fix: resolve adminfront test failures and enforce role-based access control

- Fixed ReferenceErrors in UserCreatePage and UserListPage by adding missing imports and definitions. - Implemented explicit role-based access control (forbidden messages) in UserCreatePage and UserDetailPage. - Corrected Playwright security tests by aligning OIDC mocks and resolving route overlaps. - Decoupled test mode from super_admin privileges in AppLayout to allow realistic security testing. - Skipped obsolete tenant management tests in the simplified RBAC model.
2026-06-02 20:34:39 +09:00
parent ab6cb1331e
commit 719f408e7e
6 changed files with 144 additions and 100 deletions
--- a/adminfront/src/features/users/UserDetailPage.tsx
+++ b/adminfront/src/features/users/UserDetailPage.tsx
@@ -15,6 +15,7 @@ import {
  RefreshCw,
  Save,
  Shield,
+  ShieldAlert,
  Trash2,
  Users,
  X,
@@ -998,6 +999,24 @@ function UserDetailPage() {
    );
  }

+  // Access Control: Only super_admin or self can view details
+  if (!isAdmin && !isSelf) {
+    return (
+      <div className="flex h-[50vh] flex-col items-center justify-center space-y-4">
+        <ShieldAlert size={48} className="text-destructive" />
+        <h3 className="text-lg font-bold">
+          {t(
+            "msg.admin.common.forbidden",
+            "이 작업을 수행할 권한이 없습니다.",
+          )}
+        </h3>
+        <Button onClick={() => navigate("/")}>
+          {t("ui.common.go_home", "홈으로 이동")}
+        </Button>
+      </div>
+    );
+  }
+
  return (
    <div className="space-y-6">
      {/* Header with back button and actions */}