feat: add field-level data protection for BOM and user management

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 15:16:11 +08:00
parent 1fe00a8ba3
commit 4324e5a688
4 changed files with 153 additions and 15 deletions
--- a/inventory-backend/app/api/v1/auth.py
+++ b/inventory-backend/app/api/v1/auth.py
@ -84,6 +84,32 @@ def login():
 def create_user():
    try:
        data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'system_user:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'cn_name': 'system_user:username',
+                'username': 'system_user:username',
+                'password': 'system_user:password',
+                'department': 'system_user:department',
+                'role': 'system_user:role',
+                'email': 'system_user:email',
+            }
+            # 对于 password 字段，如果没有对应权限但用户有操作权限，可以保留（由装饰器保证）
+            # 但如果连操作权限都没有，则不会进入此接口。
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                # 密码字段特殊处理：如果没有 password 权限但用户有操作权限，仍允许（不删除）
+                if field == 'password':
+                    # 检查用户是否有操作权限，如果有则保留
+                    if 'system_user:operation' not in user_permissions:
+                        data.pop(field, None)
+                    continue
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
        claims = get_jwt()
        operator_role = claims.get('role')

@ -102,6 +128,30 @@ def create_user():
 def update_user(user_id):
    try:
        data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'system_user:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'cn_name': 'system_user:username',
+                'username': 'system_user:username',
+                'password': 'system_user:password',
+                'department': 'system_user:department',
+                'role': 'system_user:role',
+                'email': 'system_user:email',
+            }
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                # 密码字段特殊处理：如果没有 password 权限但用户有操作权限，仍允许（不删除）
+                if field == 'password':
+                    # 检查用户是否有操作权限，如果有则保留
+                    if 'system_user:operation' not in user_permissions:
+                        data.pop(field, None)
+                    continue
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
        claims = get_jwt()
        operator_role = claims.get('role')