fix(server): 添加权限守卫 — 审计日志 + 文件上传 + diary.comment.delete 种子

- audit_log handler: 添加 require_permission("audit.log.list") 守卫
- upload handler: 添加 require_permission("file.upload") 守卫
- 种子数据: 新增 audit.log.list / file.upload / diary.comment.delete 权限定义
- 角色种子: admin 获得 audit.log.list + file.upload + diary.comment.delete 权限
- diary.comment.delete 已在 teacher 列表中（种子定义之前缺失）

审计 ID: 5b-C01, 5b-C02, 4a-C02

crates/erp-server/src/handlers/audit_log.rs

@@ -7,6 +7,7 @@ use serde::{Deserialize, Serialize};
 
 use erp_core::entity::audit_log;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, PaginatedResponse, TenantContext};
 
 #[derive(Debug, Deserialize)]
@@ -97,6 +98,9 @@ where
     sea_orm::DatabaseConnection: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫：只有拥有 audit.log.list 权限的用户可查看审计日志
+    require_permission(&ctx, "audit.log.list")?;
+
     let page = params.page.unwrap_or(1).max(1);
     let page_size = params.page_size.unwrap_or(20).min(100);
     let tenant_id = ctx.tenant_id;

crates/erp-server/src/handlers/upload.rs

@@ -2,6 +2,7 @@ use axum::Extension;
 use axum::extract::{FromRef, Multipart, State};
 use axum::response::Json;
 use erp_core::error::AppError;
+use erp_core::rbac::require_permission;
 use erp_core::types::{ApiResponse, TenantContext};
 use serde::Serialize;
 use uuid::Uuid;
@@ -40,6 +41,9 @@ where
     AppState: FromRef<S>,
     S: Clone + Send + Sync + 'static,
 {
+    // 权限守卫：只有拥有 file.upload 权限的用户可上传文件
+    require_permission(&ctx, "file.upload")?;
+
     let max_size = state.config.storage.max_file_size_bytes();
     let upload_dir = &state.config.storage.upload_dir;