From 38f0bbe41d358f025be02f11827dd08f7166819a Mon Sep 17 00:00:00 2001
From: dxc <duxingchen@iris-rs.cn>
Date: Fri, 27 Feb 2026 13:36:10 +0800
Subject: [PATCH] feat: add RBAC for inventory stocktake module

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
---
 inventory-backend/app/api/v1/inbound/stock.py     |  9 ++++++++-
 inventory-web/src/views/stock/stocktake/index.vue | 11 ++++++-----
 2 files changed, 14 insertions(+), 6 deletions(-)

diff --git a/inventory-backend/app/api/v1/inbound/stock.py b/inventory-backend/app/api/v1/inbound/stock.py
index 777b2c0..0c49ea7 100644
--- a/inventory-backend/app/api/v1/inbound/stock.py
+++ b/inventory-backend/app/api/v1/inbound/stock.py
@@ -2,6 +2,7 @@ from flask import Blueprint, jsonify, request
 from app.extensions import db
 # ★★★ 修复点：必须引入 datetime，否则下方更新时间时会报错 500 ★★★
 from datetime import datetime
+from app.utils.decorators import permission_required
 
 # 导入模型
 from app.models.inbound.buy import StockBuy
@@ -24,6 +25,7 @@ bp = Blueprint('stock_ops', __name__)
 
 
 @bp.route('/all', methods=['GET'])
+@permission_required('inventory_stocktake')
 def get_all_stock():
     """
     获取所有库存 > 0 的物品
@@ -63,6 +65,7 @@ def get_all_stock():
 # --- 草稿箱接口 ---
 
 @bp.route('/draft/list', methods=['GET'])
+@permission_required('inventory_stocktake')
 def get_drafts():
     """获取当前用户的盘点进度"""
     user_id = request.args.get('user_id', 'admin')
@@ -71,6 +74,7 @@ def get_drafts():
 
 
 @bp.route('/draft/add', methods=['POST'])
+@permission_required('inventory_stocktake:operation')
 def add_draft():
     """扫码同步 (支持更新数量)"""
     try:
@@ -100,6 +104,7 @@ def add_draft():
 
 
 @bp.route('/draft/clear', methods=['POST'])
+@permission_required('inventory_stocktake:operation')
 def clear_draft():
     """清空进度"""
     data = request.json
@@ -113,6 +118,7 @@ def clear_draft():
 # --- 打印接口 ---
 
 @bp.route('/print/selection', methods=['POST'])
+@permission_required('inventory_stocktake:operation')
 def print_selection():
     try:
         data = request.json
@@ -126,6 +132,7 @@ def print_selection():
 
 
 @bp.route('/print/stocktake', methods=['POST'])
+@permission_required('inventory_stocktake:operation')
 def print_stocktake():
     try:
         data = request.json
@@ -133,4 +140,4 @@ def print_stocktake():
         success, msg = printer.print_stocktake_report(data)
         return jsonify({"message": "盘点报告已发送" if success else msg}), 200 if success else 500
     except Exception as e:
-        return jsonify({"message": str(e)}), 500
\ No newline at end of file
+        return jsonify({"message": str(e)}), 500
diff --git a/inventory-web/src/views/stock/stocktake/index.vue b/inventory-web/src/views/stock/stocktake/index.vue
index 6d656fb..edfc853 100644
--- a/inventory-web/src/views/stock/stocktake/index.vue
+++ b/inventory-web/src/views/stock/stocktake/index.vue
@@ -43,7 +43,7 @@
             <el-tag v-else-if="syncStatus === 'syncing'" type="warning" size="small" effect="dark" round>同步中...</el-tag>
             <el-tag v-else type="danger" size="small" effect="dark" round>同步失败</el-tag>
           </div>
-          <el-button type="info" text bg size="small" @click="pauseSession" :icon="VideoPause">
+          <el-button v-if="userStore.hasPermission('inventory_stocktake:operation')" type="info" text bg size="small" @click="pauseSession" :icon="VideoPause">
             暂停
           </el-button>
         </div>
@@ -84,7 +84,7 @@
             </el-button>
           </el-col>
           <el-col :span="12">
-            <el-button type="danger" size="large" class="w-100 action-btn" @click="openFinishDialog" :icon="Checked">
+            <el-button v-if="userStore.hasPermission('inventory_stocktake:operation')" type="danger" size="large" class="w-100 action-btn" @click="openFinishDialog" :icon="Checked">
               结束盘点
             </el-button>
           </el-col>
@@ -139,7 +139,7 @@
       <template #footer>
         <div class="dialog-footer">
           <el-button @click="showQtyDialog = false">取消</el-button>
-          <el-button type="primary" @click="handleManualConfirm" size="large">确认数量</el-button>
+          <el-button v-if="userStore.hasPermission('inventory_stocktake:operation')" type="primary" @click="handleManualConfirm" size="large">确认数量</el-button>
         </div>
       </template>
     </el-dialog>
@@ -190,6 +190,7 @@
             <el-table-column label="操作" width="90" align="center" fixed="right">
               <template #default="scope">
                 <el-button
+                    v-if="userStore.hasPermission('inventory_stocktake:operation')"
                     type="primary"
                     link
                     icon="Edit"
@@ -237,7 +238,7 @@
           <el-button @click="showFinishDialog = false">返回修改</el-button>
           <div class="footer-right">
             <el-button type="success" @click="exportToExcel" :icon="Download">导出Excel</el-button>
-            <el-button type="danger" @click="finishStocktake" :loading="printing" :icon="Checked">结束</el-button>
+            <el-button v-if="userStore.hasPermission('inventory_stocktake:operation')" type="danger" @click="finishStocktake" :loading="printing" :icon="Checked">结束</el-button>
           </div>
         </div>
       </template>
@@ -690,4 +691,4 @@ const finishStocktake = async () => {
 .missing-list-header { font-weight: bold; margin-bottom: 8px; font-size: 13px; border-left: 3px solid #f56c6c; padding-left: 8px; }
 .dialog-footer { display: flex; justify-content: space-between; align-items: center; margin-top: 10px; }
 .footer-right { display: flex; gap: 10px; }
-</style>
\ No newline at end of file
+</style>