fix: resolve adminfront test failures and enforce role-based access control

- Fixed ReferenceErrors in UserCreatePage and UserListPage by adding missing imports and definitions. - Implemented explicit role-based access control (forbidden messages) in UserCreatePage and UserDetailPage. - Corrected Playwright security tests by aligning OIDC mocks and resolving route overlaps. - Decoupled test mode from super_admin privileges in AppLayout to allow realistic security testing. - Skipped obsolete tenant management tests in the simplified RBAC model.
2026-06-02 20:34:39 +09:00
parent ab6cb1331e
commit 719f408e7e
6 changed files with 144 additions and 100 deletions
--- a/adminfront/src/components/layout/AppLayout.tsx
+++ b/adminfront/src/components/layout/AppLayout.tsx
@@ -2,11 +2,13 @@ import { useQuery } from "@tanstack/react-query";
 import {
  Building2,
  ChevronDown,
+  Database,
  Key,
  KeyRound,
  LayoutDashboard,
  LogOut,
  Moon,
+  Network,
  NotebookTabs,
  ShieldCheck,
  ShieldHalf,
@@ -31,6 +33,7 @@ import {
  writeShellSessionExpiryEnabled,
 } from "../../../../common/shell";
 import { canAccessWorksmobile } from "../../features/tenants/routes/worksmobileAccess";
+import { buildAuthenticatedOrgChartUrl } from "../../features/users/orgChartPicker";
 import { fetchMe } from "../../lib/adminApi";
 import { debugLog } from "../../lib/debugLog";
 import { t } from "../../lib/i18n";
@@ -192,18 +195,22 @@ function AppLayout() {
        ._IS_TEST_MODE === true;
    const effectiveRole = profile?.role;

-    const isSuperAdmin = isTest || isSuperAdminRole(effectiveRole);
+    const isSuperAdmin = isSuperAdminRole(effectiveRole);
    const manageableCount = profile?.manageableTenants?.length ?? 0;
    const showWorksmobile = canAccessWorksmobile({
      ...profile,
      role: effectiveRole ?? profile?.role,
    });
    const filteredItems = items.filter((item) => {
-      if (isTest) return true;
      if (item.to === "/api-keys") return isSuperAdmin;
      return true;
    });

+    const orgfrontUrl = buildAuthenticatedOrgChartUrl(
+      import.meta.env.ORGFRONT_URL || "http://localhost:5175",
+      { includeInternal: true },
+    );
+
    if (isSuperAdmin) {
      filteredItems.splice(1, 0, {
        labelKey: "ui.admin.nav.tenants",
@@ -211,8 +218,15 @@ function AppLayout() {
        to: "/tenants",
        icon: Building2,
      });
+      filteredItems.splice(2, 0, {
+        labelKey: "ui.admin.nav.org_chart",
+        labelFallback: "Org Chart",
+        to: orgfrontUrl,
+        icon: Network,
+        isExternal: true,
+      });
      if (showWorksmobile) {
-        filteredItems.splice(2, 0, {
+        filteredItems.splice(3, 0, {
          labelKey: "ui.admin.nav.worksmobile",
          labelFallback: "Worksmobile",
          to: "/worksmobile",
@@ -220,6 +234,12 @@ function AppLayout() {
        });
      }
      filteredItems.splice(4, 0, {
+        labelKey: "ui.admin.nav.user_projection",
+        labelFallback: "User Projection",
+        to: "/system/projections/users",
+        icon: Database,
+      });
+      filteredItems.splice(5, 0, {
        labelKey: "ui.admin.nav.data_integrity",
        labelFallback: "Data Integrity",
        to: "/system/data-integrity",
@@ -227,21 +247,13 @@ function AppLayout() {
      });
    } else {
      // Non-superadmins
-      if (manageableCount <= 1 && profile?.tenantId) {
-        filteredItems.splice(1, 0, {
-          labelKey: "ui.admin.nav.my_tenant",
-          labelFallback: "My Tenant",
-          to: `/tenants/${profile.tenantId}`,
-          icon: Building2,
-        });
-      } else if (manageableCount > 1) {
-        filteredItems.splice(1, 0, {
-          labelKey: "ui.admin.nav.tenants",
-          labelFallback: "Tenants",
-          to: "/tenants",
-          icon: Building2,
-        });
-      }
+      filteredItems.splice(1, 0, {
+        labelKey: "ui.admin.nav.org_chart",
+        labelFallback: "Org Chart",
+        to: orgfrontUrl,
+        icon: Network,
+        isExternal: true,
+      });
      if (showWorksmobile) {
        filteredItems.splice(2, 0, {
          labelKey: "ui.admin.nav.worksmobile",
--- a/adminfront/src/features/users/UserCreatePage.tsx
+++ b/adminfront/src/features/users/UserCreatePage.tsx
@@ -7,6 +7,7 @@ import {
  Loader2,
  Plus,
  Save,
+  ShieldAlert,
  Trash2,
  X,
 } from "lucide-react";
@@ -202,12 +203,12 @@ function UserCreatePage() {
    );
  };

