From b204f14265fed747ed6934015e7d4f1ef5205e86 Mon Sep 17 00:00:00 2001
From: chpark
Date: Thu, 14 May 2026 01:03:43 +0900
Subject: [PATCH] =?UTF-8?q?fix(orders):=20=EB=82=B4=20=EC=B6=9C=EA=B3=A0?= =?UTF-8?q?=20=EC=9D=B4=EB=A0=A5=EC=97=90=EC=84=9C=20=EB=B3=B8=EC=9D=B8=20?= =?UTF-8?q?=EB=B0=9C=EC=A3=BC=EB=A7=8C=20=E2=80=94=20user.objid=20undefine?= =?UTF-8?q?d=20=ED=8F=B4=EB=B0=B1?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

USER 권한 사용자의 list API 필터링에서 r.user.objid 가 undefined 인 세션에선 customer_objid 비교가 NULL 매칭 → 필터링 무효화돼 모든 발주가 노출되던 버그. user_id 폴백 + customer_objid 가 user_id 로 박힌 경우 모두 IN 절로 매칭.
---
 src/app/api/m/orders/list/route.ts | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/app/api/m/orders/list/route.ts b/src/app/api/m/orders/list/route.ts
index e9bb833..26075a4 100644
--- a/src/app/api/m/orders/list/route.ts
+++ b/src/app/api/m/orders/list/route.ts
@@ -16,8 +16,11 @@ export async function POST(req: NextRequest) {
 let i = 1;
 if (r.user.role === "USER") {
- conditions.push(`O.customer_objid = $${i++}`);
- params.push(r.user.objid);
+ // user.objid 가 undefined 인 세션도 있어 user_id 로 폴백.
+ // customer_objid 가 user_id 형태(예: 'momo075')로 박힌 경우 → 두 값 모두 매칭.
+ const own = r.user.objid ?? r.user.userId;
+ conditions.push(`O.customer_objid IN ($${i++}, $${i++})`);
+ params.push(own, r.user.userId);
 } else if (customerObjid) {
 conditions.push(`O.customer_objid = $${i++}`);
 params.push(customerObjid);
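Review bot: The fallback at `const own = r.user.objid ?? r.user.userId;` still leaves a session that carries neither identifier unrejected — `params.push(own, r.user.userId)` then binds two undefined values, which the driver presumably sends as NULLs, so the request silently returns an empty list instead of an authorization error; reject it before the query is built, e.g. `if (!own || !r.user.userId) return /* the route's existing 401/403 response */;`. Falling back quietly also hides the session-construction defect the description refers to, so a `console.warn` (or the file's logger) when `r.user.objid == null` keeps that condition visible in logs while the fallback does its job. The widened `IN` clause now matches any order whose `customer_objid` equals this user's login id, which is only safe if user ids cannot collide with another customer's objid; that assumption deserves a comment next to the two already added. The hunk counts (`-16,8 +16,11`) indicate one trailing context line not shown here, and `POST` continues outside the hunk.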