feat(backend): apply global cross-company data isolation logic across all inbound, outbound, and stock services
This commit is contained in:
@ -357,23 +357,23 @@ class BuyInboundService:
|
||||
user_role = claims.get('role', '').upper() if claims.get('role') else ''
|
||||
user_company = claims.get('company_name', '')
|
||||
|
||||
# 获取用户权限列表(用于检查 global:cross_company 特权)
|
||||
from app.services.auth_service import AuthService
|
||||
user_perms = AuthService.get_user_permissions(user_role) if user_role else []
|
||||
# 合并菜单和元素权限
|
||||
all_perms = user_perms.get('menus', []) + user_perms.get('elements', [])
|
||||
has_cross_company = 'global:cross_company' in all_perms or ('inbound_buy:*' in all_perms)
|
||||
# 获取用户权限列表(用于检查 global:cross_company_op 特权)
|
||||
from app.api.v1.inbound.base import get_current_user_permissions
|
||||
user_perms = get_current_user_permissions() or []
|
||||
normalized_perms = set(p.lower().replace('_', '').replace(':', '') for p in user_perms)
|
||||
|
||||
# 检查是否拥有全局特权或超管角色
|
||||
has_cross_company = 'globalcrosscompanyop' in normalized_perms
|
||||
|
||||
if user_role != 'SUPER_ADMIN' and not has_cross_company:
|
||||
# 【显式拒绝越权】如果前端传了公司参数,且不是当前用户的公司,返回403
|
||||
# 无特权:严禁查其他公司,强制绑定本公司
|
||||
if company and company.strip() and company.strip() != user_company:
|
||||
from flask import abort
|
||||
abort(403, description=f'越权访问:您无权查询 {company} 的数据')
|
||||
# 正常查询本公司数据
|
||||
if user_company:
|
||||
query = query.filter(MaterialBase.company_name == user_company)
|
||||
else:
|
||||
# 超级管理员或拥有跨域特权:允许跨公司视角
|
||||
elif user_role == 'SUPER_ADMIN' or has_cross_company:
|
||||
# 有特权:允许下拉框传过来的 company 参数生效
|
||||
if company and company.strip():
|
||||
query = query.filter(MaterialBase.company_name == company.strip())
|
||||
|
||||
|
||||
Reference in New Issue
Block a user