fix-security-field-permission-matching

2026-04-14 15:09:15 +08:00
parent ae1fd1afd4
commit ae05f3bb75
1 changed files with 8 additions and 2 deletions
--- a/inventory-backend/app/api/v1/inbound/buy.py
+++ b/inventory-backend/app/api/v1/inbound/buy.py
@ -213,7 +213,10 @@ def submit():
            # 复制一份，避免遍历时修改字典
            for field in list(data.keys()):
                perm_code = field_to_perm.get(field)
-                if perm_code and perm_code not in user_permissions:
+                # 提取不带前缀的基础权限码（如 'serial_number'）
+                base_perm_code = perm_code.split(':')[-1] if ':' in perm_code else perm_code
+                # 如果用户的权限列表中，既没有长格式，也没有短格式，才移除该字段
+                if perm_code and perm_code not in user_permissions and base_perm_code not in user_permissions:
                    data.pop(field, None)

        # 库位必填校验（安全兜底）
@ -289,7 +292,10 @@ def update_buy(id):
            # 复制一份，避免遍历时修改字典
            for field in list(data.keys()):
                perm_code = field_to_perm.get(field)
-                if perm_code and perm_code not in user_permissions:
+                # 提取不带前缀的基础权限码（如 'serial_number'）
+                base_perm_code = perm_code.split(':')[-1] if ':' in perm_code else perm_code
+                # 如果用户的权限列表中，既没有长格式，也没有短格式，才移除该字段
+                if perm_code and perm_code not in user_permissions and base_perm_code not in user_permissions:
                    data.pop(field, None)

        BuyInboundService.update_inbound(id, data)