From db077a603396a9ff99528973c991a7da4e7b3227 Mon Sep 17 00:00:00 2001
From: DXC <duxingchen@iris-rs.cn>
Date: Tue, 14 Apr 2026 09:28:46 +0800
Subject: [PATCH] fix(security): resolve incorrect field-level desensitization
 causing null values for authorized columns

---
 inventory-backend/app/services/auth_service.py | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/inventory-backend/app/services/auth_service.py b/inventory-backend/app/services/auth_service.py
index cc426af..6e8ee8a 100644
--- a/inventory-backend/app/services/auth_service.py
+++ b/inventory-backend/app/services/auth_service.py
@@ -359,6 +359,7 @@ class AuthService:
             }
 
         # 1. 查菜单权限
+        # 使用 func.upper() 处理数据库字段的大小写
         menu_perms = SysRolePermission.query.filter(
             func.upper(SysRolePermission.role_code) == role_code.upper(),
             SysRolePermission.type == 'menu'
@@ -371,12 +372,14 @@ class AuthService:
             func.upper(SysRolePermission.role_code) == role_code.upper(),
             SysRolePermission.type == 'element'
         ).all()
-
-        # 这里的 target_code 就是列的 code (如 unit_price)
-        # 为了防止不同页面有相同列名导致的混淆，我们之前数据库设计是做了隔离的
-        # 但为了前端处理方便，我们直接返回列的 code 集合
         element_codes = [p.target_code for p in element_perms]
 
+        # 调试日志：输出查询结果便于排查字段权限问题
+        from flask import current_app
+        current_app.logger.info(
+            f"[权限查询] role={role_code}, 查询到菜单权限={menu_codes}, 元素权限={element_codes}"
+        )
+
         return {
             'menus': menu_codes,
             'elements': element_codes