feat: add field-level permission control for inbound modules

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 14:52:12 +08:00
parent 079987e7f3
commit 5bc3dab31c
4 changed files with 289 additions and 14 deletions
--- a/inventory-backend/app/api/v1/inbound/product.py
+++ b/inventory-backend/app/api/v1/inbound/product.py
@ -158,8 +158,56 @@ def get_list():
@permission_required('inbound_product:operation')
 def submit():
    try:
+        data = request.get_json()
+        if not data:
+            return jsonify({"code": 400, "msg": "No data"}), 400
+
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'inbound_product:*' not in user_permissions:
+            field_to_perm = {
+                'id': 'inbound_product:id',
+                'base_id': 'inbound_product:base_id',
+                'company_name': 'inbound_product:company_name',
+                'material_name': 'inbound_product:material_name',
+                'category': 'inbound_product:category',
+                'material_type': 'inbound_product:material_type',
+                'spec_model': 'inbound_product:spec_model',
+                'unit': 'inbound_product:unit',
+                'sku': 'inbound_product:sku',
+                'inbound_date': 'inbound_product:inbound_date',
+                'barcode': 'inbound_product:barcode',
+                'serial_number': 'inbound_product:serial_number',
+                'status': 'inbound_product:status',
+                'quality_status': 'inbound_product:quality_status',
+                'in_quantity': 'inbound_product:in_quantity',
+                'stock_quantity': 'inbound_product:stock_quantity',
+                'available_quantity': 'inbound_product:available_quantity',
+                'warehouse_location': 'inbound_product:warehouse_location',
+                'bom_code': 'inbound_product:bom_code',
+                'bom_version': 'inbound_product:bom_version',
+                'work_order_code': 'inbound_product:work_order_code',
+                'order_id': 'inbound_product:order_id',
+                'production_manager': 'inbound_product:production_manager',
+                'production_start_time': 'inbound_product:production_start_time',
+                'production_end_time': 'inbound_product:production_end_time',
+                'raw_material_cost': 'inbound_product:raw_material_cost',
+                'manual_cost': 'inbound_product:manual_cost',
+                'sale_price': 'inbound_product:sale_price',
+                'product_photo': 'inbound_product:product_photo',
+                'quality_report_link': 'inbound_product:quality_report_link',
+                'inspection_report_link': 'inbound_product:inspection_report_link',
+                'detail_link': 'inbound_product:detail_link',
+            }
+            # 复制一份，避免遍历时修改字典
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
        # 调用 Service 处理入库，获取新创建的对象
-        new_stock = ProductInboundService.handle_inbound(request.get_json())
+        new_stock = ProductInboundService.handle_inbound(data)

        # 返回成功信息以及新创建的数据（包含生成的ID和SKU），供前端自动打印使用
        return jsonify({
@ -179,7 +227,52 @@ def submit():
@permission_required('inbound_product:operation')
 def update(id):
    try:
-        ProductInboundService.update_inbound(id, request.get_json())
+        data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'inbound_product:*' not in user_permissions:
+            field_to_perm = {
+                'id': 'inbound_product:id',
+                'base_id': 'inbound_product:base_id',
+                'company_name': 'inbound_product:company_name',
+                'material_name': 'inbound_product:material_name',
+                'category': 'inbound_product:category',
+                'material_type': 'inbound_product:material_type',
+                'spec_model': 'inbound_product:spec_model',
+                'unit': 'inbound_product:unit',
+                'sku': 'inbound_product:sku',
+                'inbound_date': 'inbound_product:inbound_date',
+                'barcode': 'inbound_product:barcode',
+                'serial_number': 'inbound_product:serial_number',
+                'status': 'inbound_product:status',
+                'quality_status': 'inbound_product:quality_status',
+                'in_quantity': 'inbound_product:in_quantity',
+                'stock_quantity': 'inbound_product:stock_quantity',
+                'available_quantity': 'inbound_product:available_quantity',
+                'warehouse_location': 'inbound_product:warehouse_location',
+                'bom_code': 'inbound_product:bom_code',
+                'bom_version': 'inbound_product:bom_version',
+                'work_order_code': 'inbound_product:work_order_code',
+                'order_id': 'inbound_product:order_id',
+                'production_manager': 'inbound_product:production_manager',
+                'production_start_time': 'inbound_product:production_start_time',
+                'production_end_time': 'inbound_product:production_end_time',
+                'raw_material_cost': 'inbound_product:raw_material_cost',
+                'manual_cost': 'inbound_product:manual_cost',
+                'sale_price': 'inbound_product:sale_price',
+                'product_photo': 'inbound_product:product_photo',
+                'quality_report_link': 'inbound_product:quality_report_link',
+                'inspection_report_link': 'inbound_product:inspection_report_link',
+                'detail_link': 'inbound_product:detail_link',
+            }
+            # 复制一份，避免遍历时修改字典
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
+        ProductInboundService.update_inbound(id, data)
        return jsonify({"code": 200, "msg": "更新成功"})
    except Exception as e:
        traceback.print_exc()
--- a/inventory-backend/app/api/v1/inbound/semi.py
+++ b/inventory-backend/app/api/v1/inbound/semi.py
@ -167,6 +167,50 @@ def submit():
        if not data:
            return jsonify({"code": 400, "msg": "No data"}), 400

