fix(health): 修复 5 角色深度测试发现的权限越权和告警端点缺失
- auth: token_service 查询 role_permissions/user_roles 添加 deleted_at 过滤,
修复软删除的权限仍被加载到 JWT 的越权漏洞
- health: 新增 GET /health/alerts/{id} 告警详情端点(含 handler + service + 路由)
- web: AlertList 操作按钮增加 active 状态判断,修复按钮不显示
- migration: 新增 000127 清理 doctor 角色多余的 health-data.manage/ai.analysis.manage
This commit is contained in:
iven
@@ -200,7 +200,7 @@ export default function AlertList() {
|
||||
render: (_: unknown, record: Alert) => (
|
||||
<AuthButton code="health.alerts.manage">
|
||||
<Space size={4}>
|
||||
{record.status === 'pending' && (
|
||||
{(record.status === 'pending' || record.status === 'active') && (
|
||||
<Popconfirm
|
||||
title="确认处理该告警?"
|
||||
onConfirm={() => handleAcknowledge(record)}
|
||||
@@ -218,6 +218,7 @@ export default function AlertList() {
|
||||
</Popconfirm>
|
||||
)}
|
||||
{(record.status === 'pending' ||
|
||||
record.status === 'active' ||
|
||||
record.status === 'acknowledged') && (
|
||||
<Popconfirm
|
||||
title="确认忽略该告警?"
|
||||
|
||||
@@ -207,6 +207,7 @@ impl TokenService {
|
||||
let user_role_rows = user_role::Entity::find()
|
||||
.filter(user_role::Column::UserId.eq(user_id))
|
||||
.filter(user_role::Column::TenantId.eq(tenant_id))
|
||||
.filter(user_role::Column::DeletedAt.is_null())
|
||||
.all(db)
|
||||
.await
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
@@ -219,6 +220,7 @@ impl TokenService {
|
||||
let role_perm_rows = role_permission::Entity::find()
|
||||
.filter(role_permission::Column::RoleId.is_in(role_ids))
|
||||
.filter(role_permission::Column::TenantId.eq(tenant_id))
|
||||
.filter(role_permission::Column::DeletedAt.is_null())
|
||||
.all(db)
|
||||
.await
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
@@ -247,6 +249,7 @@ impl TokenService {
|
||||
let user_role_rows = user_role::Entity::find()
|
||||
.filter(user_role::Column::UserId.eq(user_id))
|
||||
.filter(user_role::Column::TenantId.eq(tenant_id))
|
||||
.filter(user_role::Column::DeletedAt.is_null())
|
||||
.all(db)
|
||||
.await
|
||||
.map_err(|e| AuthError::Validation(e.to_string()))?;
|
||||
|
||||
@@ -49,6 +49,20 @@ where
|
||||
})))
|
||||
}
|
||||
|
||||
pub async fn get_alert<S>(
|
||||
State(state): State<HealthState>,
|
||||
Extension(ctx): Extension<TenantContext>,
|
||||
Path(id): Path<Uuid>,
|
||||
) -> Result<impl IntoResponse, AppError>
|
||||
where
|
||||
HealthState: FromRef<S>,
|
||||
S: Clone + Send + Sync + 'static,
|
||||
{
|
||||
require_permission(&ctx, "health.alerts.list")?;
|
||||
let alert = alert_service::get_alert(&state, ctx.tenant_id, id).await?;
|
||||
Ok(axum::Json(ApiResponse::ok(alert)))
|
||||
}
|
||||
|
||||
pub async fn acknowledge<S>(
|
||||
State(state): State<HealthState>,
|
||||
Extension(ctx): Extension<TenantContext>,
|
||||
|
||||
@@ -760,6 +760,10 @@ impl HealthModule {
|
||||
"/health/alerts",
|
||||
axum::routing::get(alert_handler::list_alerts),
|
||||
)
|
||||
.route(
|
||||
"/health/alerts/{id}",
|
||||
axum::routing::get(alert_handler::get_alert),
|
||||
)
|
||||
.route(
|
||||
"/health/alerts/{id}/acknowledge",
|
||||
axum::routing::put(alert_handler::acknowledge),
|
||||
|
||||
@@ -13,6 +13,21 @@ use crate::error::{HealthError, HealthResult};
|
||||
use crate::service::validation;
|
||||
use crate::state::HealthState;
|
||||
|
||||
pub async fn get_alert(
|
||||
state: &HealthState,
|
||||
tenant_id: Uuid,
|
||||
alert_id: Uuid,
|
||||
) -> HealthResult<AlertResponse> {
|
||||
let model = alerts::Entity::find_by_id(alert_id)
|
||||
.filter(alerts::Column::TenantId.eq(tenant_id))
|
||||
.filter(alerts::Column::DeletedAt.is_null())
|
||||
.one(&state.db)
|
||||
.await?
