🔒 fix: Enforce admin-only column visibility in logs tables

Ensure non-admin users cannot enable columns reserved for administrators across the following hooks: * web/src/hooks/usage-logs/useUsageLogsData.js - Force-hide CHANNEL, USERNAME and RETRY columns for non-admins. * web/src/hooks/mj-logs/useMjLogsData.js - Force-hide CHANNEL and SUBMIT_RESULT columns for non-admins. * web/src/hooks/task-logs/useTaskLogsData.js - Force-hide CHANNEL column for non-admins. The checks run when loading column preferences from localStorage, overriding any tampered settings to keep sensitive information hidden from unauthorized users.
2025-07-25 20:31:20 +08:00
parent 1430c05b6c
commit fe16d05fbb
3 changed files with 15 additions and 0 deletions
--- a/web/src/hooks/mj-logs/useMjLogsData.js
+++ b/web/src/hooks/mj-logs/useMjLogsData.js
@@ -94,6 +94,11 @@ export const useMjLogsData = () => {
        const parsed = JSON.parse(savedColumns);
        const defaults = getDefaultColumnVisibility();
        const merged = { ...defaults, ...parsed };
+        // If not admin, force hide columns only visible to admins
+        if (!isAdminUser) {
+          merged[COLUMN_KEYS.CHANNEL] = false;
+          merged[COLUMN_KEYS.SUBMIT_RESULT] = false;
+        }
        setVisibleColumns(merged);
      } catch (e) {
        console.error('Failed to parse saved column preferences', e);
--- a/web/src/hooks/task-logs/useTaskLogsData.js
+++ b/web/src/hooks/task-logs/useTaskLogsData.js
@@ -92,6 +92,10 @@ export const useTaskLogsData = () => {
        const parsed = JSON.parse(savedColumns);
        const defaults = getDefaultColumnVisibility();
        const merged = { ...defaults, ...parsed };
+        // If not admin, force hide columns only visible to admins
+        if (!isAdminUser) {
+          merged[COLUMN_KEYS.CHANNEL] = false;
+        }
        setVisibleColumns(merged);
      } catch (e) {
        console.error('Failed to parse saved column preferences', e);
--- a/web/src/hooks/usage-logs/useUsageLogsData.js
+++ b/web/src/hooks/usage-logs/useUsageLogsData.js
@@ -116,6 +116,12 @@ export const useLogsData = () => {
        const parsed = JSON.parse(savedColumns);
        const defaults = getDefaultColumnVisibility();
        const merged = { ...defaults, ...parsed };
+        // If not admin, force hide columns only visible to admins
+        if (!isAdminUser) {
+          merged[COLUMN_KEYS.CHANNEL] = false;
+          merged[COLUMN_KEYS.USERNAME] = false;
+          merged[COLUMN_KEYS.RETRY] = false;
+        }
        setVisibleColumns(merged);
      } catch (e) {
        console.error('Failed to parse saved column preferences', e);