fix(auth): keep admin out of personal workbench

2026-06-03 16:31:27 +08:00
parent 04f0951b3d
commit 59d3bf0f00
2 changed files with 47 additions and 16 deletions
--- a/web/src/utils/accessControl.js
+++ b/web/src/utils/accessControl.js
@@ -230,18 +230,22 @@ export function isCurrentDirectManagerForRequest(request, user) {
  return managerNames.length > 0 && identityIntersects(managerNames, currentNames)
 }

-export function canAccessAppView(user, viewId) {
-  if (!viewId || !user) {
-    return false
-  }
-
-  if (!DEFAULT_APP_VIEW_ORDER.includes(viewId)) {
-    return false
-  }
-
-  if (viewId === 'budget') {
-    if (isPlatformAdminUser(user)) {
-      return true
+export function canAccessAppView(user, viewId) {
+  if (!viewId || !user) {
+    return false
+  }
+
+  if (!DEFAULT_APP_VIEW_ORDER.includes(viewId)) {
+    return false
+  }
+
+  if (viewId === 'workbench' && isPlatformAdminUser(user)) {
+    return false
+  }
+
+  if (viewId === 'budget') {
+    if (isPlatformAdminUser(user)) {
+      return true
    }
    const roleCodes = normalizedRoleCodes(user)
    return VIEW_ROLE_RULES.budget.some((roleCode) => roleCodes.includes(roleCode))
@@ -268,7 +272,11 @@ export function filterNavItemsByAccess(navItems, user) {
  return navItems.filter((item) => canAccessAppView(user, item.id))
 }

-export function resolveDefaultAuthorizedRoute(user) {
-  const firstVisibleView = getAccessibleViewIds(user)[0]
-  return { name: `app-${firstVisibleView || 'workbench'}` }
-}
+export function resolveDefaultAuthorizedRoute(user) {
+  if (isPlatformAdminUser(user) && canAccessAppView(user, 'overview')) {
+    return { name: 'app-overview' }
+  }
+
+  const firstVisibleView = getAccessibleViewIds(user)[0]
+  return { name: `app-${firstVisibleView || 'workbench'}` }
+}