feat: apply RBAC read/write separation to outbound_create module

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/api/v1/outbound.py

@@ -1,7 +1,8 @@
 from flask import Blueprint, request, jsonify
 from app.services.outbound_service import OutboundService
-from flask_jwt_extended import jwt_required, get_jwt_identity
+from flask_jwt_extended import jwt_required, get_jwt_identity, get_jwt
 from app.utils.decorators import permission_required
+from app.services.auth_service import AuthService
 import traceback
 
 outbound_bp = Blueprint('outbound', __name__, url_prefix='/outbound')
@@ -46,8 +47,20 @@ def scan_barcode():
 # --------------------------------------------------------
 @outbound_bp.route('', methods=['POST'])
 @jwt_required()
-@permission_required('outbound_selection:operation')
 def create_outbound():
+    # 权限检查：需要 outbound_create:operation 或 outbound_selection:operation 之一
+    claims = get_jwt()
+    user_role = claims.get('role')
+    if not user_role:
+        return jsonify({'code': 403, 'msg': '未授权'}), 403
+
+    # 超级管理员直接放行
+    if user_role != 'super_admin':
+        perm_dict = AuthService.get_user_permissions(user_role)
+        perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
+        if ('outbound_create:operation' not in perms) and ('outbound_selection:operation' not in perms):
+            return jsonify({'code': 403, 'msg': '权限不足'}), 403
+
     data = request.get_json()
     if not data:
         return jsonify({'code': 400, 'msg': '无有效数据'}), 400