|
||||
.ok_or(HealthError::AlertNotFound)?;
|
||||
|
||||
enrich_alert_response(&state.db, tenant_id, model).await
|
||||
}
|
||||
|
||||
pub async fn list_alerts(
|
||||
state: &HealthState,
|
||||
tenant_id: Uuid,
|
||||
|
||||
@@ -126,6 +126,7 @@ mod m20260505_000123_update_ai_prompts_system_instruction;
|
||||
mod m20260505_000124_freeze_deferred_menus;
|
||||
mod m20260506_000125_restructure_menus_and_roles;
|
||||
mod m20260506_000126_fix_role_permissions_cleanup;
|
||||
mod m20260507_000127_fix_doctor_extra_permissions;
|
||||
|
||||
pub struct Migrator;
|
||||
|
||||
@@ -259,6 +260,7 @@ impl MigratorTrait for Migrator {
|
||||
Box::new(m20260505_000124_freeze_deferred_menus::Migration),
|
||||
Box::new(m20260506_000125_restructure_menus_and_roles::Migration),
|
||||
Box::new(m20260506_000126_fix_role_permissions_cleanup::Migration),
|
||||
Box::new(m20260507_000127_fix_doctor_extra_permissions::Migration),
|
||||
]
|
||||
}
|
||||
}
|
||||
|
||||
@@ -0,0 +1,36 @@
|
||||
use sea_orm_migration::prelude::*;
|
||||
|
||||
#[derive(DeriveMigrationName)]
|
||||
pub struct Migration;
|
||||
|
||||
#[async_trait::async_trait]
|
||||
impl MigrationTrait for Migration {
|
||||
async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
|
||||
let db = manager.get_connection();
|
||||
|
||||
// Doctor 移除 health.health-data.manage 和 ai.analysis.manage
|
||||
// 000125 正确分配了 health.health-data.list 和 ai.analysis.list,
|
||||
// 但早期迁移分配了 .manage 权限且未被 000126 清理
|
||||
let doctor_remove = vec![
|
||||
"health.health-data.manage",
|
||||
"ai.analysis.manage",
|
||||
];
|
||||
for code in &doctor_remove {
|
||||
db.execute(sea_orm::Statement::from_string(
|
||||
sea_orm::DatabaseBackend::Postgres,
|
||||
format!(
|
||||
"UPDATE role_permissions SET deleted_at = NOW() \
|
||||
FROM roles r, permissions p \
|
||||
WHERE role_permissions.role_id = r.id AND role_permissions.permission_id = p.id \
|
||||
AND r.code = 'doctor' AND p.code = '{code}' AND role_permissions.deleted_at IS NULL",
|
||||
),
|
||||
)).await?;
|
||||
}
|
||||
|
||||
Ok(())
|
||||
}
|
||||
|
||||
async fn down(&self, _manager: &SchemaManager) -> Result<(), DbErr> {
|
||||
Ok(())
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user