From 689ef6bc3db2f4ec219829ba58db8cf8acddade6 Mon Sep 17 00:00:00 2001
From: Wenyan <porlong@qq.com>
Date: Mon, 24 Nov 2025 18:03:57 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E8=A7=92=E8=89=B2?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E7=AE=A1=E7=90=86=E6=A8=A1=E5=9D=97=E7=9A=84?=
 =?UTF-8?q?API=E8=AE=A4=E8=AF=81=E5=92=8C=E6=95=B0=E6=8D=AE=E5=8A=A0?=
 =?UTF-8?q?=E8=BD=BD=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

主要修复：
1. 修复所有RBAC API函数使用axios-client（自动添加JWT token）
   - getRoles, createRole, updateRole, deleteRole 从rbacFetch切换到axios-client
   - 解决401未授权导致的数据加载失败问题

2. 修复用户ID字段不匹配问题
   - getAllUsers函数使用user_id字段（兼容user.user_id || user.id）
   - 确保角色分配时使用正确的用户ID

3. 修复路由ID不匹配问题
   - getRoutes函数改用真实后端API（GET /rbac/user/routes）
   - 解决前端Mock路由ID与数据库不一致导致的400错误

4. 增强axios-client成功响应识别
   - 支持code=200作为成功状态（原本只支持code=0）
   - 兼容不同后端API的响应格式

5. 实现用户单角色限制功能
   - 添加getUserRoles API函数
   - 分配角色前检查用户现有角色
   - 在用户列表中显示当前角色标签

6. 改进创建角色的表单验证
   - role_key必须以字母开头（正则：^[a-z][a-z0-9_]*$）
   - 添加实时验证提示
   - 更新提示文案说明规则

7. 添加删除操作的安全确认机制
   - 删除角色/移除用户角色前显示确认模态框
   - 3秒倒计时后才能确认删除
   - 成功删除后自动刷新数据

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 app/api/axios-client.ts                      |   28 +-
 app/api/role-permissions/role-permissions.ts | 1026 +++++++++++++++---
 app/routes/role-permissions._index.tsx       |  989 ++++++++++++++++-
 app/styles/pages/role-permissions.css        |  224 ++++
 docs/role-permissions/FRONTEND_API_GUIDE.md  |  709 ++++++++++++
 5 files changed, 2802 insertions(+), 174 deletions(-)
 create mode 100644 docs/role-permissions/FRONTEND_API_GUIDE.md

diff --git a/app/api/axios-client.ts b/app/api/axios-client.ts
index 20bbd55..a6c7eda 100644
--- a/app/api/axios-client.ts
+++ b/app/api/axios-client.ts
@@ -81,6 +81,7 @@ axiosInstance.interceptors.request.use(
   (config) => {
     // 检查是否在白名单中
     if (isInAuthWhitelist(config.url)) {
+      console.log('🔓 [Request Interceptor] URL在白名单中，跳过Authorization:', config.url);
       return config;
     }
 
@@ -89,12 +90,24 @@ axiosInstance.interceptors.request.use(
       const token = localStorage.getItem('access_token');
       if (token) {
         config.headers.Authorization = `Bearer ${token}`;
+        console.log('🔑 [Request Interceptor] 添加Authorization头:', {
+          url: config.url,
+          method: config.method,
+          hasToken: !!token,
+          tokenPreview: token.substring(0, 20) + '...'
+        });
+      } else {
+        console.warn('⚠️ [Request Interceptor] 没有找到access_token:', {
+          url: config.url,
+          localStorage: Object.keys(localStorage)
+        });
       }
     }
 
     return config;
   },
   (error) => {
+    console.error('❌ [Request Interceptor] 请求拦截器错误:', error);
     return Promise.reject(error);
   }
 );
@@ -114,9 +127,21 @@ export class AuthenticationError extends Error {
  */
 axiosInstance.interceptors.response.use(
   (response) => {
+    console.log('✅ [Response Interceptor] 请求成功:', {
+      url: response.config.url,
+      status: response.status,
+      statusText: response.statusText
+    });
     return response;
   },
   (error) => {
+    console.error('❌ [Response Interceptor] 请求失败:', {
+      url: error.config?.url,
+      status: error.response?.status,
+      statusText: error.response?.statusText,
+      data: error.response?.data
+    });
+
     if (isAxiosError(error) && error.response?.status === 401) {
       // 检查是否在错误容忍白名单中
       const requestUrl = error.config?.url;
@@ -442,7 +467,8 @@ export async function apiRequest<T>(
     
