feat: implement clean global cross-organization permission node and backend service isolation logic

2026-04-17 08:59:55 +08:00
parent 477da7c434
commit bd93a3d70b
2 changed files with 31 additions and 5 deletions
--- a/inventory-backend/app/services/inbound/buy_service.py
+++ b/inventory-backend/app/services/inbound/buy_service.py
@ -351,11 +351,20 @@ class BuyInboundService:
            # ============================================================
            # 【行级数据隔离】基于 JWT 中的 company_name 进行过滤
            # ============================================================
+            from flask_jwt_extended import get_jwt
+            
            claims = get_jwt()
            user_role = claims.get('role', '').upper() if claims.get('role') else ''
            user_company = claims.get('company_name', '')

-            if user_role != 'SUPER_ADMIN':
+            # 获取用户权限列表（用于检查 global:cross_company 特权）
+            from app.services.auth_service import AuthService
+            user_perms = AuthService.get_user_permissions(user_role) if user_role else []
+            # 合并菜单和元素权限
+            all_perms = user_perms.get('menus', []) + user_perms.get('elements', [])
+            has_cross_company = 'global:cross_company' in all_perms or ('inbound_buy:*' in all_perms)
+
+            if user_role != 'SUPER_ADMIN' and not has_cross_company:
                # 【显式拒绝越权】如果前端传了公司参数，且不是当前用户的公司，返回403
                if company and company.strip() and company.strip() != user_company:
                    from flask import abort
@ -364,7 +373,7 @@ class BuyInboundService:
                if user_company:
                    query = query.filter(MaterialBase.company_name == user_company)
            else:
-                # 超级管理员：允许跨公司视角
+                # 超级管理员或拥有跨域特权：允许跨公司视角
                if company and company.strip():
                    query = query.filter(MaterialBase.company_name == company.strip())