wren
76ba7e65ed
feat: add backend rule group and permission support
2026-05-06 09:40:37 +08:00
wren
283c8228b2
feat: add document-types route and permissions to admin seeds
2026-04-30 14:13:33 +08:00
wren
b6d7f154ad
fix: enforce fine-grained read/write permissions on all rbac admin endpoints
Previously only CreateRole/UpdateRole/DeleteRole checked specific
permission keys. Now every endpoint enforces its corresponding
permission:
ListRoles/GetRoleRoutes/GetRolePermissions → rbac:roles:read
ListUsers/ListRoleUsers/GetUserRoles → rbac:users:read
AssignUserRoles/RevokeUserRole → rbac:user_roles:write
UpdateRoleRoutes → rbac:role_routes:write
SaveRolePermissions → rbac:role_permissions:write
GetRoutePermissions → rbac:permissions:read
2026-04-30 11:23:09 +08:00
wren
ab31c808d7
fix: show permission display_name instead of key in 403 errors
Previously _assertPermission raised "缺少权限: rbac:roles:delete".
Now it looks up the display_name from the permissions table and
shows "缺少「删除角色」权限".
2026-04-30 11:18:06 +08:00
wren
33255e823f
fix: enforce fine-grained rbac permissions on role CRUD endpoints
Add _assertPermission() that checks role_permissions table for
specific permission keys (super_admin bypasses). Wire it into
CreateRole (rbac:roles:create), UpdateRole (rbac:roles:update),
and DeleteRole (rbac:roles:delete). Previously only the coarse
can_manage role check was enforced, making the permission grants
in role_permissions purely cosmetic for these endpoints.
2026-04-30 10:36:38 +08:00
wren
3a58f19d6c
feat: add rbac-backed settings modules
2026-04-29 22:25:06 +08:00