duxingchen/KCGL
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: duxingchen:5bc3dab31cd12ddc442e5ff2dedbe132938c7cab
Branches Tags
duxingchen:master duxingchen:2.0权限管理 duxingchen:1.0入库操作 duxingchen:1.0
..
compare: duxingchen:4324e5a688a62c4526e29e6a5c7c60cdbbe7cc03
Branches Tags
duxingchen:2.0权限管理 duxingchen:1.0入库操作 duxingchen:master duxingchen:1.0

3 Commits
5bc3dab31c ... 4324e5a688

Author SHA1 Message Date
dxc
4324e5a688 feat: add field-level data protection for BOM and user management 
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 15:16:11 +08:00
dxc
1fe00a8ba3 feat: Add field permission checks to outbound and transaction APIs 
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 15:11:10 +08:00
dxc
afcf90a859 feat: enforce field-level permissions for buy and service modules 
Co-authored-by: aider (openai/DeepSeek-V3.2-Thinking) <aider@aider.chat>
 2026-02-27 15:03:44 +08:00
10 changed files with 459 additions and 29 deletions
Expand all files Collapse all files

50
inventory-backend/app/api/v1/auth.py
View File

@ -84,6 +84,32 @@ def login():
def create_user(): def create_user():
try: try:
data = request.get_json() data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'system_user:*' not in user_permissions:
# 字段名到权限码的映射
field_to_perm = {
'cn_name': 'system_user:username',
'username': 'system_user:username',
'password': 'system_user:password',
'department': 'system_user:department',
'role': 'system_user:role',
'email': 'system_user:email',
}
# 对于 password 字段,如果没有对应权限但用户有操作权限,可以保留(由装饰器保证)
# 但如果连操作权限都没有,则不会进入此接口。
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
# 密码字段特殊处理:如果没有 password 权限但用户有操作权限,仍允许(不删除)
if field == 'password':
# 检查用户是否有操作权限,如果有则保留
if 'system_user:operation' not in user_permissions:
data.pop(field, None)
continue
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
claims = get_jwt() claims = get_jwt()
operator_role = claims.get('role') operator_role = claims.get('role')
@ -102,6 +128,30 @@ def create_user():
def update_user(user_id): def update_user(user_id):
try: try:
data = request.get_json() data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'system_user:*' not in user_permissions:
# 字段名到权限码的映射
field_to_perm = {
'cn_name': 'system_user:username',
'username': 'system_user:username',
'password': 'system_user:password',
'department': 'system_user:department',
'role': 'system_user:role',
'email': 'system_user:email',
}
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
# 密码字段特殊处理:如果没有 password 权限但用户有操作权限,仍允许(不删除)
if field == 'password':
# 检查用户是否有操作权限,如果有则保留
if 'system_user:operation' not in user_permissions:
data.pop(field, None)
continue
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
claims = get_jwt() claims = get_jwt()
operator_role = claims.get('role') operator_role = claims.get('role')

