From a0993767fe388e91345e28100b7a3ed1ed5a34f8 Mon Sep 17 00:00:00 2001
From: dxc
Date: Fri, 27 Feb 2026 17:04:22 +0800
Subject: [PATCH] fix: make SUPER_ADMIN role checks case-insensitive across app
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking)
---
 inventory-backend/app/api/v1/auth.py | 4 ++--
 inventory-backend/app/api/v1/bom.py | 4 ++--
 inventory-backend/app/api/v1/inbound/buy.py | 4 ++--
 inventory-backend/app/api/v1/inbound/product.py | 4 ++--
 inventory-backend/app/api/v1/inbound/semi.py | 4 ++--
 inventory-backend/app/api/v1/inbound/service.py | 4 ++--
 inventory-backend/app/api/v1/outbound.py | 4 ++--
 inventory-backend/app/api/v1/transactions.py | 4 ++--
 inventory-backend/app/services/auth_service.py | 11 ++++++++++-
 inventory-backend/app/utils/decorators.py | 4 ++--
 inventory-web/src/stores/user.ts | 4 ++++
 11 files changed, 32 insertions(+), 19 deletions(-)
diff --git a/inventory-backend/app/api/v1/auth.py b/inventory-backend/app/api/v1/auth.py
index 5c54c1c..1cf7480 100644
--- a/inventory-backend/app/api/v1/auth.py
+++ b/inventory-backend/app/api/v1/auth.py
@@ -19,8 +19,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 return ['system_user:*']
 perm_dict = AuthService.get_user_permissions(user_role)
 # 合并菜单和元素权限
diff --git a/inventory-backend/app/api/v1/bom.py b/inventory-backend/app/api/v1/bom.py
index 0610679..217d35f 100644
--- a/inventory-backend/app/api/v1/bom.py
+++ b/inventory-backend/app/api/v1/bom.py
@@ -22,8 +22,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 return ['bom_manage:*']
 perm_dict = AuthService.get_user_permissions(user_role)
 # 合并菜单和元素权限
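Review bot: The new check `if user_role.upper() == 'SUPER_ADMIN':` still compares against a bare string literal, and the same literal-plus-`.upper()` pair is now repeated in nine places (bom.py, inbound/buy.py, inbound/product.py, inbound/semi.py, inbound/service.py, outbound.py, transactions.py and `permission_required` in utils/decorators.py), while auth_service.py in this same commit compares `role_code == UserRole.SUPER_ADMIN` exactly. This is the condition that grants every permission, so the canonical spelling and the normalization policy should live in one helper that every site calls, for example `from app.utils.constants import UserRole` and `if UserRole.is_super_admin(user_role):` with the case handling inside it; otherwise the next change to the role's canonical form can leave one endpoint behind. `str.upper()` also applies full Unicode case mapping, so the comparison accepts more spellings than the ASCII upper/lower pair the commit message suggests; normalizing the role once where the token is issued and comparing exactly against the constant keeps the match as narrow as intended. The `.upper()` call further assumes the `role` claim is a `str`; a non-string claim raises `AttributeError` here instead of taking the `return []` path. `get_current_user_permissions` begins above the hunk.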
diff --git a/inventory-backend/app/api/v1/inbound/buy.py b/inventory-backend/app/api/v1/inbound/buy.py
index 56e711c..ec8b85f 100644
--- a/inventory-backend/app/api/v1/inbound/buy.py
+++ b/inventory-backend/app/api/v1/inbound/buy.py
@@ -20,8 +20,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 # 返回所有以 inbound_buy: 开头的权限码(这里我们返回一个特殊标记,表示全部)
 # 为了简单,我们返回 ['inbound_buy:*'],在过滤函数中特殊处理
 return ['inbound_buy:*']
diff --git a/inventory-backend/app/api/v1/inbound/product.py b/inventory-backend/app/api/v1/inbound/product.py
index 3a1318e..527adb7 100644
--- a/inventory-backend/app/api/v1/inbound/product.py
+++ b/inventory-backend/app/api/v1/inbound/product.py
@@ -21,8 +21,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 # 返回所有以 inbound_product: 开头的权限码(这里我们返回一个特殊标记,表示全部)
 # 为了简单,我们返回 ['inbound_product:*'],在过滤函数中特殊处理
 return ['inbound_product:*']
diff --git a/inventory-backend/app/api/v1/inbound/semi.py b/inventory-backend/app/api/v1/inbound/semi.py
index 8bb7f23..4e9b940 100644
--- a/inventory-backend/app/api/v1/inbound/semi.py
+++ b/inventory-backend/app/api/v1/inbound/semi.py
@@ -22,8 +22,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 # 返回所有以 inbound_semi: 开头的权限码(这里我们返回一个特殊标记,表示全部)
 # 为了简单,我们返回 ['inbound_semi:*'],在过滤函数中特殊处理
 return ['inbound_semi:*']
diff --git a/inventory-backend/app/api/v1/inbound/service.py b/inventory-backend/app/api/v1/inbound/service.py
index 6d2f9fc..a8100cf 100644
--- a/inventory-backend/app/api/v1/inbound/service.py
+++ b/inventory-backend/app/api/v1/inbound/service.py
@@ -21,8 +21,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 return ['inbound_service:*']
 perm_dict = AuthService.get_user_permissions(user_role)
 # 合并菜单和元素权限
diff --git a/inventory-backend/app/api/v1/outbound.py b/inventory-backend/app/api/v1/outbound.py
index 32c1ed9..b89bbf2 100644
--- a/inventory-backend/app/api/v1/outbound.py
+++ b/inventory-backend/app/api/v1/outbound.py
@@ -22,8 +22,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 return ['outbound_list:*']
 perm_dict = AuthService.get_user_permissions(user_role)
 # 合并菜单和元素权限
diff --git a/inventory-backend/app/api/v1/transactions.py b/inventory-backend/app/api/v1/transactions.py
index acbef7d..825027e 100644
--- a/inventory-backend/app/api/v1/transactions.py
+++ b/inventory-backend/app/api/v1/transactions.py
@@ -20,8 +20,8 @@ def get_current_user_permissions():
 user_role = claims.get('role')
 if not user_role:
 return []
- # 超级管理员返回所有字段权限
- if user_role == 'super_admin':
+ # 超级管理员返回所有字段权限 (忽略大小写)
+ if user_role.upper() == 'SUPER_ADMIN':
 return ['*']
 perm_dict = AuthService.get_user_permissions(user_role)
 # 合并菜单和元素权限
diff --git a/inventory-backend/app/services/auth_service.py b/inventory-backend/app/services/auth_service.py
index 27d9063..2921e38 100644
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@@ -221,6 +221,15 @@ class AuthService:
 'elements': ['inbound_buy:unit_price', ...]
 }
 """
+ # 超级管理员返回所有权限(通配符)
+ from app.utils.constants import UserRole
+ if role_code == UserRole.SUPER_ADMIN:
+ # 返回通配符,表示拥有所有菜单和元素权限
+ return {
+ 'menus': ['*'],
+ 'elements': ['*']
+ }
+
 # 1. 查菜单权限
 menu_perms = SysRolePermission.query.filter_by(
 role_code=role_code,
@@ -243,4 +252,4 @@ class AuthService:
 return {
 'menus': menu_codes,
 'elements': element_codes
- }
\ No newline at end of file
+ }
diff --git a/inventory-backend/app/utils/decorators.py b/inventory-backend/app/utils/decorators.py
index 41fe2f7..c58336d 100644
--- a/inventory-backend/app/utils/decorators.py
+++ b/inventory-backend/app/utils/decorators.py
@@ -63,8 +63,8 @@ def permission_required(permission_code):
 claims = get_jwt()
 user_role = claims.get('role')
- # 超级管理员放行
- if user_role == 'super_admin':
+ # 超级管理员放行 (忽略大小写)
+ if user_role and user_role.upper() == 'SUPER_ADMIN':
 return fn(*args, **kwargs)
 # 根据角色查询数据库中的权限
diff --git a/inventory-web/src/stores/user.ts b/inventory-web/src/stores/user.ts
index fc1ba62..2c5d2c2 100644
--- a/inventory-web/src/stores/user.ts
+++ b/inventory-web/src/stores/user.ts
@@ -114,6 +114,10 @@ export const useUserStore = defineStore('user', () => {
 // 判断当前用户是否拥有某个权限(菜单或元素)
 const hasPermission = (code: string) => {
+ // 超级管理员拥有所有权限
+ if (role.value && role.value.toUpperCase() === 'SUPER_ADMIN') {
+ return true
+ }
 return permissions.value.includes(code)
 }
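Review bot: `if role_code == UserRole.SUPER_ADMIN:` is an exact comparison, so a role value that passes the case-insensitive `user_role.upper() == 'SUPER_ADMIN'` checks this commit adds to the API modules can still miss this branch and fall through to the `SysRolePermission` query (unless `UserRole.SUPER_ADMIN` is something other than a plain string, which the hunk does not show). The wildcard branch should apply the same policy as its callers, e.g. `if isinstance(role_code, str) and role_code.upper() == UserRole.SUPER_ADMIN:` if the constant is the uppercase spelling the call sites use, or better, the one shared `is_super_admin` helper. The function-scope `from app.utils.constants import UserRole` reads like a circular-import workaround and deserves a one-line comment stating why it cannot be a module-level import. Returning `['*']` introduces a new privileged sentinel that every consumer matching permission codes by equality must recognize, which is worth stating in the docstring that ends at the top of the hunk. The method that docstring belongs to starts above the hunk.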
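Review bot: `role.value.toUpperCase() === 'SUPER_ADMIN'` re-derives the super-admin decision on the client from the role string, although the backend change in the same commit already returns `['*']` from `AuthService.get_user_permissions` for that role; if `permissions` is populated from that call (not visible here), honoring the wildcard with `return permissions.value.includes('*') || permissions.value.includes(code)` would keep a single source of truth and avoid a third copy of the role literal. Either way this is presentation-only gating, and the server-side `permission_required` check remains the authoritative one. The `hasPermission` arrow function lies fully inside the hunk; the enclosing `useUserStore` setup function does not.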