id}:$guard:$permission:v{$ver}"; // ★ 키 강화 return Cache::remember($key, now()->addSeconds(20), function () use ($user, $permission, $tenantId, $guard) { // 1) 개인 DENY if (self::hasUserOverride($user->id, $permission, $tenantId, false, $guard)) { return false; } // 2) Spatie can (팀 컨텍스트는 미들웨어에서 이미 세팅됨) if ($user->can($permission)) { return true; } // 3) 부서 ALLOW if (self::departmentAllows($user->id, $permission, $tenantId, $guard)) { return true; } // 4) 개인 ALLOW if (self::hasUserOverride($user->id, $permission, $tenantId, true, $guard)) { return true; } return false; }); } protected static function hasUserOverride( int $userId, string $permissionName, int $tenantId, bool $allow, ?string $guardName = null ): bool { $now = now(); $guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★ $q = DB::table('user_permission_overrides as uo') ->join('permissions as p', 'p.id', '=', 'uo.permission_id') ->whereNull('uo.deleted_at') ->where('uo.user_id', $userId) ->where('uo.tenant_id', $tenantId) ->where('p.name', $permissionName) ->where('p.tenant_id', $tenantId) // ★ 테넌트 일치 ->where('p.guard_name', $guard) // ★ 가드 일치 ->where(function ($w) use ($now) { $w->whereNull('uo.effective_from')->orWhere('uo.effective_from', '<=', $now); }) ->where(function ($w) use ($now) { $w->whereNull('uo.effective_to')->orWhere('uo.effective_to', '>=', $now); }) ->where('uo.is_allowed', $allow ? 1 : 0); return $q->exists(); } protected static function departmentAllows( int $userId, string $permissionName, int $tenantId, ?string $guardName = null ): bool { $guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★ $q = DB::table('department_user as du') ->join('department_permissions as dp', function ($j) { $j->on('dp.department_id', '=', 'du.department_id') ->whereNull('dp.deleted_at') ->where('dp.is_allowed', 1); }) ->join('permissions as p', 'p.id', '=', 'dp.permission_id') ->whereNull('du.deleted_at') ->where('du.user_id', $userId) ->where('du.tenant_id', $tenantId) ->where('dp.tenant_id', $tenantId) ->where('p.tenant_id', $tenantId) // ★ 테넌트 일치 ->where('p.guard_name', $guard) // ★ 가드 일치 ->where('p.name', $permissionName); return $q->exists(); } public static function allowsOrAbort(User $user, string $permission, int $tenantId, ?string $guardName = null): void { if (! self::allows($user, $permission, $tenantId, $guardName)) { abort(403, 'Forbidden'); } } // (선택) 권한 변경 시 호출해 캐시 무효화 public static function bumpVersion(int $tenantId): void { Cache::increment("access:version:$tenantId"); } }