feat: add field-level data protection for BOM and user management

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/api/v1/bom.py

@@ -113,6 +113,36 @@ def save_bom():
     """保存或更新 BOM 配方（支持自定义 bom_no 和 多版本）"""
     try:
         req_data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'bom_manage:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'parent_id': 'bom_manage:parent_id',
+                'version': 'bom_manage:version',
+                'is_enabled': 'bom_manage:status',
+                'bom_no': 'bom_manage:bom_no',
+            }
+            # 清洗顶级字段
+            for field in list(req_data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    req_data.pop(field, None)
+            # 清洗 children 中的字段
+            if 'children' in req_data and isinstance(req_data['children'], list):
+                for child in req_data['children']:
+                    # 子件字段映射
+                    child_field_to_perm = {
+                        'child_id': 'bom_manage:child_id',
+                        'dosage': 'bom_manage:dosage',
+                        'remark': 'bom_manage:remark',
+                    }
+                    for field in list(child.keys()):
+                        perm_code = child_field_to_perm.get(field)
+                        if perm_code and perm_code not in user_permissions:
+                            child.pop(field, None)
+
         # 必需字段校验
         if 'parent_id' not in req_data or 'children' not in req_data:
             return jsonify({'code': 400, 'msg': '缺少 parent_id 或 children 字段'}), 400
@@ -216,6 +246,36 @@ def get_bom(parent_id):
 def save_bom_legacy():
     try:
         req_data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'bom_manage:*' not in user_permissions:
+            # 字段名到权限码的映射
+            field_to_perm = {
+                'parent_id': 'bom_manage:parent_id',
+                'version': 'bom_manage:version',
+                'is_enabled': 'bom_manage:status',
+                'bom_no': 'bom_manage:bom_no',
+            }
+            # 清洗顶级字段
+            for field in list(req_data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    req_data.pop(field, None)
+            # 清洗 children 中的字段
+            if 'children' in req_data and isinstance(req_data['children'], list):
+                for child in req_data['children']:
+                    # 子件字段映射
+                    child_field_to_perm = {
+                        'child_id': 'bom_manage:child_id',
+                        'dosage': 'bom_manage:dosage',
+                        'remark': 'bom_manage:remark',
+                    }
+                    for field in list(child.keys()):
+                        perm_code = child_field_to_perm.get(field)
+                        if perm_code and perm_code not in user_permissions:
+                            child.pop(field, None)
+
         parent_id = req_data.get('parent_id')
         child_list = req_data.get('children', [])
         if not parent_id or not isinstance(child_list, list):