Merge remote-tracking branch 'origin/master'

2026-06-02 16:14:54 +03:00
parent 5f3e975b6d
commit b4e87cfd47
25 changed files with 4918 additions and 287 deletions
--- a/svc/routes/brand_classification.go
+++ b/svc/routes/brand_classification.go
@@ -0,0 +1,218 @@
+package routes
+
+import (
+	"bssapp-backend/db"
+	"bssapp-backend/queries"
+	"bssapp-backend/utils"
+	"database/sql"
+	"encoding/json"
+	"log"
+	"net/http"
+	"strings"
+
+	"github.com/gorilla/mux"
+)
+
+type BrandClassificationLookupResponse struct {
+	Groups []queries.BrandGroupOption `json:"groups"`
+}
+
+type BrandSyncResponse struct {
+	Upserted int `json:"upserted"`
+	Deleted  int `json:"deleted"`
+	Total    int `json:"total"`
+}
+
+type BrandSetGroupPayload struct {
+	GroupID int `json:"group_id"`
+}
+
+type BrandBulkItem struct {
+	BrandCode string `json:"brand_code"`
+	GroupID   int    `json:"group_id"`
+}
+
+type BrandBulkPayload struct {
+	Items []BrandBulkItem `json:"items"`
+}
+
+func GetBrandClassificationLookupsHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		if err := queries.EnsureBrandClassificationTables(pg); err != nil {
+			http.Error(w, "brand tables bootstrap error", http.StatusInternalServerError)
+			return
+		}
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		groups, err := queries.ListBrandGroups(ctx, pg)
+		if err != nil {
+			http.Error(w, "brand groups lookup error", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(BrandClassificationLookupResponse{Groups: groups})
+	}
+}
+
+func ListBrandsHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		if err := queries.EnsureBrandClassificationTables(pg); err != nil {
+			http.Error(w, "brand tables bootstrap error", http.StatusInternalServerError)
+			return
+		}
+
+		q := strings.TrimSpace(r.URL.Query().Get("q"))
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		rows, err := queries.ListBrandsWithGroups(ctx, pg, q, 20000)
+		if err != nil {
+			http.Error(w, "brand list error", http.StatusInternalServerError)
+			return
+		}
+		_ = json.NewEncoder(w).Encode(rows)
+	}
+}
+
+func SyncBrandsFromMSSQLHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		mssql := db.GetDB()
+		if mssql == nil {
+			http.Error(w, "mssql connection not available", http.StatusServiceUnavailable)
+			return
+		}
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		res, err := queries.SyncBrandsFromMSSQL(ctx, mssql, pg)
+		if err != nil {
+			log.Printf("brand sync error trace=%s err=%v", traceID, err)
+			http.Error(w, "brand sync error", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(BrandSyncResponse{
+			Upserted: res.Upserted,
+			Deleted:  res.Deleted,
+			Total:    res.Total,
+		})
+	}
+}
+
+func SetBrandGroupHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		if err := queries.EnsureBrandClassificationTables(pg); err != nil {
+			http.Error(w, "brand tables bootstrap error", http.StatusInternalServerError)
+			return
+		}
+
+		brandCode := strings.TrimSpace(mux.Vars(r)["code"])
+		if brandCode == "" {
+			http.Error(w, "invalid brand_code", http.StatusBadRequest)
+			return
+		}
+
+		var payload BrandSetGroupPayload
+		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+			http.Error(w, "invalid payload", http.StatusBadRequest)
+			return
+		}
+		if payload.GroupID < 0 || payload.GroupID > 3 {
+			http.Error(w, "invalid group_id", http.StatusBadRequest)
+			return
+		}
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		tx, err := pg.BeginTx(ctx, nil)
+		if err != nil {
