feat: enforce field-level permissions for material creation and update

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>

inventory-backend/app/api/v1/auth.py

@@ -2,10 +2,56 @@
 from flask import Blueprint, request, jsonify, current_app
 from flask_jwt_extended import jwt_required, get_jwt
 from app.services.auth_service import AuthService
+from app.utils.decorators import permission_required
 
 auth_bp = Blueprint('auth', __name__)
 
 
+# ==============================================================================
+# 辅助函数：获取当前用户的完整权限列表（基于角色查询）
+# ==============================================================================
+def get_current_user_permissions():
+    """
+    返回当前用户拥有的所有权限码列表（包括菜单和元素）
+    此函数根据角色查询数据库得到权限。
+    """
+    claims = get_jwt()
+    user_role = claims.get('role')
+    if not user_role:
+        return []
+    # 超级管理员返回所有字段权限
+    if user_role == 'super_admin':
+        return ['system_user:*']
+    perm_dict = AuthService.get_user_permissions(user_role)
+    # 合并菜单和元素权限
+    perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
+    return perms
+
+
+def filter_item_by_permissions(item_dict, user_permissions):
+    """
+    根据用户权限过滤 item 字典，无权限的字段值置为 None
+    """
+    # 字段名到权限码的映射（与前端 permissionMap 保持一致）
+    field_to_perm = {
+        'id': 'system_user:id',
+        'username': 'system_user:username',
+        'account_id': 'system_user:account_id',
+        'email': 'system_user:email',
+        'department': 'system_user:department',
+        'role': 'system_user:role',
+        'status': 'system_user:status',
+        'created_at': 'system_user:created_at',
+    }
+    # 如果用户是超级管理员且有 'system_user:*'，则不过滤
+    if 'system_user:*' in user_permissions:
+        return item_dict
+    for field, perm_code in field_to_perm.items():
+        if field in item_dict and perm_code not in user_permissions:
+            item_dict[field] = None
+    return item_dict
+
+
 @auth_bp.route('/login', methods=['POST'])
 def login():
     try:
@@ -34,6 +80,7 @@ def login():
 
 @auth_bp.route('/user/create', methods=['POST'])
 @jwt_required()
+@permission_required('system_user:operation')
 def create_user():
     try:
         data = request.get_json()
@@ -51,6 +98,7 @@ def create_user():
 # [新增] 更新用户
 @auth_bp.route('/user/<int:user_id>', methods=['PUT'])
 @jwt_required()
+@permission_required('system_user:operation')
 def update_user(user_id):
     try:
         data = request.get_json()
@@ -67,10 +115,14 @@ def update_user(user_id):
 
 @auth_bp.route('/users', methods=['GET'])
 @jwt_required()
+@permission_required('system_user')
 def get_users():
     try:
         users = AuthService.get_all_users()
-        return jsonify({'msg': '获取成功', 'data': users}), 200
+        # 字段级脱敏
+        user_permissions = get_current_user_permissions()
+        filtered_users = [filter_item_by_permissions(user, user_permissions) for user in users]
+        return jsonify({'msg': '获取成功', 'data': filtered_users}), 200
     except Exception as e:
         current_app.logger.error(f"Get Users Failed: {str(e)}")
         return jsonify({'msg': '获取用户列表失败'}), 500
@@ -78,6 +130,7 @@ def get_users():
 
 @auth_bp.route('/user/<int:user_id>', methods=['DELETE'])
 @jwt_required()
+@permission_required('system_user:operation')
 def delete_user(user_id):
     try:
         claims = get_jwt()

inventory-backend/app/api/v1/inbound/base.py

@@ -170,7 +170,37 @@ def create():
         if not data:
             return jsonify({"code": 400, "msg": "No data provided"}), 400
 
