From 8b2bc843990e98bdfcc2d8c17e74cde65758b79e Mon Sep 17 00:00:00 2001 From: hiderfong Date: Thu, 23 Apr 2026 12:09:32 +0800 Subject: [PATCH] feat: implement full RBAC role-based access control Backend: - deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above - user.py: all write endpoints require admin - datasource.py: write/sync endpoints require admin - metadata.py: sync endpoint requires admin - classification.py: category/rule write requires admin; results query requires guest+ with data isolation - project.py: GET requires manager with created_by filtering; DELETE checks ownership - task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager - dashboard.py: requires guest_or_above - report.py: requires guest_or_above - project_service: list_projects adds created_by filter; list_results adds project_ids filter Frontend: - stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin - router/index.ts: add roles to route meta; beforeEach checks role permissions - Layout.vue: filter menu routes by user roles - System.vue: hide add/edit/delete buttons for non-admins - DataSource.vue: hide add/edit/delete/sync buttons for non-admins - Project.vue: hide add/delete buttons for non-admins --- backend/app/api/deps.py | 84 +++++++++++++++++++- backend/app/api/v1/classification.py | 51 +++++++++--- backend/app/api/v1/dashboard.py | 6 +- backend/app/api/v1/datasource.py | 8 +- backend/app/api/v1/metadata.py | 4 +- backend/app/api/v1/project.py | 19 +++-- backend/app/api/v1/report.py | 4 +- backend/app/api/v1/task.py | 10 ++- backend/app/api/v1/user.py | 10 +-- backend/app/services/project_service.py | 7 +- frontend/src/components/Layout.vue | 8 +- frontend/src/router/index.ts | 43 +++++++--- frontend/src/stores/user.ts | 26 ++++++ frontend/src/views/datasource/DataSource.vue | 10 ++- frontend/src/views/project/Project.vue | 6 +- frontend/src/views/system/System.vue | 8 +- 16 files changed, 245 insertions(+), 59 deletions(-) diff --git a/backend/app/api/deps.py b/backend/app/api/deps.py index 012fce11..34389fa5 100644 --- a/backend/app/api/deps.py +++ b/backend/app/api/deps.py @@ -4,7 +4,7 @@ from jose import JWTError from app.core.database import get_db from app.core.security import decode_token -from app.models.user import User +from app.models.user import User, Role from app.services import user_service @@ -47,3 +47,85 @@ def get_current_active_user( current_user: User = Depends(get_current_user), ) -> User: return current_user + + +# ===================== RBAC Dependencies ===================== + +# Role code constants +ROLE_SUPERADMIN = "superadmin" +ROLE_ADMIN = "admin" +ROLE_PROJECT_MANAGER = "project_manager" +ROLE_LABELER = "labeler" +ROLE_REVIEWER = "reviewer" +ROLE_GUEST = "guest" + +# Role hierarchy (higher index = more permissions) +ROLE_LEVELS = { + ROLE_GUEST: 0, + ROLE_LABELER: 1, + ROLE_REVIEWER: 1, + ROLE_PROJECT_MANAGER: 2, + ROLE_ADMIN: 3, + ROLE_SUPERADMIN: 4, +} + + +def _get_user_role_codes(user: User) -> list[str]: + """Get list of role codes for a user.""" + return [r.code for r in user.roles] + + +def _has_role(user: User, role_code: str) -> bool: + """Check if user has a specific role.""" + return role_code in _get_user_role_codes(user) + + +def _has_any_role(user: User, role_codes: list[str]) -> bool: + """Check if user has any of the specified roles.""" + user_roles = _get_user_role_codes(user) + return any(r in user_roles for r in role_codes) + + +def _is_admin(user: User) -> bool: + """Check if user is admin or superadmin.""" + return user.is_superuser or _has_any_role(user, [ROLE_SUPERADMIN, ROLE_ADMIN]) + + +def require_admin(current_user: User = Depends(get_current_user)) -> User: + """Require admin or superadmin role.""" + if not _is_admin(current_user): + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="需要管理员权限", + ) + return current_user + + +def require_manager(current_user: User = Depends(get_current_user)) -> User: + """Require project manager or above.""" + if _is_admin(current_user): + return current_user + if _has_role(current_user, ROLE_PROJECT_MANAGER): + return current_user + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="需要项目负责人及以上权限", + ) + + +def require_labeler(current_user: User = Depends(get_current_user)) -> User: + """Require labeler or above (excluding guest).""" + if _is_admin(current_user): + return current_user + allowed = [ROLE_PROJECT_MANAGER, ROLE_LABELER, ROLE_REVIEWER] + if _has_any_role(current_user, allowed): + return current_user + raise HTTPException( + status_code=status.HTTP_403_FORBIDDEN, + detail="权限不足", + ) + + +def require_guest_or_above(current_user: User = Depends(get_current_user)) -> User: + """Any authenticated user (including guest).""" + return current_user diff --git a/backend/app/api/v1/classification.py b/backend/app/api/v1/classification.py index 9f0d530c..5b18c257 100644 --- a/backend/app/api/v1/classification.py +++ b/backend/app/api/v1/classification.py @@ -11,7 +11,7 @@ from app.schemas.classification import ( ) from app.schemas.common import ResponseModel, ListResponse from app.services import classification_service, classification_engine -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_admin, require_labeler, require_guest_or_above, _is_admin, ROLE_PROJECT_MANAGER router = APIRouter() @@ -39,7 +39,7 @@ def list_categories( def create_category( req: CategoryCreate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): item = classification_service.create_category(db, req) return ResponseModel(data=CategoryOut.model_validate(item)) @@ -50,7 +50,7 @@ def update_category( category_id: int, req: CategoryUpdate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): db_obj = classification_service.get_category(db, category_id) if not db_obj: @@ -64,7 +64,7 @@ def update_category( def delete_category( category_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): classification_service.delete_category(db, category_id) return ResponseModel(message="删除成功") @@ -103,7 +103,7 @@ def list_rules( def create_rule( req: RecognitionRuleCreate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): item = classification_service.create_rule(db, req) data = RecognitionRuleOut.model_validate(item) @@ -118,7 +118,7 @@ def update_rule( rule_id: int, req: RecognitionRuleUpdate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): db_obj = classification_service.get_rule(db, rule_id) if not db_obj: @@ -136,7 +136,7 @@ def update_rule( def delete_rule( rule_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): classification_service.delete_rule(db, rule_id) return ResponseModel(message="删除成功") @@ -159,10 +159,42 @@ def list_results( page: int = Query(1, ge=1), page_size: int = Query(20, ge=1, le=500), db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_guest_or_above), ): from app.services.project_service import list_results as _list_results - items, total = _list_results(db, project_id=project_id, keyword=keyword, page=page, page_size=page_size) + from app.models.project import ClassificationProject, ClassificationTask + from app.api.deps import _has_role + + # Data isolation: compute allowed project IDs for non-admin users + allowed_project_ids = None + if not _is_admin(current_user): + if _has_role(current_user, ROLE_PROJECT_MANAGER): + # Project managers see their own projects + allowed_project_ids = [ + p.id for p in db.query(ClassificationProject.id).filter( + ClassificationProject.created_by == current_user.id + ).all() + ] + elif _has_role(current_user, 'labeler') or _has_role(current_user, 'reviewer'): + # Labelers/reviewers see projects where they have tasks + task_projects = db.query(ClassificationTask.project_id).filter( + ClassificationTask.assignee_id == current_user.id + ).distinct().all() + allowed_project_ids = [p[0] for p in task_projects] + else: + # Guests see all results (read-only) + allowed_project_ids = None + if allowed_project_ids is not None and not allowed_project_ids: + allowed_project_ids = [] + + # If a specific project_id is requested, check permission + if project_id and allowed_project_ids is not None and project_id not in allowed_project_ids: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权查看此项目") + + items, total = _list_results( + db, project_id=project_id, keyword=keyword, page=page, page_size=page_size, + project_ids=allowed_project_ids, + ) data = [] for r in items: @@ -171,7 +203,6 @@ def list_results( database = table.database if table else None source = database.source if database else None - # Filter by level_id if specified if level_id and r.level_id != level_id: continue diff --git a/backend/app/api/v1/dashboard.py b/backend/app/api/v1/dashboard.py index f9a60f63..92e10647 100644 --- a/backend/app/api/v1/dashboard.py +++ b/backend/app/api/v1/dashboard.py @@ -9,7 +9,7 @@ from app.models.metadata import DataSource, DataTable, DataColumn from app.models.project