feat: add RBAC and field masking for borrow/return/records pages

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 14:05:52 +08:00
parent 5065410662
commit a2b1a62132
4 changed files with 170 additions and 23 deletions
--- a/inventory-web/src/views/transaction/records.vue
+++ b/inventory-web/src/views/transaction/records.vue
@ -88,6 +88,32 @@ import request from '@/utils/request'
 import dayjs from 'dayjs' // 建议使用 dayjs 处理日期，如果没有安装，可以用原生 Date
 import 'dayjs/locale/zh-cn' // 导入中文包
 dayjs.locale('zh-cn')
+import { useUserStore } from '@/stores/user'
+
+const userStore = useUserStore()
+
+// 列与权限Code的映射关系（数据库中的code）
+const permissionMap: Record<string, string> = {
+  borrow_no: 'op_records:borrow_no',
+  borrower_name: 'op_records:borrower_name',
+  sku: 'op_records:sku',
+  borrow_time: 'op_records:borrow_time',
+  return_time: 'op_records:return_time',
+  status: 'op_records:status',
+  expected_return_time: 'op_records:expected_return_time',
+  return_location: 'op_records:return_location',
+  borrow_signature: 'op_records:borrow_signature',
+  return_signature: 'op_records:return_signature',
+}
+
+// 检查列权限
+const hasColumnPermission = (prop: string) => {
+  if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
+    return true
+  }
+  const code = permissionMap[prop]
+  return code ? userStore.hasPermission(code) : false
+}

 const list = ref<any[]>([])
 const total = ref(0)
@ -195,4 +221,4 @@ onMounted(fetchData)
 .text-normal {
  color: #909399;
 }
-</style>
+</style>