feat: implement full RBAC role-based access control

Backend:
- deps.py: add require_admin, require_manager, require_labeler, require_guest_or_above
- user.py: all write endpoints require admin
- datasource.py: write/sync endpoints require admin
- metadata.py: sync endpoint requires admin
- classification.py: category/rule write requires admin; results query requires guest+ with data isolation
- project.py: GET requires manager with created_by filtering; DELETE checks ownership
- task.py: my-tasks requires labeler with assignee_id filtering; create-task requires manager
- dashboard.py: requires guest_or_above
- report.py: requires guest_or_above
- project_service: list_projects adds created_by filter; list_results adds project_ids filter

Frontend:
- stores/user.ts: add hasRole, hasAnyRole, isAdmin, isManager, isLabeler, isSuperadmin
- router/index.ts: add roles to route meta; beforeEach checks role permissions
- Layout.vue: filter menu routes by user roles
- System.vue: hide add/edit/delete buttons for non-admins
- DataSource.vue: hide add/edit/delete/sync buttons for non-admins
- Project.vue: hide add/delete buttons for non-admins

backend/app/api/deps.py

@@ -4,7 +4,7 @@ from jose import JWTError
 
 from app.core.database import get_db
 from app.core.security import decode_token
-from app.models.user import User
+from app.models.user import User, Role
 from app.services import user_service
 
 
@@ -47,3 +47,85 @@ def get_current_active_user(
     current_user: User = Depends(get_current_user),
 ) -> User:
     return current_user
+
+
+# ===================== RBAC Dependencies =====================
+
+# Role code constants
+ROLE_SUPERADMIN = "superadmin"
+ROLE_ADMIN = "admin"
+ROLE_PROJECT_MANAGER = "project_manager"
+ROLE_LABELER = "labeler"
+ROLE_REVIEWER = "reviewer"
+ROLE_GUEST = "guest"
+
+# Role hierarchy (higher index = more permissions)
+ROLE_LEVELS = {
+    ROLE_GUEST: 0,
+    ROLE_LABELER: 1,
+    ROLE_REVIEWER: 1,
+    ROLE_PROJECT_MANAGER: 2,
+    ROLE_ADMIN: 3,
+    ROLE_SUPERADMIN: 4,
+}
+
+
+def _get_user_role_codes(user: User) -> list[str]:
+    """Get list of role codes for a user."""
+    return [r.code for r in user.roles]
+
+
+def _has_role(user: User, role_code: str) -> bool:
+    """Check if user has a specific role."""
+    return role_code in _get_user_role_codes(user)
+
+
+def _has_any_role(user: User, role_codes: list[str]) -> bool:
+    """Check if user has any of the specified roles."""
+    user_roles = _get_user_role_codes(user)
+    return any(r in user_roles for r in role_codes)
+
+
+def _is_admin(user: User) -> bool:
+    """Check if user is admin or superadmin."""
+    return user.is_superuser or _has_any_role(user, [ROLE_SUPERADMIN, ROLE_ADMIN])
+
+
+def require_admin(current_user: User = Depends(get_current_user)) -> User:
+    """Require admin or superadmin role."""
+    if not _is_admin(current_user):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="需要管理员权限",
+        )
+    return current_user
+
+
+def require_manager(current_user: User = Depends(get_current_user)) -> User:
+    """Require project manager or above."""
+    if _is_admin(current_user):
+        return current_user
+    if _has_role(current_user, ROLE_PROJECT_MANAGER):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="需要项目负责人及以上权限",
+    )
+
+
+def require_labeler(current_user: User = Depends(get_current_user)) -> User:
+    """Require labeler or above (excluding guest)."""
+    if _is_admin(current_user):
+        return current_user
+    allowed = [ROLE_PROJECT_MANAGER, ROLE_LABELER, ROLE_REVIEWER]
+    if _has_any_role(current_user, allowed):
+        return current_user
+    raise HTTPException(
+        status_code=status.HTTP_403_FORBIDDEN,
+        detail="权限不足",
+    )
+
+
+def require_guest_or_above(current_user: User = Depends(get_current_user)) -> User:
+    """Any authenticated user (including guest)."""
+    return current_user

backend/app/api/v1/classification.py

@@ -11,7 +11,7 @@ from app.schemas.classification import (
 )
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import classification_service, classification_engine
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_labeler, require_guest_or_above, _is_admin, ROLE_PROJECT_MANAGER
 
 router = APIRouter()
 
