feat: implement full RBAC role-based access control

Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins

backend/app/api/deps.py

@@ -4,7 +4,7 @@ from jose import JWTError
 
 from app.core.database import get_db
 from app.core.security import decode_token
-from app.models.user import User
+from app.models.user import User, Role
 from app.services import user_service
 
 
@@ -47,3 +47,85 @@ def get_current_active_user(
     current_user: User = Depends(get_current_user),
 ) -> User:
     return current_user
+
+
+# ===================== RBAC Dependencies =====================
+
+# Role code constants
+ROLE_SUPERADMIN = "superadmin"
+ROLE_ADMIN = "admin"
+ROLE_PROJECT_MANAGER = "project_manager"
+ROLE_LABELER = "labeler"
+ROLE_REVIEWER = "reviewer"
+ROLE_GUEST = "guest"
+
+# Role hierarchy (higher index = more permissions)
+ROLE_LEVELS = {
+    ROLE_GUEST: 0,
+    ROLE_LABELER: 1,
+    ROLE_REVIEWER: 1,
+    ROLE_PROJECT_MANAGER: 2,
+    ROLE_ADMIN: 3,
+    ROLE_SUPERADMIN: 4,
+}
+
+
+def _get_user_role_codes(user: User) -> list[str]:
+    """Get list of role codes for a user."""
+    return [r.code for r in user.roles]
+
+
+def _has_role(user: User, role_code: str) -> bool:
+    """Check if user has a specific role."""
+    return role_code in _get_user_role_codes(user)
+
+
+def _has_any_role(user: User, role_codes: list[str]) -> bool:
+    """Check if user has any of the specified roles."""
+    user_roles = _get_user_role_codes(user)
+    return any(r in user_roles for r in role_codes)
+
+
+def _is_admin(user: User) -> bool:
+    """Check if user is admin or superadmin."""
+    return user.is_superuser or _has_any_role(user, [ROLE_SUPERADMIN, ROLE_ADMIN])
+
+
+def require_admin(current_user: User = Depends(get_current_user)) -> User:
+    """Require admin or superadmin role."""
+    if not _is_admin(current_user):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="需要管理员权限",
+        )
+    return current_user
+
+
+def require_manager(current_user: User = Depends(get_current_user)) -> User:
+    """Require project manager or above."""
+    if _is_admin(current_user):
+        return current_user
+    if _has_role(current_user, ROLE_PROJECT_MANAGER):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="需要项目负责人及以上权限",
+    )
+
+
+def require_labeler(current_user: User = Depends(get_current_user)) -> User:
+    """Require labeler or above (excluding guest)."""
+    if _is_admin(current_user):
+        return current_user
+    allowed = [ROLE_PROJECT_MANAGER, ROLE_LABELER, ROLE_REVIEWER]
+    if _has_any_role(current_user, allowed):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="权限不足",
+    )
+
+
+def require_guest_or_above(current_user: User = Depends(get_current_user)) -> User:
+    """Any authenticated user (including guest)."""
+    return current_user

backend/app/api/v1/classification.py

@@ -11,7 +11,7 @@ from app.schemas.classification import (
 )
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import classification_service, classification_engine
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_labeler, require_guest_or_above, _is_admin, ROLE_PROJECT_MANAGER
 
 router = APIRouter()
 
