hiderfong/prop-data-guard
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement full RBAC role-based access control

Browse Source 
Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins
This commit is contained in:
hiderfong
2026-04-23 12:09:32 +08:00
parent 377e9cba22
commit 8b2bc84399
16 changed files with 245 additions and 59 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/app/api/v1/datasource.py
+4 -4
View File
@@ -7,7 +7,7 @@ from app.models.user import User
from app.schemas.datasource import DataSourceCreate, DataSourceUpdate, DataSourceOut, DataSourceTest
from app.schemas.common import ResponseModel, ListResponse
from app.services import datasource_service
from app.api.deps import get_current_user
from app.api.deps import get_current_user, require_admin
router = APIRouter()
@@ -41,7 +41,7 @@ def get_datasource(
def create_datasource(
req: DataSourceCreate,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
):
item = datasource_service.create_datasource(db, req, current_user.id)
return ResponseModel(data=DataSourceOut.model_validate(item))
@@ -52,7 +52,7 @@ def update_datasource(
source_id: int,
req: DataSourceUpdate,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
):
db_obj = datasource_service.get_datasource(db, source_id)
if not db_obj:
@@ -66,7 +66,7 @@ def update_datasource(
def delete_datasource(
source_id: int,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
current_user: User = Depends(require_admin),
):
datasource_service.delete_datasource(db, source_id)
return ResponseModel(message="删除成功")