@@ -39,7 +39,7 @@ def list_categories(
 def create_category(
     req: CategoryCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_category(db, req)
     return ResponseModel(data=CategoryOut.model_validate(item))
@@ -50,7 +50,7 @@ def update_category(
     category_id: int,
     req: CategoryUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_category(db, category_id)
     if not db_obj:
@@ -64,7 +64,7 @@ def update_category(
 def delete_category(
     category_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_category(db, category_id)
     return ResponseModel(message="删除成功")
@@ -103,7 +103,7 @@ def list_rules(
 def create_rule(
     req: RecognitionRuleCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = classification_service.create_rule(db, req)
     data = RecognitionRuleOut.model_validate(item)
@@ -118,7 +118,7 @@ def update_rule(
     rule_id: int,
     req: RecognitionRuleUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = classification_service.get_rule(db, rule_id)
     if not db_obj:
@@ -136,7 +136,7 @@ def update_rule(
 def delete_rule(
     rule_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     classification_service.delete_rule(db, rule_id)
     return ResponseModel(message="删除成功")
@@ -159,10 +159,42 @@ def list_results(
     page: int = Query(1, ge=1),
     page_size: int = Query(20, ge=1, le=500),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     from app.services.project_service import list_results as _list_results
-    items, total = _list_results(db, project_id=project_id, keyword=keyword, page=page, page_size=page_size)
+    from app.models.project import ClassificationProject, ClassificationTask
+    from app.api.deps import _has_role
+
+    # Data isolation: compute allowed project IDs for non-admin users
+    allowed_project_ids = None
+    if not _is_admin(current_user):
+        if _has_role(current_user, ROLE_PROJECT_MANAGER):
+            # Project managers see their own projects
+            allowed_project_ids = [
+                p.id for p in db.query(ClassificationProject.id).filter(
+                    ClassificationProject.created_by == current_user.id
+                ).all()
+            ]
+        elif _has_role(current_user, 'labeler') or _has_role(current_user, 'reviewer'):
+            # Labelers/reviewers see projects where they have tasks
+            task_projects = db.query(ClassificationTask.project_id).filter(
+                ClassificationTask.assignee_id == current_user.id
+            ).distinct().all()
+            allowed_project_ids = [p[0] for p in task_projects]
+        else:
+            # Guests see all results (read-only)
+            allowed_project_ids = None
+        if allowed_project_ids is not None and not allowed_project_ids:
+            allowed_project_ids = []
+
+    # If a specific project_id is requested, check permission
+    if project_id and allowed_project_ids is not None and project_id not in allowed_project_ids:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权查看此项目")
+
+    items, total = _list_results(
+        db, project_id=project_id, keyword=keyword, page=page, page_size=page_size,
+        project_ids=allowed_project_ids,
+    )
 
     data = []
     for r in items:
@@ -171,7 +203,6 @@ def list_results(
         database = table.database if table else None
         source = database.source if database else None
 
-        # Filter by level_id if specified
         if level_id and r.level_id != level_id:
             continue
 

backend/app/api/v1/dashboard.py

@@ -9,7 +9,7 @@ from app.models.metadata import DataSource, DataTable, DataColumn
 from app.models.project import ClassificationResult, ClassificationProject
 from app.models.classification import Category, DataLevel
 from app.schemas.common import ResponseModel
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_guest_or_above, _is_admin
 
 router = APIRouter()
 
@@ -17,7 +17,7 @@ router = APIRouter()
 @router.get("/stats")
 def get_dashboard_stats(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Dashboard overview statistics based on real DB data."""
     data_sources = db.query(DataSource).count()
@@ -42,7 +42,7 @@ def get_dashboard_stats(
 @router.get("/distribution")
 def get_dashboard_distribution(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Distribution data for charts based on real DB data."""
     # Level distribution

backend/app/api/v1/datasource.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.schemas.datasource import DataSourceCreate, DataSourceUpdate, DataSourceOut, DataSourceTest
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import datasource_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -41,7 +41,7 @@ def get_datasource(
 def create_datasource(
     req: DataSourceCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     item = datasource_service.create_datasource(db, req, current_user.id)
     return ResponseModel(data=DataSourceOut.model_validate(item))
@@ -52,7 +52,7 @@ def update_datasource(
     source_id: int,
     req: DataSourceUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     db_obj = datasource_service.get_datasource(db, source_id)
     if not db_obj:
@@ -66,7 +66,7 @@ def update_datasource(
 def delete_datasource(
     source_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     datasource_service.delete_datasource(db, source_id)
     return ResponseModel(message="删除成功")

