iven/hms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(health): 修复 5 角色深度测试发现的权限越权和告警端点缺失
Some checks failed
CI / security-audit (push) Has been cancelled
Details
CI / rust-check (push) Has been cancelled
Details
CI / rust-test (push) Has been cancelled
Details
CI / frontend-build (push) Has been cancelled
Details

Browse Source 
- auth: token_service 查询 role_permissions/user_roles 添加 deleted_at 过滤,
  修复软删除的权限仍被加载到 JWT 的越权漏洞
- health: 新增 GET /health/alerts/{id} 告警详情端点(含 handler + service + 路由)
- web: AlertList 操作按钮增加 active 状态判断,修复按钮不显示
- migration: 新增 000127 清理 doctor 角色多余的 health-data.manage/ai.analysis.manage
This commit is contained in:
iven
2026-05-07 13:51:16 +08:00
parent 85a7dacd16
commit 60dc4dba7a
7 changed files with 76 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/web/src/pages/health/AlertList.tsx
View File

@@ -200,7 +200,7 @@ export default function AlertList() {
render: (_: unknown, record: Alert) => ( render: (_: unknown, record: Alert) => (
<AuthButton code="health.alerts.manage"> <AuthButton code="health.alerts.manage">
<Space size={4}> <Space size={4}>
{record.status === 'pending' && ( {(record.status === 'pending' || record.status === 'active') && (
<Popconfirm <Popconfirm
title="确认处理该告警?" title="确认处理该告警?"
onConfirm={() => handleAcknowledge(record)} onConfirm={() => handleAcknowledge(record)}
@@ -218,6 +218,7 @@ export default function AlertList() {
</Popconfirm> </Popconfirm>
)} )}
{(record.status === 'pending' || {(record.status === 'pending' ||
record.status === 'active' ||
record.status === 'acknowledged') && ( record.status === 'acknowledged') && (
<Popconfirm <Popconfirm
title="确认忽略该告警?" title="确认忽略该告警?"

3
crates/erp-auth/src/service/token_service.rs
View File

@@ -207,6 +207,7 @@ impl TokenService {
let user_role_rows = user_role::Entity::find() let user_role_rows = user_role::Entity::find()
.filter(user_role::Column::UserId.eq(user_id)) .filter(user_role::Column::UserId.eq(user_id))
.filter(user_role::Column::TenantId.eq(tenant_id)) .filter(user_role::Column::TenantId.eq(tenant_id))
.filter(user_role::Column::DeletedAt.is_null())
.all(db) .all(db)
.await .await
.map_err(|e| AuthError::Validation(e.to_string()))?; .map_err(|e| AuthError::Validation(e.to_string()))?;
@@ -219,6 +220,7 @@ impl TokenService {
let role_perm_rows = role_permission::Entity::find() let role_perm_rows = role_permission::Entity::find()
.filter(role_permission::Column::RoleId.is_in(role_ids)) .filter(role_permission::Column::RoleId.is_in(role_ids))
.filter(role_permission::Column::TenantId.eq(tenant_id)) .filter(role_permission::Column::TenantId.eq(tenant_id))
.filter(role_permission::Column::DeletedAt.is_null())
.all(db) .all(db)
.await .await
.map_err(|e| AuthError::Validation(e.to_string()))?; .map_err(|e| AuthError::Validation(e.to_string()))?;
@@ -247,6 +249,7 @@ impl TokenService {
let user_role_rows = user_role::Entity::find() let user_role_rows = user_role::Entity::find()
.filter(user_role::Column::UserId.eq(user_id)) .filter(user_role::Column::UserId.eq(user_id))
.filter(user_role::Column::TenantId.eq(tenant_id)) .filter(user_role::Column::TenantId.eq(tenant_id))
.filter(user_role::Column::DeletedAt.is_null())
.all(db) .all(db)
.await .await
.map_err(|e| AuthError::Validation(e.to_string()))?; .map_err(|e| AuthError::Validation(e.to_string()))?;

14
crates/erp-health/src/handler/alert_handler.rs
View File

@@ -49,6 +49,20 @@ where
}))) })))
} }
pub async fn get_alert<S>(
State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>,
Path(id): Path<Uuid>,
) -> Result<impl IntoResponse, AppError>
where
HealthState: FromRef<S>,
S: Clone + Send + Sync + 'static,
{
require_permission(&ctx, "health.alerts.list")?;
let alert = alert_service::get_alert(&state, ctx.tenant_id, id).await?;
Ok(axum::Json(ApiResponse::ok(alert)))
}
pub async fn acknowledge<S>( pub async fn acknowledge<S>(
State(state): State<HealthState>, State(state): State<HealthState>,
Extension(ctx): Extension<TenantContext>, Extension(ctx): Extension<TenantContext>,

