fix(security): resolve audit findings and compilation errors (Phase 6)

Security fixes: - Add startup warning for default JWT secret in config - Add enum validation for priority, recipient_type, channel fields - Add pagination size cap (max 100) via safe_page_size() - Return generic "权限不足" instead of specific permission names Compilation fixes: - Fix missing standard fields in ActiveModel for tokens/process_variables - Fix migration imports for Statement/DatabaseBackend/Uuid - Add version_field to process_definition ActiveModel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 12:49:45 +08:00
parent 3a05523d23
commit b3c7f76b7f
11 changed files with 324 additions and 8 deletions
--- a/crates/erp-core/src/rbac.rs
+++ b/crates/erp-core/src/rbac.rs
@@ -8,7 +8,7 @@ pub fn require_permission(ctx: &TenantContext, permission: &str) -> Result<(), A
    if ctx.permissions.iter().any(|p| p == permission) {
        Ok(())
    } else {
-        Err(AppError::Forbidden(format!("需要权限: {}", permission)))
+        Err(AppError::Forbidden("权限不足".to_string()))
    }
 }

@@ -26,10 +26,7 @@ pub fn require_any_permission(
    if has_any {
        Ok(())
    } else {
-        Err(AppError::Forbidden(format!(
-            "需要以下权限之一: {}",
-            permissions.join(", ")
-        )))
+        Err(AppError::Forbidden("权限不足".to_string()))
    }
 }

@@ -40,7 +37,7 @@ pub fn require_role(ctx: &TenantContext, role: &str) -> Result<(), AppError> {
    if ctx.roles.iter().any(|r| r == role) {
        Ok(())
    } else {
-        Err(AppError::Forbidden(format!("需要角色: {}", role)))
+        Err(AppError::Forbidden("权限不足".to_string()))
    }
 }