feat(security): implement strict row-level data isolation based on user company

2026-04-14 08:38:50 +08:00
parent 81bfb29b50
commit 0e8ddd0851
3 changed files with 60 additions and 11 deletions
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@ -104,6 +104,8 @@ class AuthService:
            user_id = user.id
            user_info = user.to_dict()
            user_info['role'] = user_role
+            # 获取用户所属公司（存于 department 字段）
+            user_company = user.department or ''

        # 3. 生成 Token
        # Token 中 identity 存数据库ID，claims 存登录账号ID
@ -115,7 +117,8 @@ class AuthService:
            additional_claims={
                'role': user_role,
                'username': account_id,  # 存纯账号ID
-                'display_name': user_info.get('username')  # 存显示名
+                'display_name': user_info.get('username'),  # 存显示名
+                'company_name': user_company  # 存所属公司
            }
        )

@ -125,7 +128,8 @@ class AuthService:
            additional_claims={
                'role': user_role,
                'username': account_id,
-                'display_name': user_info.get('display_name', account_id)
+                'display_name': user_info.get('display_name', account_id),
+                'company_name': user_company
            }
        )