feat: implement full RBAC role-based access control

Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins

frontend/src/router/index.ts

@@ -18,55 +18,55 @@ const routes = [
         path: 'dashboard',
         name: 'Dashboard',
         component: () => import('@/views/dashboard/Dashboard.vue'),
-        meta: { title: '首页', icon: 'HomeFilled' },
+        meta: { title: '首页', icon: 'HomeFilled', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'datasource',
         name: 'DataSource',
         component: () => import('@/views/datasource/DataSource.vue'),
-        meta: { title: '数据源管理', icon: 'DataLine' },
+        meta: { title: '数据源管理', icon: 'DataLine', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'metadata',
         name: 'Metadata',
         component: () => import('@/views/metadata/Metadata.vue'),
-        meta: { title: '数据资产', icon: 'FolderOpened' },
+        meta: { title: '数据资产', icon: 'FolderOpened', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'category',
         name: 'Category',
         component: () => import('@/views/category/Category.vue'),
-        meta: { title: '分类分级标准', icon: 'Collection' },
+        meta: { title: '分类分级标准', icon: 'Collection', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'project',
         name: 'Project',
         component: () => import('@/views/project/Project.vue'),
-        meta: { title: '项目管理', icon: 'List' },
+        meta: { title: '项目管理', icon: 'List', roles: ['superadmin', 'admin', 'project_manager'] },
       },
       {
         path: 'task',
         name: 'Task',
         component: () => import('@/views/task/Task.vue'),
-        meta: { title: '我的任务', icon: 'EditPen' },
+        meta: { title: '我的任务', icon: 'EditPen', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer'] },
       },
       {
         path: 'classification',
         name: 'Classification',
         component: () => import('@/views/classification/Classification.vue'),
-        meta: { title: '分类分级结果', icon: 'DocumentChecked' },
+        meta: { title: '分类分级结果', icon: 'DocumentChecked', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'report',
         name: 'Report',
         component: () => import('@/views/report/Report.vue'),
-        meta: { title: '报表统计', icon: 'TrendCharts' },
+        meta: { title: '报表统计', icon: 'TrendCharts', roles: ['superadmin', 'admin', 'project_manager'] },
       },
       {
         path: 'system',
         name: 'System',
         component: () => import('@/views/system/System.vue'),
-        meta: { title: '系统管理', icon: 'Setting' },
+        meta: { title: '系统管理', icon: 'Setting', roles: ['superadmin', 'admin'] },
       },
     ],
   },
@@ -83,11 +83,30 @@ const router = createRouter({
 
 router.beforeEach((to, from, next) => {
   const userStore = useUserStore()
-  if (!to.meta.public && !userStore.token) {
-    next('/login')
-  } else {
+  
+  // Public routes (login)
+  if (to.meta.public) {
     next()
+    return
   }
+  
+  // Not logged in
+  if (!userStore.token) {
+    next('/login')
+    return
+  }
+  
+  // Check role permissions
+  const allowedRoles = to.meta.roles as string[] | undefined
+  if (allowedRoles && allowedRoles.length > 0) {
+    const hasPermission = userStore.hasAnyRole(allowedRoles)
+    if (!hasPermission) {
+      next('/dashboard')
+      return
+    }
+  }
+  
+  next()
 })
 
 export default router