iven/zclaw_openfang
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

fix(saas): 统一权限体系 — check_permission 辅助函数 + admin:full 超级权限

Browse Source 
- 新增 check_permission() 统一权限检查,admin:full 自动通过所有检查
- 统一种子角色权限名称与 handler 检查一致 (provider:manage, model:manage, config:write)
- super_admin 拥有 admin:full + 所有模块管理权限
- 全部 handler 迁移到 check_permission(),消除手动 contains 检查
This commit is contained in:
iven
2026-03-27 13:12:09 +08:00
parent 900430d93e
commit a0d59b1947
6 changed files with 33 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
crates/zclaw-saas/src/model_config/handlers.rs
View File

@@ -5,9 +5,9 @@ use axum::{
http::StatusCode, Json,
};
use crate::state::AppState;
use crate::error::{SaasError, SaasResult};
use crate::error::SaasResult;
use crate::auth::types::AuthContext;
use crate::auth::handlers::log_operation;
use crate::auth::handlers::{log_operation, check_permission};
use super::{types::*, service};
// ============ Providers ============
@@ -35,9 +35,7 @@ pub async fn create_provider(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<CreateProviderRequest>,
) -> SaasResult<(StatusCode, Json<ProviderInfo>)> {
if !ctx.permissions.contains(&"provider:manage".to_string()) {
return Err(SaasError::Forbidden("需要 provider:manage 权限".into()));
}
check_permission(&ctx, "provider:manage")?;
let provider = service::create_provider(&state.db, &req).await?;
log_operation(&state.db, &ctx.account_id, "provider.create", "provider", &provider.id,
Some(serde_json::json!({"name": &req.name})), None).await?;
@@ -51,9 +49,7 @@ pub async fn update_provider(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<UpdateProviderRequest>,
) -> SaasResult<Json<ProviderInfo>> {
if !ctx.permissions.contains(&"provider:manage".to_string()) {
return Err(SaasError::Forbidden("需要 provider:manage 权限".into()));
}
check_permission(&ctx, "provider:manage")?;
let provider = service::update_provider(&state.db, &id, &req).await?;
log_operation(&state.db, &ctx.account_id, "provider.update", "provider", &id, None, None).await?;
Ok(Json(provider))
@@ -65,9 +61,7 @@ pub async fn delete_provider(
Path(id): Path<String>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<serde_json::Value>> {
if !ctx.permissions.contains(&"provider:manage".to_string()) {
return Err(SaasError::Forbidden("需要 provider:manage 权限".into()));
}
check_permission(&ctx, "provider:manage")?;
service::delete_provider(&state.db, &id).await?;
log_operation(&state.db, &ctx.account_id, "provider.delete", "provider", &id, None, None).await?;
Ok(Json(serde_json::json!({"ok": true})))
@@ -100,9 +94,7 @@ pub async fn create_model(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<CreateModelRequest>,
) -> SaasResult<(StatusCode, Json<ModelInfo>)> {
if !ctx.permissions.contains(&"model:manage".to_string()) {
return Err(SaasError::Forbidden("需要 model:manage 权限".into()));
}
check_permission(&ctx, "model:manage")?;
let model = service::create_model(&state.db, &req).await?;
log_operation(&state.db, &ctx.account_id, "model.create", "model", &model.id,
Some(serde_json::json!({"model_id": &req.model_id, "provider_id": &req.provider_id})), None).await?;
@@ -116,9 +108,7 @@ pub async fn update_model(
Extension(ctx): Extension<AuthContext>,
Json(req): Json<UpdateModelRequest>,
) -> SaasResult<Json<ModelInfo>> {
if !ctx.permissions.contains(&"model:manage".to_string()) {
return Err(SaasError::Forbidden("需要 model:manage 权限".into()));
}
check_permission(&ctx, "model:manage")?;
let model = service::update_model(&state.db, &id, &req).await?;
log_operation(&state.db, &ctx.account_id, "model.update", "model", &id, None, None).await?;
Ok(Json(model))
@@ -130,9 +120,7 @@ pub async fn delete_model(
Path(id): Path<String>,
Extension(ctx): Extension<AuthContext>,
) -> SaasResult<Json<serde_json::Value>> {
if !ctx.permissions.contains(&"model:manage".to_string()) {
return Err(SaasError::Forbidden("需要 model:manage 权限".into()));
}
check_permission(&ctx, "model:manage")?;
service::delete_model(&state.db, &id).await?;
log_operation(&state.db, &ctx.account_id, "model.delete", "model", &id, None, None).await?;
Ok(Json(serde_json::json!({"ok": true})))