From 11fafde5e34d696384de50f8d1c4b6d39bf5780e Mon Sep 17 00:00:00 2001
From: dxc
Date: Fri, 27 Feb 2026 10:29:15 +0800
Subject: [PATCH] fix: remove temporary role whitelist and add permission denial logging

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking)
---
 inventory-backend/app/utils/decorators.py | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/inventory-backend/app/utils/decorators.py b/inventory-backend/app/utils/decorators.py
index acc60d6..41fe2f7 100644
--- a/inventory-backend/app/utils/decorators.py
+++ b/inventory-backend/app/utils/decorators.py
@@ -67,12 +67,6 @@ def permission_required(permission_code):
 if user_role == 'super_admin':
 return fn(*args, **kwargs)
 
- # TODO: 临时开发白名单 - 在数据库权限配置完备后,请删除此段代码
- # 允许 admin 和 manager 角色直接访问所有接口,避免开发阶段阻塞
- if user_role in ['admin', 'manager']:
- logging.info(f"临时白名单放行: 角色 {user_role} 访问需要权限 {permission_code}")
- return fn(*args, **kwargs)
-
 # 根据角色查询数据库中的权限
 try:
 from app.services.auth_service import AuthService
@@ -85,6 +79,7 @@ def permission_required(permission_code):
 all_perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
 if permission_code not in all_perms:
 # 详细的调试日志
+ print(f"🔴 [权限拦截] 角色 '{user_role}' 访问被拒!需要权限码: '{permission_code}', 但该角色实际拥有: {all_perms}")
 logging.warning(
 f"权限检查失败: 角色={user_role}, 所需权限={permission_code}, 实际权限列表={all_perms}")
 return jsonify(msg='权限不足:您没有访问此资源的权限'), 403
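Review bot: The added `print(...)` in the second hunk duplicates the `logging.warning(...)` immediately below it (same role, permission code and permission list) while bypassing the logging configuration entirely: it writes to raw stdout, cannot be level-filtered or routed by handlers, and is not what an audit pipeline will pick up. It also embeds an emoji, so on a deployment where `sys.stdout` is not UTF-8 the call raises `UnicodeEncodeError` on the denial path and turns a clean 403 into an unhandled error unless the surrounding `try`/`except`, which begins in the first hunk and ends outside both, happens to swallow it. Since the warning already carries the "permission denial logging" the subject line describes, drop the `print` line; if the extra wording is wanted keep it in the logger as `logging.debug("权限拦截: 角色=%s 所需权限=%s 实际权限=%r", user_role, permission_code, all_perms)` so it stays level-gated. The body of `permission_required` starts and ends outside this hunk.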