fix: address Phase 1-2 audit findings

- CORS: replace permissive() with configurable whitelist (default.toml) - Auth store: synchronously restore state at creation to eliminate flash-of-login-page on refresh - MainLayout: menu highlight now tracks current route via useLocation - Add extractErrorMessage() utility to reduce repeated error parsing - Fix all clippy warnings across 4 crates (erp-auth, erp-config, erp-workflow, erp-message): remove unnecessary casts, use div_ceil, collapse nested ifs, reduce function arguments with DTOs
2026-04-11 12:36:34 +08:00
parent 5c899e6f4a
commit 3a05523d23
35 changed files with 283 additions and 187 deletions
--- a/crates/erp-workflow/src/engine/executor.rs
+++ b/crates/erp-workflow/src/engine/executor.rs
@@ -10,7 +10,7 @@ use uuid::Uuid;
 use crate::dto::NodeType;
 use crate::engine::expression::ExpressionEvaluator;
 use crate::engine::model::FlowGraph;
-use crate::entity::{token, process_instance};
+use crate::entity::{token, process_instance, task};
 use crate::error::{WorkflowError, WorkflowResult};

 /// Token 驱动的流程执行引擎。
@@ -264,6 +264,36 @@ impl FlowExecutor {
                    .await
                    .map_err(|e| WorkflowError::Validation(e.to_string()))?;

+                // UserTask: 同时创建 task 记录
+                if node.node_type == NodeType::UserTask {
+                    let task_model = task::ActiveModel {
+                        id: Set(Uuid::now_v7()),
+                        tenant_id: Set(tenant_id),
+                        instance_id: Set(instance_id),
+                        token_id: Set(new_token_id),
+                        node_id: Set(node_id.to_string()),
+                        node_name: Set(Some(node.name.clone())),
+                        assignee_id: Set(node.assignee_id),
+                        candidate_groups: Set(node.candidate_groups.as_ref()
+                            .map(|g| serde_json::to_value(g).unwrap_or_default())),
+                        status: Set("pending".to_string()),
+                        outcome: Set(None),
+                        form_data: Set(None),
+                        due_date: Set(None),
+                        completed_at: Set(None),
+                        created_at: Set(now),
+                        updated_at: Set(now),
+                        created_by: Set(Uuid::nil()),
+                        updated_by: Set(Uuid::nil()),
+                        deleted_at: Set(None),
+                        version: Set(1),
+                    };
+                    task_model
+                        .insert(txn)
+                        .await
+                        .map_err(|e| WorkflowError::Validation(e.to_string()))?;
+                }
+
                Ok(vec![new_token_id])
            }
        }
--- a/crates/erp-workflow/src/engine/expression.rs
+++ b/crates/erp-workflow/src/engine/expression.rs
@@ -164,10 +164,10 @@ impl ExpressionEvaluator {
        if let Ok(n) = token.parse::<i64>() {
            return Ok(serde_json::Value::Number(n.into()));
        }
-        if let Ok(f) = token.parse::<f64>() {
-            if let Some(n) = serde_json::Number::from_f64(f) {
-                return Ok(serde_json::Value::Number(n));
-            }
+        if let Ok(f) = token.parse::<f64>()
+            && let Some(n) = serde_json::Number::from_f64(f)
+        {
+            return Ok(serde_json::Value::Number(n));
        }

        // 布尔字面量