fix-security-correct-field-permission-mapping-and-403-denial
@ -43,8 +43,8 @@ def filter_item_by_permissions(item_dict, user_permissions):
|
||||
'sku': 'inbound_buy:sku',
|
||||
'barcode': 'inbound_buy:barcode',
|
||||
'in_date': 'inbound_buy:in_date',
|
||||
'serial_number': 'inbound_buy:serial_number',
|
||||
'batch_number': 'inbound_buy:batch_number',
|
||||
'serial_number': 'inbound_buy:sn_bn',
|
||||
'batch_number': 'inbound_buy:sn_bn',
|
||||
'status': 'inbound_buy:status',
|
||||
'in_quantity': 'inbound_buy:in_quantity',
|
||||
'stock_quantity': 'inbound_buy:stock_quantity',
|
||||
|
||||
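Review bot: Mapping both `'serial_number'` and `'batch_number'` to the single code `'inbound_buy:sn_bn'` is not explained in the dict itself, so the next reader cannot tell whether the collapsed codes `inbound_buy:serial_number` / `inbound_buy:batch_number` are still meant to exist anywhere. Add a comment above the two entries, e.g. `# serial_number and batch_number are gated by one permission code (sn_bn): holding it reveals both fields`. If role definitions or seed data still grant the two old codes, users holding them now lose both fields — fail-closed, but worth a migration note in the commit. Any query-side filtering or search on these two fields should use the same mapping so the values cannot be recovered through a filter oracle; those call sites are not visible from this hunk, and the rest of `filter_item_by_permissions` lies outside it.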
@ -221,7 +221,11 @@ class MaterialBaseService:
|
||||
req_company = filters.get('company') if filters else None
|
||||
|
||||
if user_role != 'SUPER_ADMIN':
|
||||
# 普通用户:强制隔离!无视前端传的 company 参数
|
||||
# 【显式拒绝越权】如果前端传了公司参数,且不是当前用户的公司,返回403
|
||||
if req_company and req_company != user_company:
|
||||
from flask import abort
|
||||
abort(403, description=f'越权访问:您无权查询 {req_company} 的数据')
|
||||
# 正常查询本公司数据
|
||||
if user_company:
|
||||
query = query.filter(MaterialBase.company_name == user_company)
|
||||
# 如果用户没有所属公司字段,则只显示公司为空的记录(或不允许查看)
|
||||
|
||||
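Review bot: The comment `# 普通用户:强制隔离!无视前端传的 company 参数` now contradicts the code beneath it, which no longer ignores the request's company parameter but refuses it with 403; reword it to `# Non-admin: the requested company must match the token's company; a mismatch is refused with 403`. The comparison `req_company != user_company` is also stricter than the `.strip()` comparison used for the same check in BuyInboundService, so `' ACME'` is a 403 here and accepted there — pick one normalization and apply it in both services. The 403 description echoes the caller-supplied `req_company` verbatim; Werkzeug escapes it on the default error page, but a custom JSON error handler may not, and the more useful action is to log the denied attempt together with the user's identity, since this is precisely the event an audit trail should capture. The `else` branch for a user with no company claim continues outside the hunk; it should fail closed rather than return company-less records.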
@ -356,7 +356,11 @@ class BuyInboundService:
|
||||
user_company = claims.get('company_name', '')
|
||||
|
||||
if user_role != 'SUPER_ADMIN':
|
||||
# 普通用户:强制隔离!无视前端传的 company 参数
|
||||
# 【显式拒绝越权】如果前端传了公司参数,且不是当前用户的公司,返回403
|
||||
if company and company.strip() and company.strip() != user_company:
|
||||
from flask import abort
|
||||
abort(403, description=f'越权访问:您无权查询 {company} 的数据')
|
||||
# 正常查询本公司数据
|
||||
if user_company:
|
||||
query = query.filter(MaterialBase.company_name == user_company)
|
||||
else:
|
||||
|
||||
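Review bot: `company.strip()` in the guard assumes `company` is a str; if it arrives from JSON or query parsing as a non-string (a list, an int), the check raises AttributeError and the request fails with a 500 instead of a clean 400/403. Normalize once before the check, e.g. `company = company.strip() if isinstance(company, str) else None`, then compare `company and company != user_company` and reuse the normalized value in the abort message. The scoping filter is applied to `MaterialBase.company_name` inside BuyInboundService — if `query` is not already joined to MaterialBase this adds a cross join rather than isolating the inbound rows by their own company, which I cannot verify from the hunk. The `else:` for a user without a company claim continues outside the hunk and should deny rather than fall back to unscoped data.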