feat(backend): apply global cross-company data isolation logic across all inbound, outbound, and stock services

2026-04-17 09:57:00 +08:00
parent 6c0e13e52d
commit 8291a89898
5 changed files with 118 additions and 21 deletions
--- a/inventory-backend/app/services/inbound/repair_service.py
+++ b/inventory-backend/app/services/inbound/repair_service.py
@ -91,6 +91,30 @@ class RepairInboundService:
        
        # 按接收时间升序（先进先出）+ id 升序
        query = query.order_by(db.asc(TransRepair.arrival_date), db.asc(TransRepair.id))
+
+        # ============================================================
+        # 【全局特权】基于 JWT 与 global:cross_company_op 的跨组织隔离
+        # ============================================================
+        from flask_jwt_extended import get_jwt
+        
+        claims = get_jwt()
+        user_role = claims.get('role', '').upper() if claims.get('role') else ''
+        user_company = claims.get('company_name', '')
+
+        # 获取用户权限列表（用于检查 global:cross_company_op 特权）
+        from app.api.v1.inbound.base import get_current_user_permissions
+        user_perms = get_current_user_permissions() or []
+        normalized_perms = set(p.lower().replace('_', '').replace(':', '') for p in user_perms)
+        
+        # 检查是否拥有全局特权或超管角色
+        has_cross_company = 'globalcrosscompanyop' in normalized_perms
+
+        # 维修表需要通过 base_id 关联 MaterialBase 进行公司过滤
+        if user_role != 'SUPER_ADMIN' and not has_cross_company:
+            # 无特权：强制绑定本公司
+            query = query.outerjoin(MaterialBase, TransRepair.base_id == MaterialBase.id)
+            if user_company:
+                query = query.filter(MaterialBase.company_name == user_company)
        
        # 分页
        pagination = query.paginate(page=page, per_page=page_size, error_out=False)