fix(auth): enforce document and govdoc route grants

2026-05-25 15:37:53 +08:00
parent 75c077da77
commit 4ac53ded5a
8 changed files with 424 additions and 19 deletions
@@ -26,6 +26,7 @@ class RbacServiceImpl(IRbacService):
        "/files",
        "/documents",
        "/rules",
+        "/rule-groups",
        "/rules-files",
        "/settings",
        "/entry-modules",
@@ -322,6 +323,20 @@ class RbacServiceImpl(IRbacService):
                        "meta": {"group": "settings"},
                        "children": None,
                    },
+                    {
+                        "id": 1019,
+                        "route_path": "/rule-groups",
+                        "route_name": "rule-groups",
+                        "component": "rule-groups",
+                        "parent_id": 1013,
+                        "route_title": "评查点分组",
+                        "icon": "ri-node-tree",
+                        "sort_order": 6,
+                        "is_hidden": False,
+                        "is_cache": True,
+                        "meta": {"group": "settings"},
+                        "children": None,
+                    },
                ],
            },
            {
@@ -738,7 +753,8 @@ class RbacServiceImpl(IRbacService):
            databaseRoutes = await self._loadDatabaseRoutes(Session, roleIds, grantedPermissions)

            if self._isFrontendRouteSetReady(databaseRoutes):
-                routes = self._filterRoutesByMinimalScope(databaseRoutes)
+                grantedRoutePaths = self._collectCurrentFrontendRoutePaths(databaseRoutes)
+                routes = self._filterRoutesByRouteAndPermissionScope(databaseRoutes, grantedRoutePaths, grantedPermissions)
            else:
                routes = self._buildCompatibilityRoutes(roleKeys, grantedPermissions)

@@ -872,6 +888,30 @@ class RbacServiceImpl(IRbacService):
            filtered.append(routeCopy)
        return filtered

+    def _filterRoutesByRouteAndPermissionScope(
+        self,
+        Routes: list[RbacRouteVO],
+        GrantedRoutePaths: set[str],
+        GrantedPermissions: set[str],
+    ) -> list[RbacRouteVO]:
+        """按角色已勾选路由裁剪，接口权限不能替代子路由勾选。"""
+        filtered: list[RbacRouteVO] = []
+        for route in Routes:
+            if not self._isRoutePathEnabled(route.route_path):
+                continue
+            if route.route_path not in GrantedRoutePaths:
+                continue
+
+            routeCopy = route.model_copy(deep=True)
+            routeCopy.permissions = self._resolvePermissionsForPath(route.route_path, GrantedPermissions)
+            routeCopy.children = self._filterRoutesByRouteAndPermissionScope(
+                route.children or [],
+                GrantedRoutePaths,
+                GrantedPermissions,
+            ) or None
+            filtered.append(routeCopy)
+        return filtered
+
    def _filterBlueprintsByMinimalScope(self, Blueprints: list[dict[str, Any]]) -> list[dict[str, Any]]:
        """按当前最小可用范围裁剪兼容蓝图。"""
        filtered: list[dict[str, Any]] = []
@@ -953,6 +993,14 @@ class RbacServiceImpl(IRbacService):
                paths.update(self._collectRoutePaths(route.children))
        return paths

+    def _collectCurrentFrontendRoutePaths(self, Routes: list[RbacRouteVO]) -> set[str]:
+        """收集当前前端真实路由，旧 govdoc-audit 残留授权不映射成新版子路由。"""
+        return {
+            path
+            for path in self._collectRoutePaths(Routes)
+            if not path.startswith("/govdoc-audit/")
+        }
+
    @staticmethod
    def _normalizeMeta(Meta: Any) -> dict | None:
        """兼容 meta 为 JSON 字符串、字典或空值的情况。"""