sam-api/app/Services/Authz/AccessService.php

<?php

namespace App\Services\Authz;

use App\Models\Members\User;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\DB;

final class AccessService
{
    public static function allows(User $user, string $permission, int $tenantId, ?string $guardName = null): bool
    {
        $guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★ 기본 가드
        $ver = Cache::get("access:version:$tenantId", 1);          // ★ 버전 토큰

        $key = "access:$tenantId:{$user->id}:$guard:$permission:v{$ver}"; // ★ 키 강화

        return Cache::remember($key, now()->addSeconds(20), function () use ($user, $permission, $tenantId, $guard) {

            // 1) 개인 DENY
            if (self::hasUserOverride($user->id, $permission, $tenantId, false, $guard)) {
                return false;
            }

            // 2) Spatie can (팀 컨텍스트는 미들웨어에서 이미 세팅됨)
            if ($user->can($permission)) {
                return true;
            }

            // 3) 부서 ALLOW
            if (self::departmentAllows($user->id, $permission, $tenantId, $guard)) {
                return true;
            }

            // 4) 개인 ALLOW
            if (self::hasUserOverride($user->id, $permission, $tenantId, true, $guard)) {
                return true;
            }

            return false;
        });
    }

    protected static function hasUserOverride(
        int $userId,
        string $permissionName,
        int $tenantId,
        bool $allow,
        ?string $guardName = null
    ): bool {
        $now = now();
        $guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★

        $q = DB::table('permission_overrides as po')
            ->join('permissions as p', 'p.id', '=', 'po.permission_id')
            ->whereNull('po.deleted_at')
            ->where('po.model_type', 'App\\Models\\Members\\User')
            ->where('po.model_id', $userId)
            ->where('po.tenant_id', $tenantId)
            ->where('p.name', $permissionName)
            ->where('p.tenant_id', $tenantId)              // ★ 테넌트 일치
            ->where('p.guard_name', $guard)                // ★ 가드 일치
            ->where(function ($w) use ($now) {
                $w->whereNull('po.effective_from')->orWhere('po.effective_from', '<=', $now);
            })
            ->where(function ($w) use ($now) {
                $w->whereNull('po.effective_to')->orWhere('po.effective_to', '>=', $now);
            })
            ->where('po.effect', $allow ? 1 : 0);

        return $q->exists();
    }

    protected static function departmentAllows(
        int $userId,
        string $permissionName,
        int $tenantId,
        ?string $guardName = null
    ): bool {
        $now = now();
        $guard = $guardName ?? config('auth.defaults.guard', 'api'); // ★

        $q = DB::table('department_user as du')
            ->join('permission_overrides as po', function ($j) use ($now) {
                $j->on('po.model_id', '=', 'du.department_id')
                    ->where('po.model_type', 'App\\Models\\Tenants\\Department')
                    ->whereNull('po.deleted_at')
                    ->where('po.effect', 1)
                    ->where(function ($w) use ($now) {
                        $w->whereNull('po.effective_from')->orWhere('po.effective_from', '<=', $now);
                    })
                    ->where(function ($w) use ($now) {
                        $w->whereNull('po.effective_to')->orWhere('po.effective_to', '>=', $now);
                    });
            })
            ->join('permissions as p', 'p.id', '=', 'po.permission_id')
            ->whereNull('du.deleted_at')
            ->where('du.user_id', $userId)
            ->where('du.tenant_id', $tenantId)
            ->where('po.tenant_id', $tenantId)
            ->where('p.tenant_id', $tenantId)              // ★ 테넌트 일치
            ->where('p.guard_name', $guard)                // ★ 가드 일치
            ->where('p.name', $permissionName);

        return $q->exists();
    }

    public static function allowsOrAbort(User $user, string $permission, int $tenantId, ?string $guardName = null): void
    {
        if (! self::allows($user, $permission, $tenantId, $guardName)) {
            abort(403, 'Forbidden');
        }
    }

    // (선택) 권한 변경 시 호출해 캐시 무효화
    public static function bumpVersion(int $tenantId): void
    {
        Cache::increment("access:version:$tenantId");
    }
}