     // 检查API返回的状态码
     const data = response.data;
-    if (data && typeof data === 'object' && 'code' in data && data.code !== 0) {
+    // 修复：支持code=0（PostgREST）和code=200（RBAC API）两种成功响应
+    if (data && typeof data === 'object' && 'code' in data && data.code !== 0 && data.code !== 200) {
       const errorMessage = data.message || data.msg || '未知错误';
       console.error(`API请求失败: ${errorMessage} - ${url}`);
 
diff --git a/app/api/role-permissions/role-permissions.ts b/app/api/role-permissions/role-permissions.ts
index abc90ca..3edf319 100644
--- a/app/api/role-permissions/role-permissions.ts
+++ b/app/api/role-permissions/role-permissions.ts
@@ -3,6 +3,60 @@
  * 用于角色、路由权限、用户角色的管理
  */
 
+// ==================== 常量定义 ====================
+
+/**
+ * RBAC API 基础路径
+ * 注意：使用相对路径，会命中Remix API路由而不是后端服务器
+ */
+const RBAC_API_BASE = '/api/v3/rbac';
+
+/**
+ * RBAC专用API客户端 - 使用fetch直接请求Remix API路由
+ */
+async function rbacFetch<T>(url: string, options: RequestInit = {}): Promise<T> {
+  console.log('🔗 [RBAC Fetch] 请求:', url, options.method || 'GET');
+
+  const response = await fetch(url, {
+    ...options,
+    headers: {
+      'Content-Type': 'application/json',
+      ...options.headers
+    }
+  });
+
+  console.log('📡 [RBAC Fetch] 响应状态:', response.status, response.statusText);
+
+  const data = await response.json();
+  console.log('📦 [RBAC Fetch] 响应数据:', data);
+
+  if (!response.ok) {
+    throw new Error(data.detail || data.message || `HTTP ${response.status}`);
+  }
+
+  return data;
+}
+
+/**
+ * 统一响应处理函数
+ * 处理后端返回的统一格式响应
+ */
+function handleApiResponse<T>(response: ApiResponse<any>): T {
+  if (response.error) {
+    throw new Error(response.error);
+  }
+
+  if (response.data && 'code' in response.data) {
+    if (response.data.code !== 200) {
+      throw new Error(response.data.message || '请求失败');
+    }
+    return response.data.data as T;
+  }
+
+  // 如果没有code字段，直接返回data
+  return response.data as T;
+}
+
 // ==================== 类型定义 ====================
 
 /**
@@ -74,6 +128,45 @@ export interface UserRoleRelation {
   created_at: string;
 }
 
+/**
+ * RBAC权限信息
+ */
+export interface Permission {
+  id: number;
+  permission_key: string;        // 格式: module:resource:action
+  module: string;                // 模块名
+  resource: string;              // 资源名
+  action: string;                // 操作名
+  display_name: string;          // 显示名称
+  description: string | null;
+  permission_type: 'API' | 'MENU' | 'BUTTON';
+  is_system: boolean;
+  parent_id: number | null;
+  sort_order: number;
+  children?: Permission[];       // 树形结构
+}
+
+/**
+ * 角色权限配置
+ */
+export interface RolePermissionConfig {
+  permission_id: number;
+  grant_type?: 'GRANT' | 'DENY';
+  data_scope?: 'ALL' | 'DEPT' | 'SELF';
+}
+
+/**
+ * 角色权限详情
+ */
+export interface RolePermissionDetail {
+  id: number;
+  permission_id: number;
+  permission_key: string;
+  display_name: string;
+  grant_type: 'GRANT' | 'DENY';
+  data_scope: 'ALL' | 'DEPT' | 'SELF';
+}
+
 // ==================== 模拟数据 ====================
 
