fix(auth): keep admin out of personal workbench

web/tests/accessControl.test.mjs

@@ -7,10 +7,13 @@ import {
   canAccessAppView,
   canDeleteArchivedExpenseClaims,
   canEditBudgetCenter,
+  filterNavItemsByAccess,
+  getAccessibleViewIds,
   isCurrentDirectManagerForRequest,
   isCurrentRequestApplicant,
   canManageExpenseClaims,
   canReturnExpenseClaims,
+  resolveDefaultAuthorizedRoute,
   canSwitchBudgetDepartments
 } from '../src/utils/accessControl.js'
 import { canProcessApprovalRequest } from '../src/utils/approvalInbox.js'
@@ -71,6 +74,26 @@ test('legacy reimbursement approval and archive centers are no longer accessible
   assert.equal(canAccessAppView(adminUser, 'documents'), true)
 })
 
+test('platform admin users do not enter the personal workbench', () => {
+  const adminUser = { username: 'admin', isAdmin: true, roleCodes: ['manager', 'finance'] }
+  const employeeUser = { username: 'employee@example.com', roleCodes: [] }
+  const navItems = [
+    { id: 'workbench', label: '个人工作台' },
+    { id: 'documents', label: '单据中心' },
+    { id: 'overview', label: '分析看板' },
+    { id: 'settings', label: '系统设置' }
+  ]
+
+  assert.equal(canAccessAppView(adminUser, 'workbench'), false)
+  assert.equal(canAccessAppView(employeeUser, 'workbench'), true)
+  assert.equal(getAccessibleViewIds(adminUser).includes('workbench'), false)
+  assert.deepEqual(resolveDefaultAuthorizedRoute(adminUser), { name: 'app-overview' })
+  assert.deepEqual(
+    filterNavItemsByAccess(navItems, adminUser).map((item) => item.id),
+    ['documents', 'overview', 'settings']
+  )
+})
+
 test('budget center is visible to platform admin, budget monitor, and executive roles only', () => {
   assert.equal(canAccessAppView({ isAdmin: true, roleCodes: ['manager'] }, 'budget'), true)
   assert.equal(canAccessAppView({ username: 'admin', roleCodes: ['manager'] }, 'budget'), true)