backend/app/api/v1/metadata.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.schemas.metadata import DatabaseOut, DataTableOut, DataColumnOut
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import metadata_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -60,7 +60,7 @@ def list_columns(
 def sync_metadata(
     source_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     result = metadata_service.sync_metadata(db, source_id, current_user.id)
     return ResponseModel(data=result)

backend/app/api/v1/project.py

@@ -6,7 +6,7 @@ from app.core.database import get_db
 from app.models.user import User
 from app.schemas.common import ResponseModel, ListResponse
 from app.services import project_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin, require_manager, _is_admin
 
 router = APIRouter()
 
@@ -17,9 +17,11 @@ def list_projects(
     page_size: int = Query(20, ge=1, le=500),
     keyword: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
-    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size)
+    # Data isolation: non-admin users only see their own projects
+    created_by = None if _is_admin(current_user) else current_user.id
+    items, total = project_service.list_projects(db, keyword=keyword, page=page, page_size=page_size, created_by=created_by)
     data = []
     for p in items:
         stats = project_service.get_project_stats(db, p.id)
@@ -43,7 +45,7 @@ def create_project(
     target_source_ids: Optional[str] = None,
     description: Optional[str] = None,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     item = project_service.create_project(
         db, name=name, template_id=template_id,
@@ -85,6 +87,13 @@ def delete_project(
     db: Session = Depends(get_db),
     current_user: User = Depends(get_current_user),
 ):
+    p = project_service.get_project(db, project_id)
+    if not p:
+        from fastapi import HTTPException, status
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="项目不存在")
+    # Only admin or project creator can delete
+    if not _is_admin(current_user) and p.created_by != current_user.id:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="无权删除此项目")
     project_service.delete_project(db, project_id)
     return ResponseModel(message="删除成功")
 
@@ -93,7 +102,7 @@ def delete_project(
 def project_auto_classify(
     project_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     from app.services.classification_engine import run_auto_classification
     result = run_auto_classification(db, project_id)

backend/app/api/v1/report.py

@@ -7,7 +7,7 @@ from app.models.user import User
 from app.models.project import ClassificationResult, ClassificationProject
 from app.models.classification import Category, DataLevel
 from app.schemas.common import ResponseModel
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_guest_or_above
 from app.services import report_service
 
 router = APIRouter()
@@ -16,7 +16,7 @@ router = APIRouter()
 @router.get("/stats")
 def get_report_stats(
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_guest_or_above),
 ):
     """Global report statistics."""
     total = db.query(ClassificationResult).count()

backend/app/api/v1/task.py

@@ -5,7 +5,7 @@ from sqlalchemy.orm import Session
 from app.core.database import get_db
 from app.models.user import User
 from app.schemas.common import ResponseModel, ListResponse
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_manager, require_labeler, _is_admin
 from app.services import task_service, project_service
 
 router = APIRouter()
@@ -15,9 +15,11 @@ router = APIRouter()
 def my_tasks(
     status: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_labeler),
 ):
-    items, _ = task_service.list_tasks(db, assignee_id=current_user.id, status=status)
+    # Data isolation: non-admin users only see tasks assigned to them
+    assignee_id = None if _is_admin(current_user) else current_user.id
+    items, _ = task_service.list_tasks(db, assignee_id=assignee_id, status=status)
     data = []
     for t in items:
         project = project_service.get_project(db, t.project_id)
@@ -100,7 +102,7 @@ def create_task_for_project(
     assignee_id: int,
     target_type: str = Query("column"),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_manager),
 ):
     task = task_service.create_task(
         db, project_id=project_id, name=name,

backend/app/api/v1/user.py

@@ -8,7 +8,7 @@ from app.models.user import Role, Dept
 from app.schemas.user import UserCreate, UserUpdate, UserOut, RoleOut, DeptOut
 from app.schemas.common import ResponseModel, ListResponse, PageParams
 from app.services import user_service
-from app.api.deps import get_current_user
+from app.api.deps import get_current_user, require_admin
 
 router = APIRouter()
 
