fix(用户管理): 修复用户列表页面加载失败问题

修复用户列表页面加载失败导致测试超时的问题，确保页面元素正确渲染
2026-04-19 08:46:28 +08:00
parent 0ee9d22634
commit 841766b168
174 changed files with 26366 additions and 675 deletions
--- a/crates/erp-auth/src/dto.rs
+++ b/crates/erp-auth/src/dto.rs
@@ -3,6 +3,8 @@ use utoipa::ToSchema;
 use uuid::Uuid;
 use validator::Validate;

+use erp_core::sanitize::{sanitize_option, sanitize_string};
+
 // --- Auth DTOs ---

 #[derive(Debug, Deserialize, Validate, ToSchema)]
@@ -58,10 +60,22 @@ pub struct CreateUserReq {
    pub password: String,
    #[validate(email)]
    pub email: Option<String>,
+    #[validate(length(max = 20))]
    pub phone: Option<String>,
+    #[validate(length(max = 100))]
    pub display_name: Option<String>,
 }

+impl CreateUserReq {
+    /// 清理所有用户输入字段中的 HTML 标签，防止存储型 XSS。
+    pub fn sanitize(&mut self) {
+        self.username = sanitize_string(&self.username);
+        self.email = sanitize_option(self.email.take());
+        self.phone = sanitize_option(self.phone.take());
+        self.display_name = sanitize_option(self.display_name.take());
+    }
+}
+
 #[derive(Debug, Deserialize, ToSchema)]
 pub struct UpdateUserReq {
    pub email: Option<String>,
@@ -71,6 +85,15 @@ pub struct UpdateUserReq {
    pub version: i32,
 }

+impl UpdateUserReq {
+    /// 清理所有用户输入字段中的 HTML 标签，防止存储型 XSS。
+    pub fn sanitize(&mut self) {
+        self.email = sanitize_option(self.email.take());
+        self.phone = sanitize_option(self.phone.take());
+        self.display_name = sanitize_option(self.display_name.take());
+    }
+}
+
 // --- Role DTOs ---

 #[derive(Debug, Clone, Serialize, ToSchema)]
--- a/crates/erp-auth/src/handler/user_handler.rs
+++ b/crates/erp-auth/src/handler/user_handler.rs
@@ -94,7 +94,7 @@ where
 pub async fn create_user<S>(
    State(state): State<AuthState>,
    Extension(ctx): Extension<TenantContext>,
-    Json(req): Json<CreateUserReq>,
+    Json(mut req): Json<CreateUserReq>,
 ) -> Result<Json<ApiResponse<UserResp>>, AppError>
 where
    AuthState: FromRef<S>,
@@ -105,6 +105,8 @@ where
    req.validate()
        .map_err(|e| AppError::Validation(e.to_string()))?;

+    req.sanitize();
+
    let user = UserService::create(
        ctx.tenant_id,
        ctx.user_id,
@@ -171,7 +173,7 @@ pub async fn update_user<S>(
    State(state): State<AuthState>,
    Extension(ctx): Extension<TenantContext>,
    Path(id): Path<Uuid>,
-    Json(req): Json<UpdateUserReq>,
+    Json(mut req): Json<UpdateUserReq>,
 ) -> Result<Json<ApiResponse<UserResp>>, AppError>
 where
    AuthState: FromRef<S>,
@@ -179,6 +181,8 @@ where
 {
    require_permission(&ctx, "user.update")?;

+    req.sanitize();
+
    let user = UserService::update(id, ctx.tenant_id, ctx.user_id, &req, &state.db).await?;
    Ok(Json(ApiResponse::ok(user)))
 }
--- a/crates/erp-auth/src/module.rs
+++ b/crates/erp-auth/src/module.rs
@@ -65,6 +65,11 @@ impl AuthModule {
                "/roles",
                axum::routing::get(role_handler::list_roles).post(role_handler::create_role),
            )
+            // 精确匹配 /roles/permissions，必须在 /roles/{id} 之前注册
+            .route(
+                "/roles/permissions",
+                axum::routing::get(role_handler::list_permissions),
+            )
            .route(
                "/roles/{id}",
                axum::routing::get(role_handler::get_role)