fix(auth): keep admin out of personal workbench

2026-06-03 16:31:27 +08:00
parent 04f0951b3d
commit 59d3bf0f00
2 changed files with 47 additions and 16 deletions
--- a/web/src/utils/accessControl.js
+++ b/web/src/utils/accessControl.js
@@ -239,6 +239,10 @@ export function canAccessAppView(user, viewId) {
    return false
  }

+  if (viewId === 'workbench' && isPlatformAdminUser(user)) {
+    return false
+  }
+
  if (viewId === 'budget') {
    if (isPlatformAdminUser(user)) {
      return true
@@ -269,6 +273,10 @@ export function filterNavItemsByAccess(navItems, user) {
 }

 export function resolveDefaultAuthorizedRoute(user) {
+  if (isPlatformAdminUser(user) && canAccessAppView(user, 'overview')) {
+    return { name: 'app-overview' }
+  }
+
  const firstVisibleView = getAccessibleViewIds(user)[0]
  return { name: `app-${firstVisibleView || 'workbench'}` }
 }
--- a/web/tests/accessControl.test.mjs
+++ b/web/tests/accessControl.test.mjs
@@ -7,10 +7,13 @@ import {
  canAccessAppView,
  canDeleteArchivedExpenseClaims,
  canEditBudgetCenter,
+  filterNavItemsByAccess,
+  getAccessibleViewIds,
  isCurrentDirectManagerForRequest,
  isCurrentRequestApplicant,
  canManageExpenseClaims,
  canReturnExpenseClaims,
+  resolveDefaultAuthorizedRoute,
  canSwitchBudgetDepartments
 } from '../src/utils/accessControl.js'
 import { canProcessApprovalRequest } from '../src/utils/approvalInbox.js'
@@ -71,6 +74,26 @@ test('legacy reimbursement approval and archive centers are no longer accessible
  assert.equal(canAccessAppView(adminUser, 'documents'), true)
 })

+test('platform admin users do not enter the personal workbench', () => {
+  const adminUser = { username: 'admin', isAdmin: true, roleCodes: ['manager', 'finance'] }
+  const employeeUser = { username: 'employee@example.com', roleCodes: [] }
+  const navItems = [
+    { id: 'workbench', label: '个人工作台' },
+    { id: 'documents', label: '单据中心' },
+    { id: 'overview', label: '分析看板' },
+    { id: 'settings', label: '系统设置' }
+  ]
+
+  assert.equal(canAccessAppView(adminUser, 'workbench'), false)
+  assert.equal(canAccessAppView(employeeUser, 'workbench'), true)
+  assert.equal(getAccessibleViewIds(adminUser).includes('workbench'), false)
+  assert.deepEqual(resolveDefaultAuthorizedRoute(adminUser), { name: 'app-overview' })
+  assert.deepEqual(
+    filterNavItemsByAccess(navItems, adminUser).map((item) => item.id),
+    ['documents', 'overview', 'settings']
+  )
+})
+
 test('budget center is visible to platform admin, budget monitor, and executive roles only', () => {
  assert.equal(canAccessAppView({ isAdmin: true, roleCodes: ['manager'] }, 'budget'), true)
  assert.equal(canAccessAppView({ username: 'admin', roleCodes: ['manager'] }, 'budget'), true)