fix(auth): enforce document and govdoc route grants

2026-05-25 15:37:53 +08:00
parent 75c077da77
commit 4ac53ded5a
8 changed files with 424 additions and 19 deletions
@@ -145,3 +145,91 @@ def test_govdoc_root_route_marks_frontend_route_set_ready():
    ]

    assert service._isFrontendRouteSetReady(routes) is True
+
+
+def test_govdoc_parent_route_does_not_expose_ungranted_child_routes():
+    """只有内部公文父路由和接口权限时，不应补出未勾选的列表/上传子路由。"""
+    service = RbacServiceImpl()
+    routes = [
+        RbacRouteVO(
+            id=1,
+            route_path="/govdoc",
+            route_name="govdoc",
+            component="govdoc",
+            parent_id=None,
+            route_title="内部公文处理",
+            children=[
+                RbacRouteVO(
+                    id=2,
+                    route_path="/govdoc/audits",
+                    route_name="govdoc-audits",
+                    component="govdoc.audits",
+                    parent_id=1,
+                    route_title="公文列表",
+                ),
+                RbacRouteVO(
+                    id=3,
+                    route_path="/govdoc/upload",
+                    route_name="govdoc-upload",
+                    component="govdoc.upload",
+                    parent_id=1,
+                    route_title="公文上传",
+                ),
+            ],
+        )
+    ]
+
+    filtered = service._filterRoutesByRouteAndPermissionScope(
+        routes,
+        {"/govdoc"},
+        {"govdoc:document:read", "govdoc:document:create"},
+    )
+    paths = service._collectRoutePaths(filtered)
+
+    assert "/govdoc" in paths
+    assert "/govdoc/audits" not in paths
+    assert "/govdoc/upload" not in paths
+
+
+def test_legacy_govdoc_audit_route_does_not_grant_current_govdoc_child_route():
+    """旧 /govdoc-audit 残留授权不应继续放行当前 /govdoc 子路由。"""
+    service = RbacServiceImpl()
+    routes = [
+        RbacRouteVO(
+            id=1,
+            route_path="/govdoc",
+            route_name="govdoc",
+            component="govdoc",
+            parent_id=None,
+            route_title="内部公文处理",
+        ),
+        RbacRouteVO(
+            id=2,
+            route_path="/govdoc-audit/audits",
+            route_name="legacy-govdoc-audits",
+            component="govdoc-audit.audits",
+            parent_id=None,
+            route_title="旧公文列表",
+        ),
+        RbacRouteVO(
+            id=3,
+            route_path="/govdoc-audit/upload",
+            route_name="legacy-govdoc-upload",
+            component="govdoc-audit.upload",
+            parent_id=None,
+            route_title="旧公文上传",
+        ),
+    ]
+
+    filtered = service._filterRoutesByRouteAndPermissionScope(
+        routes,
+        service._collectCurrentFrontendRoutePaths(routes),
+        {"govdoc:document:read", "govdoc:document:create"},
+    )
+    paths = service._collectRoutePaths(filtered)
+
+    assert "/govdoc" in paths
+    assert "/govdoc-audit/audits" not in paths
+    assert "/govdoc-audit/upload" not in paths
+    assert "/govdoc/audits" not in paths
+    assert "/govdoc/upload" not in paths