fix: show permission display_name instead of key in 403 errors

Previously _assertPermission raised "缺少权限: rbac:roles:delete". Now it looks up the display_name from the permissions table and shows "缺少「删除角色」权限".
2026-04-30 11:18:06 +08:00
parent 292b18760c
commit ab31c808d7
1 changed files with 11 additions and 4 deletions
@@ -578,7 +578,7 @@ class RbacAdminServiceImpl(IRbacAdminService):
                await Session.execute(
                    text(
                        """
-                        SELECT 1
+                        SELECT p.display_name
                        FROM role_permissions rp
                        JOIN permissions p ON p.id = rp.permission_id
                        JOIN user_role ur ON ur.role_id = rp.role_id
@@ -590,9 +590,16 @@ class RbacAdminServiceImpl(IRbacAdminService):
                    ),
                    {"user_id": CurrentUserId, "permission_key": PermissionKey},
                )
-            ).first()
-        if not row:
-            raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, f"缺少权限: {PermissionKey}")
+            ).mappings().first()
+            if not row:
+                displayRow = (
+                    await Session.execute(
+                        text("SELECT display_name FROM permissions WHERE permission_key = :key LIMIT 1"),
+                        {"key": PermissionKey},
+                    )
+                ).mappings().first()
+                displayName = displayRow["display_name"] if displayRow else PermissionKey
+                raise LeauditException(StatusCodeEnum.HTTP_403_FORBIDDEN, f"缺少「{displayName}」权限")

    async def _getCurrentUserContext(self, CurrentUserId: int) -> dict[str, Any]:
        """加载当前用户上下文。"""