iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(health): 修复 5 角色深度测试发现的权限越权和告警端点缺失
Some checks failed
CI / security-audit (push) Has been cancelled
Details
CI / rust-check (push) Has been cancelled
Details
CI / rust-test (push) Has been cancelled
Details
CI / frontend-build (push) Has been cancelled
Details

Browse Source 
- auth: token_service 查询 role_permissions/user_roles 添加 deleted_at 过滤,
  修复软删除的权限仍被加载到 JWT 的越权漏洞
- health: 新增 GET /health/alerts/{id} 告警详情端点(含 handler + service + 路由)
- web: AlertList 操作按钮增加 active 状态判断,修复按钮不显示
- migration: 新增 000127 清理 doctor 角色多余的 health-data.manage/ai.analysis.manage
This commit is contained in:
iven
2026-05-07 13:51:16 +08:00
parent 85a7dacd16
commit 60dc4dba7a
7 changed files with 76 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
crates/erp-server/migration/src/lib.rs
View File

@@ -126,6 +126,7 @@ mod m20260505_000123_update_ai_prompts_system_instruction;
mod m20260505_000124_freeze_deferred_menus;
mod m20260506_000125_restructure_menus_and_roles;
mod m20260506_000126_fix_role_permissions_cleanup;
mod m20260507_000127_fix_doctor_extra_permissions;
pub struct Migrator;
@@ -259,6 +260,7 @@ impl MigratorTrait for Migrator {
Box::new(m20260505_000124_freeze_deferred_menus::Migration),
Box::new(m20260506_000125_restructure_menus_and_roles::Migration),
Box::new(m20260506_000126_fix_role_permissions_cleanup::Migration),
Box::new(m20260507_000127_fix_doctor_extra_permissions::Migration),
]
}
}

36
crates/erp-server/migration/src/m20260507_000127_fix_doctor_extra_permissions.rs Normal file
View File

@@ -0,0 +1,36 @@
use sea_orm_migration::prelude::*;
#[derive(DeriveMigrationName)]
pub struct Migration;
#[async_trait::async_trait]
impl MigrationTrait for Migration {
async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
let db = manager.get_connection();
// Doctor 移除 health.health-data.manage 和 ai.analysis.manage
// 000125 正确分配了 health.health-data.list 和 ai.analysis.list
// 但早期迁移分配了 .manage 权限且未被 000126 清理
let doctor_remove = vec![
"health.health-data.manage",
"ai.analysis.manage",
];
for code in &doctor_remove {
db.execute(sea_orm::Statement::from_string(
sea_orm::DatabaseBackend::Postgres,
format!(
"UPDATE role_permissions SET deleted_at = NOW() \
FROM roles r, permissions p \
WHERE role_permissions.role_id = r.id AND role_permissions.permission_id = p.id \
AND r.code = 'doctor' AND p.code = '{code}' AND role_permissions.deleted_at IS NULL",
),
)).await?;
}
Ok(())
}
async fn down(&self, _manager: &SchemaManager) -> Result<(), DbErr> {
Ok(())
}
}