feat: add MaterialBase permission control with field-level filtering

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
This commit is contained in:
dxc
2026-02-27 10:16:43 +08:00
parent c86e67b793
commit 73ee163352
3 changed files with 131 additions and 12 deletions


@ -1,7 +1,8 @@
# app/utils/decorators.py
from functools import wraps
from flask_jwt_extended import get_jwt
from flask import jsonify
from flask_jwt_extended import get_jwt, verify_jwt_in_request
from flask import jsonify, g
import logging
def role_required(*roles):
@ -27,4 +28,54 @@ def role_required(*roles):
return decorator
return wrapper
return wrapper
def login_required(fn):
"""
验证 JWT 令牌是否存在且有效
"""
@wraps(fn)
def decorator(*args, **kwargs):
try:
verify_jwt_in_request()
except Exception as e:
logging.warning(f"JWT verification failed: {e}")
return jsonify(msg='登录已过期,请重新登录'), 401
return fn(*args, **kwargs)
return decorator
def permission_required(permission_code):
"""
检查当前用户是否拥有指定权限码
使用方法: @permission_required('material:base:read')
"""
def wrapper(fn):
@wraps(fn)
def decorator(*args, **kwargs):
# 首先验证 JWT
try:
verify_jwt_in_request()
except Exception as e:
logging.warning(f"JWT verification failed: {e}")
return jsonify(msg='登录已过期,请重新登录'), 401
claims = get_jwt()
user_role = claims.get('role')
# 超级管理员放行
if user_role == 'super_admin':
return fn(*args, **kwargs)
# TODO: 根据角色和 permission_code 查询数据库验证权限
# 此处为示例逻辑:假设角色 'admin' 和 'manager' 拥有所有权限
# 实际项目中应替换为真实的权限查询
if user_role in ['admin', 'manager']:
return fn(*args, **kwargs)
# 其他角色暂时拒绝,并记录日志
logging.warning(
f'Permission check not implemented for {permission_code}, user role {user_role}. Access denied.')
return jsonify(msg='权限不足:您没有访问此资源的权限'), 403
return decorator
return wrapper
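Review bot: `permission_required` never evaluates `permission_code` — in the new hunk any `admin` or `manager` token passes every decorated endpoint and every other role gets a 403 regardless of the code, so the commit ships role gating under a permission-check name, and nothing prevents the placeholder branch at the `if user_role in ['admin', 'manager']` line from becoming permanent. I would drive the check from one role→codes table so an unlisted code fails closed and granting a new code is an explicit edit; only `'material:base:read'` is visible here, so the table has to be filled from the codes the other two changed files use. The `except Exception` around `verify_jwt_in_request()` (in both new decorators) also turns programming errors into a "login expired" 401; narrowing it to the library's exceptions, roughly `except (JWTExtendedException, PyJWTError) as e:` with imports from `flask_jwt_extended.exceptions` and `jwt`, keeps real bugs visible — verify the exact class names against the installed flask-jwt-extended version. `g` is imported in the first hunk but not used in either hunk; drop it unless one of the other files relies on it.
```python
# Role -> permission codes that role may use.  Populate from the project's
# permission model (only 'material:base:read' is visible in this commit);
# unknown roles and unlisted codes fail closed.
ROLE_PERMISSIONS: dict[str, frozenset[str]] = {
    'admin': frozenset({'material:base:read'}),
    'manager': frozenset({'material:base:read'}),
}


def permission_required(permission_code):
    def wrapper(fn):
        @wraps(fn)
        def decorator(*args, **kwargs):
            # ... unchanged: verify_jwt_in_request() / 401 handling ...
            claims = get_jwt()
            user_role = claims.get('role')
            if user_role == 'super_admin':
                return fn(*args, **kwargs)
            if permission_code in ROLE_PERMISSIONS.get(user_role, frozenset()):
                return fn(*args, **kwargs)
            logging.warning(
                'Permission denied: role %r lacks %r', user_role, permission_code)
            return jsonify(msg='权限不足:您没有访问此资源的权限'), 403
        return decorator
    return wrapper
```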