+			http.Error(w, "pg transaction start error", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		if err := queries.SetBrandGroup(ctx, tx, brandCode, payload.GroupID); err != nil {
+			http.Error(w, "brand group save error", http.StatusInternalServerError)
+			return
+		}
+
+		if err := tx.Commit(); err != nil {
+			http.Error(w, "pg transaction commit error", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"success":    true,
+			"brand_code": brandCode,
+			"group_id":   payload.GroupID,
+		})
+	}
+}
+
+func SetBrandGroupsBulkHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		if err := queries.EnsureBrandClassificationTables(pg); err != nil {
+			http.Error(w, "brand tables bootstrap error", http.StatusInternalServerError)
+			return
+		}
+
+		var payload BrandBulkPayload
+		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+			http.Error(w, "invalid payload", http.StatusBadRequest)
+			return
+		}
+		if len(payload.Items) == 0 {
+			_ = json.NewEncoder(w).Encode(map[string]any{"success": true, "updated": 0})
+			return
+		}
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		tx, err := pg.BeginTx(ctx, nil)
+		if err != nil {
+			http.Error(w, "pg transaction start error", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		updated := 0
+		for _, it := range payload.Items {
+			code := strings.TrimSpace(it.BrandCode)
+			if code == "" {
+				continue
+			}
+			if it.GroupID < 0 || it.GroupID > 3 {
+				http.Error(w, "invalid group_id", http.StatusBadRequest)
+				return
+			}
+			if err := queries.SetBrandGroup(ctx, tx, code, it.GroupID); err != nil {
+				http.Error(w, "brand group save error", http.StatusInternalServerError)
+				return
+			}
+			updated++
+		}
+
+		if err := tx.Commit(); err != nil {
+			http.Error(w, "pg transaction commit error", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"success": true,
+			"updated": updated,
+		})
+	}
+}
--- a/svc/routes/pricing_rules.go
+++ b/svc/routes/pricing_rules.go
@@ -0,0 +1,163 @@
+package routes
+
+import (
+	"bssapp-backend/queries"
+	"bssapp-backend/utils"
+	"database/sql"
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+)
+
+// Step-1/2 scope (distinct+cascade) comes from the PostgreSQL parameter cache.
+// For now we implement:
+// - Postgres tables (bootstrap)
+// - List/Save rules (bulk)
+// - Options endpoint for cascade (mk_urunpricingprmtr)
+
+type PricingRuleBulkSavePayload struct {
+	Items []queries.PricingRuleSaveItem `json:"items"`
+}
+
+func GetPricingRulesHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		rows, err := queries.ListPricingRules(ctx, pg)
+		if err != nil {
+			http.Error(w, "pricing rules list error", http.StatusInternalServerError)
+			return
+		}
+		_ = json.NewEncoder(w).Encode(rows)
+	}
+}
+
+// Very small “bulk upsert” for step-1/2: we only need to persist the multipliers+roundings for now.
+// Rules are identified by UUID; new rows can be created via empty id (server generates).
+func SavePricingRulesBulkHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		var payload PricingRuleBulkSavePayload
+		if err := json.NewDecoder(r.Body).Decode(&payload); err != nil {
+			http.Error(w, "invalid payload", http.StatusBadRequest)
+			return
+		}
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		tx, err := pg.BeginTx(ctx, nil)
+		if err != nil {
+			http.Error(w, "pg transaction start error", http.StatusInternalServerError)
+			return
+		}
+		defer tx.Rollback()
+
+		updated := 0
+		for _, it := range payload.Items {
+			// Zero means that no rounding rule has been configured yet.