@@ -24,7 +24,7 @@ def list_users(
     page_size: int = Query(20, ge=1, le=500),
     keyword: Optional[str] = Query(None),
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     items, total = user_service.list_users(db, keyword=keyword, page=page, page_size=page_size)
     return ListResponse(data=[UserOut.model_validate(u) for u in items], total=total, page=page, page_size=page_size)
@@ -34,7 +34,7 @@ def list_users(
 def create_user(
     req: UserCreate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user = user_service.create_user(db, req)
     return ResponseModel(data=UserOut.model_validate(user))
@@ -45,7 +45,7 @@ def update_user(
     user_id: int,
     req: UserUpdate,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user = user_service.get_user_by_id(db, user_id)
     if not user:
@@ -59,7 +59,7 @@ def update_user(
 def delete_user(
     user_id: int,
     db: Session = Depends(get_db),
-    current_user: User = Depends(get_current_user),
+    current_user: User = Depends(require_admin),
 ):
     user_service.delete_user(db, user_id)
     return ResponseModel(message="删除成功")

backend/app/services/project_service.py

@@ -12,11 +12,13 @@ def get_project(db: Session, project_id: int) -> Optional[ClassificationProject]
 
 
 def list_projects(
-    db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20
+    db: Session, keyword: Optional[str] = None, page: int = 1, page_size: int = 20, created_by: Optional[int] = None
 ) -> Tuple[List[ClassificationProject], int]:
     query = db.query(ClassificationProject)
     if keyword:
         query = query.filter(ClassificationProject.name.contains(keyword))
+    if created_by:
+        query = query.filter(ClassificationProject.created_by == created_by)
     total = query.count()
     items = query.order_by(ClassificationProject.created_at.desc()).offset((page - 1) * page_size).limit(page_size).all()
     return items, total
@@ -82,10 +84,13 @@ def list_results(
     keyword: Optional[str] = None,
     page: int = 1,
     page_size: int = 50,
+    project_ids: Optional[List[int]] = None,
 ) -> Tuple[List[ClassificationResult], int]:
     query = db.query(ClassificationResult)
     if project_id:
         query = query.filter(ClassificationResult.project_id == project_id)
+    if project_ids:
+        query = query.filter(ClassificationResult.project_id.in_(project_ids))
     if table_id:
         query = query.join(DataColumn).filter(DataColumn.table_id == table_id)
     if status:

frontend/src/components/Layout.vue

@@ -122,7 +122,13 @@ const pageTitle = computed(() => (route.meta?.title as string) || 'DataPointer')
 
 const menuRoutes = computed(() => {
   const layout = router.getRoutes().find((r) => r.name === 'Layout')
-  return layout?.children.filter((r) => r.meta?.title) || []
+  const routes = layout?.children.filter((r) => r.meta?.title) || []
+  // Filter by role permissions
+  return routes.filter((r) => {
+    const allowedRoles = r.meta?.roles as string[] | undefined
+    if (!allowedRoles || allowedRoles.length === 0) return true
+    return userStore.hasAnyRole(allowedRoles)
+  })
 })
 
 function handleCommand(cmd: string) {

frontend/src/router/index.ts

@@ -18,55 +18,55 @@ const routes = [
         path: 'dashboard',
         name: 'Dashboard',
         component: () => import('@/views/dashboard/Dashboard.vue'),
-        meta: { title: '首页', icon: 'HomeFilled' },
+        meta: { title: '首页', icon: 'HomeFilled', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'datasource',
         name: 'DataSource',
         component: () => import('@/views/datasource/DataSource.vue'),
-        meta: { title: '数据源管理', icon: 'DataLine' },
+        meta: { title: '数据源管理', icon: 'DataLine', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'metadata',
         name: 'Metadata',
         component: () => import('@/views/metadata/Metadata.vue'),
-        meta: { title: '数据资产', icon: 'FolderOpened' },
+        meta: { title: '数据资产', icon: 'FolderOpened', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'category',
         name: 'Category',
         component: () => import('@/views/category/Category.vue'),
-        meta: { title: '分类分级标准', icon: 'Collection' },
+        meta: { title: '分类分级标准', icon: 'Collection', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'project',
         name: 'Project',
         component: () => import('@/views/project/Project.vue'),
-        meta: { title: '项目管理', icon: 'List' },
+        meta: { title: '项目管理', icon: 'List', roles: ['superadmin', 'admin', 'project_manager'] },
       },
       {
         path: 'task',
         name: 'Task',
         component: () => import('@/views/task/Task.vue'),
-        meta: { title: '我的任务', icon: 'EditPen' },
+        meta: { title: '我的任务', icon: 'EditPen', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer'] },
       },
       {
         path: 'classification',
         name: 'Classification',
         component: () => import('@/views/classification/Classification.vue'),
-        meta: { title: '分类分级结果', icon: 'DocumentChecked' },
+        meta: { title: '分类分级结果', icon: 'DocumentChecked', roles: ['superadmin', 'admin', 'project_manager', 'labeler', 'reviewer', 'guest'] },
       },
       {
         path: 'report',
         name: 'Report',
         component: () => import('@/views/report/Report.vue'),
-        meta: { title: '报表统计', icon: 'TrendCharts' },
+        meta: { title: '报表统计', icon: 'TrendCharts', roles: ['superadmin', 'admin', 'project_manager'] },
       },
       {
         path: 'system',
         name: 'System',
         component: () => import('@/views/system/System.vue'),
-        meta: { title: '系统管理', icon: 'Setting' },
+        meta: { title: '系统管理', icon: 'Setting', roles: ['superadmin', 'admin'] },
       },
     ],
   },
@@ -83,11 +83,30 @@ const router = createRouter({
 
