feat(backend): apply global cross-company data isolation logic across all inbound, outbound, and stock services
This commit is contained in:
@ -408,8 +408,34 @@ class SemiInboundService:
|
||||
if material_type and material_type.strip():
|
||||
query = query.filter(MaterialBase.material_type == material_type.strip())
|
||||
|
||||
if company and company.strip():
|
||||
query = query.filter(MaterialBase.company_name == company.strip())
|
||||
# ============================================================
|
||||
# 【全局特权】基于 JWT 与 global:cross_company_op 的跨组织隔离
|
||||
# ============================================================
|
||||
from flask_jwt_extended import get_jwt
|
||||
|
||||
claims = get_jwt()
|
||||
user_role = claims.get('role', '').upper() if claims.get('role') else ''
|
||||
user_company = claims.get('company_name', '')
|
||||
|
||||
# 获取用户权限列表(用于检查 global:cross_company_op 特权)
|
||||
from app.api.v1.inbound.base import get_current_user_permissions
|
||||
user_perms = get_current_user_permissions() or []
|
||||
normalized_perms = set(p.lower().replace('_', '').replace(':', '') for p in user_perms)
|
||||
|
||||
# 检查是否拥有全局特权或超管角色
|
||||
has_cross_company = 'globalcrosscompanyop' in normalized_perms
|
||||
|
||||
if user_role != 'SUPER_ADMIN' and not has_cross_company:
|
||||
# 无特权:严禁查其他公司,强制绑定本公司
|
||||
if company and company.strip() and company.strip() != user_company:
|
||||
from flask import abort
|
||||
abort(403, description=f'越权访问:您无权查询 {company} 的数据')
|
||||
if user_company:
|
||||
query = query.filter(MaterialBase.company_name == user_company)
|
||||
elif user_role == 'SUPER_ADMIN' or has_cross_company:
|
||||
# 有特权:允许下拉框传过来的 company 参数生效
|
||||
if company and company.strip():
|
||||
query = query.filter(MaterialBase.company_name == company.strip())
|
||||
|
||||
if not statuses:
|
||||
statuses = ['在库', '借库']
|
||||
|
||||
Reference in New Issue
Block a user