fix: prevent price data leak in inventory export

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
2026-02-28 11:32:21 +08:00
parent c3e2494b3e
commit d78ef22251
1 changed files with 40 additions and 0 deletions
--- a/inventory-backend/app/services/inbound/base_service.py
+++ b/inventory-backend/app/services/inbound/base_service.py
@ -537,6 +537,16 @@ class MaterialBaseService:
                    col_idx['inventoryCount'] = idx
                elif header == "可用数量":
                    col_idx['availableCount'] = idx
+                elif header == "单价/成本 (不含税)":
+                    col_idx['price_excl'] = idx
+                elif header == "资产总额 (不含税)":
+                    col_idx['total_val_excl'] = idx
+                elif header == "税率 (%)":
+                    col_idx['tax'] = idx
+                elif header == "单价/成本 (含税)":
+                    col_idx['price_incl'] = idx
+                elif header == "资产总额 (含税)":
+                    col_idx['total_val'] = idx

            # 样式
            header_fill = PatternFill(start_color="D7E4BC", end_color="D7E4BC", fill_type="solid")
@ -603,6 +613,36 @@ class MaterialBaseService:
                            elif field in col_idx:
                                row_val[col_idx[field]] = ''

+                # 联动脱敏：根据数据来源，校验对应模块的价格/成本权限
+                if user_permissions is not None:
+                    # 超级管理员拥有所有权限，跳过价格脱敏
+                    if 'material_list:*' in user_permissions:
+                        # 拥有通配符权限，不隐藏价格列
+                        pass
+                    else:
+                        has_price_perm = True
+                        row_type = r['type_name']
+
+                        # 根据数据来源检查对应模块的权限
+                        if row_type == '采购件':
+                            # 校验采购模块的价格权限
+                            has_price_perm = any(p in user_permissions for p in ['inbound_buy:postTaxUnitPrice', 'inbound_buy:preTaxUnitPrice', 'inbound_buy:totalAmount'])
+                        elif row_type == '半成品':
+                            # 校验半成品模块的成本权限
+                            has_price_perm = any(p in user_permissions for p in ['inbound_semi:rawMaterialCost', 'inbound_semi:manualCost'])
+                        elif row_type == '成品':
+                            # 校验成品模块的成本权限
+                            has_price_perm = any(p in user_permissions for p in ['inbound_product:rawMaterialCost', 'inbound_product:manualCost'])
+                        else:
+                            # 未知类型，默认隐藏价格列
+                            has_price_perm = False
+
+                        # 如果没有对应模块的价格查看权限，则清空涉密的5个列
+                        if not has_price_perm:
+                            for p_col in ['price_excl', 'total_val_excl', 'tax', 'price_incl', 'total_val']:
+                                if p_col in col_idx:
+                                    row_val[col_idx[p_col]] = ''
+
                ws.append(row_val)

            # 列宽调整