fix: standardize role case handling in permission logic

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-27 17:07:45 +08:00
parent a0993767fe
commit c1e4acc1d8
4 changed files with 20 additions and 14 deletions
--- a/inventory-backend/app/utils/decorators.py
+++ b/inventory-backend/app/utils/decorators.py
@ -16,12 +16,13 @@ def role_required(*roles):
        def decorator(*args, **kwargs):
            claims = get_jwt()
            user_role = claims.get('role')
+            user_role_upper = user_role.upper() if user_role else None

            # 如果是超级管理员，拥有上帝视角，直接放行 (可选)
-            if user_role == 'super_admin':
+            if user_role_upper == 'SUPER_ADMIN':
                return fn(*args, **kwargs)

-            if user_role not in roles:
+            if user_role_upper not in [r.upper() for r in roles]:
                return jsonify(msg='权限不足：您没有访问此资源的权限'), 403

            return fn(*args, **kwargs)