theorose49 a904cbf9b9
All checks were successful
build-and-push / build (push) Successful in 33s
feat: 메일함·근무상태 기록·프로필 사진·자동 프로비저닝 + 인센티브 유저 노출 제한
- 알림(Notification) 모델/이벤트 발행(프로젝트 추가·휴가/초과근무 승인·인센티브 반영/지급·정산 확정) + 메일함 API
- 근무상태 기록(WorkStatusEvent: 출근/퇴근/휴식/미팅/이동), 출퇴근은 Attendance도 갱신
- 남은 연차(소수점) 엔드포인트, 관리자 근무관리용 집계/로그 조회
- 프로필 사진(Member.AvatarKey) 업로드/스트리밍
- Keycloak 최초 로그인 자동 Member 프로비저닝(ensureMember, rank/부서 nullable)
- 프로젝트 scope=mine(나의 업무는 관리자도 본인 참여분만), nav에 메일함·근무관리·프로젝트관리·내프로필 추가
- 운영 안전: SEED 기본값 false(로컬만 SEED=true), ADMIN_GROUPS 기본 'admin'

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 09:38:33 +09:00

105 lines
3.4 KiB
Go

package httpapi
import (
"net/http"
"strings"
"spin/internal/models"
)
// spin is a single internal company, so authorization is a 2-tier model rather
// than eQMS's per-company membership matrix:
//
// - admin → super-admin (Keycloak group ∩ ADMIN_GROUPS) OR Member.Role==admin.
// Sees and manages everything: approvals, incentive console,
// accounting, all member/project data, the bracketed [admin-only]
// contract & payment fields.
// - member → sees only their OWN data and may only SUBMIT requests.
//
// Ownership is enforced per-handler by comparing the row's member email to the
// caller's email (case-insensitive).
// isSuperAdmin reports the Keycloak/dev super-admin flag from the auth middleware.
func (s *Server) isSuperAdmin(r *http.Request) bool {
return currentUser(r.Context()).IsSuperAdmin
}
// isAdmin reports whether the caller may manage company-wide data: either a
// super-admin or a Member whose Role is admin.
func (s *Server) isAdmin(r *http.Request) bool {
if s.isSuperAdmin(r) {
return true
}
m := s.lookupMember(currentUser(r.Context()).Email)
return m != nil && m.Role == models.RoleAdmin
}
// requireAdmin writes 403 and returns false when the caller is not an admin.
func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) bool {
if s.isAdmin(r) {
return true
}
writeError(w, http.StatusForbidden, "관리자 권한이 필요합니다")
return false
}
// email returns the caller's (lowercased) email.
func (s *Server) email(r *http.Request) string {
return strings.ToLower(strings.TrimSpace(currentUser(r.Context()).Email))
}
// owns reports whether the given member email belongs to the caller.
func (s *Server) owns(r *http.Request, memberEmail string) bool {
return strings.EqualFold(strings.TrimSpace(memberEmail), s.email(r))
}
// lookupMember loads the Member row matched to an email (nil if none).
func (s *Server) lookupMember(email string) *models.Member {
email = strings.TrimSpace(email)
if email == "" {
return nil
}
var m models.Member
if err := s.db.Where("lower(email) = lower(?)", email).First(&m).Error; err != nil {
return nil
}
return &m
}
// ensureMember auto-provisions a spin Member the first time an authenticated
// identity is seen (Keycloak first login). rank/department stay empty (nullable)
// for an admin to fill in later. Account lifecycle itself remains Keycloak's job.
func (s *Server) ensureMember(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
u := currentUser(r.Context())
if e := strings.TrimSpace(u.Email); e != "" && s.lookupMember(e) == nil {
s.db.Create(&models.Member{
Email: e,
DisplayName: firstNonEmpty(u.Name, e),
Role: models.RoleMember,
Status: "active",
})
}
next.ServeHTTP(w, r)
})
}
// notify writes an inbox Notification (best-effort).
func (s *Server) notify(recipient, typ, title, body, link string) {
if strings.TrimSpace(recipient) == "" {
return
}
s.db.Create(&models.Notification{Recipient: recipient, Type: typ, Title: title, Body: body, Link: link})
}
// audit writes an AuditLog row (best-effort).
func (s *Server) audit(r *http.Request, action, entity, entityID, detail string) {
s.db.Create(&models.AuditLog{
Actor: currentUser(r.Context()).Email,
Action: action,
Entity: entity,
EntityID: entityID,
Detail: detail,
})
}