fix(auth): error 类型 + auth_service 小修复

crates/erp-auth/src/error.rs

@@ -27,6 +27,9 @@ pub enum AuthError {
     #[error("{0}")]
     Validation(String),
 
+    #[error("{0}")]
+    Forbidden(String),
+
     #[error("版本冲突: 数据已被其他操作修改，请刷新后重试")]
     VersionMismatch,
 }
@@ -39,6 +42,7 @@ impl From<AuthError> for AppError {
             AuthError::TokenRevoked => AppError::Unauthorized,
             AuthError::UserDisabled(s) => AppError::Forbidden(s),
             AuthError::Validation(s) => AppError::Validation(s),
+            AuthError::Forbidden(s) => AppError::Forbidden(s),
             AuthError::DbError(_) => AppError::Internal(err.to_string()),
             AuthError::HashError(_) => AppError::Internal(err.to_string()),
             AuthError::JwtError(_) => AppError::Unauthorized,

crates/erp-auth/src/service/auth_service.rs

@@ -113,6 +113,16 @@ impl AuthService {
 
         // 5. Get roles and permissions
         let roles: Vec<String> = TokenService::get_user_roles(user_model.id, tenant_id, db).await?;
+
+        // 纯患者角色不允许登录管理端（同时拥有医护角色则放行）
+        let medical_roles = ["doctor", "nurse", "admin", "health_manager", "operator"];
+        let is_pure_patient =
+            roles.iter().all(|r| r == "patient") && roles.iter().any(|r| r == "patient");
+        let has_medical_role = roles.iter().any(|r| medical_roles.contains(&r.as_str()));
+        if is_pure_patient && !has_medical_role {
+            return Err(AuthError::Forbidden("患者账号请使用小程序登录".to_string()));
+        }
+
         let permissions = TokenService::get_user_permissions(user_model.id, tenant_id, db).await?;
 
         // 6. Sign tokens