feat: add field-level data protection for BOM and user management

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/api/v1/auth.py

@@ -84,6 +84,32 @@ def login():
 def create_user():
     try:
         data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'system_user:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'cn_name': 'system_user:username',
+                'username': 'system_user:username',
+                'password': 'system_user:password',
+                'department': 'system_user:department',
+                'role': 'system_user:role',
+                'email': 'system_user:email',
+            }
+            # 对于 password 字段，如果没有对应权限但用户有操作权限，可以保留（由装饰器保证）
+            # 但如果连操作权限都没有，则不会进入此接口。
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                # 密码字段特殊处理：如果没有 password 权限但用户有操作权限，仍允许（不删除）
+                if field == 'password':
+                    # 检查用户是否有操作权限，如果有则保留
+                    if 'system_user:operation' not in user_permissions:
+                        data.pop(field, None)
+                    continue
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
         claims = get_jwt()
         operator_role = claims.get('role')
 
@@ -102,6 +128,30 @@ def create_user():
 def update_user(user_id):
     try:
         data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'system_user:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'cn_name': 'system_user:username',
+                'username': 'system_user:username',
+                'password': 'system_user:password',
+                'department': 'system_user:department',
+                'role': 'system_user:role',
+                'email': 'system_user:email',
+            }
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                # 密码字段特殊处理：如果没有 password 权限但用户有操作权限，仍允许（不删除）
+                if field == 'password':
+                    # 检查用户是否有操作权限，如果有则保留
+                    if 'system_user:operation' not in user_permissions:
+                        data.pop(field, None)
+                    continue
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
         claims = get_jwt()
         operator_role = claims.get('role')
 

inventory-backend/app/api/v1/bom.py

@@ -113,6 +113,36 @@ def save_bom():
     """保存或更新 BOM 配方（支持自定义 bom_no 和 多版本）"""
     try:
         req_data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'bom_manage:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'parent_id': 'bom_manage:parent_id',
+                'version': 'bom_manage:version',
+                'is_enabled': 'bom_manage:status',
+                'bom_no': 'bom_manage:bom_no',
+            }
+            # 清洗顶级字段
+            for field in list(req_data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    req_data.pop(field, None)
+            # 清洗 children 中的字段
+            if 'children' in req_data and isinstance(req_data['children'], list):
+                for child in req_data['children']:
+                    # 子件字段映射
+                    child_field_to_perm = {
+                        'child_id': 'bom_manage:child_id',
+                        'dosage': 'bom_manage:dosage',
+                        'remark': 'bom_manage:remark',
+                    }
+                    for field in list(child.keys()):
+                        perm_code = child_field_to_perm.get(field)
+                        if perm_code and perm_code not in user_permissions:
+                            child.pop(field, None)
+
         # 必需字段校验
         if 'parent_id' not in req_data or 'children' not in req_data:
             return jsonify({'code': 400, 'msg': '缺少 parent_id 或 children 字段'}), 400
@@ -216,6 +246,36 @@ def get_bom(parent_id):
 def save_bom_legacy():
     try:
         req_data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'bom_manage:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'parent_id': 'bom_manage:parent_id',
+                'version': 'bom_manage:version',
+                'is_enabled': 'bom_manage:status',
+                'bom_no': 'bom_manage:bom_no',
+            }
+            # 清洗顶级字段
+            for field in list(req_data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    req_data.pop(field, None)
+            # 清洗 children 中的字段
+            if 'children' in req_data and isinstance(req_data['children'], list):
+                for child in req_data['children']:
+                    # 子件字段映射
+                    child_field_to_perm = {
+                        'child_id': 'bom_manage:child_id',
+                        'dosage': 'bom_manage:dosage',
+                        'remark': 'bom_manage:remark',
+                    }
+                    for field in list(child.keys()):
+                        perm_code = child_field_to_perm.get(field)
+                        if perm_code and perm_code not in user_permissions:
+                            child.pop(field, None)
+
         parent_id = req_data.get('parent_id')
         child_list = req_data.get('children', [])
         if not parent_id or not isinstance(child_list, list):