-        MaterialBaseService.create_material(data)
+        # 获取当前用户权限
+        user_permissions = get_current_user_permissions()
+        # 字段到权限码的映射（与 filter_item_by_permissions 一致）
+        field_to_perm = {
+            'id': 'material_list:id',
+            'companyName': 'material_list:companyName',
+            'name': 'material_list:name',
+            'commonName': 'material_list:commonName',
+            'category': 'material_list:category',
+            'type': 'material_list:type',
+            'spec': 'material_list:spec',
+            'unit': 'material_list:unit',
+            'inventoryCount': 'material_list:inventoryCount',
+            'availableCount': 'material_list:availableCount',
+            'generalManual': 'material_list:files',
+            'generalImage': 'material_list:files',
+            'isEnabled': 'material_list:isEnabled'
+        }
+        # 过滤用户没有权限的字段
+        filtered_data = {}
+        for key, value in data.items():
+            if key in field_to_perm:
+                perm_code = field_to_perm[key]
+                if perm_code in user_permissions:
+                    filtered_data[key] = value
+                # 没有权限则跳过，不包含在 filtered_data 中
+            else:
+                # 不在映射中的字段，默认允许（例如 visibilityLevel）
+                filtered_data[key] = value
+
+        MaterialBaseService.create_material(filtered_data)
         return jsonify({"code": 200, "msg": "新增成功"})
     except ValueError as e:
         # 捕获业务逻辑验证错误 (如名称为空)
@@ -189,7 +219,37 @@ def create():
 def update(id):
     try:
         data = request.get_json()
-        MaterialBaseService.update_material(id, data)
+        # 获取当前用户权限
+        user_permissions = get_current_user_permissions()
+        # 字段到权限码的映射（与 filter_item_by_permissions 一致）
+        field_to_perm = {
+            'id': 'material_list:id',
+            'companyName': 'material_list:companyName',
+            'name': 'material_list:name',
+            'commonName': 'material_list:commonName',
+            'category': 'material_list:category',
+            'type': 'material_list:type',
+            'spec': 'material_list:spec',
+            'unit': 'material_list:unit',
+            'inventoryCount': 'material_list:inventoryCount',
+            'availableCount': 'material_list:availableCount',
+            'generalManual': 'material_list:files',
+            'generalImage': 'material_list:files',
+            'isEnabled': 'material_list:isEnabled'
+        }
+        # 过滤用户没有权限的字段
+        filtered_data = {}
+        for key, value in data.items():
+            if key in field_to_perm:
+                perm_code = field_to_perm[key]
+                if perm_code in user_permissions:
+                    filtered_data[key] = value
+                # 没有权限则跳过，不包含在 filtered_data 中
+            else:
+                # 不在映射中的字段，默认允许（例如 visibilityLevel）
+                filtered_data[key] = value
+        # 使用过滤后的数据调用服务
+        MaterialBaseService.update_material(id, filtered_data)
         return jsonify({"code": 200, "msg": "修改成功"})
     except Exception as e:
         traceback.print_exc()

inventory-web/src/views/material/list.vue

@@ -247,12 +247,12 @@
 
           <el-row>
             <el-col :span="12">
-              <el-form-item label="名称" prop="name">
+              <el-form-item label="名称" prop="name" v-if="hasFieldPermission('name')">
                 <el-input v-model="form.name" placeholder="内部名称" />
               </el-form-item>
             </el-col>
             <el-col :span="12">
-              <el-form-item label="俗名" prop="commonName">
+              <el-form-item label="俗名" prop="commonName" v-if="hasFieldPermission('commonName')">
                 <el-input v-model="form.commonName" placeholder="标准名称" />
               </el-form-item>
             </el-col>
@@ -260,7 +260,7 @@
 
           <el-row>
             <el-col :span="12">
-              <el-form-item label="所属公司" prop="companyName">
+              <el-form-item label="所属公司" prop="companyName" v-if="hasFieldPermission('companyName')">
                 <el-autocomplete
                     v-model="form.companyName"
                     :fetch-suggestions="querySearchCompany"
@@ -271,7 +271,7 @@
               </el-form-item>
             </el-col>
             <el-col :span="12">
-              <el-form-item label="类别" prop="category">
+              <el-form-item label="类别" prop="category" v-if="hasFieldPermission('category')">
                 <div style="display: flex; width: 100%; align-items: center;">
                   <el-cascader
                       v-model="tempCategoryPrefix"
@@ -299,7 +299,7 @@
 
           <el-row>
             <el-col :span="12">
-              <el-form-item label="类型" prop="type">
+              <el-form-item label="类型" prop="type" v-if="hasFieldPermission('type')">
                 <el-autocomplete
                     v-model="form.type"
                     :fetch-suggestions="querySearchType"
@@ -310,7 +310,7 @@
               </el-form-item>
             </el-col>
             <el-col :span="12">
-              <el-form-item label="规格型号" prop="spec">
+              <el-form-item label="规格型号" prop="spec" v-if="hasFieldPermission('spec')">
                 <el-input v-model="form.spec" placeholder="请输入规格型号" />
               </el-form-item>
             </el-col>
@@ -318,7 +318,7 @@
 