+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'inbound_semi:*' not in user_permissions:
+            # 字段名到权限码的映射（与前端 permissionMap 保持一致）
+            field_to_perm = {
+                'id': 'inbound_semi:id',
+                'base_id': 'inbound_semi:base_id',
+                'company_name': 'inbound_semi:company_name',
+                'material_name': 'inbound_semi:material_name',
+                'category': 'inbound_semi:category',
+                'material_type': 'inbound_semi:material_type',
+                'spec_model': 'inbound_semi:spec_model',
+                'unit': 'inbound_semi:unit',
+                'sku': 'inbound_semi:sku',
+                'inbound_date': 'inbound_semi:inbound_date',
+                'barcode': 'inbound_semi:barcode',
+                'serial_number': 'inbound_semi:serial_number',
+                'batch_number': 'inbound_semi:batch_number',
+                'status': 'inbound_semi:status',
+                'quality_status': 'inbound_semi:quality_status',
+                'in_quantity': 'inbound_semi:in_quantity',
+                'stock_quantity': 'inbound_semi:stock_quantity',
+                'available_quantity': 'inbound_semi:available_quantity',
+                'warehouse_location': 'inbound_semi:warehouse_location',
+                'bom_code': 'inbound_semi:bom_code',
+                'bom_version': 'inbound_semi:bom_version',
+                'work_order_code': 'inbound_semi:work_order_code',
+                'raw_material_cost': 'inbound_semi:raw_material_cost',
+                'manual_cost': 'inbound_semi:manual_cost',
+                'unit_total_cost': 'inbound_semi:unit_total_cost',
+                'production_manager': 'inbound_semi:production_manager',
+                'production_start_time': 'inbound_semi:production_start_time',
+                'production_end_time': 'inbound_semi:production_end_time',
+                'arrival_photo': 'inbound_semi:arrival_photo',
+                'quality_report_link': 'inbound_semi:quality_report_link',
+                'detail_link': 'inbound_semi:detail_link',
+            }
+            # 复制一份，避免遍历时修改字典
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
        # 修改：调用 Service 处理入库，获取新创建的对象
        new_stock = SemiInboundService.handle_inbound(data)