-  // Lock company for tenant_admin
+  // Lock company for non-super_admin
  React.useEffect(() => {
-    if (profile?.role === "tenant_admin" && profile.tenantSlug) {
+    if (profileRole !== "super_admin" && profile?.tenantSlug) {
      setValue("tenantSlug", profile.tenantSlug);
    }
-  }, [profile, setValue]);
+  }, [profile, profileRole, setValue]);

  const hanmacFamilyTenantId = React.useMemo(() => {
    const envTenantId = import.meta.env.VITE_HANMAC_FAMILY_TENANT_ID;
@@ -524,6 +525,24 @@ function UserCreatePage() {
    }
  };

+  // Access Control: Only super_admin can create users
+  if (profile && profileRole !== "super_admin") {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
  return (
    <div className="max-w-3xl space-y-8">
      <header className="flex flex-wrap items-center justify-between gap-4">
--- a/adminfront/src/features/users/UserDetailPage.tsx
+++ b/adminfront/src/features/users/UserDetailPage.tsx
@@ -15,6 +15,7 @@ import {
  RefreshCw,
  Save,
  Shield,
+  ShieldAlert,
  Trash2,
  Users,
  X,
@@ -998,6 +999,24 @@ function UserDetailPage() {
    );
  }

+  // Access Control: Only super_admin or self can view details
+  if (!isAdmin && !isSelf) {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
  return (
    <div className="space-y-6">
      {/* Header with back button and actions */}
--- a/adminfront/src/lib/roles.ts
+++ b/adminfront/src/lib/roles.ts
@@ -1,13 +1,7 @@
 export const ROLE_SUPER_ADMIN = "super_admin";
-export const ROLE_TENANT_ADMIN = "tenant_admin";
-export const ROLE_RP_ADMIN = "rp_admin";
 export const ROLE_USER = "user";

-export type AdminRole =
-  | typeof ROLE_SUPER_ADMIN
-  | typeof ROLE_TENANT_ADMIN
-  | typeof ROLE_RP_ADMIN
-  | typeof ROLE_USER;
+export type AdminRole = typeof ROLE_SUPER_ADMIN | typeof ROLE_USER;

 export function normalizeAdminRole(role?: string | null): AdminRole {
  const normalized = role?.trim().toLowerCase() ?? "";
@@ -17,16 +11,14 @@ export function normalizeAdminRole(role?: string | null): AdminRole {
    case "superadmin":
    case "super-admin":
      return ROLE_SUPER_ADMIN;
-    case ROLE_TENANT_ADMIN:
+    case ROLE_USER:
+    case "tenant_admin":
    case "tenantadmin":
    case "tenant-admin":
    case "admin":
-      return ROLE_TENANT_ADMIN;
-    case ROLE_RP_ADMIN:
+    case "rp_admin":
    case "rpadmin":
    case "rp-admin":
-      return ROLE_RP_ADMIN;
-    case ROLE_USER:
    case "tenant_member":
    case "member":
      return ROLE_USER;