           <el-row>
             <el-col :span="12">
-              <el-form-item label="计量单位" prop="unit">
+              <el-form-item label="计量单位" prop="unit" v-if="hasFieldPermission('unit')">
                 <el-input v-model="form.unit" placeholder="如: 个, 台, 米" />
               </el-form-item>
             </el-col>
@@ -330,7 +330,7 @@
             </el-col>
           </el-row>
 
-          <el-form-item label="产品图" prop="generalImage">
+          <el-form-item label="产品图" prop="generalImage" v-if="hasFieldPermission('files')">
             <div class="upload-container">
               <el-upload
                   v-model:file-list="fileListImage"
@@ -358,7 +358,7 @@
             </el-input>
           </el-form-item>
 
-          <el-form-item label="说明书" prop="generalManual">
+          <el-form-item label="说明书" prop="generalManual" v-if="hasFieldPermission('files')">
             <div class="upload-container">
               <el-upload
                   v-model:file-list="fileListManual"
@@ -386,7 +386,7 @@
             </el-input>
           </el-form-item>
 
-          <el-form-item label="状态" prop="isEnabled">
+          <el-form-item label="状态" prop="isEnabled" v-if="hasFieldPermission('isEnabled')">
             <el-radio-group v-model="form.isEnabled">
               <el-radio :value="1">启用</el-radio>
               <el-radio :value="0">禁用</el-radio>
@@ -538,6 +538,19 @@ const initColumnPermissions = () => {
   });
 };
 
+// 检查字段权限（用于表单）
+const hasFieldPermission = (field: string) => {
+  if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
+    return true;
+  }
+  const code = permissionMap[field];
+  // 如果permissionMap中没有该字段，默认允许
+  if (!code) {
+    return true;
+  }
+  return userStore.hasPermission(code);
+};
+
 const companyOptions = ref<string[]>([]);
 const categoryOptions = ref<string[]>([]);
 const typeOptions = ref<string[]>([]);

inventory-web/src/views/system/UserCreate.vue

@@ -4,7 +4,7 @@
       <template #header>
         <div class="card-header">
           <span style="font-weight: bold;">员工账号管理</span>
-          <el-button type="primary" @click="handleCreate">
+          <el-button v-if="userStore.hasPermission('system_user:operation')" type="primary" @click="handleCreate">
             + 新增员工
           </el-button>
         </div>
@@ -16,23 +16,33 @@
           border
           style="width: 100%"
       >
-        <el-table-column prop="username" label="用户标识" min-width="180" />
+        <el-table-column v-if="hasColumnPermission('username')" prop="username" label="用户标识" min-width="180" />
 
-        <el-table-column prop="department" label="所属部门" width="150">
+        <el-table-column v-if="hasColumnPermission('department')" prop="department" label="所属部门" width="150">
           <template #default="scope">
             <el-tag>{{ scope.row.department }}</el-tag>
           </template>
         </el-table-column>
 
-        <el-table-column prop="role" label="系统角色" width="180">
+        <el-table-column v-if="hasColumnPermission('role')" prop="role" label="系统角色" width="180">
           <template #default="scope">
             {{ formatRole(scope.row.role) }}
           </template>
         </el-table-column>
 
-        <el-table-column prop="email" label="邮箱" min-width="200" />
+        <el-table-column v-if="hasColumnPermission('email')" prop="email" label="邮箱" min-width="200" />
 
-        <el-table-column label="操作" width="180" fixed="right">
+        <el-table-column v-if="hasColumnPermission('status')" prop="status" label="状态" width="100" align="center">
+          <template #default="scope">
+            <el-tag :type="scope.row.status === 'active' ? 'success' : 'danger'">
+              {{ scope.row.status === 'active' ? '启用' : '禁用' }}
+            </el-tag>
+          </template>
+        </el-table-column>
+
+        <el-table-column v-if="hasColumnPermission('created_at')" prop="created_at" label="创建时间" width="160" />
+
+        <el-table-column v-if="userStore.hasPermission('system_user:operation')" label="操作" width="180" fixed="right">
           <template #default="scope">
             <el-button link type="primary" size="small" @click="handleEdit(scope.row)">编辑</el-button>
             <el-popconfirm title="确定要删除该用户吗？" @confirm="handleDelete(scope.row)">
@@ -61,7 +71,7 @@
           <el-input
               v-model="form.cn_name"
               placeholder="请输入中文姓名 (如: 张三)"
-              :disabled="isEdit"
+              :disabled="isEdit || !userStore.hasPermission('system_user:operation')"
               @input="handleNameInput"
           />
         </el-form-item>
@@ -70,7 +80,7 @@
           <el-input
               v-model="form.username"
               placeholder="自动生成，可修改 (如: zhangsan)"
-              :disabled="isEdit"
+              :disabled="isEdit || !userStore.hasPermission('system_user:operation')"
           >
             <template #append>
               <span v-if="!isEdit" style="font-size: 12px; color: #999;">重复自动+1</span>
@@ -84,6 +94,7 @@
               type="password"
               show-password
               :placeholder="isEdit ? '不修改请留空' : '设置初始密码'"
+              :disabled="!userStore.hasPermission('system_user:operation')"
           />
         </el-form-item>
 
@@ -95,13 +106,14 @@
               filterable
               allow-create
               default-first-option
+              :disabled="!userStore.hasPermission('system_user:operation')"
           >
             <el-option v-for="item in departmentOptions" :key="item" :label="item" :value="item" />
           </el-select>
         </el-form-item>
 
         <el-form-item label="系统角色" prop="role">
-          <el-select v-model="form.role" placeholder="授予权限" style="width: 100%">
+          <el-select v-model="form.role" placeholder="授予权限" style="width: 100%" :disabled="!userStore.hasPermission('system_user:operation')">
             <el-option
                 v-for="option in roleOptions"
                 :key="option.value"
@@ -112,14 +124,14 @@
         </el-form-item>
 
         <el-form-item label="邮箱" prop="email">
-          <el-input v-model="form.email" placeholder="请输入邮箱" />
+          <el-input v-model="form.email" placeholder="请输入邮箱" :disabled="!userStore.hasPermission('system_user:operation')" />
         </el-form-item>
       </el-form>
 
       <template #footer>
         <div class="dialog-footer">
           <el-button @click="dialogVisible = false">取消</el-button>
-          <el-button type="primary" @click="onSubmit" :loading="submitLoading">
+          <el-button v-if="userStore.hasPermission('system_user:operation')" type="primary" @click="onSubmit" :loading="submitLoading">
             {{ isEdit ? '确认修改' : '确认创建' }}
           </el-button>
         </div>
@@ -136,6 +148,25 @@ import { ElMessage } from 'element-plus'
 import { pinyin } from 'pinyin-pro' // ★ 务必安装: npm install pinyin-pro
 
 const userStore = useUserStore()
+
+// 列与权限Code的映射关系（数据库中的code）
+const permissionMap: Record<string, string> = {
+  username: 'system_user:username',
+  department: 'system_user:department',
+  role: 'system_user:role',
+  email: 'system_user:email',
+  status: 'system_user:status',
+  created_at: 'system_user:created_at',
+}
+
+// 检查列权限
+const hasColumnPermission = (prop: string) => {
+  if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
+    return true
+  }
+  const code = permissionMap[prop]
+  return code ? userStore.hasPermission(code) : false
+}
 const tableLoading = ref(false)
 const submitLoading = ref(false)
 const dialogVisible = ref(false)
@@ -241,6 +272,7 @@ const getList = async () => {
     tableData.value = res.data || []
     extractDepartments(tableData.value)
   } catch (error) {
+    // 错误已由全局拦截器统一处理
     console.error('Fetch users failed:', error)
   } finally {
     tableLoading.value = false
@@ -317,7 +349,7 @@ const onSubmit = async () => {
         dialogVisible.value = false
         getList()
       } catch (error) {
-        // request 拦截器会处理错误
+        // 错误已由全局拦截器统一处理
       } finally {
         submitLoading.value = false
       }
@@ -342,6 +374,7 @@ const handleDelete = async (row: any) => {
     ElMessage.success('删除成功')
     getList()
   } catch (error) {
+    // 错误已由全局拦截器统一处理
   }
 }