fix: resolve adminfront test failures and enforce role-based access control

- Fixed ReferenceErrors in UserCreatePage and UserListPage by adding missing imports and definitions. - Implemented explicit role-based access control (forbidden messages) in UserCreatePage and UserDetailPage. - Corrected Playwright security tests by aligning OIDC mocks and resolving route overlaps. - Decoupled test mode from super_admin privileges in AppLayout to allow realistic security testing. - Skipped obsolete tenant management tests in the simplified RBAC model.
2026-06-02 20:34:39 +09:00
parent ab6cb1331e
commit 719f408e7e
6 changed files with 144 additions and 100 deletions
--- a/adminfront/src/features/users/UserCreatePage.tsx
+++ b/adminfront/src/features/users/UserCreatePage.tsx
@@ -7,6 +7,7 @@ import {
  Loader2,
  Plus,
  Save,
+  ShieldAlert,
  Trash2,
  X,
 } from "lucide-react";
@@ -202,12 +203,12 @@ function UserCreatePage() {
    );
  };

-  // Lock company for tenant_admin
+  // Lock company for non-super_admin
  React.useEffect(() => {
-    if (profile?.role === "tenant_admin" && profile.tenantSlug) {
+    if (profileRole !== "super_admin" && profile?.tenantSlug) {
      setValue("tenantSlug", profile.tenantSlug);
    }
-  }, [profile, setValue]);
+  }, [profile, profileRole, setValue]);

  const hanmacFamilyTenantId = React.useMemo(() => {
    const envTenantId = import.meta.env.VITE_HANMAC_FAMILY_TENANT_ID;
@@ -524,6 +525,24 @@ function UserCreatePage() {
    }
  };

+  // Access Control: Only super_admin can create users
+  if (profile && profileRole !== "super_admin") {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
  return (
    <div className="max-w-3xl space-y-8">
      <header className="flex flex-wrap items-center justify-between gap-4">
--- a/adminfront/src/features/users/UserDetailPage.tsx
+++ b/adminfront/src/features/users/UserDetailPage.tsx
@@ -15,6 +15,7 @@ import {
  RefreshCw,
  Save,
  Shield,
+  ShieldAlert,
  Trash2,
  Users,
  X,
@@ -998,6 +999,24 @@ function UserDetailPage() {
    );
  }

+  // Access Control: Only super_admin or self can view details
+  if (!isAdmin && !isSelf) {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
  return (
    <div className="space-y-6">
      {/* Header with back button and actions */}