feat: apply RBAC permission control to product module

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 13:03:27 +08:00
parent 246fb45cde
commit 1d2e8feced
2 changed files with 163 additions and 6 deletions
--- a/inventory-backend/app/api/v1/inbound/product.py
+++ b/inventory-backend/app/api/v1/inbound/product.py
@ -1,15 +1,90 @@
 # inventory-backend/app/api/v1/inbound/product.py
 from flask import Blueprint, request, jsonify
 from app.services.inbound.product_service import ProductInboundService
+from app.utils.decorators import permission_required
 import traceback

 inbound_product_bp = Blueprint('stock_product', __name__)


+# ==============================================================================
+# 辅助函数：获取当前用户的完整权限列表（基于角色查询）
+# ==============================================================================
+def get_current_user_permissions():
+    """
+    返回当前用户拥有的所有权限码列表（包括菜单和元素）
+    此函数根据角色查询数据库得到权限。
+    """
+    from flask_jwt_extended import get_jwt
+    from app.services.auth_service import AuthService
+    claims = get_jwt()
+    user_role = claims.get('role')
+    if not user_role:
+        return []
+    # 超级管理员返回所有字段权限
+    if user_role == 'super_admin':
+        # 返回所有以 inbound_product: 开头的权限码（这里我们返回一个特殊标记，表示全部）
+        # 为了简单，我们返回 ['inbound_product:*']，在过滤函数中特殊处理
+        return ['inbound_product:*']
+    perm_dict = AuthService.get_user_permissions(user_role)
+    # 合并菜单和元素权限
+    perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
+    return perms
+
+
+def filter_item_by_permissions(item_dict, user_permissions):
+    """
+    根据用户权限过滤 item 字典，无权限的字段值置为 None
+    """
+    # 字段名到权限码的映射（与前端 permissionMap 保持一致）
+    field_to_perm = {
+        'id': 'inbound_product:id',
+        'base_id': 'inbound_product:base_id',
+        'company_name': 'inbound_product:company_name',
+        'material_name': 'inbound_product:material_name',
+        'category': 'inbound_product:category',
+        'material_type': 'inbound_product:material_type',
+        'spec_model': 'inbound_product:spec_model',
+        'unit': 'inbound_product:unit',
+        'sku': 'inbound_product:sku',
+        'inbound_date': 'inbound_product:inbound_date',
+        'barcode': 'inbound_product:barcode',
+        'serial_number': 'inbound_product:serial_number',
+        'status': 'inbound_product:status',
+        'quality_status': 'inbound_product:quality_status',
+        'in_quantity': 'inbound_product:in_quantity',
+        'stock_quantity': 'inbound_product:stock_quantity',
+        'available_quantity': 'inbound_product:available_quantity',
+        'warehouse_location': 'inbound_product:warehouse_location',
+        'bom_code': 'inbound_product:bom_code',
+        'bom_version': 'inbound_product:bom_version',
+        'work_order_code': 'inbound_product:work_order_code',
+        'order_id': 'inbound_product:order_id',
+        'production_manager': 'inbound_product:production_manager',
+        'production_start_time': 'inbound_product:production_start_time',
+        'production_end_time': 'inbound_product:production_end_time',
+        'raw_material_cost': 'inbound_product:raw_material_cost',
+        'manual_cost': 'inbound_product:manual_cost',
+        'sale_price': 'inbound_product:sale_price',
+        'product_photo': 'inbound_product:product_photo',
+        'quality_report_link': 'inbound_product:quality_report_link',
+        'inspection_report_link': 'inbound_product:inspection_report_link',
+        'detail_link': 'inbound_product:detail_link',
+    }
+    # 如果用户是超级管理员且有 'inbound_product:*'，则不过滤
+    if 'inbound_product:*' in user_permissions:
+        return item_dict
+    for field, perm_code in field_to_perm.items():
+        if field in item_dict and perm_code not in user_permissions:
+            item_dict[field] = None
+    return item_dict
+
+
 # ------------------------------------------------------------------
 # 0. 基础物料搜索 (关键接口：配合 Service 实现自动回填)
 # ------------------------------------------------------------------
@inbound_product_bp.route('/search-base', methods=['GET'])
+@permission_required('inbound_product')
 def search_base():
    """
    对应前端 API: /inbound/product/search-base
@ -19,7 +94,10 @@ def search_base():
        keyword = request.args.get('keyword', '')
        # 调用 Service 层已修复的 search_base_material 方法
        data = ProductInboundService.search_base_material(keyword)
-        return jsonify({"code": 200, "msg": "success", "data": data})
+        # 字段级脱敏
+        user_permissions = get_current_user_permissions()
+        filtered_data = [filter_item_by_permissions(item, user_permissions) for item in data]
+        return jsonify({"code": 200, "msg": "success", "data": filtered_data})
    except Exception as e:
        # 捕获异常并打印堆栈，方便调试
        traceback.print_exc()
@ -29,6 +107,7 @@ def search_base():
 # 0.5 [新增] BOM 搜索接口
 # ------------------------------------------------------------------
@inbound_product_bp.route('/search-bom', methods=['GET'])
+@permission_required('inbound_product')
 def search_bom():
    """
    供前端下拉框远程搜索使用 (搜索BOM)
@ -50,6 +129,7 @@ def search_bom():
 # 1. 获取列表 (支持 status 多选筛选)
 # ------------------------------------------------------------------
@inbound_product_bp.route('/list', methods=['GET'])
+@permission_required('inbound_product')
 def get_list():
    try:
        page = request.args.get('page', 1, type=int)
@ -61,6 +141,10 @@ def get_list():
        statuses = statuses_str.split(',') if statuses_str else []

        result = ProductInboundService.get_list(page, limit, keyword, statuses)
+        # 字段级脱敏
+        user_permissions = get_current_user_permissions()
+        if result.get('items'):
+            result['items'] = [filter_item_by_permissions(item, user_permissions) for item in result['items']]
        return jsonify({"code": 200, "msg": "success", "data": result})
    except Exception as e:
        traceback.print_exc()
@ -71,6 +155,7 @@ def get_list():
 # 2. 新增入库
 # ------------------------------------------------------------------
@inbound_product_bp.route('/submit', methods=['POST'])
+@permission_required('inbound_product:operation')
 def submit():
    try:
        # 调用 Service 处理入库，获取新创建的对象
@ -91,6 +176,7 @@ def submit():
 # 3. 更新入库
 # ------------------------------------------------------------------
@inbound_product_bp.route('/<int:id>', methods=['PUT'])
+@permission_required('inbound_product:operation')
 def update(id):
    try:
        ProductInboundService.update_inbound(id, request.get_json())
@ -104,6 +190,7 @@ def update(id):
 # 4. 删除
 # ------------------------------------------------------------------
@inbound_product_bp.route('/<int:id>', methods=['DELETE'])
+@permission_required('inbound_product:operation')
 def delete(id):
    try:
        ProductInboundService.delete_inbound(id)
@ -117,6 +204,7 @@ def delete(id):
 # 5. 获取出库历史
 # ------------------------------------------------------------------
@inbound_product_bp.route('/<int:id>/history', methods=['GET'])
+@permission_required('inbound_product')
 def get_history(id):
    try:
        data = ProductInboundService.get_outbound_history(id)
@ -130,6 +218,7 @@ def get_history(id):
 # 6. 系统用户建议
 # ------------------------------------------------------------------
@inbound_product_bp.route('/suggestions/users', methods=['GET'])
+@permission_required('inbound_product')
 def get_user_suggestions():
    keyword = request.args.get('keyword', '')
    data = ProductInboundService.search_system_users(keyword)
@ -140,9 +229,10 @@ def get_user_suggestions():
 # 7. 获取筛选选项
 # ------------------------------------------------------------------
@inbound_product_bp.route('/options', methods=['GET'])
+@permission_required('inbound_product')
 def get_options():
    try:
        data = ProductInboundService.get_filter_options()
        return jsonify({"code": 200, "msg": "success", "data": data})
    except Exception as e:
-        return jsonify({"code": 500, "msg": str(e)}), 500
+        return jsonify({"code": 500, "msg": str(e)}), 500