adminfront 및 백엔드: 글로벌 사이드바 11개 전 메뉴별 ReBAC 기반 접근 제어(Admin Control) 스키마, REST API, UI 설정 패널 전격 구현 완료

2026-06-10 16:55:34 +09:00
parent 5b4efae001
commit b4f80a36b0
12 changed files with 976 additions and 113 deletions
--- a/backend/internal/handler/auth_handler.go
+++ b/backend/internal/handler/auth_handler.go
@@ -4770,6 +4770,81 @@ func (h *AuthHandler) hydrateResolvedProfile(ctx context.Context, profile *domai
 		}
 	}

+	if h.KetoService != nil {
+		subject := "User:" + profile.ID
+		var sp domain.SystemPermissions
+
+		if profile.Role == "super_admin" {
+			sp = domain.SystemPermissions{
+				Overview:          true,
+				Tenants:           true,
+				OrgChart:          true,
+				Worksmobile:       true,
+				OrySSOT:           true,
+				DataIntegrity:     true,
+				Users:             true,
+				PermissionsDirect: true,
+				AuthGuard:         true,
+				ApiKeys:           true,
+				AuditLogs:         true,
+			}
+		} else {
+			// Query Keto in parallel for maximum performance
+			type checkResult struct {
+				menu    string
+				allowed bool
+			}
+			menus := map[string]string{
+				"overview":           "access_overview",
+				"tenants":            "access_tenants",
+				"org_chart":          "access_org_chart",
+				"worksmobile":        "access_worksmobile",
+				"ory_ssot":           "access_ory_ssot",
+				"data_integrity":     "access_data_integrity",
+				"users":              "access_users",
+				"permissions_direct": "access_permissions_direct",
+				"auth_guard":         "access_auth_guard",
+				"api_keys":           "access_api_keys",
+				"audit_logs":         "access_audit_logs",
+			}
+			ch := make(chan checkResult, len(menus))
+			for m, rel := range menus {
+				go func(menuName, relation string) {
+					allowed, _ := h.KetoService.CheckPermission(ctx, subject, "System", "system", relation)
+					ch <- checkResult{menu: menuName, allowed: allowed}
+				}(m, rel)
+			}
+			for range menus {
+				res := <-ch
+				switch res.menu {
+				case "overview":
+					sp.Overview = res.allowed
+				case "tenants":
+					sp.Tenants = res.allowed
+				case "org_chart":
+					sp.OrgChart = res.allowed
+				case "worksmobile":
+					sp.Worksmobile = res.allowed
+				case "ory_ssot":
+					sp.OrySSOT = res.allowed
+				case "data_integrity":
+					sp.DataIntegrity = res.allowed
+				case "users":
+					sp.Users = res.allowed
+				case "permissions_direct":
+					sp.PermissionsDirect = res.allowed
+				case "auth_guard":
+					sp.AuthGuard = res.allowed
+				case "api_keys":
+					sp.ApiKeys = res.allowed
+				case "audit_logs":
+					sp.AuditLogs = res.allowed
+				}
+			}
+		}
+		profile.SystemPermissions = &sp
+	}
+
 	return profile
 }