fix: standardize operator role to uppercase for permission checks

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 17:11:29 +08:00
parent c1e4acc1d8
commit 5beb373677
1 changed files with 11 additions and 5 deletions
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@ -82,7 +82,9 @@ class AuthService:
        创建新用户
        data 包含: cn_name(张三), username(zhangsan), ...
        """
-        if operator_role not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
+        # 标准化操作者角色为全大写
+        operator_role_upper = operator_role.upper() if operator_role else None
+        if operator_role_upper not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
            raise Exception("权限不足：只有超级管理员或主管可以创建新用户")

        cn_name = data.get('cn_name')
@ -103,7 +105,7 @@ class AuthService:
        if role not in valid_roles:
            raise Exception(f"角色无效")

-        if operator_role == UserRole.SUPERVISOR and role == UserRole.SUPER_ADMIN:
+        if operator_role_upper == UserRole.SUPERVISOR and role == UserRole.SUPER_ADMIN:
            raise Exception("权限不足：主管无法创建超级管理员")

        email = data.get('email', '')
@ -152,7 +154,9 @@ class AuthService:
        更新用户信息
        注意: 这里暂时不允许修改用户名/账号，因为涉及 split 逻辑较复杂，且通常账号不开通后不改
        """
-        if operator_role not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
+        # 标准化操作者角色为全大写
+        operator_role_upper = operator_role.upper() if operator_role else None
+        if operator_role_upper not in [UserRole.SUPER_ADMIN, UserRole.SUPERVISOR]:
            raise Exception("权限不足")

        user = SysUser.query.get(user_id)
@ -169,7 +173,7 @@ class AuthService:
            new_role = new_role_raw.upper() if new_role_raw else None
            if new_role not in valid_roles:
                raise Exception(f"角色无效")
-            if operator_role == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
+            if operator_role_upper == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
                raise Exception("权限不足")
            user.role = new_role

@ -205,7 +209,9 @@ class AuthService:
    @staticmethod
    def delete_user(user_id, operator_role):
        """删除用户"""
-        if operator_role != UserRole.SUPER_ADMIN:
+        # 标准化操作者角色为全大写
+        operator_role_upper = operator_role.upper() if operator_role else None
+        if operator_role_upper != UserRole.SUPER_ADMIN:
            raise Exception("权限不足：只有超级管理员可以删除用户")

        user = SysUser.query.get(user_id)