duxingchen/KCGL
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: duxingchen:3f83e8742b5a64c807f7c43425bfbb1349fd5335
Branches Tags
duxingchen:master duxingchen:2.0权限管理 duxingchen:1.0入库操作 duxingchen:1.0
...
compare: duxingchen:079987e7f3466f3cc53b66b47ed41e651d76cd87
Branches Tags
duxingchen:2.0权限管理 duxingchen:1.0入库操作 duxingchen:master duxingchen:1.0

3 Commits
3f83e8742b ... 079987e7f3

Author SHA1 Message Date
dxc
079987e7f3 feat: enforce field-level permissions for material creation and update 
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 14:41:27 +08:00
dxc
00c45c72fb inventory-web/src/views/system/UserCreate.vue 
```vue
<<<<<<< SEARCH
          <el-button type="primary" @click="handleCreate">
            + 新增员工
          </el-button>
=======
          <el-button v-if="userStore.hasPermission('system_user:operation')" type="primary" @click="handleCreate">
            + 新增员工
          </el-button>
>>>>>>> REPLACE
```

Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 14:34:48 +08:00
dxc
6fa5233ea6 feat: implement RBAC and field masking for system_user module 
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 14:28:48 +08:00
4 changed files with 186 additions and 27 deletions
Expand all files Collapse all files

57
inventory-backend/app/api/v1/auth.py
View File

@ -2,10 +2,56 @@
from flask import Blueprint, request, jsonify, current_app
from flask_jwt_extended import jwt_required, get_jwt
from app.services.auth_service import AuthService
from app.utils.decorators import permission_required
auth_bp = Blueprint('auth', __name__)
# ==============================================================================
# 辅助函数:获取当前用户的完整权限列表(基于角色查询)
# ==============================================================================
def get_current_user_permissions():
"""
返回当前用户拥有的所有权限码列表(包括菜单和元素)
此函数根据角色查询数据库得到权限。
"""
claims = get_jwt()
user_role = claims.get('role')
if not user_role:
return []
# 超级管理员返回所有字段权限
if user_role == 'super_admin':
return ['system_user:*']
perm_dict = AuthService.get_user_permissions(user_role)
# 合并菜单和元素权限
perms = perm_dict.get('menus', []) + perm_dict.get('elements', [])
return perms
def filter_item_by_permissions(item_dict, user_permissions):
"""
根据用户权限过滤 item 字典,无权限的字段值置为 None
"""
# 字段名到权限码的映射(与前端 permissionMap 保持一致)
field_to_perm = {
'id': 'system_user:id',
'username': 'system_user:username',
'account_id': 'system_user:account_id',
'email': 'system_user:email',
'department': 'system_user:department',
'role': 'system_user:role',
'status': 'system_user:status',
'created_at': 'system_user:created_at',
}
# 如果用户是超级管理员且有 'system_user:*',则不过滤
if 'system_user:*' in user_permissions:
return item_dict
for field, perm_code in field_to_perm.items():
if field in item_dict and perm_code not in user_permissions:
item_dict[field] = None
return item_dict
@auth_bp.route('/login', methods=['POST'])
def login():
try:
@ -34,6 +80,7 @@ def login():
@auth_bp.route('/user/create', methods=['POST'])
@jwt_required()
@permission_required('system_user:operation')
def create_user():
try:
data = request.get_json()
@ -51,6 +98,7 @@ def create_user():
# [新增] 更新用户
@auth_bp.route('/user/<int:user_id>', methods=['PUT'])
@jwt_required()
@permission_required('system_user:operation')
def update_user(user_id):
try:
data = request.get_json()
@ -67,10 +115,14 @@ def update_user(user_id):
@auth_bp.route('/users', methods=['GET'])
@jwt_required()
@permission_required('system_user')
def get_users():
try:
users = AuthService.get_all_users()
return jsonify({'msg': '获取成功', 'data': users}), 200
# 字段级脱敏
user_permissions = get_current_user_permissions()
filtered_users = [filter_item_by_permissions(user, user_permissions) for user in users]
return jsonify({'msg': '获取成功', 'data': filtered_users}), 200
except Exception as e:
current_app.logger.error(f"Get Users Failed: {str(e)}")
return jsonify({'msg': '获取用户列表失败'}), 500
@ -78,6 +130,7 @@ def get_users():
@auth_bp.route('/user/<int:user_id>', methods=['DELETE'])
@jwt_required()
@permission_required('system_user:operation')
def delete_user(user_id):
try:
claims = get_jwt()
@ -104,4 +157,4 @@ def get_my_permissions():
return jsonify({'msg': '获取成功', 'data': permissions}), 200
except Exception as e:
current_app.logger.error(f"Get Permissions Failed: {str(e)}")
return jsonify({'msg': '获取权限失败'}), 500
return jsonify({'msg': '获取权限失败'}), 500

