web/src/utils/accessControl.js

export const DEFAULT_APP_VIEW_ORDER = [
  'overview',
  'workbench',
  'documents',
  'budget',
  'policies',
  'audit',
  'logs',
  'employees',
  'settings'
]

const ALWAYS_VISIBLE_VIEWS = new Set(['workbench', 'documents', 'policies'])
const VIEW_ROLE_RULES = {
  overview: ['finance', 'executive'],
  budget: ['finance', 'executive'],
  audit: ['auditor', 'finance'],
  logs: ['manager'],
  employees: ['manager'],
  settings: ['manager']
}
const CLAIM_MANAGER_ROLE_CODES = new Set(['executive'])
const CLAIM_RETURN_ROLE_CODES = new Set(['finance', 'executive', 'manager', 'approver'])
const CLAIM_LEADER_APPROVAL_ROLE_CODES = new Set(['manager', 'approver'])

function normalizedRoleCodes(user) {
  if (!user) {
    return []
  }

  return Array.isArray(user.roleCodes)
    ? user.roleCodes.map((item) => String(item || '').trim().toLowerCase()).filter(Boolean)
    : []
}

export function isManagerUser(user) {
  return Boolean(user?.isAdmin) || normalizedRoleCodes(user).includes('manager')
}

export function isFinanceUser(user) {
  return normalizedRoleCodes(user).includes('finance')
}

export function isExecutiveUser(user) {
  return normalizedRoleCodes(user).includes('executive')
}

export function canManageExpenseClaims(user) {
  if (Boolean(user?.isAdmin)) {
    return true
  }

  return normalizedRoleCodes(user).some((roleCode) => CLAIM_MANAGER_ROLE_CODES.has(roleCode))
}

export function canDeleteArchivedExpenseClaims(user) {
  return Boolean(user?.isAdmin)
}

export function canReturnExpenseClaims(user) {
  if (Boolean(user?.isAdmin)) {
    return true
  }

  return normalizedRoleCodes(user).some((roleCode) => CLAIM_RETURN_ROLE_CODES.has(roleCode))
}

export function canApproveLeaderExpenseClaims(user) {
  if (Boolean(user?.isAdmin)) {
    return true
  }

  return normalizedRoleCodes(user).some((roleCode) => CLAIM_LEADER_APPROVAL_ROLE_CODES.has(roleCode))
}

export function canAccessAppView(user, viewId) {
  if (!viewId || !user) {
    return false
  }

  if (!DEFAULT_APP_VIEW_ORDER.includes(viewId)) {
    return false
  }

  if (isManagerUser(user)) {
    return true
  }

  if (ALWAYS_VISIBLE_VIEWS.has(viewId)) {
    return true
  }

  const requiredRoles = VIEW_ROLE_RULES[viewId] || []
  const roleCodes = normalizedRoleCodes(user)
  return requiredRoles.some((roleCode) => roleCodes.includes(roleCode))
}

export function getAccessibleViewIds(user) {
  return DEFAULT_APP_VIEW_ORDER.filter((viewId) => canAccessAppView(user, viewId))
}

export function filterNavItemsByAccess(navItems, user) {
  return navItems.filter((item) => canAccessAppView(user, item.id))
}

export function resolveDefaultAuthorizedRoute(user) {
  const firstVisibleView = getAccessibleViewIds(user)[0]
  return { name: `app-${firstVisibleView || 'workbench'}` }
}
feat: 增强风险规则生成引擎与预算中心页面后端拆分风险规则生成为解释器、语义分析、本体对齐等子模块，优化模板执行和流程图生成，完善员工种子数据和导入逻辑，增强报销单权限策略和草稿持久化，前端新增预算中心视图和趋势图组件，重构审计页面和风险规则测试对话框交互，完善文档中心和报销创建页面细节，补充单元测试覆盖。 2026-05-26 09:15:14 +08:00			`export const DEFAULT_APP_VIEW_ORDER = [`
			`'overview',`
			`'workbench',`
			`'documents',`
			`'budget',`
			`'policies',`
			`'audit',`
feat: 新增归档中心页面并完善知识库与报销查询能力新增前端归档中心视图及相关工具函数，扩充知识库文档分类和提取器支持多种格式，增强编排器报销查询的多维度检索，优化本体规则和用户代理审核消息，前端完善报销创建和审批详情交互细节，补充单元测试覆盖。 2026-05-22 16:00:19 +08:00			`'logs',`
			`'employees',`
			`'settings'`
			`]`

feat: 增强风险规则生成引擎与预算中心页面后端拆分风险规则生成为解释器、语义分析、本体对齐等子模块，优化模板执行和流程图生成，完善员工种子数据和导入逻辑，增强报销单权限策略和草稿持久化，前端新增预算中心视图和趋势图组件，重构审计页面和风险规则测试对话框交互，完善文档中心和报销创建页面细节，补充单元测试覆盖。 2026-05-26 09:15:14 +08:00			`const ALWAYS_VISIBLE_VIEWS = new Set(['workbench', 'documents', 'policies'])`
			`const VIEW_ROLE_RULES = {`
			`overview: ['finance', 'executive'],`
			`budget: ['finance', 'executive'],`
			`audit: ['auditor', 'finance'],`
feat: 新增归档中心页面并完善知识库与报销查询能力新增前端归档中心视图及相关工具函数，扩充知识库文档分类和提取器支持多种格式，增强编排器报销查询的多维度检索，优化本体规则和用户代理审核消息，前端完善报销创建和审批详情交互细节，补充单元测试覆盖。 2026-05-22 16:00:19 +08:00			`logs: ['manager'],`
			`employees: ['manager'],`
			`settings: ['manager']`
			`}`
			`const CLAIM_MANAGER_ROLE_CODES = new Set(['executive'])`
			`const CLAIM_RETURN_ROLE_CODES = new Set(['finance', 'executive', 'manager', 'approver'])`
			`const CLAIM_LEADER_APPROVAL_ROLE_CODES = new Set(['manager', 'approver'])`
feat: 完善知识库、策略预览与OnlyOffice集成，增强后端启动依赖检查 2026-05-09 05:59:46 +00:00
			`function normalizedRoleCodes(user) {`
			`if (!user) {`
			`return []`
			`}`