@ -189,6 +233,49 @@ def submit():
 def update_semi(id):
    try:
        data = request.get_json()
+        # 数据清洗：移除用户没有权限的字段
+        user_permissions = get_current_user_permissions()
+        # 超级管理员不过滤
+        if 'inbound_semi:*' not in user_permissions:
+            field_to_perm = {
+                'id': 'inbound_semi:id',
+                'base_id': 'inbound_semi:base_id',
+                'company_name': 'inbound_semi:company_name',
+                'material_name': 'inbound_semi:material_name',
+                'category': 'inbound_semi:category',
+                'material_type': 'inbound_semi:material_type',
+                'spec_model': 'inbound_semi:spec_model',
+                'unit': 'inbound_semi:unit',
+                'sku': 'inbound_semi:sku',
+                'inbound_date': 'inbound_semi:inbound_date',
+                'barcode': 'inbound_semi:barcode',
+                'serial_number': 'inbound_semi:serial_number',
+                'batch_number': 'inbound_semi:batch_number',
+                'status': 'inbound_semi:status',
+                'quality_status': 'inbound_semi:quality_status',
+                'in_quantity': 'inbound_semi:in_quantity',
+                'stock_quantity': 'inbound_semi:stock_quantity',
+                'available_quantity': 'inbound_semi:available_quantity',
+                'warehouse_location': 'inbound_semi:warehouse_location',
+                'bom_code': 'inbound_semi:bom_code',
+                'bom_version': 'inbound_semi:bom_version',
+                'work_order_code': 'inbound_semi:work_order_code',
+                'raw_material_cost': 'inbound_semi:raw_material_cost',
+                'manual_cost': 'inbound_semi:manual_cost',
+                'unit_total_cost': 'inbound_semi:unit_total_cost',
+                'production_manager': 'inbound_semi:production_manager',
+                'production_start_time': 'inbound_semi:production_start_time',
+                'production_end_time': 'inbound_semi:production_end_time',
+                'arrival_photo': 'inbound_semi:arrival_photo',
+                'quality_report_link': 'inbound_semi:quality_report_link',
+                'detail_link': 'inbound_semi:detail_link',
+            }
+            # 复制一份，避免遍历时修改字典
+            for field in list(data.keys()):
+                perm_code = field_to_perm.get(field)
+                if perm_code and perm_code not in user_permissions:
+                    data.pop(field, None)
+
        SemiInboundService.update_inbound(id, data)
        return jsonify({"code": 200, "msg": "更新成功"})
    except Exception as e:
--- a/inventory-web/src/views/stock/inbound/product.vue
+++ b/inventory-web/src/views/stock/inbound/product.vue
@ -211,12 +211,12 @@
              </el-row>
              <div class="read-only-grid">
                <el-row :gutter="24">
-                  <el-col :span="8"><el-form-item label="所属公司"><el-input v-model="form.company_name" readonly class="is-text-view" /></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="名称"><el-input v-model="form.material_name" readonly class="is-text-view" /></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="规格"><el-input v-model="form.spec_model" readonly class="is-text-view" /></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="单位"><el-input v-model="form.unit" readonly class="is-text-view" /></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="类型"><el-input v-model="form.material_type" readonly class="is-text-view" /></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="类别"><el-input v-model="form.category" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="所属公司" v-if="hasFormFieldPermission('company_name')"><el-input v-model="form.company_name" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="名称" v-if="hasFormFieldPermission('material_name')"><el-input v-model="form.material_name" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="规格" v-if="hasFormFieldPermission('spec_model')"><el-input v-model="form.spec_model" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="单位" v-if="hasFormFieldPermission('unit')"><el-input v-model="form.unit" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="类型" v-if="hasFormFieldPermission('material_type')"><el-input v-model="form.material_type" readonly class="is-text-view" /></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="类别" v-if="hasFormFieldPermission('category')"><el-input v-model="form.category" readonly class="is-text-view" /></el-form-item></el-col>
                </el-row>
              </div>
            </div>
@ -625,6 +625,54 @@ const handleBomSelect = (val: string) => {
  form.bom_version = version
 }

+// ------------------------------------
+// 表单字段权限检查
+// ------------------------------------
+const hasFormFieldPermission = (fieldName: string) => {
+  // 超级管理员直接返回true
+  if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
+    return true
+  }
+  // 根据字段名映射到权限码
+  const map: Record<string, string> = {
+    company_name: 'inbound_product:company_name',
+    material_name: 'inbound_product:material_name',
+    spec_model: 'inbound_product:spec_model',
+    material_type: 'inbound_product:material_type',
+    category: 'inbound_product:category',
+    unit: 'inbound_product:unit',
+    sku: 'inbound_product:sku',
+    barcode: 'inbound_product:barcode',
+    serial_number: 'inbound_product:serial_number',
+    in_date: 'inbound_product:inbound_date',
+    in_quantity: 'inbound_product:in_quantity',
+    stock_quantity: 'inbound_product:stock_quantity',
+    available_quantity: 'inbound_product:available_quantity',
+    warehouse_location: 'inbound_product:warehouse_location',
+    status: 'inbound_product:status',
+    quality_status: 'inbound_product:quality_status',
+    bom_code: 'inbound_product:bom_code',
+    bom_version: 'inbound_product:bom_version',
+    work_order_code: 'inbound_product:work_order_code',
+    order_id: 'inbound_product:order_id',
+    production_manager: 'inbound_product:production_manager',
+    production_time_range: 'inbound_product:production_start_time',
+    raw_material_cost: 'inbound_product:raw_material_cost',
+    manual_cost: 'inbound_product:manual_cost',
+    sale_price: 'inbound_product:sale_price',
+    quality_report_link: 'inbound_product:quality_report_link',
+    inspection_report_link: 'inbound_product:inspection_report_link',
+    product_photo: 'inbound_product:product_photo',
+    detail_link: 'inbound_product:detail_link',
+  }
+  const code = map[fieldName]
+  if (!code) {
+    // 没有映射的字段默认显示
+    return true
+  }
+  return userStore.hasPermission(code)
+}
+
 // ------------------------------------
 // Validation Logic
 // ------------------------------------
--- a/inventory-web/src/views/stock/inbound/semi.vue
+++ b/inventory-web/src/views/stock/inbound/semi.vue
@ -293,12 +293,12 @@