64
inventory-backend/app/api/v1/inbound/base.py
View File

@ -170,7 +170,37 @@ def create():
if not data:
return jsonify({"code": 400, "msg": "No data provided"}), 400
MaterialBaseService.create_material(data)
# 获取当前用户权限
user_permissions = get_current_user_permissions()
# 字段到权限码的映射(与 filter_item_by_permissions 一致)
field_to_perm = {
'id': 'material_list:id',
'companyName': 'material_list:companyName',
'name': 'material_list:name',
'commonName': 'material_list:commonName',
'category': 'material_list:category',
'type': 'material_list:type',
'spec': 'material_list:spec',
'unit': 'material_list:unit',
'inventoryCount': 'material_list:inventoryCount',
'availableCount': 'material_list:availableCount',
'generalManual': 'material_list:files',
'generalImage': 'material_list:files',
'isEnabled': 'material_list:isEnabled'
}
# 过滤用户没有权限的字段
filtered_data = {}
for key, value in data.items():
if key in field_to_perm:
perm_code = field_to_perm[key]
if perm_code in user_permissions:
filtered_data[key] = value
# 没有权限则跳过,不包含在 filtered_data 中
else:
# 不在映射中的字段,默认允许(例如 visibilityLevel
filtered_data[key] = value
MaterialBaseService.create_material(filtered_data)
return jsonify({"code": 200, "msg": "新增成功"})
except ValueError as e:
# 捕获业务逻辑验证错误 (如名称为空)
@ -189,7 +219,37 @@ def create():
def update(id):
try:
data = request.get_json()
MaterialBaseService.update_material(id, data)
# 获取当前用户权限
user_permissions = get_current_user_permissions()
# 字段到权限码的映射(与 filter_item_by_permissions 一致)
field_to_perm = {
'id': 'material_list:id',
'companyName': 'material_list:companyName',
'name': 'material_list:name',
'commonName': 'material_list:commonName',
'category': 'material_list:category',
'type': 'material_list:type',
'spec': 'material_list:spec',
'unit': 'material_list:unit',
'inventoryCount': 'material_list:inventoryCount',
'availableCount': 'material_list:availableCount',
'generalManual': 'material_list:files',
'generalImage': 'material_list:files',
'isEnabled': 'material_list:isEnabled'
}
# 过滤用户没有权限的字段
filtered_data = {}
for key, value in data.items():
if key in field_to_perm:
perm_code = field_to_perm[key]
if perm_code in user_permissions:
filtered_data[key] = value
# 没有权限则跳过,不包含在 filtered_data 中
else:
# 不在映射中的字段,默认允许(例如 visibilityLevel
filtered_data[key] = value
# 使用过滤后的数据调用服务
MaterialBaseService.update_material(id, filtered_data)
return jsonify({"code": 200, "msg": "修改成功"})
except Exception as e:
traceback.print_exc()