+			if it.TryStep < 0 || it.UsdStep < 0 || it.EurStep < 0 {
+				http.Error(w, "invalid rounding step", http.StatusBadRequest)
+				return
+			}
+			id, err := queries.UpsertPricingRule(ctx, tx, it)
+			if err != nil {
+				http.Error(w, "pricing rule save error", http.StatusInternalServerError)
+				return
+			}
+			if id != "" {
+				updated++
+			}
+		}
+
+		if err := tx.Commit(); err != nil {
+			http.Error(w, "pg transaction commit error", http.StatusInternalServerError)
+			return
+		}
+		_ = json.NewEncoder(w).Encode(map[string]any{"success": true, "updated": updated})
+	}
+}
+
+func GetPricingRuleOptionsHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		field := strings.TrimSpace(r.URL.Query().Get("field"))
+		if field == "" {
+			http.Error(w, "missing field", http.StatusBadRequest)
+			return
+		}
+
+		limit := 500
+		if raw := strings.TrimSpace(r.URL.Query().Get("limit")); raw != "" {
+			if n, err := strconv.Atoi(raw); err == nil && n > 0 && n <= 5000 {
+				limit = n
+			}
+		}
+
+		f := pricingRuleFiltersFromRequest(r)
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+
+		opts, err := queries.ListPricingParameterDistinctOptions(ctx, pg, field, f, limit)
+		if err != nil {
+			http.Error(w, "options lookup error", http.StatusInternalServerError)
+			return
+		}
+
+		_ = json.NewEncoder(w).Encode(map[string]any{
+			"field":   field,
+			"options": opts,
+		})
+	}
+}
+
+func GetPricingParameterRulesHandler(pg *sql.DB) http.HandlerFunc {
+	return func(w http.ResponseWriter, r *http.Request) {
+		w.Header().Set("Content-Type", "application/json; charset=utf-8")
+
+		traceID := utils.TraceIDFromRequest(r)
+		ctx := utils.ContextWithTraceID(r.Context(), traceID)
+		rows, err := queries.ListPricingParameterRules(ctx, pg, pricingRuleFiltersFromRequest(r))
+		if err != nil {
+			http.Error(w, "pricing parameter rules list error", http.StatusInternalServerError)
+			return
+		}
+		_ = json.NewEncoder(w).Encode(rows)
+	}
+}
+
+func pricingRuleFiltersFromRequest(r *http.Request) queries.PricingRuleOptionFilters {
+	return queries.PricingRuleOptionFilters{
+		AskiliYan:     splitCSV(r.URL.Query().Get("askili_yan")),
+		Kategori:      splitCSV(r.URL.Query().Get("kategori")),
+		UrunIlkGrubu:  splitCSV(r.URL.Query().Get("urun_ilk_grubu")),
+		UrunAnaGrubu:  splitCSV(r.URL.Query().Get("urun_ana_grubu")),
+		UrunAltGrubu:  splitCSV(r.URL.Query().Get("urun_alt_grubu")),
+		Icerik:        splitCSV(r.URL.Query().Get("icerik")),
+		Marka:         splitCSV(r.URL.Query().Get("marka")),
+		BrandCode:     splitCSV(r.URL.Query().Get("brand_code")),
+		BrandGroupSec: splitCSV(r.URL.Query().Get("brand_group")),
+	}
+}
+
+func splitCSV(raw string) []string {
+	raw = strings.TrimSpace(raw)
+	if raw == "" {
+		return nil
+	}
+	parts := strings.Split(raw, ",")
+	out := make([]string, 0, len(parts))
+	for _, p := range parts {
+		p = strings.TrimSpace(p)
+		if p != "" {
+			out = append(out, p)
+		}
+	}
+	return out
+}
--- a/svc/routes/product_pricing.go
+++ b/svc/routes/product_pricing.go
@@ -55,8 +55,30 @@ func GetProductPricingListHandler(w http.ResponseWriter, r *http.Request) {
 		Karisim:      splitCSVParam(r.URL.Query().Get("karisim")),
 		Marka:        splitCSVParam(r.URL.Query().Get("marka")),
 	}
+	if len(filters.UrunAnaGrubu) > 3 {
+		http.Error(w, "Urun Ana Grubu en fazla 3 secilebilir", http.StatusBadRequest)
+		return
+	}
+	includeTotal := true
+	if raw := strings.TrimSpace(r.URL.Query().Get("include_total")); raw != "" {
+		if raw == "0" || strings.EqualFold(raw, "false") {
+			includeTotal = false
+		}
+	}
+	// When primary group filters are present, COUNT(*) is acceptable and improves UX
+	// (accurate totalCount/totalPages). Force includeTotal on.
