adminfront 및 백엔드: ReBAC 기반 각 탭별 읽기/쓰기 권한 제어 구현

backend/internal/handler/tenant_handler.go

@@ -84,20 +84,27 @@ func (h *TenantHandler) SetWorksmobileSyncer(syncer service.WorksmobileSyncer) {
 	h.Worksmobile = syncer
 }
 
+type tenantPermissions struct {
+	View         bool `json:"view"`
+	Manage       bool `json:"manage"`
+	ManageAdmins bool `json:"manage_admins"`
+}
+
 type tenantSummary struct {
-	ID               string         `json:"id"`
-	Type             string         `json:"type"`
-	ParentID         *string        `json:"parentId"`
-	Name             string         `json:"name"`
-	Slug             string         `json:"slug"`
-	Description      string         `json:"description"`
-	Status           string         `json:"status"`
-	Domains          []string       `json:"domains,omitempty"`
-	Config           domain.JSONMap `json:"config,omitempty"`
-	MemberCount      int64          `json:"memberCount"`
-	TotalMemberCount int64          `json:"totalMemberCount"`
-	CreatedAt        string         `json:"createdAt"`
-	UpdatedAt        string         `json:"updatedAt"`
+	ID               string             `json:"id"`
+	Type             string             `json:"type"`
+	ParentID         *string            `json:"parentId"`
+	Name             string             `json:"name"`
+	Slug             string             `json:"slug"`
+	Description      string             `json:"description"`
+	Status           string             `json:"status"`
+	Domains          []string           `json:"domains,omitempty"`
+	Config           domain.JSONMap     `json:"config,omitempty"`
+	MemberCount      int64              `json:"memberCount"`
+	TotalMemberCount int64              `json:"totalMemberCount"`
+	UserPermissions  *tenantPermissions `json:"userPermissions,omitempty"`
+	CreatedAt        string             `json:"createdAt"`
+	UpdatedAt        string             `json:"updatedAt"`
 }
 
 type tenantListResponse struct {
@@ -1678,6 +1685,53 @@ func (h *TenantHandler) GetTenant(c *fiber.Ctx) error {
 	summary.MemberCount = memberCounts[tenant.ID]
 	summary.TotalMemberCount = totalMemberCounts[tenant.ID]
 
+	// Populate Keto-based permissions for the current user
+	profile, ok := c.Locals("user_profile").(*domain.UserProfileResponse)
+	if ok && profile != nil {
+		role := domain.NormalizeRole(profile.Role)
+		if role == domain.RoleSuperAdmin {
+			summary.UserPermissions = &tenantPermissions{
+				View:         true,
+				Manage:       true,
+				ManageAdmins: true,
+			}
+		} else {
+			// Query Keto in parallel for maximum performance
+			subject := "User:" + profile.ID
+			type checkResult struct {
+				relation string
+				allowed  bool
+				err      error
+			}
+			ch := make(chan checkResult, 3)
+			relations := []string{"view", "manage", "manage_admins"}
+			for _, rel := range relations {
+				go func(r string) {
+					allowed, err := h.Keto.CheckPermission(c.Context(), subject, "Tenant", tenant.ID, r)
+					ch <- checkResult{relation: r, allowed: allowed, err: err}
+				}(rel)
+			}
+
+			perms := &tenantPermissions{}
+			for range relations {
+				res := <-ch
+				if res.err != nil {
+					slog.Error("Failed to check Keto permission in GetTenant", "error", res.err, "relation", res.relation, "userID", profile.ID, "tenantID", tenant.ID)
+					continue
+				}
+				switch res.relation {
+				case "view":
+					perms.View = res.allowed
+				case "manage":
+					perms.Manage = res.allowed
+				case "manage_admins":
+					perms.ManageAdmins = res.allowed
+				}
+			}
+			summary.UserPermissions = perms
+		}
+	}
+
 	return c.JSON(summary)
 }