feat: implement full RBAC role-based access control

Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins

backend/app/api/v1/classification.py

@@ -11,7 +11,7 @@ from app.schemas.classification import (
 )
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import classification_service, classification_engine
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_labeler, require_guest_or_above, _is_admin, ROLE_PROJECT_MANAGER
 
 router = APIRouter()
 
@@ -39,7 +39,7 @@ def list_categories(
 def create_category(
     req: CategoryCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_category(db, req)
     return ResponseModel(data=CategoryOut.model_validate(item))
@@ -50,7 +50,7 @@ def update_category(
     category_id: int,
     req: CategoryUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_category(db, category_id)
     if not db_obj:
@@ -64,7 +64,7 @@ def update_category(
 def delete_category(
     category_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_category(db, category_id)
     return ResponseModel(message="删除成功")
@@ -103,7 +103,7 @@ def list_rules(
 def create_rule(
     req: RecognitionRuleCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_rule(db, req)
     data = RecognitionRuleOut.model_validate(item)
@@ -118,7 +118,7 @@ def update_rule(
     rule_id: int,
     req: RecognitionRuleUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_rule(db, rule_id)
     if not db_obj:
@@ -136,7 +136,7 @@ def update_rule(
 def delete_rule(
     rule_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_rule(db, rule_id)
     return ResponseModel(message="删除成功")
@@ -159,10 +159,42 @@ def list_results(
     page: int = Query(1, ge=1),
     page_size: int = Query(20, ge=1, le=500),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     from app.services.project_service import list_results as _list_results
-    items, total = _list_results(db, project_id=project_id, keyword=keyword, page=page, page_size=page_size)
+    from app.models.project import ClassificationProject, ClassificationTask
+    from app.api.deps import _has_role
+
+    # Data isolation: compute allowed project IDs for non-admin users
+    allowed_project_ids = None
+    if not _is_admin(current_user):
+        if _has_role(current_user, ROLE_PROJECT_MANAGER):
+            # Project managers see their own projects
+            allowed_project_ids = [
+                p.id for p in db.query(ClassificationProject.id).filter(
+                    ClassificationProject.created_by == current_user.id
+                ).all()
+            ]
+        elif _has_role(current_user, 'labeler') or _has_role(current_user, 'reviewer'):
+            # Labelers/reviewers see projects where they have tasks
+            task_projects = db.query(ClassificationTask.project_id).filter(
+                ClassificationTask.assignee_id == current_user.id
+            ).distinct().all()
+            allowed_project_ids = [p[0] for p in task_projects]
+        else:
+            # Guests see all results (read-only)
+            allowed_project_ids = None
+        if allowed_project_ids is not None and not allowed_project_ids:
+            allowed_project_ids = []
+
+    # If a specific project_id is requested, check permission
+    if project_id and allowed_project_ids is not None and project_id not in allowed_project_ids:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权查看此项目")
+
+    items, total = _list_results(
+        db, project_id=project_id, keyword=keyword, page=page, page_size=page_size,
+        project_ids=allowed_project_ids,
+    )
 
     data = []
     for r in items:
@@ -171,7 +203,6 @@ def list_results(
         database = table.database if table else None
         source = database.source if database else None
 
-        # Filter by level_id if specified
         if level_id and r.level_id != level_id:
             continue