60
inventory-backend/app/api/v1/bom.py
View File

@ -113,6 +113,36 @@ def save_bom():
"""保存或更新 BOM 配方(支持自定义 bom_no 和 多版本)""" """保存或更新 BOM 配方(支持自定义 bom_no 和 多版本)"""
try: try:
req_data = request.get_json() req_data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'bom_manage:*' not in user_permissions:
# 字段名到权限码的映射
field_to_perm = {
'parent_id': 'bom_manage:parent_id',
'version': 'bom_manage:version',
'is_enabled': 'bom_manage:status',
'bom_no': 'bom_manage:bom_no',
}
# 清洗顶级字段
for field in list(req_data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
req_data.pop(field, None)
# 清洗 children 中的字段
if 'children' in req_data and isinstance(req_data['children'], list):
for child in req_data['children']:
# 子件字段映射
child_field_to_perm = {
'child_id': 'bom_manage:child_id',
'dosage': 'bom_manage:dosage',
'remark': 'bom_manage:remark',
}
for field in list(child.keys()):
perm_code = child_field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
child.pop(field, None)
# 必需字段校验 # 必需字段校验
if 'parent_id' not in req_data or 'children' not in req_data: if 'parent_id' not in req_data or 'children' not in req_data:
return jsonify({'code': 400, 'msg': '缺少 parent_id 或 children 字段'}), 400 return jsonify({'code': 400, 'msg': '缺少 parent_id 或 children 字段'}), 400
@ -216,6 +246,36 @@ def get_bom(parent_id):
def save_bom_legacy(): def save_bom_legacy():
try: try:
req_data = request.get_json() req_data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'bom_manage:*' not in user_permissions:
# 字段名到权限码的映射
field_to_perm = {
'parent_id': 'bom_manage:parent_id',
'version': 'bom_manage:version',
'is_enabled': 'bom_manage:status',
'bom_no': 'bom_manage:bom_no',
}
# 清洗顶级字段
for field in list(req_data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
req_data.pop(field, None)
# 清洗 children 中的字段
if 'children' in req_data and isinstance(req_data['children'], list):
for child in req_data['children']:
# 子件字段映射
child_field_to_perm = {
'child_id': 'bom_manage:child_id',
'dosage': 'bom_manage:dosage',
'remark': 'bom_manage:remark',
}
for field in list(child.keys()):
perm_code = child_field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
child.pop(field, None)
parent_id = req_data.get('parent_id') parent_id = req_data.get('parent_id')
child_list = req_data.get('children', []) child_list = req_data.get('children', [])
if not parent_id or not isinstance(child_list, list): if not parent_id or not isinstance(child_list, list):

89
inventory-backend/app/api/v1/inbound/buy.py
View File

@ -145,6 +145,51 @@ def submit():
if not data: if not data:
return jsonify({"code": 400, "msg": "No data"}), 400 return jsonify({"code": 400, "msg": "No data"}), 400
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'inbound_buy:*' not in user_permissions:
# 字段名到权限码的映射(与前端 permissionMap 保持一致)
field_to_perm = {
'id': 'inbound_buy:id',
'base_id': 'inbound_buy:base_id',
'global_print_id': 'inbound_buy:global_print_id',
'sku': 'inbound_buy:sku',
'barcode': 'inbound_buy:barcode',
'in_date': 'inbound_buy:in_date',
'serial_number': 'inbound_buy:serial_number',
'batch_number': 'inbound_buy:batch_number',
'status': 'inbound_buy:status',
'in_quantity': 'inbound_buy:in_quantity',
'stock_quantity': 'inbound_buy:stock_quantity',
'available_quantity': 'inbound_buy:available_quantity',
'inspection_status': 'inbound_buy:inspection_status',
'warehouse_location': 'inbound_buy:warehouse_location',
'unit_price': 'inbound_buy:unit_price',
'tax_rate': 'inbound_buy:tax_rate',
'total_price': 'inbound_buy:total_price',
'currency': 'inbound_buy:currency',
'exchange_rate': 'inbound_buy:exchange_rate',
'supplier_name': 'inbound_buy:supplier_name',
'buyer_name': 'inbound_buy:buyer_name',
'buyer_email': 'inbound_buy:buyer_email',
'original_link': 'inbound_buy:original_link',
'detail_link': 'inbound_buy:detail_link',
'arrival_photo': 'inbound_buy:arrival_photo',
'inspection_report': 'inbound_buy:inspection_report',
'material_name': 'inbound_buy:material_name',
'spec_model': 'inbound_buy:spec_model',
'category': 'inbound_buy:category',
'unit': 'inbound_buy:unit',
'material_type': 'inbound_buy:material_type',
'company_name': 'inbound_buy:company_name',
}
# 复制一份,避免遍历时修改字典
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
new_stock = BuyInboundService.handle_inbound(data) new_stock = BuyInboundService.handle_inbound(data)
return jsonify({ return jsonify({
@ -165,6 +210,50 @@ def submit():
def update_buy(id): def update_buy(id):
try: try:
data = request.get_json() data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'inbound_buy:*' not in user_permissions:
field_to_perm = {
'id': 'inbound_buy:id',
'base_id': 'inbound_buy:base_id',
'global_print_id': 'inbound_buy:global_print_id',
'sku': 'inbound_buy:sku',
'barcode': 'inbound_buy:barcode',
'in_date': 'inbound_buy:in_date',
'serial_number': 'inbound_buy:serial_number',
'batch_number': 'inbound_buy:batch_number',
'status': 'inbound_buy:status',
'in_quantity': 'inbound_buy:in_quantity',
'stock_quantity': 'inbound_buy:stock_quantity',
'available_quantity': 'inbound_buy:available_quantity',
'inspection_status': 'inbound_buy:inspection_status',
'warehouse_location': 'inbound_buy:warehouse_location',
'unit_price': 'inbound_buy:unit_price',
'tax_rate': 'inbound_buy:tax_rate',
'total_price': 'inbound_buy:total_price',
'currency': 'inbound_buy:currency',
'exchange_rate': 'inbound_buy:exchange_rate',
'supplier_name': 'inbound_buy:supplier_name',
'buyer_name': 'inbound_buy:buyer_name',
'buyer_email': 'inbound_buy:buyer_email',
'original_link': 'inbound_buy:original_link',
'detail_link': 'inbound_buy:detail_link',
'arrival_photo': 'inbound_buy:arrival_photo',
'inspection_report': 'inbound_buy:inspection_report',
'material_name': 'inbound_buy:material_name',
'spec_model': 'inbound_buy:spec_model',
'category': 'inbound_buy:category',
'unit': 'inbound_buy:unit',
'material_type': 'inbound_buy:material_type',
'company_name': 'inbound_buy:company_name',
}
# 复制一份,避免遍历时修改字典
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
BuyInboundService.update_inbound(id, data) BuyInboundService.update_inbound(id, data)
return jsonify({"code": 200, "msg": "更新成功"}) return jsonify({"code": 200, "msg": "更新成功"})
except Exception as e: except Exception as e:

