All checks were successful
build-and-push / build (push) Successful in 33s
- 알림(Notification) 모델/이벤트 발행(프로젝트 추가·휴가/초과근무 승인·인센티브 반영/지급·정산 확정) + 메일함 API - 근무상태 기록(WorkStatusEvent: 출근/퇴근/휴식/미팅/이동), 출퇴근은 Attendance도 갱신 - 남은 연차(소수점) 엔드포인트, 관리자 근무관리용 집계/로그 조회 - 프로필 사진(Member.AvatarKey) 업로드/스트리밍 - Keycloak 최초 로그인 자동 Member 프로비저닝(ensureMember, rank/부서 nullable) - 프로젝트 scope=mine(나의 업무는 관리자도 본인 참여분만), nav에 메일함·근무관리·프로젝트관리·내프로필 추가 - 운영 안전: SEED 기본값 false(로컬만 SEED=true), ADMIN_GROUPS 기본 'admin' Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
105 lines
3.4 KiB
Go
105 lines
3.4 KiB
Go
package httpapi
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"spin/internal/models"
|
|
)
|
|
|
|
// spin is a single internal company, so authorization is a 2-tier model rather
|
|
// than eQMS's per-company membership matrix:
|
|
//
|
|
// - admin → super-admin (Keycloak group ∩ ADMIN_GROUPS) OR Member.Role==admin.
|
|
// Sees and manages everything: approvals, incentive console,
|
|
// accounting, all member/project data, the bracketed [admin-only]
|
|
// contract & payment fields.
|
|
// - member → sees only their OWN data and may only SUBMIT requests.
|
|
//
|
|
// Ownership is enforced per-handler by comparing the row's member email to the
|
|
// caller's email (case-insensitive).
|
|
|
|
// isSuperAdmin reports the Keycloak/dev super-admin flag from the auth middleware.
|
|
func (s *Server) isSuperAdmin(r *http.Request) bool {
|
|
return currentUser(r.Context()).IsSuperAdmin
|
|
}
|
|
|
|
// isAdmin reports whether the caller may manage company-wide data: either a
|
|
// super-admin or a Member whose Role is admin.
|
|
func (s *Server) isAdmin(r *http.Request) bool {
|
|
if s.isSuperAdmin(r) {
|
|
return true
|
|
}
|
|
m := s.lookupMember(currentUser(r.Context()).Email)
|
|
return m != nil && m.Role == models.RoleAdmin
|
|
}
|
|
|
|
// requireAdmin writes 403 and returns false when the caller is not an admin.
|
|
func (s *Server) requireAdmin(w http.ResponseWriter, r *http.Request) bool {
|
|
if s.isAdmin(r) {
|
|
return true
|
|
}
|
|
writeError(w, http.StatusForbidden, "관리자 권한이 필요합니다")
|
|
return false
|
|
}
|
|
|
|
// email returns the caller's (lowercased) email.
|
|
func (s *Server) email(r *http.Request) string {
|
|
return strings.ToLower(strings.TrimSpace(currentUser(r.Context()).Email))
|
|
}
|
|
|
|
// owns reports whether the given member email belongs to the caller.
|
|
func (s *Server) owns(r *http.Request, memberEmail string) bool {
|
|
return strings.EqualFold(strings.TrimSpace(memberEmail), s.email(r))
|
|
}
|
|
|
|
// lookupMember loads the Member row matched to an email (nil if none).
|
|
func (s *Server) lookupMember(email string) *models.Member {
|
|
email = strings.TrimSpace(email)
|
|
if email == "" {
|
|
return nil
|
|
}
|
|
var m models.Member
|
|
if err := s.db.Where("lower(email) = lower(?)", email).First(&m).Error; err != nil {
|
|
return nil
|
|
}
|
|
return &m
|
|
}
|
|
|
|
// ensureMember auto-provisions a spin Member the first time an authenticated
|
|
// identity is seen (Keycloak first login). rank/department stay empty (nullable)
|
|
// for an admin to fill in later. Account lifecycle itself remains Keycloak's job.
|
|
func (s *Server) ensureMember(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
u := currentUser(r.Context())
|
|
if e := strings.TrimSpace(u.Email); e != "" && s.lookupMember(e) == nil {
|
|
s.db.Create(&models.Member{
|
|
Email: e,
|
|
DisplayName: firstNonEmpty(u.Name, e),
|
|
Role: models.RoleMember,
|
|
Status: "active",
|
|
})
|
|
}
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
// notify writes an inbox Notification (best-effort).
|
|
func (s *Server) notify(recipient, typ, title, body, link string) {
|
|
if strings.TrimSpace(recipient) == "" {
|
|
return
|
|
}
|
|
s.db.Create(&models.Notification{Recipient: recipient, Type: typ, Title: title, Body: body, Link: link})
|
|
}
|
|
|
|
// audit writes an AuditLog row (best-effort).
|
|
func (s *Server) audit(r *http.Request, action, entity, entityID, detail string) {
|
|
s.db.Create(&models.AuditLog{
|
|
Actor: currentUser(r.Context()).Email,
|
|
Action: action,
|
|
Entity: entity,
|
|
EntityID: entityID,
|
|
Detail: detail,
|
|
})
|
|
}
|