fix(server): 添加权限守卫 — 审计日志 + 文件上传 + diary.comment.delete 种子

- audit_log handler: 添加 require_permission("audit.log.list") 守卫
- upload handler: 添加 require_permission("file.upload") 守卫
- 种子数据: 新增 audit.log.list / file.upload / diary.comment.delete 权限定义
- 角色种子: admin 获得 audit.log.list + file.upload + diary.comment.delete 权限
- diary.comment.delete 已在 teacher 列表中（种子定义之前缺失）

审计 ID: 5b-C01, 5b-C02, 4a-C02

crates/erp-server/migration/src/m20260531_000184_diary_seed_data.rs

@@ -56,7 +56,11 @@ impl MigrationTrait for Migration {
             ("diary.class.manage", "管理班级", "class", "manage", "允许创建和管理班级"),
             ("diary.topic.assign", "布置主题", "topic", "assign", "允许老师布置日记主题"),
             ("diary.comment.write", "写评语", "comment", "write", "允许老师点评日记"),
+            ("diary.comment.delete", "删除评语", "comment", "delete", "允许老师删除评语"),
             ("diary.parent.bind", "家长绑定", "parent", "bind", "允许家长绑定孩子账号"),
+            // 基座补充权限（审计日志 + 文件上传端点缺少权限守卫）
+            ("audit.log.list", "查看审计日志", "audit_log", "list", "允许查看系统审计日志"),
+            ("file.upload", "上传文件", "file", "upload", "允许上传文件到服务器"),
         ];
 
         for (code, name, resource, action, desc) in &diary_permissions {

crates/erp-server/migration/src/m20260601_000300_diary_role_seed.rs

@@ -37,6 +37,7 @@ impl MigrationTrait for Migration {
         // teacher 权限: diary.journal.create, diary.journal.read, diary.journal.update, diary.journal.delete,
         //               diary.class.manage, diary.topic.assign, diary.comment.write, diary.comment.delete
         // parent 权限: diary.journal.read, diary.parent.bind
+        // admin 权限: diary.comment.delete, audit.log.list, file.upload（基座 m000149 不含这些新权限）
         let role_permissions = [
             ("student", "diary.journal.create"),
             ("student", "diary.journal.read"),
@@ -52,6 +53,10 @@ impl MigrationTrait for Migration {
             ("teacher", "diary.comment.delete"),
             ("parent", "diary.journal.read"),
             ("parent", "diary.parent.bind"),
+            // admin 补充权限（m000149 之后新增的权限码）
+            ("admin", "diary.comment.delete"),
+            ("admin", "audit.log.list"),
+            ("admin", "file.upload"),
         ];
 
         for (role_code, perm_code) in &role_permissions {

crates/erp-server/src/handlers/audit_log.rs

@@ -7,6 +7,7 @@ use serde::{Deserialize, Serialize};
 
 use erp_core::entity::audit_log;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};
 
 #[derive(Debug, Deserialize)]
@@ -97,6 +98,9 @@ where
     sea_orm::DatabaseConnection: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫：只有拥有 audit.log.list 权限的用户可查看审计日志
+    require_permission(&ctx, "audit.log.list")?;
+
     let page = params.page.unwrap_or(1).max(1);
     let page_size = params.page_size.unwrap_or(20).min(100);
     let tenant_id = ctx.tenant_id;

crates/erp-server/src/handlers/upload.rs

@@ -2,6 +2,7 @@ use axum::Extension;
 use axum::extract::{FromRef, Multipart, State};
 use axum::response::Json;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 use serde::Serialize;
 use uuid::Uuid;
@@ -40,6 +41,9 @@ where
     AppState: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫：只有拥有 file.upload 权限的用户可上传文件
+    require_permission(&ctx, "file.upload")?;
+
     let max_size = state.config.storage.max_file_size_bytes();
     let upload_dir = &state.config.storage.upload_dir;