feat: enforce field-level permissions for buy and service modules

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 15:03:44 +08:00
parent 5bc3dab31c
commit afcf90a859
4 changed files with 228 additions and 14 deletions
--- a/inventory-backend/app/api/v1/inbound/service.py
+++ b/inventory-backend/app/api/v1/inbound/service.py
@ -118,6 +118,31 @@ def create_service():
    if not data:
        return jsonify({'code': 400, 'msg': '请求数据为空'}), 400

+    # 数据清洗：移除用户没有权限的字段
+    user_permissions = get_current_user_permissions()
+    # 超级管理员不过滤
+    if 'inbound_service:*' not in user_permissions:
+        # 字段名到权限码的映射（与前端 permissionMap 保持一致）
+        field_to_perm = {
+            'id': 'inbound_service:id',
+            'base_id': 'inbound_service:base_id',
+            'sku': 'inbound_service:sku',
+            'material_name': 'inbound_service:material_name',
+            'provider_name': 'inbound_service:provider_name',
+            'sale_price': 'inbound_service:sale_price',
+            'description': 'inbound_service:description',
+            'created_at': 'inbound_service:created_at',
+            'material_type': 'inbound_service:material_type',
+            'category': 'inbound_service:category',
+            'spec_model': 'inbound_service:spec_model',
+            'unit': 'inbound_service:unit',
+        }
+        # 复制一份，避免遍历时修改字典
+        for field in list(data.keys()):
+            perm_code = field_to_perm.get(field)
+            if perm_code and perm_code not in user_permissions:
+                data.pop(field, None)
+
    # 基础校验
    if not data.get('base_id'):
        return jsonify({'code': 400, 'msg': '请选择基础物料'}), 400
@ -169,6 +194,31 @@ def update_service(service_id):
    if not data:
        return jsonify({'code': 400, 'msg': '请求数据为空'}), 400

+    # 数据清洗：移除用户没有权限的字段
+    user_permissions = get_current_user_permissions()
+    # 超级管理员不过滤
+    if 'inbound_service:*' not in user_permissions:
+        # 字段名到权限码的映射（与前端 permissionMap 保持一致）
+        field_to_perm = {
+            'id': 'inbound_service:id',
+            'base_id': 'inbound_service:base_id',
+            'sku': 'inbound_service:sku',
+            'material_name': 'inbound_service:material_name',
+            'provider_name': 'inbound_service:provider_name',
+            'sale_price': 'inbound_service:sale_price',
+            'description': 'inbound_service:description',
+            'created_at': 'inbound_service:created_at',
+            'material_type': 'inbound_service:material_type',
+            'category': 'inbound_service:category',
+            'spec_model': 'inbound_service:spec_model',
+            'unit': 'inbound_service:unit',
+        }
+        # 复制一份，避免遍历时修改字典
+        for field in list(data.keys()):
+            perm_code = field_to_perm.get(field)
+            if perm_code and perm_code not in user_permissions:
+                data.pop(field, None)
+
    # 允许更新的字段
    allowed_fields = {
        'sale_price', 'provider_name', 'description',