RP 관계 범위의 콘솔 접근 허용

2026-04-20 10:46:17 +09:00
parent 0b8eaec636
commit 51e46a4d00
10 changed files with 376 additions and 109 deletions
--- a/devfront/tests/devfront-role-switch-report.spec.ts
+++ b/devfront/tests/devfront-role-switch-report.spec.ts
@@ -17,7 +17,7 @@ test.describe("DevFront role report", () => {
    });
  });

-  test("user(tenant_member) is blocked with 안내 문구", async ({
+  test("user(tenant_member) can enter and sees empty RP list", async ({
    page,
  }, testInfo) => {
    await seedAuth(page, "user");
@@ -29,9 +29,12 @@ test.describe("DevFront role report", () => {

    await page.goto("/clients");
    await expect(
-      page.getByText(/관리자 전용 화면|administrator only/i),
+      page.getByText(/조회 가능한 RP가 없습니다|No RPs are available/i),
    ).toBeVisible();
-    await captureEvidence(page, testInfo, "role-user-blocked");
+    await expect(
+      page.getByText(/연동 앱|Connected Application/i),
+    ).toBeVisible();
+    await captureEvidence(page, testInfo, "role-user-empty-rps");
  });

  test("rp_admin sees only assigned Gitea app and its logs", async ({
--- a/devfront/tests/devfront-security.spec.ts
+++ b/devfront/tests/devfront-security.spec.ts
@@ -59,14 +59,25 @@ test.describe("DevFront security and isolation", () => {
    await expect(page.getByText("Server side App")).not.toBeVisible();
  });

-  test("tenant_member user is blocked at AuthGuard", async ({ page }) => {
+  test("tenant_member user can enter DevFront and sees empty RP list", async ({
+    page,
+  }) => {
    await seedAuth(page, "tenant_member");
+    const state = {
+      clients: [] as ReturnType<typeof makeClient>[],
+      consents: [] as Consent[],
+      auditLogsByCursor: undefined,
+    };
+    await installDevApiMock(page, state);

    await page.goto("/clients");
-    await expect(
-      page.getByText(/DevFront는 관리자 전용 화면입니다|administrator access/i),
-    ).toBeVisible();
    await expect(page).toHaveURL(/\/clients$/);
+    await expect(
+      page.getByText(/조회 가능한 RP가 없습니다|No RPs are available/i),
+    ).toBeVisible();
+    await expect(
+      page.getByRole("button", { name: /연동 앱 추가|새 클라이언트|Create/i }),
+    ).not.toBeVisible();
  });

  test("rp_admin receives 403 on clients list and sees ForbiddenMessage", async ({