 /**
@@ -209,63 +302,42 @@ const mockRoutes: RouteInfo[] = [
 ];
 
 /**
- * 模拟角色数据
+ * 模拟角色数据（与数据库实际数据一致）
+ * 仅用于开发阶段API失败时的降级方案
  */
 const mockRoles: RoleInfo[] = [
   {
     id: 1,
     role_key: 'admin',
-    role_name: '系统管理员',
-    data_scope: 'ALL',
-    description: '拥有系统所有权限',
-    priority: 1,
-    is_system_role: true,
-    created_at: '2024-01-01 10:00:00',
-    updated_at: '2024-01-01 10:00:00'
+    role_name: '市级管理员',
+    data_scope: 'DEPT',
+    description: '负责本地区的所有业务管理，不包括系统设置和角色权限管理',
+    priority: 0,
+    is_system_role: false,
+    created_at: '2025-07-18 10:35:39',
+    updated_at: '2025-07-18 10:35:39'
   },
   {
     id: 2,
-    role_key: 'provincial',
-    role_name: '省级管理员',
-    data_scope: 'PROVINCE',
-    description: '省级权限，可管理文档类型和评查点',
-    priority: 2,
-    is_system_role: false,
-    created_at: '2024-01-02 10:00:00',
-    updated_at: '2024-01-02 10:00:00'
-  },
-  {
-    id: 3,
-    role_key: 'city_admin',
-    role_name: '市级管理员',
-    data_scope: 'CITY',
-    description: '市级权限，可管理本市文档',
-    priority: 3,
-    is_system_role: false,
-    created_at: '2024-01-03 10:00:00',
-    updated_at: '2024-01-03 10:00:00'
-  },
-  {
-    id: 4,
-    role_key: 'common_user',
-    role_name: '普通用户',
+    role_key: 'common',
+    role_name: '普通员工',
     data_scope: 'SELF',
-    description: '普通用户，只能查看自己的文档',
-    priority: 4,
+    description: '仅能操作自己的数据',
+    priority: 0,
     is_system_role: false,
-    created_at: '2024-01-04 10:00:00',
-    updated_at: '2024-01-04 10:00:00'
+    created_at: '2025-07-18 10:35:39',
+    updated_at: '2025-07-18 10:35:39'
   },
   {
-    id: 5,
-    role_key: 'reviewer',
-    role_name: '评审员',
-    data_scope: 'DEPARTMENT',
-    description: '负责文档评审工作',
-    priority: 5,
-    is_system_role: false,
-    created_at: '2024-01-05 10:00:00',
-    updated_at: '2024-01-05 10:00:00'
+    id: 52,
+    role_key: 'provincial_admin',
+    role_name: '省级管理员',
+    data_scope: 'ALL',
+    description: '拥有全部权限，可以管理所有地区的评查点规则、提示词、动态按钮、评查组',
+    priority: 1,
+    is_system_role: true,
+    created_at: '2025-11-19 17:25:45',
+    updated_at: '2025-11-19 17:25:45'
   }
 ];
 