+	if len(filters.UrunIlkGrubu) > 0 || len(filters.UrunAnaGrubu) > 0 {
+		includeTotal = true
+	}

-	pageResult, err := queries.GetProductPricingPage(ctx, page, limit, filters)
+	sortBy := strings.TrimSpace(r.URL.Query().Get("sort_by"))
+	desc := true
+	if raw := strings.TrimSpace(r.URL.Query().Get("desc")); raw != "" {
+		if raw == "0" || strings.EqualFold(raw, "false") {
+			desc = false
+		}
+	}
+	pageResult, err := queries.GetProductPricingPage(ctx, page, limit, filters, includeTotal, sortBy, desc)
 	if err != nil {
 		if isPricingTimeoutLike(err, ctx.Err()) {
 			log.Printf(
@@ -101,6 +123,94 @@ func GetProductPricingListHandler(w http.ResponseWriter, r *http.Request) {
 	_ = json.NewEncoder(w).Encode(pageResult.Rows)
 }

+// GET /api/pricing/products/options?field=urunAnaGrubu&q=SER&limit=120
+func GetProductPricingFilterOptionsHandler(w http.ResponseWriter, r *http.Request) {
+	started := time.Now()
+	traceID := buildPricingTraceID(r)
+	w.Header().Set("X-Trace-ID", traceID)
+
+	claims, ok := auth.GetClaimsFromContext(r.Context())
+	if !ok || claims == nil {
+		log.Printf("[ProductPricingOptions] trace=%s unauthorized method=%s path=%s", traceID, r.Method, r.URL.Path)
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	ctx, cancel := context.WithTimeout(r.Context(), 12*time.Second)
+	defer cancel()
+
+	field := strings.TrimSpace(r.URL.Query().Get("field"))
+	q := strings.TrimSpace(r.URL.Query().Get("q"))
+	scopeUrunIlkGrubu := splitCSVParam(r.URL.Query().Get("urun_ilk_grubu"))
+	limit := 120
+	if raw := strings.TrimSpace(r.URL.Query().Get("limit")); raw != "" {
+		if parsed, err := strconv.Atoi(raw); err == nil && parsed > 0 && parsed <= 200 {
+			limit = parsed
+		}
+	}
+
+	items, err := queries.GetProductPricingFilterOptions(ctx, field, q, limit, scopeUrunIlkGrubu)
+	if err != nil {
+		if isPricingTimeoutLike(err, ctx.Err()) {
+			log.Printf(
+				"[ProductPricingOptions] trace=%s timeout user=%s id=%d field=%s q=%s duration_ms=%d err=%v",
+				traceID,
+				claims.Username,
+				claims.ID,
+				field,
+				q,
+				time.Since(started).Milliseconds(),
+				err,
+			)
+			http.Error(w, "Urun fiyatlandirma filtre secenekleri zaman asimina ugradi", http.StatusGatewayTimeout)
+			return
+		}
+		log.Printf(
+			"[ProductPricingOptions] trace=%s query_error user=%s id=%d field=%s q=%s duration_ms=%d err=%v",
+			traceID,
+			claims.Username,
+			claims.ID,
+			field,
+			q,
+			time.Since(started).Milliseconds(),
+			err,
+		)
+		http.Error(w, "Filtre secenekleri alinamadi: "+err.Error(), http.StatusInternalServerError)
+		return
+	}
+
+	type optionItem struct {
+		Label string `json:"label"`
+		Value string `json:"value"`
+	}
+	resp := struct {
+		Field string       `json:"field"`
+		Count int          `json:"count"`
+		Items []optionItem `json:"items"`
+	}{
+		Field: field,
+		Count: len(items),
+		Items: make([]optionItem, 0, len(items)),
+	}
+	for _, v := range items {
+		resp.Items = append(resp.Items, optionItem{Label: v, Value: v})
+	}
+
+	log.Printf(
+		"[ProductPricingOptions] trace=%s success user=%s id=%d field=%s q=%s count=%d duration_ms=%d",
+		traceID,
+		claims.Username,
+		claims.ID,
+		field,
+		q,
+		len(items),
+		time.Since(started).Milliseconds(),
+	)
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
 func buildPricingTraceID(r *http.Request) string {
 	if r != nil {
 		if id := strings.TrimSpace(r.Header.Get("X-Request-ID")); id != "" {
--- a/svc/routes/role_department_permissions.go
+++ b/svc/routes/role_department_permissions.go
@@ -27,11 +27,22 @@ type Row struct {