@@ -39,7 +39,7 @@ def list_categories(
 def create_category(
     req: CategoryCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_category(db, req)
     return ResponseModel(data=CategoryOut.model_validate(item))
@@ -50,7 +50,7 @@ def update_category(
     category_id: int,
     req: CategoryUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_category(db, category_id)
     if not db_obj:
@@ -64,7 +64,7 @@ def update_category(
 def delete_category(
     category_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_category(db, category_id)
     return ResponseModel(message="删除成功")
@@ -103,7 +103,7 @@ def list_rules(
 def create_rule(
     req: RecognitionRuleCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_rule(db, req)
     data = RecognitionRuleOut.model_validate(item)
@@ -118,7 +118,7 @@ def update_rule(
     rule_id: int,
     req: RecognitionRuleUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_rule(db, rule_id)
     if not db_obj:
@@ -136,7 +136,7 @@ def update_rule(
 def delete_rule(
     rule_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_rule(db, rule_id)
     return ResponseModel(message="删除成功")
@@ -159,10 +159,42 @@ def list_results(
     page: int = Query(1, ge=1),
     page_size: int = Query(20, ge=1, le=500),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     from app.services.project_service import list_results as _list_results
-    items, total = _list_results(db, project_id=project_id, keyword=keyword, page=page, page_size=page_size)
+    from app.models.project import ClassificationProject, ClassificationTask
+    from app.api.deps import _has_role
+
+    # Data isolation: compute allowed project IDs for non-admin users
+    allowed_project_ids = None
+    if not _is_admin(current_user):
+        if _has_role(current_user, ROLE_PROJECT_MANAGER):
+            # Project managers see their own projects
+            allowed_project_ids = [
+                p.id for p in db.query(ClassificationProject.id).filter(
+                    ClassificationProject.created_by == current_user.id
+                ).all()
+            ]
+        elif _has_role(current_user, 'labeler') or _has_role(current_user, 'reviewer'):
+            # Labelers/reviewers see projects where they have tasks
+            task_projects = db.query(ClassificationTask.project_id).filter(
+                ClassificationTask.assignee_id == current_user.id
+            ).distinct().all()
+            allowed_project_ids = [p[0] for p in task_projects]
+        else:
+            # Guests see all results (read-only)
+            allowed_project_ids = None
+        if allowed_project_ids is not None and not allowed_project_ids:
+            allowed_project_ids = []
+
+    # If a specific project_id is requested, check permission
+    if project_id and allowed_project_ids is not None and project_id not in allowed_project_ids:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权查看此项目")
+
+    items, total = _list_results(
+        db, project_id=project_id, keyword=keyword, page=page, page_size=page_size,
+        project_ids=allowed_project_ids,
+    )
 
     data = []
     for r in items:
@@ -171,7 +203,6 @@ def list_results(
         database = table.database if table else None
         source = database.source if database else None
 
-        # Filter by level_id if specified
         if level_id and r.level_id != level_id:
             continue
 

backend/app/api/v1/dashboard.py

@@ -9,7 +9,7 @@ from app.models.metadata import DataSource, DataTable, DataColumn
 from app.models.project import ClassificationResult, ClassificationProject
 from app.models.classification import Category, DataLevel
 from app.schemas.common import ResponseModel
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_guest_or_above, _is_admin
 
 router = APIRouter()
 
@@ -17,7 +17,7 @@ router = APIRouter()
 @router.get("/stats")
 def get_dashboard_stats(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Dashboard overview statistics based on real DB data."""
     data_sources = db.query(DataSource).count()
@@ -42,7 +42,7 @@ def get_dashboard_stats(
 @router.get("/distribution")
 def get_dashboard_distribution(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Distribution data for charts based on real DB data."""
     # Level distribution

backend/app/api/v1/datasource.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.schemas.datasource import DataSourceCreate, DataSourceUpdate, DataSourceOut, DataSourceTest
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import datasource_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -41,7 +41,7 @@ def get_datasource(
 def create_datasource(
     req: DataSourceCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = datasource_service.create_datasource(db, req, current_user.id)
     return ResponseModel(data=DataSourceOut.model_validate(item))
@@ -52,7 +52,7 @@ def update_datasource(
     source_id: int,
     req: DataSourceUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = datasource_service.get_datasource(db, source_id)
     if not db_obj:
@@ -66,7 +66,7 @@ def update_datasource(
 def delete_datasource(
     source_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     datasource_service.delete_datasource(db, source_id)
     return ResponseModel(message="删除成功")

backend/app/api/v1/metadata.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.schemas.metadata import DatabaseOut, DataTableOut, DataColumnOut
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import metadata_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -60,7 +60,7 @@ def list_columns(
 def sync_metadata(
     source_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     result = metadata_service.sync_metadata(db, source_id, current_user.id)
     return ResponseModel(data=result)

backend/app/api/v1/project.py

@@ -6,7 +6,7 @@ from app.core.database import get_db
 from app.models.user import User
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import project_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_manager, _is_admin
 
 router = APIRouter()
 
@@ -17,9 +17,11 @@ def list_projects(
     page_size: int = Query(20, ge=1, le=500),
     keyword: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
-    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size)
+    # Data isolation: non-admin users only see their own projects
+    created_by = None if _is_admin(current_user) else current_user.id
+    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size, created_by=created_by)
     data = []
     for p in items:
         stats = project_service.get_project_stats(db, p.id)
@@ -43,7 +45,7 @@ def create_project(
     target_source_ids: Optional[str] = None,
     description: Optional[str] = None,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     item = project_service.create_project(
         db, name=name, template_id=template_id,
@@ -85,6 +87,13 @@ def delete_project(
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
+    p = project_service.get_project(db, project_id)
+    if not p:
+        from fastapi import HTTPException, status
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="项目不存在")
+    # Only admin or project creator can delete
+    if not _is_admin(current_user) and p.created_by != current_user.id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权删除此项目")
     project_service.delete_project(db, project_id)
     return ResponseModel(message="删除成功")
 