33
inventory-web/src/views/material/list.vue
View File

@ -247,12 +247,12 @@
<el-row>
<el-col :span="12">
<el-form-item label="名称" prop="name">
<el-form-item label="名称" prop="name" v-if="hasFieldPermission('name')">
<el-input v-model="form.name" placeholder="内部名称" />
</el-form-item>
</el-col>
<el-col :span="12">
<el-form-item label="俗名" prop="commonName">
<el-form-item label="俗名" prop="commonName" v-if="hasFieldPermission('commonName')">
<el-input v-model="form.commonName" placeholder="标准名称" />
</el-form-item>
</el-col>
@ -260,7 +260,7 @@
<el-row>
<el-col :span="12">
<el-form-item label="所属公司" prop="companyName">
<el-form-item label="所属公司" prop="companyName" v-if="hasFieldPermission('companyName')">
<el-autocomplete
v-model="form.companyName"
:fetch-suggestions="querySearchCompany"
@ -271,7 +271,7 @@
</el-form-item>
</el-col>
<el-col :span="12">
<el-form-item label="类别" prop="category">
<el-form-item label="类别" prop="category" v-if="hasFieldPermission('category')">
<div style="display: flex; width: 100%; align-items: center;">
<el-cascader
v-model="tempCategoryPrefix"
@ -299,7 +299,7 @@
<el-row>
<el-col :span="12">
<el-form-item label="类型" prop="type">
<el-form-item label="类型" prop="type" v-if="hasFieldPermission('type')">
<el-autocomplete
v-model="form.type"
:fetch-suggestions="querySearchType"
@ -310,7 +310,7 @@
</el-form-item>
</el-col>
<el-col :span="12">
<el-form-item label="规格型号" prop="spec">
<el-form-item label="规格型号" prop="spec" v-if="hasFieldPermission('spec')">
<el-input v-model="form.spec" placeholder="请输入规格型号" />
</el-form-item>
</el-col>
@ -318,7 +318,7 @@
<el-row>
<el-col :span="12">
<el-form-item label="计量单位" prop="unit">
<el-form-item label="计量单位" prop="unit" v-if="hasFieldPermission('unit')">
<el-input v-model="form.unit" placeholder=": , , " />
</el-form-item>
</el-col>
@ -330,7 +330,7 @@
</el-col>
</el-row>
<el-form-item label="产品图" prop="generalImage">
<el-form-item label="产品图" prop="generalImage" v-if="hasFieldPermission('files')">
<div class="upload-container">
<el-upload
v-model:file-list="fileListImage"
@ -358,7 +358,7 @@
</el-input>
</el-form-item>
<el-form-item label="说明书" prop="generalManual">
<el-form-item label="说明书" prop="generalManual" v-if="hasFieldPermission('files')">
<div class="upload-container">
<el-upload
v-model:file-list="fileListManual"
@ -386,7 +386,7 @@
</el-input>
</el-form-item>
<el-form-item label="状态" prop="isEnabled">
<el-form-item label="状态" prop="isEnabled" v-if="hasFieldPermission('isEnabled')">
<el-radio-group v-model="form.isEnabled">
<el-radio :value="1">启用</el-radio>
<el-radio :value="0">禁用</el-radio>
@ -538,6 +538,19 @@ const initColumnPermissions = () => {
});
};
// 检查字段权限(用于表单)
const hasFieldPermission = (field: string) => {
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true;
}
const code = permissionMap[field];
// 如果permissionMap中没有该字段默认允许
if (!code) {
return true;
}
return userStore.hasPermission(code);
};
const companyOptions = ref<string[]>([]);
const categoryOptions = ref<string[]>([]);
const typeOptions = ref<string[]>([]);