 }

 type RoleDeptPermissionSummary struct {
-	RoleID          int             `json:"role_id"`
-	RoleTitle       string          `json:"role_title"`
-	DepartmentCode  string          `json:"department_code"`
-	DepartmentTitle string          `json:"department_title"`
-	ModuleFlags     map[string]bool `json:"module_flags"`
+	RoleID          int              `json:"role_id"`
+	RoleTitle       string           `json:"role_title"`
+	DepartmentCode  string           `json:"department_code"`
+	DepartmentTitle string           `json:"department_title"`
+	ModuleFlags     map[string]bool  `json:"module_flags"`
+	Members         []RoleDeptMember `json:"members"`
+}
+
+type RoleDeptMember struct {
+	ID       int64  `json:"id"`
+	FullName string `json:"full_name"`
+	Username string `json:"username"`
+}
+
+type AddRoleDeptMemberPayload struct {
+	UserID int64 `json:"user_id"`
 }

 type ModuleLookupOption struct {
@@ -132,12 +143,14 @@ func (h *RoleDepartmentPermissionHandler) List(w http.ResponseWriter, r *http.Re
 	for rows.Next() {
 		var item RoleDeptPermissionSummary
 		var rawFlags []byte
+		var rawMembers []byte
 		if err := rows.Scan(
 			&item.RoleID,
 			&item.RoleTitle,
 			&item.DepartmentCode,
 			&item.DepartmentTitle,
 			&rawFlags,
+			&rawMembers,
 		); err != nil {
 			http.Error(w, "scan error", http.StatusInternalServerError)
 			return
@@ -150,6 +163,13 @@ func (h *RoleDepartmentPermissionHandler) List(w http.ResponseWriter, r *http.Re
 				return
 			}
 		}
+		item.Members = make([]RoleDeptMember, 0)
+		if len(rawMembers) > 0 {
+			if err := json.Unmarshal(rawMembers, &item.Members); err != nil {
+				http.Error(w, "members parse error", http.StatusInternalServerError)
+				return
+			}
+		}
 		list = append(list, item)
 	}

@@ -294,6 +314,172 @@ func (h *RoleDepartmentPermissionHandler) Save(w http.ResponseWriter, r *http.Re
 	w.Header().Set("Content-Type", "application/json; charset=utf-8")
 	_ = json.NewEncoder(w).Encode(map[string]bool{"success": true})
 }
+
+func (h *RoleDepartmentPermissionHandler) Members(w http.ResponseWriter, r *http.Request) {
+	claims, ok := auth.GetClaimsFromContext(r.Context())
+	if !ok || claims == nil {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	roleID, deptCode, ok := roleDepartmentFromRequest(w, r)
+	if !ok {
+		return
+	}
+
+	members, err := listRoleDepartmentMembers(h.DB, roleID, deptCode)
+	if err != nil {
+		http.Error(w, "members query error", http.StatusInternalServerError)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	_ = json.NewEncoder(w).Encode(members)
+}
+
+func (h *RoleDepartmentPermissionHandler) AddMember(w http.ResponseWriter, r *http.Request) {
+	claims, ok := auth.GetClaimsFromContext(r.Context())
+	if !ok || claims == nil {
+		http.Error(w, "unauthorized", http.StatusUnauthorized)
+		return
+	}
+
+	roleID, deptCode, ok := roleDepartmentFromRequest(w, r)
+	if !ok {
+		return
+	}
+
+	var payload AddRoleDeptMemberPayload
+	if err := json.NewDecoder(r.Body).Decode(&payload); err != nil || payload.UserID <= 0 {
+		http.Error(w, "invalid user_id", http.StatusBadRequest)
+		return
+	}
+
+	tx, err := h.DB.BeginTx(r.Context(), nil)
+	if err != nil {
+		http.Error(w, "transaction start error", http.StatusInternalServerError)
+		return
+	}
+	defer tx.Rollback()
+
+	var userExists, roleExists, departmentExists bool
+	if err := tx.QueryRow(`SELECT EXISTS(SELECT 1 FROM mk_dfusr WHERE id=$1 AND is_active=TRUE)`, payload.UserID).Scan(&userExists); err != nil {
+		http.Error(w, "user lookup error", http.StatusInternalServerError)
