fix(plugin): 移除权限 fallback — 必须显式分配实体级权限

所有 7 个数据 handler 方法不再回退到 plugin.list/plugin.admin 粗粒度权限。现在必须为每个实体显式分配 {plugin}.{entity}.list 或 {plugin}.{entity}.manage 权限，否则返回 403。
2026-04-17 10:38:05 +08:00
parent 314580243e
commit e6aaa18ceb
1 changed files with 7 additions and 21 deletions
--- a/crates/erp-plugin/src/handler/data_handler.rs
+++ b/crates/erp-plugin/src/handler/data_handler.rs
@@ -47,9 +47,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.list")?;
    }
    let page = params.page.unwrap_or(1);
    let page_size = params.page_size.unwrap_or(20);
@@ -107,9 +105,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "create");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.admin")?;
    }
    let result = PluginDataService::create(
        plugin_id,
@@ -146,9 +142,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "get");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.list")?;
    }
    let result =
        PluginDataService::get_by_id(plugin_id, &entity, id, ctx.tenant_id, &state.db).await?;
@@ -179,9 +173,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "update");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.admin")?;
    }
    let result = PluginDataService::update(
        plugin_id,
@@ -220,9 +212,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "delete");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.admin")?;
    }
    PluginDataService::delete(
        plugin_id,
@@ -260,9 +250,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.list")?;
    }
    // 解析 filter JSON
    let filter: Option<serde_json::Value> = params
@@ -306,9 +294,7 @@ where
 {
    let manifest_id = resolve_manifest_id(plugin_id, ctx.tenant_id, &state.db).await?;
    let fine_perm = compute_permission_code(&manifest_id, &entity, "list");
-    if require_permission(&ctx, &fine_perm).is_err() {
+    require_permission(&ctx, &fine_perm)?;
        require_permission(&ctx, "plugin.list")?;
    }
    // 解析 filter JSON
    let filter: Option<serde_json::Value> = params