50
inventory-backend/app/api/v1/inbound/service.py
View File

@ -118,6 +118,31 @@ def create_service():
if not data: if not data:
return jsonify({'code': 400, 'msg': '请求数据为空'}), 400 return jsonify({'code': 400, 'msg': '请求数据为空'}), 400
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'inbound_service:*' not in user_permissions:
# 字段名到权限码的映射(与前端 permissionMap 保持一致)
field_to_perm = {
'id': 'inbound_service:id',
'base_id': 'inbound_service:base_id',
'sku': 'inbound_service:sku',
'material_name': 'inbound_service:material_name',
'provider_name': 'inbound_service:provider_name',
'sale_price': 'inbound_service:sale_price',
'description': 'inbound_service:description',
'created_at': 'inbound_service:created_at',
'material_type': 'inbound_service:material_type',
'category': 'inbound_service:category',
'spec_model': 'inbound_service:spec_model',
'unit': 'inbound_service:unit',
}
# 复制一份,避免遍历时修改字典
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
# 基础校验 # 基础校验
if not data.get('base_id'): if not data.get('base_id'):
return jsonify({'code': 400, 'msg': '请选择基础物料'}), 400 return jsonify({'code': 400, 'msg': '请选择基础物料'}), 400
@ -169,6 +194,31 @@ def update_service(service_id):
if not data: if not data:
return jsonify({'code': 400, 'msg': '请求数据为空'}), 400 return jsonify({'code': 400, 'msg': '请求数据为空'}), 400
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'inbound_service:*' not in user_permissions:
# 字段名到权限码的映射(与前端 permissionMap 保持一致)
field_to_perm = {
'id': 'inbound_service:id',
'base_id': 'inbound_service:base_id',
'sku': 'inbound_service:sku',
'material_name': 'inbound_service:material_name',
'provider_name': 'inbound_service:provider_name',
'sale_price': 'inbound_service:sale_price',
'description': 'inbound_service:description',
'created_at': 'inbound_service:created_at',
'material_type': 'inbound_service:material_type',
'category': 'inbound_service:category',
'spec_model': 'inbound_service:spec_model',
'unit': 'inbound_service:unit',
}
# 复制一份,避免遍历时修改字典
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
# 允许更新的字段 # 允许更新的字段
allowed_fields = { allowed_fields = {
'sale_price', 'provider_name', 'description', 'sale_price', 'provider_name', 'description',