              <div class="read-only-grid">
                <el-row :gutter="24">
-                  <el-col :span="8"><el-form-item label="所属公司"><el-input v-model="form.company_name" readonly class="is-text-view"/></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="名称"><el-input v-model="form.material_name" readonly class="is-text-view"/></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="规格型号"><el-input v-model="form.spec_model" readonly class="is-text-view"/></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="单位"><el-input v-model="form.unit" readonly class="is-text-view"/></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="类别"><el-input v-model="form.category" readonly class="is-text-view"/></el-form-item></el-col>
-                  <el-col :span="8"><el-form-item label="类型"><el-input v-model="form.material_type" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="所属公司" v-if="hasFormFieldPermission('company_name')"><el-input v-model="form.company_name" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="名称" v-if="hasFormFieldPermission('material_name')"><el-input v-model="form.material_name" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="规格型号" v-if="hasFormFieldPermission('spec_model')"><el-input v-model="form.spec_model" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="单位" v-if="hasFormFieldPermission('unit')"><el-input v-model="form.unit" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="类别" v-if="hasFormFieldPermission('category')"><el-input v-model="form.category" readonly class="is-text-view"/></el-form-item></el-col>
+                  <el-col :span="8"><el-form-item label="类型" v-if="hasFormFieldPermission('material_type')"><el-input v-model="form.material_type" readonly class="is-text-view"/></el-form-item></el-col>
                </el-row>
              </div>
            </div>
@ -839,6 +839,53 @@ const rules = {
  batch_number: [{validator: validateIdentity, trigger: 'blur'}, {validator: validateUnique, trigger: 'blur'}]
 }

+// ------------------------------------
+// 表单字段权限检查
+// ------------------------------------
+const hasFormFieldPermission = (fieldName: string) => {
+  // 超级管理员直接返回true
+  if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
+    return true
+  }
+  // 根据字段名映射到权限码
+  const map: Record<string, string> = {
+    company_name: 'inbound_semi:company_name',
+    material_name: 'inbound_semi:material_name',
+    spec_model: 'inbound_semi:spec_model',
+    category: 'inbound_semi:category',
+    material_type: 'inbound_semi:material_type',
+    unit: 'inbound_semi:unit',
+    sku: 'inbound_semi:sku',
+    in_date: 'inbound_semi:inbound_date',
+    barcode: 'inbound_semi:barcode',
+    serial_number: 'inbound_semi:serial_number',
+    batch_number: 'inbound_semi:batch_number',
+    status: 'inbound_semi:status',
+    quality_status: 'inbound_semi:quality_status',
+    in_quantity: 'inbound_semi:in_quantity',
+    stock_quantity: 'inbound_semi:stock_quantity',
+    available_quantity: 'inbound_semi:available_quantity',
+    warehouse_location: 'inbound_semi:warehouse_location',
+    bom_code: 'inbound_semi:bom_code',
+    bom_version: 'inbound_semi:bom_version',
+    work_order_code: 'inbound_semi:work_order_code',
+    raw_material_cost: 'inbound_semi:raw_material_cost',
+    manual_cost: 'inbound_semi:manual_cost',
+    unit_total_cost: 'inbound_semi:unit_total_cost',
+    production_manager: 'inbound_semi:production_manager',
+    production_time_range: 'inbound_semi:production_start_time', // 使用开始时间权限
+    arrival_photo: 'inbound_semi:arrival_photo',
+    quality_report_link: 'inbound_semi:quality_report_link',
+    detail_link: 'inbound_semi:detail_link',
+  }
+  const code = map[fieldName]
+  if (!code) {
+    // 没有映射的字段默认显示
+    return true
+  }
+  return userStore.hasPermission(code)
+}
+
 // ------------------------------------
 // Core Logic
 // ------------------------------------