fix: tighten entry module rbac flows
@@ -23,6 +23,7 @@
|
||||
*/
|
||||
|
||||
import { useRouteLoaderData, useLocation } from "@remix-run/react";
|
||||
import { normalizeRoutePathForPermission } from "~/utils/route-alias";
|
||||
|
||||
interface RootLoaderData {
|
||||
permissions?: string[];
|
||||
@@ -74,7 +75,7 @@ export function usePermission() {
|
||||
const userArea = rootData?.userArea || '';
|
||||
|
||||
// 🔑 根据当前路由获取权限列表
|
||||
const currentPath = location.pathname;
|
||||
const currentPath = normalizeRoutePathForPermission(location.pathname);
|
||||
// console.log('currentPath', currentPath)
|
||||
|
||||
// 获取当前路由的权限:优先使用 permissionMap,否则使用交叉评查默认配置
|
||||
@@ -118,13 +119,7 @@ export function usePermission() {
|
||||
return legacyPermissions.includes(permissionKey);
|
||||
}
|
||||
|
||||
// 降级方案:如果没有权限数据,使用userRole判断(兼容现有系统)
|
||||
// 包含'provin'的角色拥有所有权限
|
||||
if (userRole.toLowerCase().includes('provin')) {
|
||||
return true;
|
||||
}
|
||||
|
||||
// 默认只有查看权限
|
||||
// 降级方案:没有权限映射时绝不默认放开写权限,只保留只读能力。
|
||||
if (permissionKey.includes(':read')) {
|
||||
return true;
|
||||
}
|
||||
@@ -174,8 +169,8 @@ export function usePermission() {
|
||||
return legacyPermissions.some(p => p.startsWith(`${module}:`));
|
||||
}
|
||||
|
||||
// 降级方案
|
||||
return userRole.toLowerCase().includes('provin');
|
||||
// 降级方案只保留只读模块识别,避免 0/6 权限时被角色名放大。
|
||||
return hasPermission(`${module}:list:read`) || hasPermission(`${module}:detail:read`);
|
||||
};
|
||||
|
||||
/**
|
||||
|
||||
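Review bot: The read-only fallback kept in the third hunk, `if (permissionKey.includes(':read')) {`, grants on a substring match, so any key that merely contains `:read` passes when no permission data is loaded (a constructed example: `case:readiness:write`). Matching the action segment instead, `if (permissionKey.endsWith(':read')) {`, would limit the fallback to real read keys. The new module fallback in the last hunk calls hasPermission with `${module}:list:read` and `${module}:detail:read`; if those calls reach the same fallback branch (the conditions are outside the visible hunks), it returns true for every module name, which is wider than the old role-name check for users who are not provincial. A comment there should say whether "no permission data means every module is visible read-only" is intended. This hook can only gate what the UI renders, so the loaders and actions behind these routes still need to enforce the same keys on the server, including for paths rewritten by normalizeRoutePathForPermission.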