iven/erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): standardize permission codes to dot notation and add missing permissions

Browse Source 
- Change all permission codes from colon (`:`) to dot (`.`) separator
  to match handler require_permission() calls consistently
- Add missing user.list, role.list, permission.list, organization.list,
  department.list, position.list permissions (handlers check for .list
  but seeds only had :read)
- Add missing message module permissions (message.list, message.send,
  message.template.list, message.template.create)
- Add missing setting.delete, numbering.delete permissions
- Fix workflow handlers: workflow: → workflow.
- Fix message handlers: message: → message.
- Update viewer role READ_PERM_INDICES for new permission list

This fixes a critical runtime bug where ALL permission checks in
erp-auth and erp-config handlers would return 403 Forbidden because
the seed data used colon separators but handlers checked for dots.
This commit is contained in:
iven
2026-04-11 14:30:47 +08:00
parent f29f6d76ee
commit 0d7d3af0a8
6 changed files with 99 additions and 139 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
crates/erp-message/src/handler/message_handler.rs
View File

@@ -22,7 +22,7 @@ where
MessageState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "message:list")?;
require_permission(&ctx, "message.list")?;
let db = &_state.db;
let page = query.page.unwrap_or(1);
@@ -49,7 +49,7 @@ where
MessageState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "message:list")?;
require_permission(&ctx, "message.list")?;
let result = MessageService::unread_count(ctx.tenant_id, ctx.user_id, &_state.db).await?;
Ok(Json(ApiResponse::ok(result)))
@@ -65,7 +65,7 @@ where
MessageState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "message:send")?;
require_permission(&ctx, "message.send")?;
req.validate()
.map_err(|e| AppError::Validation(e.to_string()))?;

4
crates/erp-message/src/handler/template_handler.rs
View File

@@ -28,7 +28,7 @@ where
MessageState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "message:template:list")?;
require_permission(&ctx, "message.template:list")?;
let page = query.page.unwrap_or(1);
let page_size = query.page_size.unwrap_or(20);
@@ -56,7 +56,7 @@ where
MessageState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "message:template:create")?;
require_permission(&ctx, "message.template:create")?;
req.validate()
.map_err(|e| AppError::Validation(e.to_string()))?;