정합성 위반사항 확인 및 조치기능 추가

adminfront/tests/bulk_actions.spec.ts

@@ -235,6 +235,135 @@ test.describe("Bulk Actions and Tree Search", () => {
     await expect(selectionBar).not.toBeVisible({ timeout: 10000 });
   });
 
+  test("should only expose super admin grant and revoke options in bulk permission select", async ({
+    page,
+  }) => {
+    await page.goto("/users");
+    await expect(page.locator("table")).toContainText("User One", {
+      timeout: 20000,
+    });
+
+    await page.locator('table input[type="checkbox"]').nth(1).click();
+    await expect(page.getByTestId("bulk-action-bar")).toBeVisible({
+      timeout: 15000,
+    });
+
+    await page.getByTestId("bulk-permission-select").click();
+    await expect(
+      page.getByRole("option", { name: /시스템 관리자|Super Admin/i }),
+    ).toBeVisible();
+    await expect(
+      page.getByRole("option", { name: /일반 사용자|User/i }),
+    ).toBeVisible();
+    await expect(
+      page.getByRole("option", { name: /테넌트 관리자|Tenant Admin/i }),
+    ).toHaveCount(0);
+    await expect(
+      page.getByRole("option", {
+        name: /서비스 관리자|RP Admin|Service Admin/i,
+      }),
+    ).toHaveCount(0);
+  });
+
+  test("should let super admins revoke selected super admin permission", async ({
+    page,
+  }) => {
+    let capturedPayload: unknown = null;
+    await page.route("**/api/v1/admin/users/bulk", async (route) => {
+      if (route.request().method() === "PUT") {
+        capturedPayload = route.request().postDataJSON();
+        return route.fulfill({
+          json: { results: [{ id: "u-1", success: true }] },
+          headers: { "Access-Control-Allow-Origin": "*" },
+        });
+      }
+      return route.fallback();
+    });
+
+    await page.goto("/users");
+    await expect(page.locator("table")).toContainText("User One", {
+      timeout: 20000,
+    });
+
+    await page.locator('table input[type="checkbox"]').nth(1).click();
+    await expect(page.getByTestId("bulk-action-bar")).toBeVisible({
+      timeout: 15000,
+    });
+
+    await page.getByTestId("bulk-permission-select").click();
+    await page.getByRole("option", { name: /일반 사용자|User/i }).click();
+    await page.getByTestId("bulk-apply-permission-btn").click();
+
+    await expect
+      .poll(() => capturedPayload)
+      .toEqual({
+        userIds: ["u-1"],
+        role: "user",
+      });
+  });
+
+  test("should not render role field on user detail page", async ({ page }) => {
+    await page.unroute("**/api/v1/**");
+    await page.route("**/api/v1/**", async (route) => {
+      const url = route.request().url();
+      const headers = { "Access-Control-Allow-Origin": "*" };
+
+      if (url.includes("/user/me")) {
+        return route.fulfill({
+          json: {
+            id: "admin",
+            role: "super_admin",
+            name: "Admin",
+            manageableTenants: [],
+          },
+          headers,
+        });
+      }
+      if (url.includes("/auth/password/policy")) {
+        return route.fulfill({ json: { minLength: 12 }, headers });
+      }
+      if (url.includes("/admin/users/u-1/rp-history")) {
+        return route.fulfill({ json: [], headers });
+      }
+      if (url.includes("/admin/users/u-1")) {
+        return route.fulfill({
+          json: {
+            id: "u-1",
+            name: "User One",
+            email: "u1@test.com",
+            phone: "",
+            status: "active",
+            role: "user",
+            tenantSlug: "main",
+            createdAt: new Date().toISOString(),
+            metadata: {},
+          },
+          headers,
+        });
+      }
+      if (url.includes("/admin/tenants")) {
+        return route.fulfill({
+          json: {
+            items: [
+              { id: "t-1", name: "Main Tenant", slug: "main", type: "COMPANY" },
+            ],
+            total: 1,
+          },
+          headers,
+        });
+      }
+
+      return route.fulfill({ json: { items: [], total: 0 }, headers });
+    });
+
+    await page.goto("/users/u-1");
+    await expect(page.getByRole("heading", { name: "User One" })).toBeVisible({
+      timeout: 20000,
+    });
+    await expect(page.locator("#role")).toHaveCount(0);
+    await expect(page.getByLabel("역할")).toHaveCount(0);
+  });
+
   test("should let canonical super admin aliases promote selected users", async ({
     page,
   }) => {