38
inventory-backend/app/api/v1/outbound.py
View File

@ -143,6 +143,44 @@ def create_outbound():
if not data.get('consumer_name') or not data.get('signature_path'): if not data.get('consumer_name') or not data.get('signature_path'):
return jsonify({'code': 400, 'msg': '领用人及签名信息缺失'}), 400 return jsonify({'code': 400, 'msg': '领用人及签名信息缺失'}), 400
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if 'outbound_list:*' not in user_permissions:
# 字段名到权限码的映射(与前端 permissionMap 保持一致)
field_to_perm = {
'outbound_no': 'outbound_list:outbound_no',
'outbound_time': 'outbound_list:outbound_time',
'outbound_type': 'outbound_list:outbound_type',
'total_amount': 'outbound_list:total_amount',
'consumer_name': 'outbound_list:consumer_name',
'operator_name': 'outbound_list:operator_name',
'remark': 'outbound_list:remark',
'signature_path': 'outbound_list:signature_path',
# 明细字段
'sku': 'outbound_list:sku',
'name': 'outbound_list:name',
'material_type': 'outbound_list:material_type',
'category': 'outbound_list:category',
'spec_model': 'outbound_list:spec_model',
'quantity': 'outbound_list:quantity',
'unit_price': 'outbound_list:unit_price',
'price': 'outbound_list:unit_price', # 兼容 price 字段
'subtotal': 'outbound_list:subtotal',
}
# 清洗顶层字段
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
# 清洗 items 中的每个商品字段
if 'items' in data and isinstance(data['items'], list):
for item in data['items']:
for field in list(item.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
item.pop(field, None)
try: try:
# ★ [修改] 调用批量创建服务 # ★ [修改] 调用批量创建服务
outbound_no = OutboundService.create_outbound_batch(data, operator_name=final_operator) outbound_no = OutboundService.create_outbound_batch(data, operator_name=final_operator)

40
inventory-backend/app/api/v1/transactions.py
View File

@ -61,6 +61,26 @@ def filter_item_by_permissions(item_dict, user_permissions, prefix='op_records')
@permission_required('op_borrow:operation') @permission_required('op_borrow:operation')
def create_borrow(): def create_borrow():
data = request.get_json() data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if '*' not in user_permissions:
field_to_perm = {
'borrow_no': 'op_records:borrow_no',
'borrower_name': 'op_records:borrower_name',
'sku': 'op_records:sku',
'borrow_time': 'op_records:borrow_time',
'return_time': 'op_records:return_time',
'status': 'op_records:status',
'expected_return_time': 'op_records:expected_return_time',
'return_location': 'op_records:return_location',
'borrow_signature': 'op_records:borrow_signature',
'return_signature': 'op_records:return_signature',
}
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
try: try:
no = TransService.create_borrow(data) no = TransService.create_borrow(data)
return jsonify({'code': 200, 'msg': '借用成功', 'data': {'borrow_no': no}}) return jsonify({'code': 200, 'msg': '借用成功', 'data': {'borrow_no': no}})
@ -90,6 +110,26 @@ def scan_borrowed_item():
@permission_required('op_return:operation') @permission_required('op_return:operation')
def submit_return(): def submit_return():
data = request.get_json() data = request.get_json()
# 数据清洗:移除用户没有权限的字段
user_permissions = get_current_user_permissions()
# 超级管理员不过滤
if '*' not in user_permissions:
field_to_perm = {
'borrow_no': 'op_records:borrow_no',
'borrower_name': 'op_records:borrower_name',
'sku': 'op_records:sku',
'borrow_time': 'op_records:borrow_time',
'return_time': 'op_records:return_time',
'status': 'op_records:status',
'expected_return_time': 'op_records:expected_return_time',
'return_location': 'op_records:return_location',
'borrow_signature': 'op_records:borrow_signature',
'return_signature': 'op_records:return_signature',
}
for field in list(data.keys()):
perm_code = field_to_perm.get(field)
if perm_code and perm_code not in user_permissions:
data.pop(field, None)
user = get_jwt_identity() # 库管 user = get_jwt_identity() # 库管
try: try:
TransService.process_return(data, operator_name=user) TransService.process_return(data, operator_name=user)

