From 5beb373677df71bf239702004551625ba1d928c1 Mon Sep 17 00:00:00 2001
From: dxc
Date: Fri, 27 Feb 2026 17:11:29 +0800
Subject: [PATCH] fix: standardize operator role to uppercase for permission checks
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking)
---
 inventory-backend/app/services/auth_service.py | 16 +++++++++++-----
 1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/inventory-backend/app/services/auth_service.py b/inventory-backend/app/services/auth_service.py
index c2c7f9a..07e7a15 100644
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@@ -82,7 +82,9 @@ class AuthService:
 创建新用户
 data 包含: cn_name(张三), username(zhangsan), ...
 """
- if operator_role not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
+ # 标准化操作者角色为全大写
+ operator_role_upper = operator_role.upper() if operator_role else None
+ if operator_role_upper not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
 raise Exception("权限不足:只有超级管理员或主管可以创建新用户")
 cn_name = data.get('cn_name')
@@ -103,7 +105,7 @@ class AuthService:
 if role not in valid_roles:
 raise Exception(f"角色无效")
- if operator_role == UserRole.SUPERVISOR and role == UserRole.SUPER_ADMIN:
+ if operator_role_upper == UserRole.SUPERVISOR and role == UserRole.SUPER_ADMIN:
 raise Exception("权限不足:主管无法创建超级管理员")
 email = data.get('email', '')
@@ -152,7 +154,9 @@ class AuthService:
 更新用户信息
 注意: 这里暂时不允许修改用户名/账号,因为涉及 split 逻辑较复杂,且通常账号不开通后不改
 """
- if operator_role not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
+ # 标准化操作者角色为全大写
+ operator_role_upper = operator_role.upper() if operator_role else None
+ if operator_role_upper not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
 raise Exception("权限不足")
 user = SysUser.query.get(user_id)
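Review bot: The three-line normalization added at the top of create_user is repeated verbatim in update_user (third hunk on this line) and delete_user (last hunk of the patch), so the next method that adds a role check can silently miss it and fall back to the old case-sensitive comparison; hoist it into one place, e.g. a `@staticmethod` `def _normalize_role(role): return role.upper() if role else None` on AuthService, with each site becoming `operator_role_upper = AuthService._normalize_role(operator_role)`. A single helper is also the one place to add `.strip()` should roles decoded from a session or token ever carry whitespace, which the hunk cannot show. Note that `.upper()` presumes `operator_role` is a str: if UserRole is a plain `Enum` rather than a `str` subclass and some caller passes a member (the old `operator_role == UserRole.SUPERVISOR` form allowed that), this line raises AttributeError — the string-literal comparisons elsewhere suggest str values, but worth confirming. create_user and update_user both continue outside their hunks.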
@@ -169,7 +173,7 @@ class AuthService:
 new_role = new_role_raw.upper() if new_role_raw else None
 if new_role not in valid_roles:
 raise Exception(f"角色无效")
- if operator_role == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
+ if operator_role_upper == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
 raise Exception("权限不足")
 user.role = new_role
@@ -205,7 +209,9 @@ class AuthService:
 @staticmethod
 def delete_user(user_id, operator_role):
 """删除用户"""
- if operator_role != UserRole.SUPER_ADMIN:
+ # 标准化操作者角色为全大写
+ operator_role_upper = operator_role.upper() if operator_role else None
+ if operator_role_upper != UserRole.SUPER_ADMIN:
 raise Exception("权限不足:只有超级管理员可以删除用户")
 user = SysUser.query.get(user_id)
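Review bot: delete_user's docstring `"""删除用户"""` says nothing about the authorization contract the new lines implement — that `operator_role` is now compared case-insensitively, that only SUPER_ADMIN passes, and that denial raises a plain `Exception` — so I'd extend it to state those three points and to name where `operator_role` is expected to come from (the authenticated session/token, not request data), since the case-insensitive match only stays safe when the value is server-supplied. Separately, the update_user hunk shows roles are already upper-cased on write (`new_role = new_role_raw.upper()`), so a mixed-case `operator_role` presumably comes from older stored rows or from the point where the session is decoded; normalizing once there would give every check a canonical value instead of relying on each call site remembering the conversion — worth confirming against the callers, which are outside the patch. delete_user's body continues past the hunk.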