 router.beforeEach((to, from, next) => {
   const userStore = useUserStore()
-  if (!to.meta.public && !userStore.token) {
+  
-    next('/login')
+  // Public routes (login)
-  } else {
+  if (to.meta.public) {
     next()
+    return
   }
+  
+  // Not logged in
+  if (!userStore.token) {
+    next('/login')
+    return
+  }
+  
+  // Check role permissions
+  const allowedRoles = to.meta.roles as string[] | undefined
+  if (allowedRoles && allowedRoles.length > 0) {
+    const hasPermission = userStore.hasAnyRole(allowedRoles)
+    if (!hasPermission) {
+      next('/dashboard')
+      return
+    }
+  }
+  
+  next()
 })
 
 export default router

frontend/src/stores/user.ts

@@ -8,6 +8,25 @@ export const useUserStore = defineStore('user', () => {
   const userInfo = ref<UserInfo | null>(null)
   const isLoggedIn = computed(() => !!token.value)
 
+  // Extract role codes from user info
+  const roleCodes = computed(() => {
+    if (!userInfo.value?.roles) return []
+    return userInfo.value.roles.map((r: any) => r.code)
+  })
+
+  const isSuperadmin = computed(() => roleCodes.value.includes('superadmin'))
+  const isAdmin = computed(() => isSuperadmin.value || roleCodes.value.includes('admin'))
+  const isManager = computed(() => isAdmin.value || roleCodes.value.includes('project_manager'))
+  const isLabeler = computed(() => isManager.value || roleCodes.value.includes('labeler') || roleCodes.value.includes('reviewer'))
+
+  function hasRole(code: string): boolean {
+    return roleCodes.value.includes(code)
+  }
+
+  function hasAnyRole(codes: string[]): boolean {
+    return codes.some((c) => roleCodes.value.includes(c))
+  }
+
   async function login(username: string, password: string) {
     const res = await apiLogin(username, password)
     token.value = res.access_token
@@ -39,6 +58,13 @@ export const useUserStore = defineStore('user', () => {
     token,
     userInfo,
     isLoggedIn,
+    roleCodes,
+    isSuperadmin,
+    isAdmin,
+    isManager,
+    isLabeler,
+    hasRole,
+    hasAnyRole,
     login,
     fetchUserInfo,
     logout,

