diff --git a/crates/erp-server/migration/src/m20260531_000184_diary_seed_data.rs b/crates/erp-server/migration/src/m20260531_000184_diary_seed_data.rs
index d554384..453cb51 100644
--- a/crates/erp-server/migration/src/m20260531_000184_diary_seed_data.rs
+++ b/crates/erp-server/migration/src/m20260531_000184_diary_seed_data.rs
@@ -56,7 +56,11 @@ impl MigrationTrait for Migration {
             ("diary.class.manage", "管理班级", "class", "manage", "允许创建和管理班级"),
             ("diary.topic.assign", "布置主题", "topic", "assign", "允许老师布置日记主题"),
             ("diary.comment.write", "写评语", "comment", "write", "允许老师点评日记"),
+            ("diary.comment.delete", "删除评语", "comment", "delete", "允许老师删除评语"),
             ("diary.parent.bind", "家长绑定", "parent", "bind", "允许家长绑定孩子账号"),
+            // 基座补充权限(审计日志 + 文件上传端点缺少权限守卫)
+            ("audit.log.list", "查看审计日志", "audit_log", "list", "允许查看系统审计日志"),
+            ("file.upload", "上传文件", "file", "upload", "允许上传文件到服务器"),
         ];
 
         for (code, name, resource, action, desc) in &diary_permissions {
diff --git a/crates/erp-server/migration/src/m20260601_000300_diary_role_seed.rs b/crates/erp-server/migration/src/m20260601_000300_diary_role_seed.rs
index 36bb3b3..7b86e12 100644
--- a/crates/erp-server/migration/src/m20260601_000300_diary_role_seed.rs
+++ b/crates/erp-server/migration/src/m20260601_000300_diary_role_seed.rs
@@ -37,6 +37,7 @@ impl MigrationTrait for Migration {
         // teacher 权限: diary.journal.create, diary.journal.read, diary.journal.update, diary.journal.delete,
         // diary.class.manage, diary.topic.assign, diary.comment.write, diary.comment.delete
         // parent 权限: diary.journal.read, diary.parent.bind
+        // admin 权限: diary.comment.delete, audit.log.list, file.upload(基座 m000149 不含这些新权限)
         let role_permissions = [
             ("student", "diary.journal.create"),
             ("student", "diary.journal.read"),
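Review bot: The new permission rows are inserted by editing m20260531_000184, which is an existing migration; on any database where that migration has already been applied the seed loop will not run again, so `audit.log.list` and `file.upload` would never exist there and the new `require_permission` guards in audit_log.rs and upload.rs would reject every caller, admins included. The `("admin", …)` grants added to m20260601_000300 in the next hunk have the same problem, and the comment `基座 m000149 不含这些新权限` suggests the authors already know the base seed lacks these codes. If both migrations are still unreleased this is fine and worth stating in the commit message; otherwise the rows belong in a fresh migration. The seeding loop `for (code, name, resource, action, desc) in &diary_permissions {` continues outside the hunk, so whether re-running it over an already-seeded code is idempotent cannot be confirmed here.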
@@ -52,6 +53,10 @@ impl MigrationTrait for Migration {
             ("teacher", "diary.comment.delete"),
             ("parent", "diary.journal.read"),
             ("parent", "diary.parent.bind"),
+            // admin 补充权限(m000149 之后新增的权限码)
+            ("admin", "diary.comment.delete"),
+            ("admin", "audit.log.list"),
+            ("admin", "file.upload"),
         ];
 
         for (role_code, perm_code) in &role_permissions {
diff --git a/crates/erp-server/src/handlers/audit_log.rs b/crates/erp-server/src/handlers/audit_log.rs
index 16abc8b..1a1dee5 100644
--- a/crates/erp-server/src/handlers/audit_log.rs
+++ b/crates/erp-server/src/handlers/audit_log.rs
@@ -7,6 +7,7 @@ use serde::{Deserialize, Serialize};
 
 use erp_core::entity::audit_log;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};
 
 #[derive(Debug, Deserialize)]
@@ -97,6 +98,9 @@ where
     sea_orm::DatabaseConnection: FromRef,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫:只有拥有 audit.log.list 权限的用户可查看审计日志
+    require_permission(&ctx, "audit.log.list")?;
+
     let page = params.page.unwrap_or(1).max(1);
     let page_size = params.page_size.unwrap_or(20).min(100);
     let tenant_id = ctx.tenant_id;
diff --git a/crates/erp-server/src/handlers/upload.rs b/crates/erp-server/src/handlers/upload.rs
index 28163a8..05cce68 100644
--- a/crates/erp-server/src/handlers/upload.rs
+++ b/crates/erp-server/src/handlers/upload.rs
@@ -2,6 +2,7 @@ use axum::Extension;
 use axum::extract::{FromRef, Multipart, State};
 use axum::response::Json;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 use serde::Serialize;
 use uuid::Uuid;
@@ -40,6 +41,9 @@ where
     AppState: FromRef,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫:只有拥有 file.upload 权限的用户可上传文件
+    require_permission(&ctx, "file.upload")?;
+
     let max_size = state.config.storage.max_file_size_bytes();
     let upload_dir = &state.config.storage.upload_dir;
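Review bot: The permission code in `require_permission(&ctx, "audit.log.list")?;` is a bare string literal that has to match the row seeded in m20260531_000184 byte for byte; a mismatch fails closed (every caller denied) rather than open, which is the safe direction, but it would only surface at runtime. Consider defining each code once, e.g. `pub const PERM_AUDIT_LOG_LIST: &str = "audit.log.list";` alongside `require_permission` in erp_core::rbac, and using the constant in both the seed and the guard; the same applies to `"file.upload"` in the upload.rs hunk. Placing the guard before the pagination and storage setup that follows is the right order, though whether `require_permission` resolves permissions from `ctx` alone or queries the database is outside the hunk. A handler test that calls each endpoint with a `TenantContext` lacking the permission and asserts the error response would pin the new behaviour and make a future handler that omits the guard easier to catch.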