spin-backend/internal/httpapi/handlers_projects.go
theorose49 f83724b995
feat: spin 백엔드 전체 구현 (근무·프로젝트·인센티브·회계)
- config/db/storage/auth/router/perms: eQMS 규약 미러링, 권한 2-tier
  (관리자 전체 / 구성원 본인·신청만), oauth2-proxy 헤더 인증 + DEV_AUTH mock
- 모델: 구성원/부서, 근무(출퇴근·휴가·공가·초과), 프로젝트(회사/제품/버전·
  작업자portion·담당자·태스크·계약·첨부·분할입금), 인센티브(설정·단계·
  유저배분·분기정산), 회계(거래·세금)
- internal/worktime: 근로기준법 월 집계 엔진
- internal/incentive: BE/non-BE × 계약금/중도금/잔금 3단계 계산 + 시뮬레이션
- 시드 데이터, Go 멀티스테이지 Dockerfile
- ADMIN_GROUPS 기본값 'admin' (전 내부 앱 공통 그룹)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-28 08:57:35 +09:00


package httpapi
import (
"fmt"
"net/http"
"strings"
"time"
"spin/internal/models"
"github.com/go-chi/chi/v5"
)
// ---- company / product / version (master data) ----------------------------
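// handleListCompanies returns every company ordered by name. There is no
// admin gate in this handler; whatever authentication the router applies is
// the only access control.
func (s *Server) handleListCompanies(w http.ResponseWriter, r *http.Request) {
	var out []models.Company
	if err := s.db.Order("name asc").Find(&out).Error; err != nil {
		// A DB failure must not be reported as "no companies"; the driver
		// message is deliberately not echoed to the client.
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}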
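// handleCreateCompany inserts a company from the JSON body. Admin only.
// Responds 400 on a malformed body, 500 if the insert fails, 201 with the
// stored record otherwise.
func (s *Server) handleCreateCompany(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var c models.Company
	if err := decodeJSON(r, &c); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// Previously the insert result was ignored and 201 was returned even when
	// the row was never written.
	if err := s.db.Create(&c).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusCreated, c)
}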
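// handleListProducts returns products ordered by name, optionally filtered by
// the companyId query parameter. The parameter is bound as a placeholder, not
// interpolated. No admin gate in this handler.
func (s *Server) handleListProducts(w http.ResponseWriter, r *http.Request) {
	q := s.db.Order("name asc")
	if cid := r.URL.Query().Get("companyId"); cid != "" {
		q = q.Where("company_id = ?", cid)
	}
	var out []models.Product
	if err := q.Find(&out).Error; err != nil {
		// Do not report a query failure as an empty product list.
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}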
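// handleCreateProduct inserts a product from the JSON body. Admin only.
// Responds 400 on a malformed body, 500 if the insert fails, 201 otherwise.
func (s *Server) handleCreateProduct(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var p models.Product
	if err := decodeJSON(r, &p); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// The insert result used to be ignored, yielding 201 on a failed write.
	if err := s.db.Create(&p).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusCreated, p)
}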
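// handleListVersions returns versions ordered by label, optionally filtered by
// the productId query parameter (bound as a placeholder). No admin gate in
// this handler.
func (s *Server) handleListVersions(w http.ResponseWriter, r *http.Request) {
	q := s.db.Order("label asc")
	if pid := r.URL.Query().Get("productId"); pid != "" {
		q = q.Where("product_id = ?", pid)
	}
	var out []models.Version
	if err := q.Find(&out).Error; err != nil {
		// Do not report a query failure as an empty version list.
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}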
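// handleCreateVersion inserts a version from the JSON body. Admin only.
// Responds 400 on a malformed body, 500 if the insert fails, 201 otherwise.
func (s *Server) handleCreateVersion(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var v models.Version
	if err := decodeJSON(r, &v); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// The insert result used to be ignored, yielding 201 on a failed write.
	if err := s.db.Create(&v).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusCreated, v)
}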
// ---- projects -------------------------------------------------------------
// myProjectIDs returns the IDs of every project the given e-mail address is a
// member of or the PM of. The address is normalised with lc() and compared
// against lower()-ed columns, so matching is case-insensitive.
//
// Query errors are not surfaced: a failed Pluck leaves its slice empty, so a
// caller that authorises on this result (canSeeProject) denies access rather
// than granting it. An ID can appear twice when the caller is both a member
// and the PM of the same project; callers only test membership, so this is
// harmless.
func (s *Server) myProjectIDs(email string) []string {
	key := lc(email)

	var asPM []string
	s.db.Model(&models.Project{}).
		Where("lower(pm_email) = ?", key).
		Pluck("id", &asPM)

	var asMember []string
	s.db.Model(&models.ProjectMember{}).
		Where("lower(member_email) = ?", key).
		Distinct().
		Pluck("project_id", &asMember)

	return append(asMember, asPM...)
}
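// handleListProjects returns projects newest first. Admins see every project;
// other callers are restricted to the projects myProjectIDs reports for their
// e-mail address, and get an empty array when that set is empty. Optional
// companyId and status query parameters are applied as bound placeholders.
func (s *Server) handleListProjects(w http.ResponseWriter, r *http.Request) {
	q := s.db.Order("created_at desc")
	if !s.isAdmin(r) {
		ids := s.myProjectIDs(s.email(r))
		if len(ids) == 0 {
			// Explicit empty slice so the body is [] rather than null.
			writeJSON(w, http.StatusOK, []models.Project{})
			return
		}
		q = q.Where("id IN ?", ids)
	}
	if cid := r.URL.Query().Get("companyId"); cid != "" {
		q = q.Where("company_id = ?", cid)
	}
	if st := r.URL.Query().Get("status"); st != "" {
		q = q.Where("status = ?", st)
	}
	var out []models.Project
	if err := q.Find(&out).Error; err != nil {
		// A query failure must not be reported as "no projects".
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}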
// canSeeProject reports whether the caller may view projectID: admins always
// may; everyone else only if projectID is among the projects myProjectIDs
// returns for their e-mail address. It is the read-side authorisation check
// used by the per-project handlers in this file.
func (s *Server) canSeeProject(r *http.Request, projectID string) bool {
	if s.isAdmin(r) {
		return true
	}
	visible := s.myProjectIDs(s.email(r))
	found := false
	for i := 0; i < len(visible) && !found; i++ {
		found = visible[i] == projectID
	}
	return found
}
// handleGetProject returns one project by the "id" URL parameter. The
// authorisation check runs before the lookup, so a caller without access gets
// 403 whether or not the ID exists. Any lookup error is reported as 404.
func (s *Server) handleGetProject(w http.ResponseWriter, r *http.Request) {
	projectID := chi.URLParam(r, "id")
	if !s.canSeeProject(r, projectID) {
		writeError(w, http.StatusForbidden, "참여한 프로젝트만 조회할 수 있습니다")
		return
	}
	var project models.Project
	lookupErr := s.db.First(&project, "id = ?", projectID).Error
	if lookupErr != nil {
		writeError(w, http.StatusNotFound, "프로젝트를 찾을 수 없습니다")
		return
	}
	writeJSON(w, http.StatusOK, project)
}
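// handleCreateProject inserts a project from the JSON body, defaulting Status
// to "planned", and writes an audit entry. Admin only. Responds 400 on a
// malformed body, 500 if the insert fails, 201 with the stored record
// otherwise. The audit entry is only written for a successful insert.
func (s *Server) handleCreateProject(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var p models.Project
	if err := decodeJSON(r, &p); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	if p.Status == "" {
		p.Status = "planned"
	}
	if err := s.db.Create(&p).Error; err != nil {
		// Previously a failed insert still produced an audit record and 201.
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	s.audit(r, "create", "project", p.ID, p.Name)
	writeJSON(w, http.StatusCreated, p)
}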
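// handlePatchProject applies a partial JSON update to a project. Admin only.
//
// The body is an arbitrary key/value map handed to GORM Updates, so any
// column the map names can be changed; only the primary key is protected.
// GORM resolves map keys by column name and by Go field name, so the key
// comparison is case-insensitive — a literal delete of "id" alone would let
// "ID" through. A DB failure is reported as 500 without echoing the driver
// message to the client.
func (s *Server) handlePatchProject(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var p models.Project
	if err := s.db.First(&p, "id = ?", chi.URLParam(r, "id")).Error; err != nil {
		writeError(w, http.StatusNotFound, "프로젝트를 찾을 수 없습니다")
		return
	}
	var patch map[string]interface{}
	if err := decodeJSON(r, &patch); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// Deleting map entries while ranging is safe in Go.
	for k := range patch {
		if strings.EqualFold(k, "id") {
			delete(patch, k)
		}
	}
	if err := s.db.Model(&p).Updates(patch).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	// Re-read so the response reflects DB-side values (defaults, timestamps).
	if err := s.db.First(&p, "id = ?", p.ID).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, p)
}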
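// handleDeleteProject deletes the project named by the "id" URL parameter.
// Admin only. Responds {"ok":true} on success — also when no row matched, as
// before — and 500 when the delete statement fails. Related rows (members,
// tasks, contract, files) are not touched here; whether the schema cascades
// is not visible in this file.
func (s *Server) handleDeleteProject(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	if err := s.db.Delete(&models.Project{}, "id = ?", chi.URLParam(r, "id")).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}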
// ---- project members (portion) -------------------------------------------
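// handleListProjectMembers returns the member (portion) rows of one project.
// Access is gated by canSeeProject (admin or project member); a query failure
// is reported as 500 rather than as an empty list.
func (s *Server) handleListProjectMembers(w http.ResponseWriter, r *http.Request) {
	id := chi.URLParam(r, "id")
	if !s.canSeeProject(r, id) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	var out []models.ProjectMember
	if err := s.db.Where("project_id = ?", id).Find(&out).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}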
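// handleUpsertProjectMember creates or updates a project member row. Admin
// only. ProjectID is always taken from the URL, overriding anything in the
// body. When the body carries an ID the row is Saved (GORM: update, insert if
// nothing matched); otherwise it is Created. Note that an ID belonging to a
// member row of a different project would be moved to this project — the
// lookup is by ID only.
func (s *Server) handleUpsertProjectMember(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var pm models.ProjectMember
	if err := decodeJSON(r, &pm); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	pm.ProjectID = chi.URLParam(r, "id")
	var err error
	if pm.ID != "" {
		err = s.db.Save(&pm).Error
	} else {
		err = s.db.Create(&pm).Error
	}
	if err != nil {
		// Previously a failed write still returned 200 with the request body.
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, pm)
}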
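// handleDeleteProjectMember deletes the member row named by the "pmId" URL
// parameter. Admin only. The project "id" parameter is not checked against
// the row, as before. Responds {"ok":true} even when no row matched, 500 when
// the statement fails.
func (s *Server) handleDeleteProjectMember(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	if err := s.db.Delete(&models.ProjectMember{}, "id = ?", chi.URLParam(r, "pmId")).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}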
// ---- client contacts ------------------------------------------------------
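// handleListContacts returns the client contacts of one project. Access is
// gated by canSeeProject; a query failure is reported as 500 rather than as
// an empty list.
func (s *Server) handleListContacts(w http.ResponseWriter, r *http.Request) {
	id := chi.URLParam(r, "id")
	if !s.canSeeProject(r, id) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	var out []models.ClientContact
	if err := s.db.Where("project_id = ?", id).Find(&out).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}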
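// handleUpsertContact creates or updates a client contact. Admin only.
// ProjectID is always taken from the URL. With an ID in the body the row is
// Saved (GORM: update, insert if nothing matched), otherwise Created. A
// failed write is reported as 500 instead of echoing the body with 200.
func (s *Server) handleUpsertContact(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var c models.ClientContact
	if err := decodeJSON(r, &c); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	c.ProjectID = chi.URLParam(r, "id")
	var err error
	if c.ID != "" {
		err = s.db.Save(&c).Error
	} else {
		err = s.db.Create(&c).Error
	}
	if err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, c)
}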
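// handleDeleteContact deletes the contact named by the "cId" URL parameter.
// Admin only. The project "id" parameter is not checked against the row, as
// before. Responds {"ok":true} even when no row matched, 500 when the
// statement fails.
func (s *Server) handleDeleteContact(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	if err := s.db.Delete(&models.ClientContact{}, "id = ?", chi.URLParam(r, "cId")).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}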
// ---- tasks (gantt / kanban) ----------------------------------------------
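// handleListTasks returns the tasks of one project ordered by order_idx then
// start. Access is gated by canSeeProject; a query failure is reported as 500
// rather than as an empty board.
func (s *Server) handleListTasks(w http.ResponseWriter, r *http.Request) {
	id := chi.URLParam(r, "id")
	if !s.canSeeProject(r, id) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	var out []models.ProjectTask
	err := s.db.Where("project_id = ?", id).Order("order_idx asc, start asc").Find(&out).Error
	if err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}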
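// handleCreateTask inserts a task into the project named by the URL. Any
// caller that canSeeProject allows (admin or member) may create tasks.
// ProjectID is forced from the URL and Lane defaults to "todo". A failed
// insert is reported as 500 instead of 201.
func (s *Server) handleCreateTask(w http.ResponseWriter, r *http.Request) {
	id := chi.URLParam(r, "id")
	if !s.canSeeProject(r, id) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	var t models.ProjectTask
	if err := decodeJSON(r, &t); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	t.ProjectID = id
	if t.Lane == "" {
		t.Lane = "todo"
	}
	if err := s.db.Create(&t).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusCreated, t)
}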
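// handlePatchTask applies a partial JSON update to a task. The task is loaded
// first so its ProjectID can be authorised with canSeeProject (admin or
// project member).
//
// The body is an arbitrary map handed to GORM Updates. The primary key and
// the project reference are stripped so a member cannot re-point a task at a
// project they are not part of. GORM resolves map keys by column name and by
// Go field name, so the check is case-insensitive and covers both the JSON
// spelling ("projectId") and the column spelling ("project_id"); a literal
// delete of "projectId" alone would let "ProjectID" or "project_id" through.
// Update and re-read failures are reported as 500 instead of 200.
func (s *Server) handlePatchTask(w http.ResponseWriter, r *http.Request) {
	var t models.ProjectTask
	if err := s.db.First(&t, "id = ?", chi.URLParam(r, "tId")).Error; err != nil {
		writeError(w, http.StatusNotFound, "작업을 찾을 수 없습니다")
		return
	}
	if !s.canSeeProject(r, t.ProjectID) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	var patch map[string]interface{}
	if err := decodeJSON(r, &patch); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// Deleting map entries while ranging is safe in Go.
	for k := range patch {
		if strings.EqualFold(k, "id") ||
			strings.EqualFold(k, "projectId") ||
			strings.EqualFold(k, "project_id") {
			delete(patch, k)
		}
	}
	if err := s.db.Model(&t).Updates(patch).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	if err := s.db.First(&t, "id = ?", t.ID).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, t)
}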
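// handleDeleteTask deletes the task named by the "tId" URL parameter after
// authorising its ProjectID with canSeeProject. canSeeProject already grants
// admins, so the former separate isAdmin test was redundant. A failed delete
// is reported as 500 instead of {"ok":true}.
func (s *Server) handleDeleteTask(w http.ResponseWriter, r *http.Request) {
	var t models.ProjectTask
	if err := s.db.First(&t, "id = ?", chi.URLParam(r, "tId")).Error; err != nil {
		writeError(w, http.StatusNotFound, "작업을 찾을 수 없습니다")
		return
	}
	if !s.canSeeProject(r, t.ProjectID) {
		writeError(w, http.StatusForbidden, "권한이 없습니다")
		return
	}
	if err := s.db.Delete(&models.ProjectTask{}, "id = ?", t.ID).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}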
// ---- contract (ADMIN ONLY) ------------------------------------------------
// handleGetContract returns the contract of the project named by the "id"
// URL parameter, or a JSON null when the lookup fails. Admin only.
//
// NOTE(review): every lookup error — not only "no rows" — is mapped to the
// null response, so a DB outage is indistinguishable from "no contract yet".
// Distinguishing the two would need the GORM not-found sentinel, which this
// file does not import.
func (s *Server) handleGetContract(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	projectID := chi.URLParam(r, "id")
	var contract models.Contract
	found := s.db.First(&contract, "project_id = ?", projectID).Error == nil
	if !found {
		writeJSON(w, http.StatusOK, nil) // no contract yet
		return
	}
	writeJSON(w, http.StatusOK, contract)
}
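// handlePutContract replaces the contract of one project. Admin only.
// ProjectID is forced from the URL. If a contract row already exists its ID
// is reused and the row is Saved; otherwise a new row is Created. The audit
// entry is written only after a successful write, and a failed write is
// reported as 500 instead of 200.
//
// NOTE(review): as in handleGetContract, any lookup error (not only "no
// rows") takes the Create branch; with a unique project_id that would then
// fail and surface as 500, which is the safer outcome.
func (s *Server) handlePutContract(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	pid := chi.URLParam(r, "id")
	var in models.Contract
	if err := decodeJSON(r, &in); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	in.ProjectID = pid
	var existing models.Contract
	var err error
	if s.db.First(&existing, "project_id = ?", pid).Error == nil {
		in.ID = existing.ID
		err = s.db.Save(&in).Error
	} else {
		err = s.db.Create(&in).Error
	}
	if err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	s.audit(r, "update", "contract", pid, "")
	writeJSON(w, http.StatusOK, in)
}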
// ---- contract files (ADMIN ONLY, S3) -------------------------------------
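// handleListContractFiles returns the contract file records of one project,
// newest first. Admin only. A query failure is reported as 500 rather than
// as an empty list.
func (s *Server) handleListContractFiles(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var out []models.ContractFile
	err := s.db.Where("project_id = ?", chi.URLParam(r, "id")).Order("created_at desc").Find(&out).Error
	if err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}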
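// handleUploadContractFile stores the multipart "file" part in the object
// store (when one is configured) and records it as a ContractFile. Admin only.
//
// Form fields: "file" (required), "kind" (optional, default "contract").
// The object key is contracts/<projectID>/<unixnano>-<filename>. Go's
// multipart parser (1.17+) reduces the client-supplied filename to its base
// name, so it cannot inject directory components into the key; an empty
// filename is rejected so the key never ends in "-".
//
// If the DB insert fails after a successful upload, the object is removed
// again (best effort) so no unreferenced blob is left behind. Store and DB
// error strings are not echoed to the client.
func (s *Server) handleUploadContractFile(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	pid := chi.URLParam(r, "id")
	// 50 MiB is the in-memory buffering threshold, not an upload size cap:
	// larger parts spill to temp files. A hard size limit has to be enforced
	// on the request body (router/proxy) if one is wanted.
	if err := r.ParseMultipartForm(50 << 20); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	file, hdr, err := r.FormFile("file")
	if err != nil {
		writeError(w, http.StatusBadRequest, "file 필드가 필요합니다")
		return
	}
	defer file.Close()
	if hdr.Filename == "" {
		writeError(w, http.StatusBadRequest, "파일 이름이 비어 있습니다")
		return
	}
	kind := r.FormValue("kind")
	if kind == "" {
		kind = "contract"
	}
	key := fmt.Sprintf("contracts/%s/%d-%s", pid, time.Now().UnixNano(), hdr.Filename)
	if s.store != nil {
		// The Content-Type is the client's part header, stored with the object
		// verbatim; presumably it is served back on download via the presigned
		// URL, so treat it as untrusted downstream.
		if err := s.store.Upload(r.Context(), key, hdr.Header.Get("Content-Type"), file, hdr.Size); err != nil {
			writeError(w, http.StatusInternalServerError, "업로드 실패")
			return
		}
	}
	cf := models.ContractFile{
		ProjectID:  pid,
		Kind:       kind,
		Filename:   hdr.Filename,
		S3Key:      key,
		Size:       hdr.Size,
		UploadedBy: currentUser(r.Context()).Email,
	}
	if err := s.db.Create(&cf).Error; err != nil {
		if s.store != nil {
			_ = s.store.Delete(r.Context(), key) // best effort; the 500 below is the primary signal
		}
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	s.audit(r, "upload", "contract_file", cf.ID, hdr.Filename)
	writeJSON(w, http.StatusCreated, cf)
}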
// handleDownloadContractFile resolves the "fId" URL parameter to a
// ContractFile record and returns a presigned GET URL for its object as
// {"url": ...}. Admin only. Order of checks is record lookup (404), then
// store availability (503), then presigning (500) — unchanged.
//
// NOTE(review): the presign error text is returned to the client as-is.
func (s *Server) handleDownloadContractFile(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	fileID := chi.URLParam(r, "fId")
	var record models.ContractFile
	if lookupErr := s.db.First(&record, "id = ?", fileID).Error; lookupErr != nil {
		writeError(w, http.StatusNotFound, "파일을 찾을 수 없습니다")
		return
	}
	store := s.store
	if store == nil {
		writeError(w, http.StatusServiceUnavailable, "스토리지가 비활성화되어 있습니다")
		return
	}
	signed, signErr := store.PresignGet(r.Context(), record.S3Key)
	if signErr != nil {
		writeError(w, http.StatusInternalServerError, signErr.Error())
		return
	}
	writeJSON(w, http.StatusOK, map[string]string{"url": signed})
}
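// handleDeleteContractFile removes the object (best effort, when a store is
// configured) and then the ContractFile row named by the "fId" URL parameter.
// Admin only. A store delete failure is deliberately ignored, as before, so a
// missing or unreachable object does not block cleanup of the record; a
// failed row delete is reported as 500 instead of {"ok":true}.
func (s *Server) handleDeleteContractFile(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var cf models.ContractFile
	if err := s.db.First(&cf, "id = ?", chi.URLParam(r, "fId")).Error; err != nil {
		writeError(w, http.StatusNotFound, "파일을 찾을 수 없습니다")
		return
	}
	if s.store != nil {
		_ = s.store.Delete(r.Context(), cf.S3Key) // best effort; orphaned object is the accepted outcome
	}
	if err := s.db.Delete(&models.ContractFile{}, "id = ?", cf.ID).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}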
// ---- payment splits (ADMIN ONLY) -----------------------------------------
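// handleListPayments returns the payment splits of one project ordered by
// order_idx then expected_date. Admin only. A query failure is reported as
// 500 rather than as an empty list.
func (s *Server) handleListPayments(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var out []models.PaymentSplit
	err := s.db.Where("project_id = ?", chi.URLParam(r, "id")).Order("order_idx asc, expected_date asc").Find(&out).Error
	if err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, out)
}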
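// handleCreatePayment inserts a payment split for the project named by the
// URL; ProjectID in the body is overridden. Admin only. A failed insert is
// reported as 500 instead of 201.
func (s *Server) handleCreatePayment(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var p models.PaymentSplit
	if err := decodeJSON(r, &p); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	p.ProjectID = chi.URLParam(r, "id")
	if err := s.db.Create(&p).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusCreated, p)
}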
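// handlePatchPayment applies a partial JSON update to a payment split named
// by the "payId" URL parameter. Admin only.
//
// The body is an arbitrary map handed to GORM Updates; the primary key and
// the project reference are stripped. GORM resolves map keys by column name
// and by Go field name, so the check is case-insensitive and covers both
// "projectId" and "project_id". Update and re-read failures are reported as
// 500 instead of 200.
func (s *Server) handlePatchPayment(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	var p models.PaymentSplit
	if err := s.db.First(&p, "id = ?", chi.URLParam(r, "payId")).Error; err != nil {
		writeError(w, http.StatusNotFound, "분할 항목을 찾을 수 없습니다")
		return
	}
	var patch map[string]interface{}
	if err := decodeJSON(r, &patch); err != nil {
		writeError(w, http.StatusBadRequest, err.Error())
		return
	}
	// Deleting map entries while ranging is safe in Go.
	for k := range patch {
		if strings.EqualFold(k, "id") ||
			strings.EqualFold(k, "projectId") ||
			strings.EqualFold(k, "project_id") {
			delete(patch, k)
		}
	}
	if err := s.db.Model(&p).Updates(patch).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	if err := s.db.First(&p, "id = ?", p.ID).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, p)
}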
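// handleDeletePayment deletes the payment split named by the "payId" URL
// parameter. Admin only. The project "id" parameter is not checked against
// the row, as before. Responds {"ok":true} even when no row matched, 500
// when the statement fails.
func (s *Server) handleDeletePayment(w http.ResponseWriter, r *http.Request) {
	if !s.requireAdmin(w, r) {
		return
	}
	if err := s.db.Delete(&models.PaymentSplit{}, "id = ?", chi.URLParam(r, "payId")).Error; err != nil {
		writeError(w, http.StatusInternalServerError, "데이터베이스 오류가 발생했습니다")
		return
	}
	writeJSON(w, http.StatusOK, map[string]bool{"ok": true})
}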
// Keep the "strings" import referenced so that trimming handlers above does
// not turn it into an unused-import compile error.
var _ func(string) string = strings.TrimSpace