 'model_has_roles.role_id', '=', 'roles.id')
->where('model_has_roles.model_type', User::class)
->where('model_has_roles.model_id', $userId)
->where('model_has_roles.tenant_id', $tenant->id)
// 6. 역할(Role) 정보 조회 (user_roles 테이블 사용 - mng와 동일)
$roles = DB::table('user_roles')
->join('roles', 'user_roles.role_id', '=', 'roles.id')
->where('user_roles.user_id', $userId)
->where('user_roles.tenant_id', $tenant->id)
->whereNull('user_roles.deleted_at')
->select('roles.id', 'roles.name', 'roles.description')
->get()
->toArray();