import ClassificationResult, ClassificationProject from app.models.classification import Category, DataLevel from app.schemas.common import ResponseModel -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_guest_or_above, _is_admin router = APIRouter() @@ -17,7 +17,7 @@ router = APIRouter() @router.get("/stats") def get_dashboard_stats( db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_guest_or_above), ): """Dashboard overview statistics based on real DB data.""" data_sources = db.query(DataSource).count() @@ -42,7 +42,7 @@ def get_dashboard_stats( @router.get("/distribution") def get_dashboard_distribution( db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_guest_or_above), ): """Distribution data for charts based on real DB data.""" # Level distribution diff --git a/backend/app/api/v1/datasource.py b/backend/app/api/v1/datasource.py index 84cdac35..54474016 100644 --- a/backend/app/api/v1/datasource.py +++ b/backend/app/api/v1/datasource.py @@ -7,7 +7,7 @@ from app.models.user import User from app.schemas.datasource import DataSourceCreate, DataSourceUpdate, DataSourceOut, DataSourceTest from app.schemas.common import ResponseModel, ListResponse from app.services import datasource_service -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_admin router = APIRouter() @@ -41,7 +41,7 @@ def get_datasource( def create_datasource( req: DataSourceCreate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): item = datasource_service.create_datasource(db, req, current_user.id) return ResponseModel(data=DataSourceOut.model_validate(item)) @@ -52,7 +52,7 @@ def update_datasource( source_id: int, req: DataSourceUpdate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): db_obj = datasource_service.get_datasource(db, source_id) if not db_obj: @@ -66,7 +66,7 @@ def update_datasource( def delete_datasource( source_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): datasource_service.delete_datasource(db, source_id) return ResponseModel(message="删除成功") diff --git a/backend/app/api/v1/metadata.py b/backend/app/api/v1/metadata.py index 85f268ce..a8e75636 100644 --- a/backend/app/api/v1/metadata.py +++ b/backend/app/api/v1/metadata.py @@ -7,7 +7,7 @@ from app.models.user import User from app.schemas.metadata import DatabaseOut, DataTableOut, DataColumnOut from app.schemas.common import ResponseModel, ListResponse from app.services import metadata_service -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_admin router = APIRouter() @@ -60,7 +60,7 @@ def list_columns( def sync_metadata( source_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): result = metadata_service.sync_metadata(db, source_id, current_user.id) return ResponseModel(data=result) diff --git a/backend/app/api/v1/project.py b/backend/app/api/v1/project.py index a78c8bc7..9f252dde 100644 --- a/backend/app/api/v1/project.py +++ b/backend/app/api/v1/project.py @@ -6,7 +6,7 @@ from app.core.database import get_db from app.models.user import User from app.schemas.common import ResponseModel, ListResponse from app.services import project_service -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_admin, require_manager, _is_admin router = APIRouter() @@ -17,9 +17,11 @@ def list_projects( page_size: int = Query(20, ge=1, le=500), keyword: Optional[str] = Query(None), db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_manager), ): - items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size) + # Data isolation: non-admin users only see their own projects + created_by = None if _is_admin(current_user) else current_user.id + items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size, created_by=created_by) data = [] for p in items: stats = project_service.get_project_stats(db, p.id) @@ -43,7 +45,7 @@ def create_project( target_source_ids: Optional[str] = None, description: Optional[str] = None, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_manager), ): item = project_service.create_project( db, name=name, template_id=template_id, @@ -85,6 +87,13 @@ def delete_project( db: Session = Depends(get_db), current_user: User = Depends(get_current_user), ): + p = project_service.get_project(db, project_id) + if not p: + from fastapi import HTTPException, status + raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="项目不存在") + # Only admin or project creator can delete + if not _is_admin(current_user) and p.created_by != current_user.id: + raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权删除此项目") project_service.delete_project(db, project_id) return ResponseModel(message="删除成功") @@ -93,7 +102,7 @@ def delete_project( def project_auto_classify( project_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_manager), ): from app.services.classification_engine import run_auto_classification result = run_auto_classification(db, project_id) diff --git a/backend/app/api/v1/report.py b/backend/app/api/v1/report.py index 4bb5f2fb..16db7755 100644 --- a/backend/app/api/v1/report.py +++ b/backend/app/api/v1/report.py @@ -7,7 +7,7 @@ from app.models.user import User from app.models.project import ClassificationResult, ClassificationProject from app.models.classification import Category, DataLevel from app.schemas.common import ResponseModel -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_guest_or_above from app.services import report_service router = APIRouter() @@ -16,7 +16,7 @@ router = APIRouter() @router.get("/stats") def get_report_stats( db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_guest_or_above), ): """Global report statistics.""" total = db.query(ClassificationResult).count() diff --git a/backend/app/api/v1/task.py b/backend/app/api/v1/task.py index 8076cdbb..12a7c432 100644 --- a/backend/app/api/v1/task.py +++ b/backend/app/api/v1/task.py @@ -5,7 +5,7 @@ from sqlalchemy.orm import Session from app.core.database import get_db from app.models.user import User from app.schemas.common import ResponseModel, ListResponse -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_manager, require_labeler, _is_admin from app.services import task_service, project_service router = APIRouter() @@ -15,9 +15,11 @@ router = APIRouter() def my_tasks( status: Optional[str] = Query(None), db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_labeler), ): - items, _ = task_service.list_tasks(db, assignee_id=current_user.id, status=status) + # Data isolation: non-admin users only see tasks assigned to them + assignee_id = None if _is_admin(current_user) else current_user.id + items, _ = task_service.list_tasks(db, assignee_id=assignee_id, status=status) data = [] for t in items: project = project_service.get_project(db, t.project_id) @@ -100,7 +102,7 @@ def create_task_for_project( assignee_id: int, target_type: str = Query("column"), db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_manager), ): task = task_service.create_task( db, project_id=project_id, name=name, diff --git a/backend/app/api/v1/user.py b/backend/app/api/v1/user.py index cf2c29f1..39cff3b1 100644 --- a/backend/app/api/v1/user.py +++ b/backend/app/api/v1/user.py @@ -8,7 +8,7 @@ from app.models.user import Role, Dept from app.schemas.user import UserCreate, UserUpdate, UserOut, RoleOut, DeptOut from app.schemas.common import ResponseModel, ListResponse, PageParams from app.services import user_service -from app.api.deps import get_current_user +from app.api.deps import get_current_user, require_admin router = APIRouter() @@ -24,7 +24,7 @@ def list_users( page_size: int = Query(20, ge=1, le=500), keyword: Optional[str] = Query(None), db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): items, total = user_service.list_users(db, keyword=keyword, page=page, page_size=page_size) return ListResponse(data=[UserOut.model_validate(u) for u in items], total=total, page=page, page_size=page_size) @@ -34,7 +34,7 @@ def list_users( def create_user( req: UserCreate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): user = user_service.create_user(db, req) return ResponseModel(data=UserOut.model_validate(user)) @@ -45,7 +45,7 @@ def update_user( user_id: int, req: UserUpdate, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): user = user_service.get_user_by_id(db, user_id) if not user: @@ -59,7 +59,7 @@ def update_user( def delete_user( user_id: int, db: Session = Depends(get_db), - current_user: User = Depends(get_current_user), + current_user: User = Depends(require_admin), ): user_service.delete_user(db, user_id) return ResponseModel(message="删除成功") diff --git a/backend/app/services/project_service.py b/backend/app/services/project_service.py index a6dcc245..6d616042 100644 --- a/backend/app/services/project_service.py +++ b/backend/app/services/project_service.py @@ -12,11 +12,13 @@ def get_project(db: Session, project_id: int) -> Optional[ClassificationProject] def list_projects( - db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20 + db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20, created_by: Optional[int] = None ) -> Tuple[List[ClassificationProject], int]: query = db.query(ClassificationProject) if keyword: query = query.filter(ClassificationProject.name.contains(keyword)) + if created_by: + query = query.filter(ClassificationProject.created_by == created_by) total = query.count() items = query.order_by(ClassificationProject.created_at.desc()).offset((page - 1) * page_size).limit(page_size).all() return items, total @@ -82,10 +84,13 @@ def list_results( keyword: Optional[str] = None, page: int = 1, page_size: int = 50, + project_ids: Optional[List[int]] = None, ) -> Tuple[List[ClassificationResult], int]: query = db.query(ClassificationResult) if project_id: query = query.filter(ClassificationResult.project_id == project_id) + if project_ids: + query = query.filter(ClassificationResult.project_id.in_(project_ids)) if table_id: query = query.join(DataColumn).filter(DataColumn.table_id == table_id) if status: diff --git a/frontend/src/components/Layout.vue b/frontend/src/components/Layout.vue index aa35d80b..f63a6a74 100644 --- a/frontend/src/components/Layout.vue +++ b/frontend/src/components/Layout.vue @@ -122,7 +122,13 @@ const pageTitle = computed(() => (route.meta?.title as string) || 'DataPointer') const menuRoutes = computed(() => { const layout = router.getRoutes().find((r) => r.name === 'Layout') - return layout?.children.filter((r) => r.meta?.title) || [] + const routes = layout?.children.filter((r) => r.meta?.title) || [] + // Filter by role permissions + return routes.filter((r) => { + const allowedRoles = r.meta?.roles as string[] | undefined + if (!allowedRoles || allowedRoles.length === 0) return true + return userStore.hasAnyRole(allowedRoles) + }) }) function handleCommand(cmd: string) { diff --git a/frontend/src/router/index.ts b/frontend/src/router/index.ts index d006f02a..80440ae7 100644 --- a/frontend/src/router/index.ts +++ b/frontend/src/router/index.ts @@ -18,55 +18,55 @@ const routes = [ path: 'dashboard', name: 'Dashboard', component: () => import('@/views/dashboard/Dashboard.vue'), - meta: { title: '首页', icon: 'HomeFilled' }, + meta: { title: '首页', icon: 'HomeFilled', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] }, }, { path: 'datasource', name: 'DataSource', component: () => import('@/views/datasource/DataSource.vue'), - meta: { title: '数据源管理', icon: 'DataLine' }, + meta: { title: '数据源管理', icon: 'DataLine', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] }, }, { path: 'metadata', name: 'Metadata', component: () => import('@/views/metadata/Metadata.vue'), - meta: { title: '数据资产', icon: 'FolderOpened' }, + meta: { title: '数据资产', icon: 'FolderOpened', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] }, }, { path: 'category', name: 'Category', component: () => import('@/views/category/Category.vue'), - meta: { title: '分类分级标准', icon: 'Collection' }, + meta: { title: '分类分级标准', icon: 'Collection', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] }, }, { path: 'project', name: 'Project', component: () => import('@/views/project/Project.vue'), - meta: { title: '项目管理', icon: 'List' }, + meta: { title: '项目管理', icon: 'List', roles: ['superadmin', 'admin', 'project_manager'] }, }, { path: 'task', name: 'Task', component: () => import('@/views/task/Task.vue'), - meta: { title: '我的任务', icon: 'EditPen' }, + meta: { title: '我的任务', icon: 'EditPen', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer'] }, }, { path: 'classification', name: 'Classification', component: () => import('@/views/classification/Classification.vue'), - meta: { title: '分类分级结果', icon: 'DocumentChecked' }, + meta: { title: '分类分级结果', icon: 'DocumentChecked', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] }, }, { path: 'report', name: 'Report', component: () => import('@/views/report/Report.vue'), - meta: { title: '报表统计', icon: 'TrendCharts' }, + meta: { title: '报表统计', icon: 'TrendCharts', roles: ['superadmin', 'admin', 'project_manager'] }, }, { path: 'system', name: 'System', component: () => import('@/views/system/System.vue'), - meta: { title: '系统管理', icon: 'Setting' }, + meta: { title: '系统管理', icon: 'Setting', roles: ['superadmin', 'admin'] }, }, ], }, @@ -83,11 +83,30 @@ const router = createRouter({ router.beforeEach((to, from, next) => { const userStore = useUserStore() - if (!to.meta.public && !userStore.token) { - next('/login') - } else { + + // Public routes (login) + if (to.meta.public) { next() + return } + + // Not logged in + if (!userStore.token) { + next('/login') + return + } + + // Check role permissions + const allowedRoles = to.meta.roles as string[] | undefined + if (allowedRoles && allowedRoles.length > 0) { + const hasPermission = userStore.hasAnyRole(allowedRoles) + if (!hasPermission) { + next('/dashboard') + return + } + } + + next() }) export default router diff --git a/frontend/src/stores/user.ts b/frontend/src/stores/user.ts index 74fb6515..fe3b6130 100644 --- a/frontend/src/stores/user.ts +++ b/frontend/src/stores/user.ts @@ -8,6 +8,25 @@ export const useUserStore = defineStore('user', () => { const userInfo = ref(null) const isLoggedIn = computed(() => !!token.value) + // Extract role codes from user info + const roleCodes = computed(() => { + if (!userInfo.value?.roles) return [] + return userInfo.value.roles.map((r: any) => r.code) + }) + + const isSuperadmin = computed(() => roleCodes.value.includes('superadmin')) + const isAdmin = computed(() => isSuperadmin.value || roleCodes.value.includes('admin')) + const isManager = computed(() => isAdmin.value || roleCodes.value.includes('project_manager')) + const isLabeler = computed(() => isManager.value || roleCodes.value.includes('labeler') || roleCodes.value.includes('reviewer')) + + function hasRole(code: string): boolean { + return roleCodes.value.includes(code) + } + + function hasAnyRole(codes: string[]): boolean { + return codes.some((c) => roleCodes.value.includes(c)) + } + async function login(username: string, password: string) { const res = await apiLogin(username, password) token.value = res.access_token @@ -39,6 +58,13 @@ export const useUserStore = defineStore('user', () => { token, userInfo, isLoggedIn, + roleCodes, + isSuperadmin, + isAdmin, + isManager, + isLabeler, + hasRole, + hasAnyRole, login, fetchUserInfo, logout, diff --git a/frontend/src/views/datasource/DataSource.vue b/frontend/src/views/datasource/DataSource.vue index 54d36c21..f9f4b46f 100644 --- a/frontend/src/views/datasource/DataSource.vue +++ b/frontend/src/views/datasource/DataSource.vue @@ -2,7 +2,7 @@

数据源管理

- + 新增数据源
@@ -44,9 +44,9 @@ @@ -114,9 +114,11 @@ import { ref, reactive, onMounted } from 'vue' import { ElMessage, ElMessageBox } from 'element-plus' import { Plus, Search } from '@element-plus/icons-vue' +import { useUserStore } from '@/stores/user' import { getDataSources, createDataSource, updateDataSource, deleteDataSource, testConnection, syncMetadata } from '@/api/datasource' import type { DataSourceItem, DataSourceForm } from '@/api/datasource' +const userStore = useUserStore() const loading = ref(false) const tableData = ref([]) const page = ref(1) diff --git a/frontend/src/views/project/Project.vue b/frontend/src/views/project/Project.vue index 0c68ee3f..6ad2ffad 100644 --- a/frontend/src/views/project/Project.vue +++ b/frontend/src/views/project/Project.vue @@ -2,7 +2,7 @@

项目管理

- + 新建项目
@@ -52,7 +52,7 @@
自动分类 - 删除 + 删除
@@ -91,6 +91,7 @@ import { ref, reactive, onMounted } from 'vue' import { ElMessage, ElMessageBox } from 'element-plus' import { Plus, Search } from '@element-plus/icons-vue' +import { useUserStore } from '@/stores/user' import { getProjects, createProject, deleteProject, autoClassifyProject } from '@/api/project' import { getTemplates } from '@/api/classification' import { getDataSources } from '@/api/datasource' @@ -103,6 +104,7 @@ const pageSize = ref(20) const total = ref(0) const keyword = ref('') +const userStore = useUserStore() const dialogVisible = ref(false) const submitLoading = ref(false) const formRef = ref() diff --git a/frontend/src/views/system/System.vue b/frontend/src/views/system/System.vue index ee868e9b..09dcc80b 100644 --- a/frontend/src/views/system/System.vue +++ b/frontend/src/views/system/System.vue @@ -10,7 +10,7 @@ 查询 - + 新增用户 @@ -39,8 +39,8 @@ @@ -112,10 +112,12 @@ import { ref, onMounted } from 'vue' import { ElMessage, ElMessageBox } from 'element-plus' import { Search, Plus } from '@element-plus/icons-vue' +import { useUserStore } from '@/stores/user' import { getUsers, createUser, updateUser, deleteUser } from '@/api/user' import { getRoles, getDepts } from '@/api/user' import type { UserItem, RoleItem, DeptItem } from '@/api/user' +const userStore = useUserStore() const activeTab = ref('users') const userList = ref([]) const userLoading = ref(false)