59
inventory-web/src/views/system/UserCreate.vue
View File

@ -4,7 +4,7 @@
<template #header>
<div class="card-header">
<span style="font-weight: bold;">员工账号管理</span>
<el-button type="primary" @click="handleCreate">
<el-button v-if="userStore.hasPermission('system_user:operation')" type="primary" @click="handleCreate">
+ 新增员工
</el-button>
</div>
@ -16,23 +16,33 @@
border
style="width: 100%"
>
<el-table-column prop="username" label="用户标识" min-width="180" />
<el-table-column v-if="hasColumnPermission('username')" prop="username" label="用户标识" min-width="180" />
<el-table-column prop="department" label="所属部门" width="150">
<el-table-column v-if="hasColumnPermission('department')" prop="department" label="所属部门" width="150">
<template #default="scope">
<el-tag>{{ scope.row.department }}</el-tag>
</template>
</el-table-column>
<el-table-column prop="role" label="系统角色" width="180">
<el-table-column v-if="hasColumnPermission('role')" prop="role" label="系统角色" width="180">
<template #default="scope">
{{ formatRole(scope.row.role) }}
</template>
</el-table-column>
<el-table-column prop="email" label="邮箱" min-width="200" />
<el-table-column v-if="hasColumnPermission('email')" prop="email" label="邮箱" min-width="200" />
<el-table-column label="操作" width="180" fixed="right">
<el-table-column v-if="hasColumnPermission('status')" prop="status" label="状态" width="100" align="center">
<template #default="scope">
<el-tag :type="scope.row.status === 'active' ? 'success' : 'danger'">
{{ scope.row.status === 'active' ? '启用' : '禁用' }}
</el-tag>
</template>
</el-table-column>
<el-table-column v-if="hasColumnPermission('created_at')" prop="created_at" label="创建时间" width="160" />
<el-table-column v-if="userStore.hasPermission('system_user:operation')" label="操作" width="180" fixed="right">
<template #default="scope">
<el-button link type="primary" size="small" @click="handleEdit(scope.row)">编辑</el-button>
<el-popconfirm title="确定要删除该用户吗?" @confirm="handleDelete(scope.row)">
@ -61,7 +71,7 @@
<el-input
v-model="form.cn_name"
placeholder="请输入中文姓名 (如: 张三)"
:disabled="isEdit"
:disabled="isEdit || !userStore.hasPermission('system_user:operation')"
@input="handleNameInput"
/>
</el-form-item>
@ -70,7 +80,7 @@
<el-input
v-model="form.username"
placeholder="自动生成,可修改 (如: zhangsan)"
:disabled="isEdit"
:disabled="isEdit || !userStore.hasPermission('system_user:operation')"
>
<template #append>
<span v-if="!isEdit" style="font-size: 12px; color: #999;">重复自动+1</span>
@ -84,6 +94,7 @@
type="password"
show-password
:placeholder="isEdit ? '不修改请留空' : '设置初始密码'"
:disabled="!userStore.hasPermission('system_user:operation')"
/>
</el-form-item>
@ -95,13 +106,14 @@
filterable
allow-create
default-first-option
:disabled="!userStore.hasPermission('system_user:operation')"
>
<el-option v-for="item in departmentOptions" :key="item" :label="item" :value="item" />
</el-select>
</el-form-item>
<el-form-item label="系统角色" prop="role">
<el-select v-model="form.role" placeholder="授予权限" style="width: 100%">
<el-select v-model="form.role" placeholder="授予权限" style="width: 100%" :disabled="!userStore.hasPermission('system_user:operation')">
<el-option
v-for="option in roleOptions"
:key="option.value"
@ -112,14 +124,14 @@
</el-form-item>
<el-form-item label="邮箱" prop="email">
<el-input v-model="form.email" placeholder="请输入邮箱" />
<el-input v-model="form.email" placeholder="请输入邮箱" :disabled="!userStore.hasPermission('system_user:operation')" />
</el-form-item>
</el-form>
<template #footer>
<div class="dialog-footer">
<el-button @click="dialogVisible = false">取消</el-button>
<el-button type="primary" @click="onSubmit" :loading="submitLoading">
<el-button v-if="userStore.hasPermission('system_user:operation')" type="primary" @click="onSubmit" :loading="submitLoading">
{{ isEdit ? '确认修改' : '确认创建' }}
</el-button>
</div>
@ -136,6 +148,25 @@ import { ElMessage } from 'element-plus'
import { pinyin } from 'pinyin-pro' // ★ 务必安装: npm install pinyin-pro
const userStore = useUserStore()
// 列与权限Code的映射关系数据库中的code
const permissionMap: Record<string, string> = {
username: 'system_user:username',
department: 'system_user:department',
role: 'system_user:role',
email: 'system_user:email',
status: 'system_user:status',
created_at: 'system_user:created_at',
}
// 检查列权限
const hasColumnPermission = (prop: string) => {
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true
}
const code = permissionMap[prop]
return code ? userStore.hasPermission(code) : false
}
const tableLoading = ref(false)
const submitLoading = ref(false)
const dialogVisible = ref(false)
@ -241,6 +272,7 @@ const getList = async () => {
tableData.value = res.data || []
extractDepartments(tableData.value)
} catch (error) {
// 错误已由全局拦截器统一处理
console.error('Fetch users failed:', error)
} finally {
tableLoading.value = false
@ -317,7 +349,7 @@ const onSubmit = async () => {
dialogVisible.value = false
getList()
} catch (error) {
// request 拦截器会处理错误
// 错误已由全局拦截器统一处理
} finally {
submitLoading.value = false
}
@ -342,6 +374,7 @@ const handleDelete = async (row: any) => {
ElMessage.success('删除成功')
getList()
} catch (error) {
// 错误已由全局拦截器统一处理
}
}
@ -378,4 +411,4 @@ onMounted(() => {
text-align: right;
margin-top: 20px;
}
</style>
</style>