Commit Graph

3 Commits

Author SHA1 Message Date
wren ab31c808d7 fix: show permission display_name instead of key in 403 errors
Previously _assertPermission raised "缺少权限: rbac:roles:delete".
Now it looks up the display_name from the permissions table and
shows "缺少「删除角色」权限".
2026-04-30 11:18:06 +08:00
wren 33255e823f fix: enforce fine-grained rbac permissions on role CRUD endpoints
Add _assertPermission() that checks role_permissions table for
specific permission keys (super_admin bypasses). Wire it into
CreateRole (rbac:roles:create), UpdateRole (rbac:roles:update),
and DeleteRole (rbac:roles:delete). Previously only the coarse
can_manage role check was enforced, making the permission grants
in role_permissions purely cosmetic for these endpoints.
2026-04-30 10:36:38 +08:00
wren 3a58f19d6c feat: add rbac-backed settings modules
2026-04-29 22:25:06 +08:00