34
inventory-web/src/views/bom/BomManage.vue
View File

@ -54,7 +54,7 @@
<el-row :gutter="20"> <el-row :gutter="20">
<el-col :span="16"> <el-col :span="16">
<el-form-item label="父件 (成品)" prop="parent_id"> <el-form-item label="父件 (成品)" prop="parent_id" v-if="hasFormFieldPermission('parent_id')">
<el-select <el-select
v-model="form.parent_id" v-model="form.parent_id"
placeholder="请搜索并选择父件" placeholder="请搜索并选择父件"
@ -79,7 +79,7 @@
</el-form-item> </el-form-item>
</el-col> </el-col>
<el-col :span="8"> <el-col :span="8">
<el-form-item label="是否启用" prop="is_enabled"> <el-form-item label="是否启用" prop="is_enabled" v-if="hasFormFieldPermission('is_enabled')">
<el-switch v-model="form.is_enabled" active-text="启用" inactive-text="禁用" :disabled="!userStore.hasPermission('bom_manage:operation')" /> <el-switch v-model="form.is_enabled" active-text="启用" inactive-text="禁用" :disabled="!userStore.hasPermission('bom_manage:operation')" />
</el-form-item> </el-form-item>
</el-col> </el-col>
@ -87,7 +87,7 @@
<el-row :gutter="20"> <el-row :gutter="20">
<el-col :span="14"> <el-col :span="14">
<el-form-item label="BOM 编号" required> <el-form-item label="BOM 编号" required v-if="hasFormFieldPermission('bom_suffix')">
<el-input v-model="form.bom_suffix" placeholder="输入后缀 (如 -001)" :disabled="isEditMode"> <el-input v-model="form.bom_suffix" placeholder="输入后缀 (如 -001)" :disabled="isEditMode">
<template #prepend v-if="form.bom_prefix">{{ form.bom_prefix }}</template> <template #prepend v-if="form.bom_prefix">{{ form.bom_prefix }}</template>
</el-input> </el-input>
@ -97,7 +97,7 @@
</el-form-item> </el-form-item>
</el-col> </el-col>
<el-col :span="10"> <el-col :span="10">
<el-form-item label="版本号" prop="version"> <el-form-item label="版本号" prop="version" v-if="hasFormFieldPermission('version')">
<el-input v-model="form.version" placeholder="如: V1.0" /> <el-input v-model="form.version" placeholder="如: V1.0" />
</el-form-item> </el-form-item>
</el-col> </el-col>
@ -106,7 +106,7 @@
<div style="font-weight: bold; margin: 15px 0 10px 0; border-left: 4px solid #409EFF; padding-left: 10px;">子件列表</div> <div style="font-weight: bold; margin: 15px 0 10px 0; border-left: 4px solid #409EFF; padding-left: 10px;">子件列表</div>
<el-table :data="form.children" border style="width: 100%; margin-bottom: 15px" max-height="300"> <el-table :data="form.children" border style="width: 100%; margin-bottom: 15px" max-height="300">
<el-table-column label="子件物料" min-width="280"> <el-table-column label="子件物料" min-width="280" v-if="hasFormFieldPermission('child_id')">
<template #default="{ row, $index }"> <template #default="{ row, $index }">
<el-select <el-select
v-model="row.child_id" v-model="row.child_id"
@ -129,26 +129,26 @@
</template> </template>
</el-table-column> </el-table-column>
<el-table-column label="用量" width="140"> <el-table-column label="用量" width="140" v-if="hasFormFieldPermission('dosage')">
<template #default="{ row }"> <template #default="{ row }">
<el-input-number v-model="row.dosage" :min="0" :precision="4" style="width: 100%" controls-position="right" /> <el-input-number v-model="row.dosage" :min="0" :precision="4" style="width: 100%" controls-position="right" />
</template> </template>
</el-table-column> </el-table-column>
<el-table-column label="备注" width="150"> <el-table-column label="备注" width="150" v-if="hasFormFieldPermission('remark')">
<template #default="{ row }"> <template #default="{ row }">
<el-input v-model="row.remark" placeholder="备注" /> <el-input v-model="row.remark" placeholder="备注" />
</template> </template>
</el-table-column> </el-table-column>
<el-table-column label="操作" width="60" align="center"> <el-table-column label="操作" width="60" align="center" v-if="userStore.hasPermission('bom_manage:operation')">
<template #default="{ $index }"> <template #default="{ $index }">
<el-button type="danger" link @click="removeChild($index)"></el-button> <el-button type="danger" link @click="removeChild($index)"></el-button>
</template> </template>
</el-table-column> </el-table-column>
</el-table> </el-table>
<div style="margin-top: 10px; text-align: center;"> <div style="margin-top: 10px; text-align: center;" v-if="hasFormFieldPermission('child_id')">
<el-button type="primary" plain :icon="Plus" @click="addChild" style="width: 100%">添加一行子件</el-button> <el-button type="primary" plain :icon="Plus" @click="addChild" style="width: 100%">添加一行子件</el-button>
</div> </div>
</el-form> </el-form>
@ -209,6 +209,13 @@ const permissionMap: Record<string, string> = {
version: 'bom_manage:version', version: 'bom_manage:version',
status: 'bom_manage:status', status: 'bom_manage:status',
child_count: 'bom_manage:child_count', child_count: 'bom_manage:child_count',
// 表单字段
parent_id: 'bom_manage:parent_id',
is_enabled: 'bom_manage:status',
bom_suffix: 'bom_manage:bom_no',
child_id: 'bom_manage:child_id',
dosage: 'bom_manage:dosage',
remark: 'bom_manage:remark',
} }
// 检查列权限 // 检查列权限
@ -220,6 +227,15 @@ const hasColumnPermission = (prop: string) => {
return code ? userStore.hasPermission(code) : false return code ? userStore.hasPermission(code) : false
} }
// 检查表单字段权限
const hasFormFieldPermission = (fieldName: string) => {
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true
}
const code = permissionMap[fieldName]
return code ? userStore.hasPermission(code) : false
}
const formRef = ref<FormInstance>() const formRef = ref<FormInstance>()
const form = reactive({ const form = reactive({
bom_prefix: '', // 自动生成的父件规格前缀 bom_prefix: '', // 自动生成的父件规格前缀

