fix(auth): keep admin out of personal workbench

This commit is contained in:
caoxiaozhu
2026-06-03 16:31:27 +08:00
parent 04f0951b3d
commit 59d3bf0f00
2 changed files with 47 additions and 16 deletions

View File

@@ -7,10 +7,13 @@ import {
canAccessAppView,
canDeleteArchivedExpenseClaims,
canEditBudgetCenter,
filterNavItemsByAccess,
getAccessibleViewIds,
isCurrentDirectManagerForRequest,
isCurrentRequestApplicant,
canManageExpenseClaims,
canReturnExpenseClaims,
resolveDefaultAuthorizedRoute,
canSwitchBudgetDepartments
} from '../src/utils/accessControl.js'
import { canProcessApprovalRequest } from '../src/utils/approvalInbox.js'
@@ -71,6 +74,26 @@ test('legacy reimbursement approval and archive centers are no longer accessible
assert.equal(canAccessAppView(adminUser, 'documents'), true)
})
test('platform admin users do not enter the personal workbench', () => {
const adminUser = { username: 'admin', isAdmin: true, roleCodes: ['manager', 'finance'] }
const employeeUser = { username: 'employee@example.com', roleCodes: [] }
const navItems = [
{ id: 'workbench', label: '个人工作台' },
{ id: 'documents', label: '单据中心' },
{ id: 'overview', label: '分析看板' },
{ id: 'settings', label: '系统设置' }
]
assert.equal(canAccessAppView(adminUser, 'workbench'), false)
assert.equal(canAccessAppView(employeeUser, 'workbench'), true)
assert.equal(getAccessibleViewIds(adminUser).includes('workbench'), false)
assert.deepEqual(resolveDefaultAuthorizedRoute(adminUser), { name: 'app-overview' })
assert.deepEqual(
filterNavItemsByAccess(navItems, adminUser).map((item) => item.id),
['documents', 'overview', 'settings']
)
})
test('budget center is visible to platform admin, budget monitor, and executive roles only', () => {
assert.equal(canAccessAppView({ isAdmin: true, roleCodes: ['manager'] }, 'budget'), true)
assert.equal(canAccessAppView({ username: 'admin', roleCodes: ['manager'] }, 'budget'), true)