fix(auth): standardize permission codes to dot notation and add missing permissions

- Change all permission codes from colon (`:`) to dot (`.`) separator to match handler require_permission() calls consistently - Add missing user.list, role.list, permission.list, organization.list, department.list, position.list permissions (handlers check for .list but seeds only had :read) - Add missing message module permissions (message.list, message.send, message.template.list, message.template.create) - Add missing setting.delete, numbering.delete permissions - Fix workflow handlers: workflow: → workflow. - Fix message handlers: message: → message. - Update viewer role READ_PERM_INDICES for new permission list This fixes a critical runtime bug where ALL permission checks in erp-auth and erp-config handlers would return 403 Forbidden because the seed data used colon separators but handlers checked for dots.
2026-04-11 14:30:47 +08:00
parent f29f6d76ee
commit 0d7d3af0a8
6 changed files with 99 additions and 139 deletions
--- a/crates/erp-workflow/src/handler/definition_handler.rs
+++ b/crates/erp-workflow/src/handler/definition_handler.rs
@@ -22,7 +22,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:list")?;
+    require_permission(&ctx, "workflow.list")?;

    let (defs, total) = DefinitionService::list(ctx.tenant_id, &pagination, &state.db).await?;

@@ -49,7 +49,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:create")?;
+    require_permission(&ctx, "workflow.create")?;
    req.validate()
        .map_err(|e| AppError::Validation(e.to_string()))?;

@@ -75,7 +75,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:read")?;
+    require_permission(&ctx, "workflow.read")?;

    let resp = DefinitionService::get_by_id(id, ctx.tenant_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(resp)))
@@ -92,7 +92,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:update")?;
+    require_permission(&ctx, "workflow.update")?;

    let resp =
        DefinitionService::update(id, ctx.tenant_id, ctx.user_id, &req, &state.db).await?;
@@ -109,7 +109,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:publish")?;
+    require_permission(&ctx, "workflow.publish")?;

    let resp = DefinitionService::publish(
        id,
--- a/crates/erp-workflow/src/handler/instance_handler.rs
+++ b/crates/erp-workflow/src/handler/instance_handler.rs
@@ -22,7 +22,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:start")?;
+    require_permission(&ctx, "workflow.start")?;
    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;

    let resp = InstanceService::start(
@@ -47,7 +47,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:list")?;
+    require_permission(&ctx, "workflow.list")?;

    let (instances, total) =
        InstanceService::list(ctx.tenant_id, &pagination, &state.db).await?;
@@ -75,7 +75,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:read")?;
+    require_permission(&ctx, "workflow.read")?;

    let resp = InstanceService::get_by_id(id, ctx.tenant_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(resp)))
@@ -91,7 +91,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:update")?;
+    require_permission(&ctx, "workflow.update")?;

    InstanceService::suspend(id, ctx.tenant_id, ctx.user_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(())))
@@ -107,7 +107,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:update")?;
+    require_permission(&ctx, "workflow.update")?;

    InstanceService::terminate(id, ctx.tenant_id, ctx.user_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(())))
@@ -123,7 +123,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:update")?;
+    require_permission(&ctx, "workflow.update")?;

    InstanceService::resume(id, ctx.tenant_id, ctx.user_id, &state.db).await?;
    Ok(Json(ApiResponse::ok(())))
--- a/crates/erp-workflow/src/handler/task_handler.rs
+++ b/crates/erp-workflow/src/handler/task_handler.rs
@@ -22,7 +22,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:approve")?;
+    require_permission(&ctx, "workflow.approve")?;

    let (tasks, total) =
        TaskService::list_pending(ctx.tenant_id, ctx.user_id, &pagination, &state.db).await?;
@@ -50,7 +50,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:approve")?;
+    require_permission(&ctx, "workflow.approve")?;

    let (tasks, total) =
        TaskService::list_completed(ctx.tenant_id, ctx.user_id, &pagination, &state.db).await?;
@@ -79,7 +79,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:approve")?;
+    require_permission(&ctx, "workflow.approve")?;
    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;

    let resp = TaskService::complete(
@@ -106,7 +106,7 @@ where
    WorkflowState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    require_permission(&ctx, "workflow:delegate")?;
+    require_permission(&ctx, "workflow.delegate")?;
    req.validate().map_err(|e| AppError::Validation(e.to_string()))?;

    let resp =