@@ -369,19 +441,140 @@ const mockUserRoles: UserRoleRelation[] = [
 
 /**
  * 获取所有角色列表
+ * @param params 查询参数
  */
-export async function getRoles(): Promise<RoleInfo[]> {
-  // 模拟网络延迟
-  await new Promise(resolve => setTimeout(resolve, 300));
-  return mockRoles;
+export async function getRoles(params?: {
+  page?: number;
+  page_size?: number;
+  role_key?: string;
+  role_name?: string;
+  include_system?: boolean;
+}): Promise<RoleInfo[]> {
+  try {
+    // 导入 axios-client 的 get 函数
+    const { get } = await import('~/api/axios-client');
+
+    console.log('🔍 [getRoles] 开始调用后端API:', `/api/v3/rbac/roles`, params);
+
+    // 使用 axios-client 的 get 函数调用真实后端API
+    const response = await get<any>(`/api/v3/rbac/roles`, params || {});
+    console.log('📦 [getRoles] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, message: "success", data: { total, page, page_size, items: [...] } }
+    let items: any[] = [];
+    if (response.data && response.data.data && Array.isArray(response.data.data.items)) {
+      items = response.data.data.items;
+    } else if (response.data && Array.isArray(response.data.items)) {
+      items = response.data.items;
+    }
+
+    console.log('✅ [getRoles] 解析出的角色数组:', items);
+
+    // 数据格式转换（后端字段 -> 前端字段）
+    const roles = items.map(role => ({
+      id: role.id,
+      role_key: role.role_key,
+      role_name: role.role_name,
+      data_scope: role.data_scope,
+      description: role.description || '',
+      parent_role_id: role.parent_role_id || null,
+      priority: role.priority || 0,
+      is_system_role: role.is_system || false,
+      created_at: role.created_at,
+      updated_at: role.updated_at
+    }));
+
+    console.log('✅ [getRoles] 最终返回的角色列表，共', roles.length, '个角色');
+    return roles;
+  } catch (error) {
+    console.error('❌ [getRoles] 获取角色列表失败:', error);
+    // 失败时返回空数组
+    return [];
+  }
+}
+
+/**
+ * 获取角色详情
+ * @param roleId 角色ID
+ */
+export async function getRoleDetail(roleId: number): Promise<RoleInfo | null> {
+  try {
+    const response = await get<any>(`${RBAC_API_BASE}/roles/${roleId}`);
+    const role = handleApiResponse<any>(response);
+
+    return {
+      id: role.id,
+      role_key: role.role_key,
+      role_name: role.role_name,
+      data_scope: role.data_scope,
+      description: role.description || '',
+      parent_role_id: role.parent_role_id || null,
+      priority: role.priority || 0,
+      is_system_role: role.is_system,
+      created_at: role.created_at,
+      updated_at: role.updated_at
+    };
+  } catch (error) {
+    console.error('获取角色详情失败:', error);
+    return null;
+  }
 }
 
 /**
  * 获取所有路由（树形结构）
+ * 从后端API获取当前用户可访问的所有路由
  */
 export async function getRoutes(): Promise<RouteInfo[]> {
-  await new Promise(resolve => setTimeout(resolve, 300));
-  return mockRoutes;
+  try {
+    const { get } = await import('~/api/axios-client');
+
+    console.log('🔍 [getRoutes] 开始调用后端API: /rbac/user/routes');
+
+    // 调用后端API获取当前用户的路由（provincial_admin应该有所有路由权限）
+    const response = await get<any>('/rbac/user/routes');
+
+    if (response.error) {
+      console.error('❌ [getRoutes] API调用失败:', response.error);
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, msg: "success", data: { user_id, username, routes: [...], routes_flat: [...] } }
+    let routes: any[] = [];
+    if (response.data && response.data.data && Array.isArray(response.data.data.routes)) {
+      routes = response.data.data.routes;
+    } else if (response.data && Array.isArray(response.data.routes)) {
+      // 兼容可能的响应格式
+      routes = response.data.routes;
+    }
+
+    console.log('✅ [getRoutes] 成功获取路由数据，共', routes.length, '个顶级路由');
+
+    // 将后端数据转换为前端RouteInfo格式
+    const mapRouteData = (route: any): RouteInfo => ({
+      id: route.id,
+      route_path: route.route_path,
+      route_name: route.route_name,
+      route_title: route.route_title,
+      icon: route.icon || '',
+      sort_order: route.sort_order || 0,
+      is_hidden: route.is_hidden || false,
+      is_cache: route.is_cache !== false, // 默认true
+      status: route.status || 1,
+      parent_id: route.parent_id || null,
+      component: route.component,
+      children: route.children ? route.children.map(mapRouteData) : undefined
+    });
+
+    return routes.map(mapRouteData);
+  } catch (error) {
+    console.error('❌ [getRoutes] 获取路由数据失败:', error);
+    // 失败时返回空数组，让前端显示错误提示
+    return [];
+  }
 }
 
