iven/erp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
0d7d3af0a8a5b5a1ae233aaeeec16cb010e76ba8
erp/crates/erp-workflow/src/handler/task_handler.rs
iven 0d7d3af0a8 fix(auth): standardize permission codes to dot notation and add missing permissions 
- Change all permission codes from colon (`:`) to dot (`.`) separator
  to match handler require_permission() calls consistently
- Add missing user.list, role.list, permission.list, organization.list,
  department.list, position.list permissions (handlers check for .list
  but seeds only had :read)
- Add missing message module permissions (message.list, message.send,
  message.template.list, message.template.create)
- Add missing setting.delete, numbering.delete permissions
- Fix workflow handlers: workflow: → workflow.
- Fix message handlers: message: → message.
- Update viewer role READ_PERM_INDICES for new permission list

This fixes a critical runtime bug where ALL permission checks in
erp-auth and erp-config handlers would return 403 Forbidden because
the seed data used colon separators but handlers checked for dots.
2026-04-11 14:30:47 +08:00

117 lines
3.3 KiB
Rust
Raw Blame History

use axum::Extension;
use axum::extract::{FromRef, Path, Query, State};
use axum::response::Json;
use validator::Validate;
use erp_core::error::AppError;
use erp_core::rbac::require_permission;
use erp_core::types::{ApiResponse, PaginatedResponse, Pagination, TenantContext};
use uuid::Uuid;
use crate::dto::{CompleteTaskReq, DelegateTaskReq, TaskResp};
use crate::service::task_service::TaskService;
use crate::workflow_state::WorkflowState;
/// GET /api/v1/workflow/tasks/pending
pub async fn list_pending_tasks<S>(
State(state): State<WorkflowState>,
Extension(ctx): Extension<TenantContext>,
Query(pagination): Query<Pagination>,
) -> Result<Json<ApiResponse<PaginatedResponse<TaskResp>>>, AppError>
where
WorkflowState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "workflow.approve")?;
let (tasks, total) =
TaskService::list_pending(ctx.tenant_id, ctx.user_id, &pagination, &state.db).await?;
let page = pagination.page.unwrap_or(1);
let page_size = pagination.limit();
let total_pages = total.div_ceil(page_size);
Ok(Json(ApiResponse::ok(PaginatedResponse {
data: tasks,
total,
page,
page_size,
total_pages,
})))
}
/// GET /api/v1/workflow/tasks/completed
pub async fn list_completed_tasks<S>(
State(state): State<WorkflowState>,
Extension(ctx): Extension<TenantContext>,
Query(pagination): Query<Pagination>,
) -> Result<Json<ApiResponse<PaginatedResponse<TaskResp>>>, AppError>
where
WorkflowState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "workflow.approve")?;
let (tasks, total) =
TaskService::list_completed(ctx.tenant_id, ctx.user_id, &pagination, &state.db).await?;
let page = pagination.page.unwrap_or(1);
let page_size = pagination.limit();
let total_pages = total.div_ceil(page_size);
Ok(Json(ApiResponse::ok(PaginatedResponse {
data: tasks,
total,
page,
page_size,
total_pages,
})))
}
/// POST /api/v1/workflow/tasks/{id}/complete
pub async fn complete_task<S>(
State(state): State<WorkflowState>,
Extension(ctx): Extension<TenantContext>,
Path(id): Path<Uuid>,
Json(req): Json<CompleteTaskReq>,
) -> Result<Json<ApiResponse<TaskResp>>, AppError>
where
WorkflowState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "workflow.approve")?;
req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
let resp = TaskService::complete(
id,
ctx.tenant_id,
ctx.user_id,
&req,
&state.db,
&state.event_bus,
)
.await?;
Ok(Json(ApiResponse::ok(resp)))
}
/// POST /api/v1/workflow/tasks/{id}/delegate
pub async fn delegate_task<S>(
State(state): State<WorkflowState>,
Extension(ctx): Extension<TenantContext>,
Path(id): Path<Uuid>,
Json(req): Json<DelegateTaskReq>,
) -> Result<Json<ApiResponse<TaskResp>>, AppError>
where
WorkflowState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "workflow.delegate")?;
req.validate().map_err(|e| AppError::Validation(e.to_string()))?;
let resp =
TaskService::delegate(id, ctx.tenant_id, ctx.user_id, &req, &state.db).await?;
Ok(Json(ApiResponse::ok(resp)))
}
Reference in New Issue View Git Blame Copy Permalink