61
inventory-web/src/views/stock/inbound/buy.vue
View File

@ -272,12 +272,12 @@
<div class="read-only-grid"> <div class="read-only-grid">
<el-row :gutter="20"> <el-row :gutter="20">
<el-col :span="8"><el-form-item label="所属公司"><el-input v-model="form.company_name" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="所属公司" v-if="hasFormFieldPermission('company_name')"><el-input v-model="form.company_name" readonly class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="名称"><el-input v-model="form.material_name" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="名称" v-if="hasFormFieldPermission('material_name')"><el-input v-model="form.material_name" readonly class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="类型"><el-input v-model="form.material_type" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="类型" v-if="hasFormFieldPermission('material_type')"><el-input v-model="form.material_type" readonly class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="类别"><el-input v-model="form.category" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="类别" v-if="hasFormFieldPermission('category')"><el-input v-model="form.category" readonly class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="规格型号"><el-input v-model="form.spec_model" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="规格型号" v-if="hasFormFieldPermission('spec_model')"><el-input v-model="form.spec_model" readonly class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="单位"><el-input v-model="form.unit" readonly class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="单位" v-if="hasFormFieldPermission('unit')"><el-input v-model="form.unit" readonly class="is-text-view"/></el-form-item></el-col>
</el-row> </el-row>
</div> </div>
</div> </div>
@ -611,6 +611,55 @@ const vLoadmore = {
} }
} }
// ------------------------------------
// 表单字段权限检查
// ------------------------------------
const hasFormFieldPermission = (fieldName: string) => {
// 超级管理员直接返回true
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true
}
// 根据字段名映射到权限码
const map: Record<string, string> = {
company_name: 'inbound_buy:company_name',
material_name: 'inbound_buy:material_name',
spec_model: 'inbound_buy:spec_model',
category: 'inbound_buy:category',
material_type: 'inbound_buy:material_type',
unit: 'inbound_buy:unit',
sku: 'inbound_buy:sku',
barcode: 'inbound_buy:barcode',
in_date: 'inbound_buy:in_date',
serial_number: 'inbound_buy:serial_number',
batch_number: 'inbound_buy:batch_number',
status: 'inbound_buy:status',
inspection_status: 'inbound_buy:inspection_status',
in_quantity: 'inbound_buy:in_quantity',
stock_quantity: 'inbound_buy:stock_quantity',
available_quantity: 'inbound_buy:available_quantity',
warehouse_location: 'inbound_buy:warehouse_location',
unit_price: 'inbound_buy:unit_price',
tax_rate: 'inbound_buy:tax_rate',
total_price: 'inbound_buy:total_price',
currency: 'inbound_buy:currency',
exchange_rate: 'inbound_buy:exchange_rate',
supplier_name: 'inbound_buy:supplier_name',
purchaser: 'inbound_buy:purchaser',
purchaser_email: 'inbound_buy:purchaser_email',
source_link: 'inbound_buy:original_link',
detail_link: 'inbound_buy:detail_link',
arrival_photo: 'inbound_buy:arrival_photo',
inspection_report: 'inbound_buy:inspection_report',
print_copies: 'inbound_buy:print_copies',
}
const code = map[fieldName]
if (!code) {
// 没有映射的字段默认显示
return true
}
return userStore.hasPermission(code)
}
// ------------------------------------ // ------------------------------------
// 状态与变量 // 状态与变量
// ------------------------------------ // ------------------------------------