 /**
@@ -389,8 +582,42 @@ export async function getRoutes(): Promise<RouteInfo[]> {
  * @param roleId 角色ID
  */
 export async function getRoleRoutePermissions(roleId: number): Promise<RoleRoutePermission[]> {
-  await new Promise(resolve => setTimeout(resolve, 200));
-  return mockRoleRoutePermissions.filter(p => p.role_id === roleId);
+  try {
+    // 导入 axios-client 的 get 函数
+    const { get } = await import('~/api/axios-client');
+
+    console.log('🔍 [getRoleRoutePermissions] 开始调用后端API:', `/rbac/roles/${roleId}/routes`);
+
+    // 使用 axios-client 的 get 函数调用真实后端API
+    const response = await get<any>(`/rbac/roles/${roleId}/routes`);
+    console.log('📦 [getRoleRoutePermissions] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, msg: "success", data: { role_id, routes: [...] } }
+    let routes: any[] = [];
+    if (response.data && response.data.data && Array.isArray(response.data.data.routes)) {
+      routes = response.data.data.routes;
+    }
+
+    // 将路由数据转换为RoleRoutePermission格式
+    const permissions = routes.map((route, index) => ({
+      id: index + 1,
+      role_id: roleId,
+      route_id: route.id,
+      permission: 'RW', // 默认读写权限
+      created_at: new Date().toISOString()
+    }));
+
+    console.log('✅ [getRoleRoutePermissions] 获取角色路由权限成功:', permissions);
+    return permissions;
+  } catch (error) {
+    console.error('❌ [getRoleRoutePermissions] 获取角色路由权限失败:', error);
+    // 失败时返回空数组，避免页面崩溃
+    return [];
+  }
 }
 
 /**
@@ -402,57 +629,174 @@ export async function updateRoleRoutePermissions(
   roleId: number,
   routeIds: number[]
 ): Promise<{ success: boolean; message: string }> {
-  await new Promise(resolve => setTimeout(resolve, 500));
+  try {
+    // 导入 axios-client 的 put 函数
+    const { put } = await import('~/api/axios-client');
 
-  // 在实际应用中，这里会调用后端API
-  console.log('更新角色权限:', { roleId, routeIds });
+    console.log('🔍 [updateRoleRoutePermissions] 开始调用后端API:', `/rbac/roles/${roleId}/routes`, routeIds);
 
-  // 模拟更新本地数据
-  // 删除该角色的旧权限
-  const oldPermissions = mockRoleRoutePermissions.filter(p => p.role_id === roleId);
-  oldPermissions.forEach(p => {
-    const index = mockRoleRoutePermissions.indexOf(p);
-    if (index > -1) {
-      mockRoleRoutePermissions.splice(index, 1);
-    }
-  });
-
-  // 添加新权限
-  routeIds.forEach((routeId, index) => {
-    mockRoleRoutePermissions.push({
-      id: Date.now() + index,
-      role_id: roleId,
-      route_id: routeId,
-      permission: 'RW',
-      created_at: new Date().toISOString()
+    // 使用 axios-client 的 put 函数调用真实后端API
+    const response = await put<any>(`/rbac/roles/${roleId}/routes`, {
+      route_ids: routeIds,
+      permission: 'RW'
     });
-  });
+    console.log('📦 [updateRoleRoutePermissions] 后端API完整响应:', JSON.stringify(response, null, 2));
 
-  return { success: true, message: '角色权限更新成功' };
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, msg: "success", data: { role_id, assigned_count, removed_count, route_ids } }
+    let message = '角色权限更新成功';
+    if (response.data && response.data.msg) {
+      message = response.data.msg;
+    } else if (response.data && response.data.data) {
+      const { assigned_count, removed_count } = response.data.data;
+      message = `成功分配 ${assigned_count} 个路由，移除了 ${removed_count} 个旧路由`;
+    }
+
+    console.log('✅ [updateRoleRoutePermissions] 角色权限更新成功');
+    return { success: true, message };
+  } catch (error) {
+    console.error('❌ [updateRoleRoutePermissions] 更新角色权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '更新角色权限失败'
+    };
+  }
 }
 
