fix(saas): 统一权限体系 — check_permission 辅助函数 + admin:full 超级权限

- 新增 check_permission() 统一权限检查，admin:full 自动通过所有检查 - 统一种子角色权限名称与 handler 检查一致 (provider:manage, model:manage, config:write) - super_admin 拥有 admin:full + 所有模块管理权限 - 全部 handler 迁移到 check_permission()，消除手动 contains 检查
2026-03-27 13:12:09 +08:00
parent 900430d93e
commit a0d59b1947
6 changed files with 33 additions and 47 deletions
--- a/crates/zclaw-saas/src/migration/handlers.rs
+++ b/crates/zclaw-saas/src/migration/handlers.rs
@@ -7,6 +7,7 @@ use axum::{
 use crate::state::AppState;
 use crate::error::SaasResult;
 use crate::auth::types::AuthContext;
+use crate::auth::handlers::check_permission;
 use super::{types::*, service};

 /// GET /api/v1/config/items?category=xxx&source=xxx
@@ -33,9 +34,7 @@ pub async fn create_config_item(
    Extension(ctx): Extension<AuthContext>,
    Json(req): Json<CreateConfigItemRequest>,
 ) -> SaasResult<(StatusCode, Json<ConfigItemInfo>)> {
-    if !ctx.permissions.contains(&"config:manage".to_string()) {
-        return Err(crate::error::SaasError::Forbidden("需要 config:manage 权限".into()));
-    }
+    check_permission(&ctx, "config:write")?;
    let item = service::create_config_item(&state.db, &req).await?;
    Ok((StatusCode::CREATED, Json(item)))
 }
@@ -47,9 +46,7 @@ pub async fn update_config_item(
    Extension(ctx): Extension<AuthContext>,
    Json(req): Json<UpdateConfigItemRequest>,
 ) -> SaasResult<Json<ConfigItemInfo>> {
-    if !ctx.permissions.contains(&"config:manage".to_string()) {
-        return Err(crate::error::SaasError::Forbidden("需要 config:manage 权限".into()));
-    }
+    check_permission(&ctx, "config:write")?;
    service::update_config_item(&state.db, &id, &req).await.map(Json)
 }

@@ -59,9 +56,7 @@ pub async fn delete_config_item(
    Path(id): Path<String>,
    Extension(ctx): Extension<AuthContext>,
 ) -> SaasResult<Json<serde_json::Value>> {
-    if !ctx.permissions.contains(&"config:manage".to_string()) {
-        return Err(crate::error::SaasError::Forbidden("需要 config:manage 权限".into()));
-    }
+    check_permission(&ctx, "config:write")?;
    service::delete_config_item(&state.db, &id).await?;
    Ok(Json(serde_json::json!({"ok": true})))
 }
@@ -79,9 +74,7 @@ pub async fn seed_config(
    State(state): State<AppState>,
    Extension(ctx): Extension<AuthContext>,
 ) -> SaasResult<Json<serde_json::Value>> {
-    if !ctx.permissions.contains(&"config:manage".to_string()) {
-        return Err(crate::error::SaasError::Forbidden("需要 config:manage 权限".into()));
-    }
+    check_permission(&ctx, "config:write")?;
    let count = service::seed_default_config_items(&state.db).await?;
    Ok(Json(serde_json::json!({"created": count})))
 }