42
inventory-web/src/views/stock/inbound/service.vue
View File

@ -134,11 +134,11 @@
<div class="read-only-grid" v-if="form.base_id"> <div class="read-only-grid" v-if="form.base_id">
<el-row :gutter="20"> <el-row :gutter="20">
<el-col :span="8"><el-form-item label="名称"><el-input v-model="form.material_name" disabled class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="名称" v-if="hasFormFieldPermission('material_name')"><el-input v-model="form.material_name" disabled class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="类型"><el-input v-model="form.material_type" disabled class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="类型" v-if="hasFormFieldPermission('material_type')"><el-input v-model="form.material_type" disabled class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="类别"><el-input v-model="form.category" disabled class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="类别" v-if="hasFormFieldPermission('category')"><el-input v-model="form.category" disabled class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="规格型号"><el-input v-model="form.spec_model" disabled class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="规格型号" v-if="hasFormFieldPermission('spec_model')"><el-input v-model="form.spec_model" disabled class="is-text-view"/></el-form-item></el-col>
<el-col :span="8"><el-form-item label="单位"><el-input v-model="form.unit" disabled class="is-text-view"/></el-form-item></el-col> <el-col :span="8"><el-form-item label="单位" v-if="hasFormFieldPermission('unit')"><el-input v-model="form.unit" disabled class="is-text-view"/></el-form-item></el-col>
</el-row> </el-row>
</div> </div>
</div> </div>
@ -150,7 +150,7 @@
<span>2. 服务详情</span> <span>2. 服务详情</span>
</div> </div>
<div class="card-content"> <div class="card-content">
<el-form-item label="售价" prop="sale_price"> <el-form-item label="售价" prop="sale_price" v-if="hasFormFieldPermission('sale_price')">
<el-input-number <el-input-number
v-model="form.sale_price" v-model="form.sale_price"
placeholder="请输入售价" placeholder="请输入售价"
@ -160,7 +160,7 @@
style="width: 100%;" style="width: 100%;"
/> />
</el-form-item> </el-form-item>
<el-form-item label="服务商" prop="provider_name"> <el-form-item label="服务商" prop="provider_name" v-if="hasFormFieldPermission('provider_name')">
<el-autocomplete <el-autocomplete
v-model="form.provider_name" v-model="form.provider_name"
:fetch-suggestions="querySearchProvider" :fetch-suggestions="querySearchProvider"
@ -171,7 +171,7 @@
@select="handleProviderSelect" @select="handleProviderSelect"
/> />
</el-form-item> </el-form-item>
<el-form-item label="简介" prop="description"> <el-form-item label="简介" prop="description" v-if="hasFormFieldPermission('description')">
<el-input <el-input
v-model="form.description" v-model="form.description"
type="textarea" type="textarea"
@ -234,6 +234,32 @@ const hasColumnPermission = (prop: string) => {
return code ? userStore.hasPermission(code) : false return code ? userStore.hasPermission(code) : false
} }
// 表单字段权限检查
const hasFormFieldPermission = (fieldName: string) => {
// 超级管理员直接返回true
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true
}
// 根据字段名映射到权限码
const map: Record<string, string> = {
base_id: 'inbound_service:base_id',
material_name: 'inbound_service:material_name',
spec_model: 'inbound_service:spec_model',
category: 'inbound_service:category',
material_type: 'inbound_service:material_type',
unit: 'inbound_service:unit',
sale_price: 'inbound_service:sale_price',
provider_name: 'inbound_service:provider_name',
description: 'inbound_service:description',
}
const code = map[fieldName]
if (!code) {
// 没有映射的字段默认显示
return true
}
return userStore.hasPermission(code)
}
// 表格数据 // 表格数据
const tableData = ref<ServiceItem[]>([]) const tableData = ref<ServiceItem[]>([])
const loading = ref(false) const loading = ref(false)