+// ==================== 用户角色管理 API ====================
+
 /**
  * 获取指定角色的用户列表
  * @param roleId 角色ID
+ * @param params 查询参数
  */
-export async function getRoleUsers(roleId: number): Promise<UserInfo[]> {
-  await new Promise(resolve => setTimeout(resolve, 200));
+export async function getRoleUsers(
+  roleId: number,
+  params?: {
+    page?: number;
+    page_size?: number;
+    area?: string;
+    username?: string;
+  }
+): Promise<UserInfo[]> {
+  try {
+    // 导入 axios-client 的 get 函数
+    const { get } = await import('~/api/axios-client');
 
-  // 查找具有该角色的用户ID
-  const userIds = mockUserRoles
-    .filter(ur => ur.role_id === roleId)
-    .map(ur => ur.user_id);
+    console.log('🔍 [getRoleUsers] 开始调用后端API:', `/api/v3/rbac/roles/${roleId}/users`, params);
 
-  // 返回用户详细信息
-  return mockUsers.filter(u => userIds.includes(u.id));
+    // 构建查询参数对象
+    const queryParams: Record<string, any> = {};
+    if (params?.page) queryParams.page = params.page;
+    if (params?.page_size) queryParams.page_size = params.page_size;
+    if (params?.area) queryParams.area = params.area;
+    if (params?.username) queryParams.username = params.username;
+
+    // 使用 axios-client 的 get 函数调用真实后端API
+    const response = await get<any>(`/api/v3/rbac/roles/${roleId}/users`, queryParams);
+    console.log('📦 [getRoleUsers] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, message: "success", data: { total, page, page_size, items: [...] } }
+    let items: any[] = [];
+    if (response.data && response.data.data && Array.isArray(response.data.data.items)) {
+      items = response.data.data.items;
+    } else if (response.data && Array.isArray(response.data.items)) {
+      items = response.data.items;
+    }
+
+    console.log('✅ [getRoleUsers] 解析出的用户数组:', items);
+
+    const users = items.map((user: any) => ({
+      id: user.user_id || user.id,
+      username: user.username,
+      nick_name: user.nick_name,
+      phone_number: user.phone_number || '',
+      email: user.email || '',
+      ou_name: user.ou_name,
+      status: user.status || 1,
+      is_leader: user.is_leader || false
+    }));
+
+    console.log('✅ [getRoleUsers] 最终返回的用户列表:', users);
+    return users;
+  } catch (error) {
+    console.error('❌ [getRoleUsers] 获取角色用户列表失败:', error);
+    return [];
+  }
 }
 
 /**
  * 获取所有用户列表
+ * @param params 查询参数
  */
-export async function getAllUsers(): Promise<UserInfo[]> {
-  await new Promise(resolve => setTimeout(resolve, 300));
-  return mockUsers;
+export async function getAllUsers(params?: {
+  page?: number;
+  page_size?: number;
+  area?: string;
+  username?: string;
+}): Promise<UserInfo[]> {
+  try {
+    // 导入 axios-client 的 get 函数
+    const { get } = await import('~/api/axios-client');
+
+    console.log('🔍 [getAllUsers] 开始调用后端API:', '/admin/users/users', params);
+
+    // 构建查询参数对象
+    const queryParams: Record<string, any> = {};
+    if (params?.page) queryParams.page = params.page;
+    if (params?.page_size) queryParams.page_size = params.page_size;
+    if (params?.username) queryParams.search = params.username;
+
+    // 使用 axios-client 的 get 函数，会自动添加 baseURL 和 Authorization
+    const response = await get<any>('/admin/users/users', queryParams);
+    console.log('📦 [getAllUsers] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // axios-client 返回格式: { data: { users: [...], total: number }, status: 200 }
+    // 后端实际返回: { users: [...], total: number }
+    let users: any[] = [];
+
+    if (response.data) {
+      // 如果 response.data 是对象且包含 users 字段
+      if (response.data.users && Array.isArray(response.data.users)) {
+        users = response.data.users;
+      }
+      // 如果 response.data 本身就是数组
+      else if (Array.isArray(response.data)) {
+        users = response.data;
+      }
+    }
+
+    console.log('✅ [getAllUsers] 解析出的用户数组:', users);
+    console.log('✅ [getAllUsers] 用户数量:', users.length);
+
+    const userList = users.map(user => ({
+      id: user.user_id || user.id,  // 优先使用 user_id，兼容不同的后端响应格式
+      username: user.username,
+      nick_name: user.nick_name,
+      phone_number: user.phone_number || '',
+      email: user.email || '',
+      ou_name: user.ou_name,
+      status: user.status || 1,
+      is_leader: user.is_leader || false
+    }));
+
+    console.log('✅ [getAllUsers] 最终返回的用户列表:', userList);
+    return userList;
+  } catch (error) {
+    console.error('❌ [getAllUsers] 获取用户列表失败:', error);
+    return [];
+  }
 }
 
