leaudit-platform-backend

Author	SHA1	Message	Date
wren	b6d7f154ad	fix: enforce fine-grained read/write permissions on all rbac admin endpoints Previously only CreateRole/UpdateRole/DeleteRole checked specific permission keys. Now every endpoint enforces its corresponding permission: ListRoles/GetRoleRoutes/GetRolePermissions → rbac:roles:read ListUsers/ListRoleUsers/GetUserRoles → rbac:users:read AssignUserRoles/RevokeUserRole → rbac:user_roles:write UpdateRoleRoutes → rbac:role_routes:write SaveRolePermissions → rbac:role_permissions:write GetRoutePermissions → rbac:permissions:read	2026-04-30 11:23:09 +08:00
wren	ab31c808d7	fix: show permission display_name instead of key in 403 errors Previously _assertPermission raised "缺少权限: rbac:roles:delete". Now it looks up the display_name from the permissions table and shows "缺少「删除角色」权限".	2026-04-30 11:18:06 +08:00
wren	33255e823f	fix: enforce fine-grained rbac permissions on role CRUD endpoints Add _assertPermission() that checks role_permissions table for specific permission keys (super_admin bypasses). Wire it into CreateRole (rbac:roles:create), UpdateRole (rbac:roles:update), and DeleteRole (rbac:roles:delete). Previously only the coarse can_manage role check was enforced, making the permission grants in role_permissions purely cosmetic for these endpoints.	2026-04-30 10:36:38 +08:00
wren	3a58f19d6c	feat: add rbac-backed settings modules	2026-04-29 22:25:06 +08:00