fix: guard service account landing redirect

daryllimyt · daryllimyt · commit f681f0bfa838 · 2026-04-22T21:01:48.000-04:00
diff --git a/frontend/src/app/workspaces/[workspaceId]/page.tsx b/frontend/src/app/workspaces/[workspaceId]/page.tsx
@@ -43,6 +43,7 @@ export default function WorkspacePage() {
   const canViewServiceAccounts = useScopeCheck("workspace:service_account:read")
   const canViewMembers = useScopeCheck("workspace:member:read")
   const canViewInbox = useScopeCheck("inbox:read")
+  const canReadWorkspace = useScopeCheck("workspace:read")
 
   const { hasEntitlement, isLoading: entitlementsLoading } = useEntitlements()
   const agentAddonsEnabled = hasEntitlement("agent_addons")
@@ -60,6 +61,7 @@ export default function WorkspacePage() {
       canViewServiceAccounts,
       canViewMembers,
       canViewInbox,
+      canReadWorkspace,
     ].some((value) => value === undefined)
 
   const landingPath = useMemo(() => {
@@ -88,7 +90,7 @@ export default function WorkspacePage() {
     if (canViewIntegrations === true) {
       return `${basePath}/integrations`
     }
-    if (canViewServiceAccounts === true) {
+    if (canViewServiceAccounts === true && canReadWorkspace === true) {
       return `${basePath}/service-accounts`
     }
     if (canViewMembers === true) {
@@ -106,6 +108,7 @@ export default function WorkspacePage() {
     canViewIntegrations,
     canViewMembers,
     canViewSecrets,
+    canReadWorkspace,
     canViewTables,
     canViewVariables,
     canViewWorkflows,
diff --git a/frontend/tests/workspace-landing-page.test.tsx b/frontend/tests/workspace-landing-page.test.tsx
@@ -0,0 +1,78 @@
+/**
+ * @jest-environment jsdom
+ */
+
+import { render, screen, waitFor } from "@testing-library/react"
+import WorkspacePage from "@/app/workspaces/[workspaceId]/page"
+
+const mockRouterReplace = jest.fn()
+const mockUseScopeCheck = jest.fn<boolean | undefined, [string]>()
+let mockScopes: Record<string, boolean | undefined> = {}
+
+jest.mock("next/navigation", () => ({
+  useRouter: () => ({ replace: mockRouterReplace }),
+}))
+
+jest.mock("next/image", () => ({
+  __esModule: true,
+  default: (props: {
+    src: string
+    alt: string
+    className?: string
+  }): JSX.Element => <img alt={props.alt} className={props.className} />,
+}))
+
+jest.mock("@/components/auth/scope-guard", () => ({
+  useScopeCheck: (scope: string) => mockUseScopeCheck(scope),
+}))
+
+jest.mock("@/components/loading/spinner", () => ({
+  CenteredSpinner: () => <div>Loading</div>,
+}))
+
+jest.mock("@/hooks", () => ({
+  useEntitlements: () => ({
+    hasEntitlement: () => false,
+    isLoading: false,
+  }),
+}))
+
+jest.mock("@/providers/workspace-id", () => ({
+  useWorkspaceId: () => "workspace-1",
+}))
+
+describe("WorkspacePage", () => {
+  beforeEach(() => {
+    mockRouterReplace.mockReset()
+    mockUseScopeCheck.mockReset()
+    mockScopes = {}
+    mockUseScopeCheck.mockImplementation((scope) => mockScopes[scope] ?? false)
+  })
+
+  it("does not redirect service-account-only users into the workspace shell", () => {
+    mockScopes = {
+      "workspace:service_account:read": true,
+      "workspace:read": false,
+    }
+
+    render(<WorkspacePage />)
+
+    expect(mockRouterReplace).not.toHaveBeenCalled()
+    expect(screen.getByText("No accessible pages")).toBeInTheDocument()
+  })
+
+  it("redirects to service accounts when the workspace shell is readable", async () => {
+    mockScopes = {
+      "workspace:service_account:read": true,
+      "workspace:read": true,
+    }
+
+    render(<WorkspacePage />)
+
+    await waitFor(() => {
+      expect(mockRouterReplace).toHaveBeenCalledWith(
+        "/workspaces/workspace-1/service-accounts"
+      )
+    })
+  })
+})