4
crates/erp-health/src/module.rs
View File

@@ -760,6 +760,10 @@ impl HealthModule {
"/health/alerts", "/health/alerts",
axum::routing::get(alert_handler::list_alerts), axum::routing::get(alert_handler::list_alerts),
) )
.route(
"/health/alerts/{id}",
axum::routing::get(alert_handler::get_alert),
)
.route( .route(
"/health/alerts/{id}/acknowledge", "/health/alerts/{id}/acknowledge",
axum::routing::put(alert_handler::acknowledge), axum::routing::put(alert_handler::acknowledge),

15
crates/erp-health/src/service/alert_service.rs
View File

@@ -13,6 +13,21 @@ use crate::error::{HealthError, HealthResult};
use crate::service::validation; use crate::service::validation;
use crate::state::HealthState; use crate::state::HealthState;
pub async fn get_alert(
state: &HealthState,
tenant_id: Uuid,
alert_id: Uuid,
) -> HealthResult<AlertResponse> {
let model = alerts::Entity::find_by_id(alert_id)
.filter(alerts::Column::TenantId.eq(tenant_id))
.filter(alerts::Column::DeletedAt.is_null())
.one(&state.db)
.await?
.ok_or(HealthError::AlertNotFound)?;
enrich_alert_response(&state.db, tenant_id, model).await
}
pub async fn list_alerts( pub async fn list_alerts(
state: &HealthState, state: &HealthState,
tenant_id: Uuid, tenant_id: Uuid,

2
crates/erp-server/migration/src/lib.rs
View File

@@ -126,6 +126,7 @@ mod m20260505_000123_update_ai_prompts_system_instruction;
mod m20260505_000124_freeze_deferred_menus; mod m20260505_000124_freeze_deferred_menus;
mod m20260506_000125_restructure_menus_and_roles; mod m20260506_000125_restructure_menus_and_roles;
mod m20260506_000126_fix_role_permissions_cleanup; mod m20260506_000126_fix_role_permissions_cleanup;
mod m20260507_000127_fix_doctor_extra_permissions;
pub struct Migrator; pub struct Migrator;
@@ -259,6 +260,7 @@ impl MigratorTrait for Migrator {
Box::new(m20260505_000124_freeze_deferred_menus::Migration), Box::new(m20260505_000124_freeze_deferred_menus::Migration),
Box::new(m20260506_000125_restructure_menus_and_roles::Migration), Box::new(m20260506_000125_restructure_menus_and_roles::Migration),
Box::new(m20260506_000126_fix_role_permissions_cleanup::Migration), Box::new(m20260506_000126_fix_role_permissions_cleanup::Migration),
Box::new(m20260507_000127_fix_doctor_extra_permissions::Migration),
] ]
} }
} }

36
crates/erp-server/migration/src/m20260507_000127_fix_doctor_extra_permissions.rs Normal file
View File

@@ -0,0 +1,36 @@
use sea_orm_migration::prelude::*;
#[derive(DeriveMigrationName)]
pub struct Migration;
#[async_trait::async_trait]
impl MigrationTrait for Migration {
async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
let db = manager.get_connection();
// Doctor 移除 health.health-data.manage 和 ai.analysis.manage
// 000125 正确分配了 health.health-data.list 和 ai.analysis.list
// 但早期迁移分配了 .manage 权限且未被 000126 清理
let doctor_remove = vec![
"health.health-data.manage",
"ai.analysis.manage",
];
for code in &doctor_remove {
db.execute(sea_orm::Statement::from_string(
sea_orm::DatabaseBackend::Postgres,
format!(
"UPDATE role_permissions SET deleted_at = NOW() \
FROM roles r, permissions p \
WHERE role_permissions.role_id = r.id AND role_permissions.permission_id = p.id \
AND r.code = 'doctor' AND p.code = '{code}' AND role_permissions.deleted_at IS NULL",
),
)).await?;
}
Ok(())
}
async fn down(&self, _manager: &SchemaManager) -> Result<(), DbErr> {
Ok(())
}
}