24
inventory-web/src/views/system/UserCreate.vue
View File

@ -67,7 +67,7 @@
:rules="rules" :rules="rules"
label-width="100px" label-width="100px"
> >
<el-form-item label="真实姓名" prop="cn_name"> <el-form-item label="真实姓名" prop="cn_name" v-if="hasFormFieldPermission('cn_name')">
<el-input <el-input
v-model="form.cn_name" v-model="form.cn_name"
placeholder="请输入中文姓名 (如: 张三)" placeholder="请输入中文姓名 (如: 张三)"
@ -76,7 +76,7 @@
/> />
</el-form-item> </el-form-item>
<el-form-item label="登录账号" prop="username"> <el-form-item label="登录账号" prop="username" v-if="hasFormFieldPermission('username')">
<el-input <el-input
v-model="form.username" v-model="form.username"
placeholder="自动生成,可修改 (如: zhangsan)" placeholder="自动生成,可修改 (如: zhangsan)"
@ -88,7 +88,7 @@
</el-input> </el-input>
</el-form-item> </el-form-item>
<el-form-item label="密码" prop="password"> <el-form-item label="密码" prop="password" v-if="hasFormFieldPermission('password')">
<el-input <el-input
v-model="form.password" v-model="form.password"
type="password" type="password"
@ -98,7 +98,7 @@
/> />
</el-form-item> </el-form-item>
<el-form-item label="所属部门" prop="department"> <el-form-item label="所属部门" prop="department" v-if="hasFormFieldPermission('department')">
<el-select <el-select
v-model="form.department" v-model="form.department"
placeholder="请输入或选择部门" placeholder="请输入或选择部门"
@ -112,7 +112,7 @@
</el-select> </el-select>
</el-form-item> </el-form-item>
<el-form-item label="系统角色" prop="role"> <el-form-item label="系统角色" prop="role" v-if="hasFormFieldPermission('role')">
<el-select v-model="form.role" placeholder="授予权限" style="width: 100%" :disabled="!userStore.hasPermission('system_user:operation')"> <el-select v-model="form.role" placeholder="授予权限" style="width: 100%" :disabled="!userStore.hasPermission('system_user:operation')">
<el-option <el-option
v-for="option in roleOptions" v-for="option in roleOptions"
@ -123,7 +123,7 @@
</el-select> </el-select>
</el-form-item> </el-form-item>
<el-form-item label="邮箱" prop="email"> <el-form-item label="邮箱" prop="email" v-if="hasFormFieldPermission('email')">
<el-input v-model="form.email" placeholder="请输入邮箱" :disabled="!userStore.hasPermission('system_user:operation')" /> <el-input v-model="form.email" placeholder="请输入邮箱" :disabled="!userStore.hasPermission('system_user:operation')" />
</el-form-item> </el-form-item>
</el-form> </el-form>
@ -157,6 +157,9 @@ const permissionMap: Record<string, string> = {
email: 'system_user:email', email: 'system_user:email',
status: 'system_user:status', status: 'system_user:status',
created_at: 'system_user:created_at', created_at: 'system_user:created_at',
// 表单字段
cn_name: 'system_user:username',
password: 'system_user:password',
} }
// 检查列权限 // 检查列权限
@ -167,6 +170,15 @@ const hasColumnPermission = (prop: string) => {
const code = permissionMap[prop] const code = permissionMap[prop]
return code ? userStore.hasPermission(code) : false return code ? userStore.hasPermission(code) : false
} }
// 检查表单字段权限
const hasFormFieldPermission = (fieldName: string) => {
if (userStore.role === 'SUPER_ADMIN' || userStore.username === 'IRIS') {
return true
}
const code = permissionMap[fieldName]
return code ? userStore.hasPermission(code) : false
}
const tableLoading = ref(false) const tableLoading = ref(false)
const submitLoading = ref(false) const submitLoading = ref(false)
const dialogVisible = ref(false) const dialogVisible = ref(false)