feat: 新增归档中心页面并完善知识库与报销查询能力新增前端归档中心视图及相关工具函数，扩充知识库文档分类和提取器支持多种格式，增强编排器报销查询的多维度检索，优化本体规则和用户代理审核消息，前端完善报销创建和审批详情交互细节，补充单元测试覆盖。 2026-05-22 16:00:19 +08:00			`return Array.isArray(user.roleCodes)`
			`? user.roleCodes.map((item) => String(item \|\| '').trim().toLowerCase()).filter(Boolean)`
			`: []`
			`}`

			`export function isManagerUser(user) {`
			`return Boolean(user?.isAdmin) \|\| normalizedRoleCodes(user).includes('manager')`
			`}`

			`export function isFinanceUser(user) {`
			`return normalizedRoleCodes(user).includes('finance')`
			`}`

			`export function isExecutiveUser(user) {`
			`return normalizedRoleCodes(user).includes('executive')`
			`}`

feat: 增强风险规则生成引擎与预算中心页面后端拆分风险规则生成为解释器、语义分析、本体对齐等子模块，优化模板执行和流程图生成，完善员工种子数据和导入逻辑，增强报销单权限策略和草稿持久化，前端新增预算中心视图和趋势图组件，重构审计页面和风险规则测试对话框交互，完善文档中心和报销创建页面细节，补充单元测试覆盖。 2026-05-26 09:15:14 +08:00			`export function canManageExpenseClaims(user) {`
			`if (Boolean(user?.isAdmin)) {`
			`return true`
			`}`

			`return normalizedRoleCodes(user).some((roleCode) => CLAIM_MANAGER_ROLE_CODES.has(roleCode))`
			`}`

			`export function canDeleteArchivedExpenseClaims(user) {`
			`return Boolean(user?.isAdmin)`
			`}`

			`export function canReturnExpenseClaims(user) {`
			`if (Boolean(user?.isAdmin)) {`
			`return true`
			`}`
feat: 新增归档中心页面并完善知识库与报销查询能力新增前端归档中心视图及相关工具函数，扩充知识库文档分类和提取器支持多种格式，增强编排器报销查询的多维度检索，优化本体规则和用户代理审核消息，前端完善报销创建和审批详情交互细节，补充单元测试覆盖。 2026-05-22 16:00:19 +08:00
			`return normalizedRoleCodes(user).some((roleCode) => CLAIM_RETURN_ROLE_CODES.has(roleCode))`
			`}`

			`export function canApproveLeaderExpenseClaims(user) {`
			`if (Boolean(user?.isAdmin)) {`
			`return true`
			`}`

			`return normalizedRoleCodes(user).some((roleCode) => CLAIM_LEADER_APPROVAL_ROLE_CODES.has(roleCode))`
			`}`

feat: 增强风险规则生成引擎与预算中心页面后端拆分风险规则生成为解释器、语义分析、本体对齐等子模块，优化模板执行和流程图生成，完善员工种子数据和导入逻辑，增强报销单权限策略和草稿持久化，前端新增预算中心视图和趋势图组件，重构审计页面和风险规则测试对话框交互，完善文档中心和报销创建页面细节，补充单元测试覆盖。 2026-05-26 09:15:14 +08:00			`export function canAccessAppView(user, viewId) {`
			`if (!viewId \|\| !user) {`
			`return false`
			`}`

			`if (!DEFAULT_APP_VIEW_ORDER.includes(viewId)) {`
			`return false`
			`}`

			`if (isManagerUser(user)) {`
			`return true`
			`}`
feat: 完善知识库、策略预览与OnlyOffice集成，增强后端启动依赖检查 2026-05-09 05:59:46 +00:00
			`if (ALWAYS_VISIBLE_VIEWS.has(viewId)) {`
			`return true`
			`}`

			`const requiredRoles = VIEW_ROLE_RULES[viewId] \|\| []`
			`const roleCodes = normalizedRoleCodes(user)`
			`return requiredRoles.some((roleCode) => roleCodes.includes(roleCode))`
			`}`

			`export function getAccessibleViewIds(user) {`
			`return DEFAULT_APP_VIEW_ORDER.filter((viewId) => canAccessAppView(user, viewId))`
			`}`

			`export function filterNavItemsByAccess(navItems, user) {`
			`return navItems.filter((item) => canAccessAppView(user, item.id))`
			`}`

			`export function resolveDefaultAuthorizedRoute(user) {`
			`const firstVisibleView = getAccessibleViewIds(user)[0]`
			return { name: `app-${firstVisibleView \|\| 'workbench'}` }
			`}`