@@ -93,7 +102,7 @@ def delete_project(
 def project_auto_classify(
     project_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     from app.services.classification_engine import run_auto_classification
     result = run_auto_classification(db, project_id)

backend/app/api/v1/report.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.models.project import ClassificationResult, ClassificationProject
 from app.models.classification import Category, DataLevel
 from app.schemas.common import ResponseModel
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_guest_or_above
 from app.services import report_service
 
 router = APIRouter()
@@ -16,7 +16,7 @@ router = APIRouter()
 @router.get("/stats")
 def get_report_stats(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Global report statistics."""
     total = db.query(ClassificationResult).count()

backend/app/api/v1/task.py

@@ -5,7 +5,7 @@ from sqlalchemy.orm import Session
 from app.core.database import get_db
 from app.models.user import User
 from app.schemas.common import ResponseModel, ListResponse
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_manager, require_labeler, _is_admin
 from app.services import task_service, project_service
 
 router = APIRouter()
@@ -15,9 +15,11 @@ router = APIRouter()
 def my_tasks(
     status: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_labeler),
 ):
-    items, _ = task_service.list_tasks(db, assignee_id=current_user.id, status=status)
+    # Data isolation: non-admin users only see tasks assigned to them
+    assignee_id = None if _is_admin(current_user) else current_user.id
+    items, _ = task_service.list_tasks(db, assignee_id=assignee_id, status=status)
     data = []
     for t in items:
         project = project_service.get_project(db, t.project_id)
@@ -100,7 +102,7 @@ def create_task_for_project(
     assignee_id: int,
     target_type: str = Query("column"),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     task = task_service.create_task(
         db, project_id=project_id, name=name,

backend/app/api/v1/user.py

@@ -8,7 +8,7 @@ from app.models.user import Role, Dept
 from app.schemas.user import UserCreate, UserUpdate, UserOut, RoleOut, DeptOut
 from app.schemas.common import ResponseModel, ListResponse, PageParams
 from app.services import user_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -24,7 +24,7 @@ def list_users(
     page_size: int = Query(20, ge=1, le=500),
     keyword: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     items, total = user_service.list_users(db, keyword=keyword, page=page, page_size=page_size)
     return ListResponse(data=[UserOut.model_validate(u) for u in items], total=total, page=page, page_size=page_size)
@@ -34,7 +34,7 @@ def list_users(
 def create_user(
     req: UserCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user = user_service.create_user(db, req)
     return ResponseModel(data=UserOut.model_validate(user))
@@ -45,7 +45,7 @@ def update_user(
     user_id: int,
     req: UserUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user = user_service.get_user_by_id(db, user_id)
     if not user:
@@ -59,7 +59,7 @@ def update_user(
 def delete_user(
     user_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user_service.delete_user(db, user_id)
     return ResponseModel(message="删除成功")

backend/app/services/project_service.py

@@ -12,11 +12,13 @@ def get_project(db: Session, project_id: int) -> Optional[ClassificationProject]
 
 
 def list_projects(
-    db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20
+    db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20, created_by: Optional[int] = None
 ) -> Tuple[List[ClassificationProject], int]:
     query = db.query(ClassificationProject)
     if keyword:
         query = query.filter(ClassificationProject.name.contains(keyword))
+    if created_by:
+        query = query.filter(ClassificationProject.created_by == created_by)
     total = query.count()
     items = query.order_by(ClassificationProject.created_at.desc()).offset((page - 1) * page_size).limit(page_size).all()
     return items, total
@@ -82,10 +84,13 @@ def list_results(
     keyword: Optional[str] = None,
     page: int = 1,
     page_size: int = 50,
+    project_ids: Optional[List[int]] = None,
 ) -> Tuple[List[ClassificationResult], int]:
     query = db.query(ClassificationResult)
     if project_id:
         query = query.filter(ClassificationResult.project_id == project_id)
+    if project_ids:
+        query = query.filter(ClassificationResult.project_id.in_(project_ids))
     if table_id:
         query = query.join(DataColumn).filter(DataColumn.table_id == table_id)
     if status: