feat: Add field permission checks to outbound and transaction APIs

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 15:11:10 +08:00
parent afcf90a859
commit 1fe00a8ba3
2 changed files with 78 additions and 0 deletions
--- a/inventory-backend/app/api/v1/transactions.py
+++ b/inventory-backend/app/api/v1/transactions.py
@ -61,6 +61,26 @@ def filter_item_by_permissions(item_dict, user_permissions, prefix='op_records')
@permission_required('op_borrow:operation')
 def create_borrow():
    data = request.get_json()
+    # 数据清洗：移除用户没有权限的字段
+    user_permissions = get_current_user_permissions()
+    # 超级管理员不过滤
+    if '*' not in user_permissions:
+        field_to_perm = {
+            'borrow_no': 'op_records:borrow_no',
+            'borrower_name': 'op_records:borrower_name',
+            'sku': 'op_records:sku',
+            'borrow_time': 'op_records:borrow_time',
+            'return_time': 'op_records:return_time',
+            'status': 'op_records:status',
+            'expected_return_time': 'op_records:expected_return_time',
+            'return_location': 'op_records:return_location',
+            'borrow_signature': 'op_records:borrow_signature',
+            'return_signature': 'op_records:return_signature',
+        }
+        for field in list(data.keys()):
+            perm_code = field_to_perm.get(field)
+            if perm_code and perm_code not in user_permissions:
+                data.pop(field, None)
    try:
        no = TransService.create_borrow(data)
        return jsonify({'code': 200, 'msg': '借用成功', 'data': {'borrow_no': no}})
@ -90,6 +110,26 @@ def scan_borrowed_item():
@permission_required('op_return:operation')
 def submit_return():
    data = request.get_json()
+    # 数据清洗：移除用户没有权限的字段
+    user_permissions = get_current_user_permissions()
+    # 超级管理员不过滤
+    if '*' not in user_permissions:
+        field_to_perm = {
+            'borrow_no': 'op_records:borrow_no',
+            'borrower_name': 'op_records:borrower_name',
+            'sku': 'op_records:sku',
+            'borrow_time': 'op_records:borrow_time',
+            'return_time': 'op_records:return_time',
+            'status': 'op_records:status',
+            'expected_return_time': 'op_records:expected_return_time',
+            'return_location': 'op_records:return_location',
+            'borrow_signature': 'op_records:borrow_signature',
+            'return_signature': 'op_records:return_signature',
+        }
+        for field in list(data.keys()):
+            perm_code = field_to_perm.get(field)
+            if perm_code and perm_code not in user_permissions:
+                data.pop(field, None)
    user = get_jwt_identity()  # 库管
    try:
        TransService.process_return(data, operator_name=user)