From c16bb841de89983589a0a3abd607317644b104ee Mon Sep 17 00:00:00 2001
From: wren <“porlong@qq.com”>
Date: Thu, 30 Apr 2026 10:58:37 +0800
Subject: [PATCH] fix: restrict area bypass to super_admin only
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Previously provincial_admin also skipped entry module area
filtering, making areas configuration meaningless for them.
Now only super_admin bypasses — provincial_admin and below
must match their area against the module's areas list.
---
 .../fastapi_leaudit/services/impl/homeServiceImpl.py            | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fastapi_modules/fastapi_leaudit/services/impl/homeServiceImpl.py b/fastapi_modules/fastapi_leaudit/services/impl/homeServiceImpl.py
index 30e0556..f2b4287 100644
--- a/fastapi_modules/fastapi_leaudit/services/impl/homeServiceImpl.py
+++ b/fastapi_modules/fastapi_leaudit/services/impl/homeServiceImpl.py
@@ -36,7 +36,7 @@ class HomeServiceImpl(IHomeService):
                     SELECT
                         u.id,
                         COALESCE(u.area, '') AS area,
-                        COALESCE(bool_or(r.role_key IN ('super_admin', 'provincial_admin')), FALSE) AS bypass_area
+                        COALESCE(bool_or(r.role_key = 'super_admin'), FALSE) AS bypass_area
                     FROM sso_users u
                     LEFT JOIN user_role ur ON ur.user_id = u.id
                     LEFT JOIN roles r ON r.id = ur.role_id