fix(security): resolve incorrect field-level desensitization causing null values for authorized columns
@ -359,6 +359,7 @@ class AuthService:
|
|||||||
}
|
}
|
||||||
|
|
||||||
# 1. 查菜单权限
|
# 1. 查菜单权限
|
||||||
|
# 使用 func.upper() 处理数据库字段的大小写
|
||||||
menu_perms = SysRolePermission.query.filter(
|
menu_perms = SysRolePermission.query.filter(
|
||||||
func.upper(SysRolePermission.role_code) == role_code.upper(),
|
func.upper(SysRolePermission.role_code) == role_code.upper(),
|
||||||
SysRolePermission.type == 'menu'
|
SysRolePermission.type == 'menu'
|
||||||
@ -371,12 +372,14 @@ class AuthService:
|
|||||||
func.upper(SysRolePermission.role_code) == role_code.upper(),
|
func.upper(SysRolePermission.role_code) == role_code.upper(),
|
||||||
SysRolePermission.type == 'element'
|
SysRolePermission.type == 'element'
|
||||||
).all()
|
).all()
|
||||||
|
|
||||||
# 这里的 target_code 就是列的 code (如 unit_price)
|
|
||||||
# 为了防止不同页面有相同列名导致的混淆,我们之前数据库设计是做了隔离的
|
|
||||||
# 但为了前端处理方便,我们直接返回列的 code 集合
|
|
||||||
element_codes = [p.target_code for p in element_perms]
|
element_codes = [p.target_code for p in element_perms]
|
||||||
|
|
||||||
|
# 调试日志:输出查询结果便于排查字段权限问题
|
||||||
|
from flask import current_app
|
||||||
|
current_app.logger.info(
|
||||||
|
f"[权限查询] role={role_code}, 查询到菜单权限={menu_codes}, 元素权限={element_codes}"
|
||||||
|
)
|
||||||
|
|
||||||
return {
|
return {
|
||||||
'menus': menu_codes,
|
'menus': menu_codes,
|
||||||
'elements': element_codes
|
'elements': element_codes
|
||||||
|
|||||||
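Review bot: The new `current_app.logger.info(...)` call added after the `element_codes` line writes the complete menu and column permission map of a role at INFO level on every permission lookup, even though the new comment above it describes it as a debug log; that is per-request noise and gives anyone with log access the full authorization layout of each role. Lower it to `debug` and pass the values lazily so nothing is formatted when the level is off: `current_app.logger.debug("[权限查询] role=%s, menus=%s, elements=%s", role_code, menu_codes, element_codes)`. The function-scope `from flask import current_app` belongs in the module import block unless `current_app` is already imported there, which I cannot see from this hunk. The enclosing method starts above the hunk and the case-insensitive `func.upper(...)` role match is unchanged context, so the desensitization fix named in the commit title presumably lives elsewhere in the method; within this hunk only comments and logging change.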