fix: standardize role case handling in permission logic

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 17:07:45 +08:00
parent a0993767fe
commit c1e4acc1d8
4 changed files with 20 additions and 14 deletions
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@ -1,6 +1,7 @@
 # app/services/auth_service.py
 from app.models.system import SysUser, SysRolePermission # <== 引入 SysRolePermission
 from app.extensions import db
+from sqlalchemy import func
 from flask_jwt_extended import create_access_token
 from app.utils.constants import UserRole
 from datetime import timedelta
@ -51,9 +52,10 @@ class AuthService:
            if user.status != 'active':
                raise ValueError("账号已被禁用，请联系管理员")

-            user_role = user.role
+            user_role = user.role.upper() if user.role else None
            user_id = user.id
            user_info = user.to_dict()
+            user_info['role'] = user_role

        # 3. 生成 Token
        # Token 中 identity 存数据库ID，claims 存登录账号ID
@ -89,7 +91,8 @@ class AuthService:
        if not cn_name or not pinyin_base:
            raise Exception("姓名和账号不能为空")

-        role = data.get('role')
+        role_raw = data.get('role')
+        role = role_raw.upper() if role_raw else None

        # 验证角色合法性
        valid_roles = [
@ -162,7 +165,8 @@ class AuthService:
                v for k, v in UserRole.__dict__.items()
                if not k.startswith('__') and isinstance(v, str)
            ]
-            new_role = data['role']
+            new_role_raw = data['role']
+            new_role = new_role_raw.upper() if new_role_raw else None
            if new_role not in valid_roles:
                raise Exception(f"角色无效")
            if operator_role == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
@ -223,7 +227,7 @@ class AuthService:
        """
        # 超级管理员返回所有权限（通配符）
        from app.utils.constants import UserRole
-        if role_code == UserRole.SUPER_ADMIN:
+        if role_code and role_code.upper() == UserRole.SUPER_ADMIN:
            # 返回通配符，表示拥有所有菜单和元素权限
            return {
                'menus': ['*'],
@ -231,17 +235,17 @@ class AuthService:
            }

        # 1. 查菜单权限
-        menu_perms = SysRolePermission.query.filter_by(
-            role_code=role_code,
-            type='menu'
+        menu_perms = SysRolePermission.query.filter(
+            func.upper(SysRolePermission.role_code) == role_code.upper(),
+            SysRolePermission.type == 'menu'
        ).all()
        menu_codes = [p.target_code for p in menu_perms]

        # 2. 查元素(列)权限
        # 注意：这里我们只返回用户拥有的。前端逻辑是："如果列配置了Key且用户没这个Key，则隐藏"
-        element_perms = SysRolePermission.query.filter_by(
-            role_code=role_code,
-            type='element'
+        element_perms = SysRolePermission.query.filter(
+            func.upper(SysRolePermission.role_code) == role_code.upper(),
+            SysRolePermission.type == 'element'
        ).all()

        # 这里的 target_code 就是列的 code (如 unit_price)