fix: standardize role case handling in permission logic

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/api/v1/outbound.py

@@ -115,7 +115,7 @@ def create_outbound():
         return jsonify({'code': 403, 'msg': '未授权'}), 403
 
     # 超级管理员直接放行
-    if user_role != 'super_admin':
+    if user_role.upper() != 'SUPER_ADMIN':
         perm_dict = AuthService.get_user_permissions(user_role)
         perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
         if ('outbound_create:operation' not in perms) and ('outbound_selection:operation' not in perms):

inventory-backend/app/services/auth_service.py

@@ -1,6 +1,7 @@
 # app/services/auth_service.py
 from app.models.system import SysUser, SysRolePermission # <== 引入 SysRolePermission
 from app.extensions import db
+from sqlalchemy import func
 from flask_jwt_extended import create_access_token
 from app.utils.constants import UserRole
 from datetime import timedelta
@@ -51,9 +52,10 @@ class AuthService:
             if user.status != 'active':
                 raise ValueError("账号已被禁用，请联系管理员")
 
-            user_role = user.role
+            user_role = user.role.upper() if user.role else None
             user_id = user.id
             user_info = user.to_dict()
+            user_info['role'] = user_role
 
         # 3. 生成 Token
         # Token 中 identity 存数据库ID，claims 存登录账号ID
@@ -89,7 +91,8 @@ class AuthService:
         if not cn_name or not pinyin_base:
             raise Exception("姓名和账号不能为空")
 
-        role = data.get('role')
+        role_raw = data.get('role')
+        role = role_raw.upper() if role_raw else None
 
         # 验证角色合法性
         valid_roles = [
@@ -162,7 +165,8 @@ class AuthService:
                 v for k, v in UserRole.__dict__.items()
                 if not k.startswith('__') and isinstance(v, str)
             ]
-            new_role = data['role']
+            new_role_raw = data['role']
+            new_role = new_role_raw.upper() if new_role_raw else None
             if new_role not in valid_roles:
                 raise Exception(f"角色无效")
             if operator_role == UserRole.SUPERVISOR and new_role == UserRole.SUPER_ADMIN:
@@ -223,7 +227,7 @@ class AuthService:
         """
         # 超级管理员返回所有权限（通配符）
         from app.utils.constants import UserRole
-        if role_code == UserRole.SUPER_ADMIN:
+        if role_code and role_code.upper() == UserRole.SUPER_ADMIN:
             # 返回通配符，表示拥有所有菜单和元素权限
             return {
                 'menus': ['*'],
@@ -231,17 +235,17 @@ class AuthService:
             }
 
         # 1. 查菜单权限
-        menu_perms = SysRolePermission.query.filter_by(
+        menu_perms = SysRolePermission.query.filter(
-            role_code=role_code,
+            func.upper(SysRolePermission.role_code) == role_code.upper(),
-            type='menu'
+            SysRolePermission.type == 'menu'
         ).all()
         menu_codes = [p.target_code for p in menu_perms]
 
         # 2. 查元素(列)权限
         # 注意：这里我们只返回用户拥有的。前端逻辑是："如果列配置了Key且用户没这个Key，则隐藏"
-        element_perms = SysRolePermission.query.filter_by(
+        element_perms = SysRolePermission.query.filter(
-            role_code=role_code,
+            func.upper(SysRolePermission.role_code) == role_code.upper(),
-            type='element'
+            SysRolePermission.type == 'element'
         ).all()
 
         # 这里的 target_code 就是列的 code (如 unit_price)

inventory-backend/app/utils/decorators.py

@@ -16,12 +16,13 @@ def role_required(*roles):
         def decorator(*args, **kwargs):
             claims = get_jwt()
             user_role = claims.get('role')
+            user_role_upper = user_role.upper() if user_role else None
 
             # 如果是超级管理员，拥有上帝视角，直接放行 (可选)
-            if user_role == 'super_admin':
+            if user_role_upper == 'SUPER_ADMIN':
                 return fn(*args, **kwargs)
 
-            if user_role not in roles:
+            if user_role_upper not in [r.upper() for r in roles]:
                 return jsonify(msg='权限不足：您没有访问此资源的权限'), 403
 
             return fn(*args, **kwargs)

inventory-web/src/stores/user.ts

@@ -35,7 +35,8 @@ export const useUserStore = defineStore('user', () => {
 
         // 处理用户信息 (确保后端返回结构中有 user 字段)
         if (data.user) {
-            role.value = data.user.role || 'user' // 默认给个 user 角色防止空
+            const rawRole = data.user.role || 'user'
+            role.value = rawRole.toUpperCase() // 角色统一转换为大写
             username.value = data.user.username || '用户'
 
             // 持久化存储用户信息