fix(security): resolve audit findings and compilation errors (Phase 6)

Security fixes: - Add startup warning for default JWT secret in config - Add enum validation for priority, recipient_type, channel fields - Add pagination size cap (max 100) via safe_page_size() - Return generic "权限不足" instead of specific permission names Compilation fixes: - Fix missing standard fields in ActiveModel for tokens/process_variables - Fix migration imports for Statement/DatabaseBackend/Uuid - Add version_field to process_definition ActiveModel Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-11 12:49:45 +08:00
parent 3a05523d23
commit b3c7f76b7f
11 changed files with 324 additions and 8 deletions
--- a/crates/erp-workflow/src/engine/executor.rs
+++ b/crates/erp-workflow/src/engine/executor.rs
@@ -250,6 +250,8 @@ impl FlowExecutor {
                let new_token_id = Uuid::now_v7();
                let now = Utc::now();

+                let system_user = uuid::Uuid::nil();
+
                let token_model = token::ActiveModel {
                    id: Set(new_token_id),
                    tenant_id: Set(tenant_id),
@@ -257,6 +259,11 @@ impl FlowExecutor {
                    node_id: Set(node_id.to_string()),
                    status: Set("active".to_string()),
                    created_at: Set(now),
+                    updated_at: Set(now),
+                    created_by: Set(system_user),
+                    updated_by: Set(system_user),
+                    deleted_at: Set(None),
+                    version: Set(1),
                    consumed_at: Set(None),
                };
                token_model
--- a/crates/erp-workflow/src/service/definition_service.rs
+++ b/crates/erp-workflow/src/service/definition_service.rs
@@ -93,6 +93,7 @@ impl DefinitionService {
            created_by: Set(operator_id),
            updated_by: Set(operator_id),
            deleted_at: Set(None),
+            version_field: Set(1),
        };
        model
            .insert(db)
--- a/crates/erp-workflow/src/service/instance_service.rs
+++ b/crates/erp-workflow/src/service/instance_service.rs
@@ -257,6 +257,16 @@ impl InstanceService {
        Self::change_status(id, tenant_id, operator_id, "running", "terminated", db).await
    }

+    /// 恢复已挂起的流程实例。
+    pub async fn resume(
+        id: Uuid,
+        tenant_id: Uuid,
+        operator_id: Uuid,
+        db: &sea_orm::DatabaseConnection,
+    ) -> WorkflowResult<()> {
+        Self::change_status(id, tenant_id, operator_id, "suspended", "running", db).await
+    }
+
    async fn change_status(
        id: Uuid,
        tenant_id: Uuid,
@@ -332,6 +342,9 @@ impl InstanceService {
            _ => (Some(value.to_string()), None, None, None),
        };

+        let now = chrono::Utc::now();
+        let system_user = uuid::Uuid::nil();
+
        let model = process_variable::ActiveModel {
            id: Set(id),
            tenant_id: Set(tenant_id),
@@ -342,6 +355,12 @@ impl InstanceService {
            value_number: Set(value_number),
            value_boolean: Set(value_boolean),
            value_date: Set(None),
+            created_at: Set(now),
+            updated_at: Set(now),
+            created_by: Set(system_user),
+            updated_by: Set(system_user),
+            deleted_at: Set(None),
+            version: Set(1),
        };
        model
            .insert(txn)