SamProject/sam-api
6
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: API 메뉴 권한 로직을 mng와 동일하게 수정

Browse Source 
- MenuService, MemberService 권한 조회 로직 재작성
- 부서 권한: permission_overrides 테이블 사용 (Department 타입)
- 개인 권한: permission_overrides 테이블 사용 (User 타입)
- 권한 계산: (역할 ∪ 부서 ∪ 개인ALLOW) - 개인DENY
- User model_type을 'App\Models\User'로 하드코딩 (mng 호환)
This commit is contained in:
권혁성
2025-12-09 20:18:32 +09:00
parent d16f0410b8
commit da44168464
2 changed files with 204 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

124
app/Services/MenuService.php
View File

@@ -3,6 +3,8 @@
namespace App\Services;
use App\Models\Commons\Menu;
use App\Models\Members\User;
use App\Models\Tenants\Department;
use Illuminate\Support\Arr;
use Illuminate\Support\Facades\DB;
use Illuminate\Support\Facades\Validator;
@@ -16,20 +18,32 @@ protected static function tenantId(): ?int
protected static function actorId(): ?int
{
$user = app('api_user'); // 컨테이너에 주입된 인증 사용자(객체 or 배열)
$uid = app('api_user');
return is_object($user) ? ($user->id ?? null) : ($user['id'] ?? null);
return $uid ? (int) $uid : null;
}
/**
* 메뉴 목록 조회
* 메뉴 목록 조회 (사용자 권한 기반 필터링)
*/
public static function index(array $params)
{
$tenantId = self::tenantId();
$userId = self::actorId();
// 권한이 있는 메뉴 ID 목록 조회
$allowedMenuIds = self::getAllowedMenuIds($userId, $tenantId);
$q = Menu::query()->withShared($tenantId);
// 권한 기반 필터링 적용
if (! empty($allowedMenuIds)) {
$q->whereIn('id', $allowedMenuIds);
} else {
// 권한이 없으면 빈 결과 반환
$q->whereRaw('1 = 0');
}
if (array_key_exists('parent_id', $params)) {
$q->where('parent_id', $params['parent_id']);
}
@@ -46,6 +60,110 @@ public static function index(array $params)
return $q->get();
}
/**
* 사용자가 접근 가능한 메뉴 ID 목록 조회 (mng UserPermissionService와 동일한 로직)
*/
protected static function getAllowedMenuIds(?int $userId, ?int $tenantId): array
{
if (! $userId || ! $tenantId) {
return [];
}
$now = now();
// 1. 역할 권한 (user_roles 테이블)
$rolePermissions = DB::table('user_roles')
->join('role_has_permissions', 'user_roles.role_id', '=', 'role_has_permissions.role_id')
->join('permissions', 'role_has_permissions.permission_id', '=', 'permissions.id')
->where('user_roles.user_id', $userId)
->where('user_roles.tenant_id', $tenantId)
->whereNull('user_roles.deleted_at')
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 2. 부서 권한 (permission_overrides에서 Department 타입, effect=1)
$deptPermissions = DB::table('department_user')
->join('permission_overrides', function ($join) use ($now) {
$join->on('permission_overrides.model_id', '=', 'department_user.department_id')
->where('permission_overrides.model_type', '=', Department::class)
->whereNull('permission_overrides.deleted_at')
->where('permission_overrides.effect', 1)
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', $now);
});
})
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->whereNull('department_user.deleted_at')
->where('department_user.user_id', $userId)
->where('department_user.tenant_id', $tenantId)
->where('permission_overrides.tenant_id', $tenantId)
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 3. 개인 ALLOW 권한 (permission_overrides에서 User 타입, effect=1)
// Note: mng는 App\Models\User를 사용하므로 하드코딩
$personalAllows = DB::table('permission_overrides')
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->where('permission_overrides.model_type', 'App\\Models\\User')
->where('permission_overrides.model_id', $userId)
->where('permission_overrides.tenant_id', $tenantId)
->where('permission_overrides.effect', 1)
->whereNull('permission_overrides.deleted_at')
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', $now);
})
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 4. 개인 DENY 권한 (permission_overrides에서 User 타입, effect=0)
// Note: mng는 App\Models\User를 사용하므로 하드코딩
$personalDenies = DB::table('permission_overrides')
->join('permissions', 'permissions.id', '=', 'permission_overrides.permission_id')
->where('permission_overrides.model_type', 'App\\Models\\User')
->where('permission_overrides.model_id', $userId)
->where('permission_overrides.tenant_id', $tenantId)
->where('permission_overrides.effect', 0)
->whereNull('permission_overrides.deleted_at')
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_from')
->orWhere('permission_overrides.effective_from', '<=', $now);
})
->where(function ($q) use ($now) {
$q->whereNull('permission_overrides.effective_to')
->orWhere('permission_overrides.effective_to', '>=', $now);
})
->where('permissions.name', 'like', 'menu:%.view')
->pluck('permissions.name')
->toArray();
// 5. 최종 권한 계산: (역할 OR 부서 OR 개인ALLOW) - 개인DENY
$allAllowed = array_unique(array_merge($rolePermissions, $deptPermissions, $personalAllows));
$effectivePermissions = array_diff($allAllowed, $personalDenies);
// 메뉴 ID 추출
$allowedMenuIds = [];
foreach ($effectivePermissions as $permName) {
if (preg_match('/^menu:(\d+)\.view$/', $permName, $matches)) {
$allowedMenuIds[] = (int) $matches[1];
}
}
return $allowedMenuIds;
}
/**
* 메뉴 단건 조회
*/