feat(security): implement strict row-level data isolation based on user company

2026-04-14 08:38:50 +08:00
parent 81bfb29b50
commit 0e8ddd0851
3 changed files with 60 additions and 11 deletions
--- a/inventory-backend/app/services/inbound/buy_service.py
+++ b/inventory-backend/app/services/inbound/buy_service.py
@ -1,4 +1,5 @@
 # inventory-backend/app/services/inbound/buy_service.py
+from flask_jwt_extended import get_jwt
 from app.extensions import db
 from app.models.inbound.buy import StockBuy
 from app.models.inbound.product import StockProduct
@ -347,9 +348,21 @@ class BuyInboundService:
            if material_type and material_type.strip():
                query = query.filter(MaterialBase.material_type == material_type.strip())

-            # 3.1 公司独立搜索 [新增]
-            if company and company.strip():
-                query = query.filter(MaterialBase.company_name == company.strip())
+            # ============================================================
+            # 【行级数据隔离】基于 JWT 中的 company_name 进行过滤
+            # ============================================================
+            claims = get_jwt()
+            user_role = claims.get('role', '').upper() if claims.get('role') else ''
+            user_company = claims.get('company_name', '')
+
+            if user_role != 'SUPER_ADMIN':
+                # 普通用户：强制隔离！无视前端传的 company 参数
+                if user_company:
+                    query = query.filter(MaterialBase.company_name == user_company)
+            else:
+                # 超级管理员：允许跨公司视角
+                if company and company.strip():
+                    query = query.filter(MaterialBase.company_name == company.strip())

            # 4. 状态筛选
            if not statuses: statuses = ['在库', '借库']