feat: implement permission checking and field-level data masking

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/utils/decorators.py

@@ -67,15 +67,20 @@ def permission_required(permission_code):
             if user_role == 'super_admin':
                 return fn(*args, **kwargs)
 
-            # TODO: 根据角色和 permission_code 查询数据库验证权限
-            # 此处为示例逻辑：假设角色 'admin' 和 'manager' 拥有所有权限
-            # 实际项目中应替换为真实的权限查询
-            if user_role in ['admin', 'manager']:
-                return fn(*args, **kwargs)
+            # 根据角色查询数据库中的权限
+            try:
+                from app.services.auth_service import AuthService
+                perm_dict = AuthService.get_user_permissions(user_role)
+            except Exception as e:
+                logging.warning(f"Failed to fetch permissions for role {user_role}: {e}")
+                return jsonify(msg='权限查询失败'), 403
 
-            # 其他角色暂时拒绝，并记录日志
-            logging.warning(
-                f'Permission check not implemented for {permission_code}, user role {user_role}. Access denied.')
-            return jsonify(msg='权限不足：您没有访问此资源的权限'), 403
+            # 合并菜单和元素权限
+            all_perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
+            if permission_code not in all_perms:
+                logging.warning(
+                    f'Permission check failed for {permission_code}, user role {user_role}.')
+                return jsonify(msg='权限不足：您没有访问此资源的权限'), 403
+            return fn(*args, **kwargs)
         return decorator
     return wrapper