frontend/src/views/datasource/DataSource.vue

@@ -2,7 +2,7 @@
   <div class="page-container">
     <div class="page-header">
       <h2 class="page-title">数据源管理</h2>
-      <el-button type="primary" @click="handleAdd">
+      <el-button v-if="userStore.isAdmin" type="primary" @click="handleAdd">
         <el-icon><Plus /></el-icon>新增数据源
       </el-button>
     </div>
@@ -44,9 +44,9 @@
         </el-table-column>
         <el-table-column label="操作" width="260" fixed="right">
           <template #default="{ row }">
-            <el-button type="primary" link size="small" @click="handleEdit(row)">编辑</el-button>
+            <el-button v-if="userStore.isAdmin" type="primary" link size="small" @click="handleEdit(row)">编辑</el-button>
-            <el-button type="primary" link size="small" @click="handleSync(row)">同步元数据</el-button>
+            <el-button v-if="userStore.isAdmin" type="primary" link size="small" @click="handleSync(row)">同步元数据</el-button>
-            <el-button type="danger" link size="small" @click="handleDelete(row)">删除</el-button>
+            <el-button v-if="userStore.isAdmin" type="danger" link size="small" @click="handleDelete(row)">删除</el-button>
           </template>
         </el-table-column>
       </el-table>
@@ -114,9 +114,11 @@
 import { ref, reactive, onMounted } from 'vue'
 import { ElMessage, ElMessageBox } from 'element-plus'
 import { Plus, Search } from '@element-plus/icons-vue'
+import { useUserStore } from '@/stores/user'
 import { getDataSources, createDataSource, updateDataSource, deleteDataSource, testConnection, syncMetadata } from '@/api/datasource'
 import type { DataSourceItem, DataSourceForm } from '@/api/datasource'
 
+const userStore = useUserStore()
 const loading = ref(false)
 const tableData = ref<DataSourceItem[]>([])
 const page = ref(1)

frontend/src/views/project/Project.vue

@@ -2,7 +2,7 @@
   <div class="page-container">
     <div class="page-header">
       <h2 class="page-title">项目管理</h2>
-      <el-button type="primary" @click="handleAdd">
+      <el-button v-if="userStore.isAdmin" type="primary" @click="handleAdd">
         <el-icon><Plus /></el-icon>新建项目
       </el-button>
     </div>
@@ -52,7 +52,7 @@
             </div>
             <div class="project-actions">
               <el-button type="primary" size="small" @click="handleAutoClassify(p)">自动分类</el-button>
-              <el-button type="danger" link size="small" @click="handleDelete(p)">删除</el-button>
+              <el-button v-if="userStore.isAdmin" type="danger" link size="small" @click="handleDelete(p)">删除</el-button>
             </div>
           </div>
         </el-col>
@@ -91,6 +91,7 @@
 import { ref, reactive, onMounted } from 'vue'
 import { ElMessage, ElMessageBox } from 'element-plus'
 import { Plus, Search } from '@element-plus/icons-vue'
+import { useUserStore } from '@/stores/user'
 import { getProjects, createProject, deleteProject, autoClassifyProject } from '@/api/project'
 import { getTemplates } from '@/api/classification'
 import { getDataSources } from '@/api/datasource'
@@ -103,6 +104,7 @@ const pageSize = ref(20)
 const total = ref(0)
 const keyword = ref('')
 
+const userStore = useUserStore()
 const dialogVisible = ref(false)
 const submitLoading = ref(false)
 const formRef = ref()

frontend/src/views/system/System.vue

@@ -10,7 +10,7 @@
             <el-button type="primary" size="small" @click="handleSearch">
               <el-icon><Search /></el-icon>查询
             </el-button>
-            <el-button type="success" size="small" @click="openAdd">
+            <el-button v-if="userStore.isAdmin" type="success" size="small" @click="openAdd">
               <el-icon><Plus /></el-icon>新增用户
             </el-button>
           </div>
@@ -39,8 +39,8 @@
             </el-table-column>
             <el-table-column label="操作" width="160" fixed="right">
               <template #default="{ row }">
-                <el-button link type="primary" size="small" @click="openEdit(row)">编辑</el-button>
+                <el-button v-if="userStore.isAdmin" link type="primary" size="small" @click="openEdit(row)">编辑</el-button>
-                <el-button link type="danger" size="small" :disabled="row.is_superuser" @click="handleDelete(row)">
+                <el-button v-if="userStore.isAdmin" link type="danger" size="small" :disabled="row.is_superuser" @click="handleDelete(row)">
                   删除
                 </el-button>
               </template>
@@ -112,10 +112,12 @@
 import { ref, onMounted } from 'vue'
 import { ElMessage, ElMessageBox } from 'element-plus'
 import { Search, Plus } from '@element-plus/icons-vue'
+import { useUserStore } from '@/stores/user'
 import { getUsers, createUser, updateUser, deleteUser } from '@/api/user'
 import { getRoles, getDepts } from '@/api/user'
 import type { UserItem, RoleItem, DeptItem } from '@/api/user'
 
+const userStore = useUserStore()
 const activeTab = ref('users')
 const userList = ref<UserItem[]>([])
 const userLoading = ref(false)