fix(plugin): 修复插件 schema API、动态表 JSONB 和 SQL 注入防护

- get_schema 端点同时返回 entities 和 ui 页面配置，修复前端无法生成动态菜单的问题 - 动态表 INSERT/UPDATE 添加 ::jsonb 类型转换，修复 PostgreSQL 类型推断错误 - JSONB 索引创建改为非致命（warn 跳过），避免索引冲突阻断安装流程 - 权限注册/注销改用参数化查询，消除 SQL 注入风险 - DDL 语句改用 execute_unprepared，避免不必要的安全检查开销 - clear_plugin 支持已上传状态的清理 - 添加关键步骤 tracing 日志便于排查安装问题
2026-04-16 23:42:40 +08:00
parent b482230a07
commit 3483395f5e
6 changed files with 225 additions and 176 deletions
--- a/crates/erp-plugin/src/handler/data_handler.rs
+++ b/crates/erp-plugin/src/handler/data_handler.rs
@@ -11,17 +11,17 @@ use crate::data_dto::{
    AggregateItem, AggregateQueryParams, CountQueryParams, CreatePluginDataReq,
    PluginDataListParams, PluginDataResp, UpdatePluginDataReq,
 };
-use crate::data_service::PluginDataService;
+use crate::data_service::{PluginDataService, resolve_manifest_id};
 use crate::state::PluginState;

 /// 计算插件数据操作所需的权限码
-/// 格式：{plugin_id}.{entity}.{action}，如 crm.customer.list
-fn compute_permission_code(plugin_id: &str, entity_name: &str, action: &str) -> String {
+/// 格式：{manifest_id}.{entity}.{action}，如 erp-crm.customer.list
+fn compute_permission_code(manifest_id: &str, entity_name: &str, action: &str) -> String {
    let action_suffix = match action {
        "list" | "get" => "list",
        _ => "manage",
    };
-    format!("{}.{}.{}", plugin_id, entity_name, action_suffix)
+    format!("{}.{}.{}", manifest_id, entity_name, action_suffix)
 }

 #[utoipa::path(
@@ -45,8 +45,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    // 动态权限检查：先尝试精细权限，回退到通用权限
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "list");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.list")?;
    }
@@ -104,7 +104,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "create");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "create");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.admin")?;
    }
@@ -142,7 +143,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "get");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "get");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.list")?;
    }
@@ -174,7 +176,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "update");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "update");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.admin")?;
    }
@@ -214,7 +217,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "delete");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "delete");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.admin")?;
    }
@@ -253,7 +257,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "list");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.list")?;
    }
@@ -298,7 +303,8 @@ where
    PluginState: FromRef<S>,
    S: Clone + Send + Sync + 'static,
 {
-    let fine_perm = compute_permission_code(&plugin_id.to_string(), &entity, "list");
+    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
+    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
    if require_permission(&ctx, &fine_perm).is_err() {
        require_permission(&ctx, "plugin.list")?;
    }
--- a/crates/erp-plugin/src/handler/plugin_handler.rs
+++ b/crates/erp-plugin/src/handler/plugin_handler.rs
@@ -199,7 +199,11 @@ where
        &state.db,
        &state.engine,
    )
-    .await?;
+    .await
+    .map_err(|e| {
+        tracing::error!(error = %e, "Install failed");
+        e
+    })?;
    Ok(Json(ApiResponse::ok(result)))
 }