feat: implement full RBAC role-based access control

Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins

backend/app/api/v1/project.py

@@ -6,7 +6,7 @@ from app.core.database import get_db
 from app.models.user import User
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import project_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_manager, _is_admin
 
 router = APIRouter()
 
@@ -17,9 +17,11 @@ def list_projects(
     page_size: int = Query(20, ge=1, le=500),
     keyword: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
-    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size)
+    # Data isolation: non-admin users only see their own projects
+    created_by = None if _is_admin(current_user) else current_user.id
+    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size, created_by=created_by)
     data = []
     for p in items:
         stats = project_service.get_project_stats(db, p.id)
@@ -43,7 +45,7 @@ def create_project(
     target_source_ids: Optional[str] = None,
     description: Optional[str] = None,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     item = project_service.create_project(
         db, name=name, template_id=template_id,
@@ -85,6 +87,13 @@ def delete_project(
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
+    p = project_service.get_project(db, project_id)
+    if not p:
+        from fastapi import HTTPException, status
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="项目不存在")
+    # Only admin or project creator can delete
+    if not _is_admin(current_user) and p.created_by != current_user.id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权删除此项目")
     project_service.delete_project(db, project_id)
     return ResponseModel(message="删除成功")
 
@@ -93,7 +102,7 @@ def delete_project(
 def project_auto_classify(
     project_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     from app.services.classification_engine import run_auto_classification
     result = run_auto_classification(db, project_id)