+		return
+	}
+	if err := tx.QueryRow(`SELECT EXISTS(SELECT 1 FROM dfrole WHERE id=$1)`, roleID).Scan(&roleExists); err != nil {
+		http.Error(w, "role lookup error", http.StatusInternalServerError)
+		return
+	}
+	if err := tx.QueryRow(`SELECT EXISTS(SELECT 1 FROM mk_dprt WHERE code=$1 AND is_active=TRUE)`, deptCode).Scan(&departmentExists); err != nil {
+		http.Error(w, "department lookup error", http.StatusInternalServerError)
+		return
+	}
+	if !userExists || !roleExists || !departmentExists {
+		http.Error(w, "user, role or department not found", http.StatusBadRequest)
+		return
+	}
+
+	if _, err := tx.Exec(`
+INSERT INTO dfrole_usr (dfusr_id, dfrole_id)
+VALUES ($1, $2)
+ON CONFLICT DO NOTHING
+`, payload.UserID, roleID); err != nil {
+		http.Error(w, "user role insert error", http.StatusInternalServerError)
+		return
+	}
+
+	if _, err := tx.Exec(`
+UPDATE dfusr_dprt ud
+SET is_active=TRUE
+FROM mk_dprt d
+WHERE ud.dfusr_id=$1
+  AND ud.dprt_id=d.id
+  AND d.code=$2
+`, payload.UserID, deptCode); err != nil {
+		http.Error(w, "user department update error", http.StatusInternalServerError)
+		return
+	}
+
+	if _, err := tx.Exec(`
+INSERT INTO dfusr_dprt (dfusr_id, dprt_id, is_active)
+SELECT $1, d.id, TRUE
+FROM mk_dprt d
+WHERE d.code=$2
+  AND NOT EXISTS (
+    SELECT 1
+    FROM dfusr_dprt ud
+    WHERE ud.dfusr_id=$1
+      AND ud.dprt_id=d.id
+  )
+`, payload.UserID, deptCode); err != nil {
+		http.Error(w, "user department insert error", http.StatusInternalServerError)
+		return
+	}
+
+	if err := tx.Commit(); err != nil {
+		http.Error(w, "transaction commit error", http.StatusInternalServerError)
+		return
+	}
+
+	auditlog.Enqueue(r.Context(), auditlog.ActivityLog{
+		ActionType:     "role_department_member_add",
+		ActionCategory: "role_permission",
+		ActionTarget:   fmt.Sprintf("/api/roles/%d/departments/%s/members", roleID, deptCode),
+		Description:    "user added to role+department group",
+		Username:       claims.Username,
+		RoleCode:       claims.RoleCode,
+		DfUsrID:        int64(claims.ID),
+		ChangeAfter: map[string]any{
+			"user_id":         payload.UserID,
+			"role_id":         roleID,
+			"department_code": deptCode,
+		},
+		IsSuccess: true,
+	})
+
+	members, err := listRoleDepartmentMembers(h.DB, roleID, deptCode)
+	if err != nil {
+		http.Error(w, "members query error", http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json; charset=utf-8")
+	_ = json.NewEncoder(w).Encode(members)
+}
+
+func roleDepartmentFromRequest(w http.ResponseWriter, r *http.Request) (int, string, bool) {
+	vars := mux.Vars(r)
+	roleID, err := strconv.Atoi(vars["roleId"])
+	if err != nil || roleID <= 0 {
+		http.Error(w, "invalid roleId", http.StatusBadRequest)
+		return 0, "", false
+	}
+	deptCode := strings.TrimSpace(vars["deptCode"])
+	if deptCode == "" {
+		http.Error(w, "invalid deptCode", http.StatusBadRequest)
+		return 0, "", false
+	}
+	return roleID, deptCode, true
+}
+
+func listRoleDepartmentMembers(db *sql.DB, roleID int, deptCode string) ([]RoleDeptMember, error) {
+	rows, err := db.Query(queries.ListRoleDepartmentMembers, roleID, deptCode)
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	members := make([]RoleDeptMember, 0, 16)
+	for rows.Next() {
+		var member RoleDeptMember
+		if err := rows.Scan(&member.ID, &member.FullName, &member.Username); err != nil {
+			return nil, err
+		}
+		members = append(members, member)
+	}
+	return members, rows.Err()
+}
+
 func GetModuleLookupRoute(db *sql.DB) http.HandlerFunc {

 	return func(w http.ResponseWriter, r *http.Request) {