 /**
@@ -464,31 +808,77 @@ export async function assignUserRoles(
   userId: number,
   roleIds: number[]
 ): Promise<{ success: boolean; message: string }> {
-  await new Promise(resolve => setTimeout(resolve, 500));
+  try {
+    // 导入 axios-client 的 post 函数
+    const { post } = await import('~/api/axios-client');
 
-  console.log('为用户分配角色:', { userId, roleIds });
+    console.log('🔍 [assignUserRoles] 开始调用后端API:', `/api/v3/rbac/users/${userId}/roles`, roleIds);
 
-  // 模拟更新本地数据
-  // 删除该用户的旧角色
-  const oldRoles = mockUserRoles.filter(ur => ur.user_id === userId);
-  oldRoles.forEach(ur => {
-    const index = mockUserRoles.indexOf(ur);
-    if (index > -1) {
-      mockUserRoles.splice(index, 1);
-    }
-  });
-
-  // 添加新角色
-  roleIds.forEach((roleId, index) => {
-    mockUserRoles.push({
-      id: Date.now() + index,
-      user_id: userId,
-      role_id: roleId,
-      created_at: new Date().toISOString()
+    // 使用 axios-client 的 post 函数调用真实后端API
+    const response = await post<any>(`/api/v3/rbac/users/${userId}/roles`, {
+      role_ids: roleIds
     });
-  });
+    console.log('📦 [assignUserRoles] 后端API完整响应:', JSON.stringify(response, null, 2));
 
-  return { success: true, message: '用户角色分配成功' };
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, message: "角色分配成功", data: { user_id, roles: [...] } }
+    let message = '用户角色分配成功';
+    if (response.data && response.data.message) {
+      message = response.data.message;
+    }
+
+    console.log('✅ [assignUserRoles] 角色分配成功');
+    return { success: true, message };
+  } catch (error) {
+    console.error('❌ [assignUserRoles] 分配用户角色失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '分配失败'
+    };
+  }
+}
+
+/**
+ * 移除用户角色
+ * @param userId 用户ID
+ * @param roleId 角色ID
+ */
+export async function revokeUserRole(
+  userId: number,
+  roleId: number
+): Promise<{ success: boolean; message: string }> {
+  try {
+    // 导入 axios-client 的 del 函数
+    const { del } = await import('~/api/axios-client');
+
+    console.log('🔍 [revokeUserRole] 开始调用后端API:', `/api/v3/rbac/users/${userId}/roles/${roleId}`);
+
+    // 使用 axios-client 的 del 函数调用真实后端API
+    const response = await del<any>(`/api/v3/rbac/users/${userId}/roles/${roleId}`);
+    console.log('📦 [revokeUserRole] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, message: "角色移除成功" }
+    let message = '用户角色移除成功';
+    if (response.data && response.data.message) {
+      message = response.data.message;
+    }
+
+    console.log('✅ [revokeUserRole] 角色移除成功');
+    return { success: true, message };
+  } catch (error) {
+    console.error('❌ [revokeUserRole] 移除用户角色失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '移除失败'
+    };
+  }
 }
 
 /**
@@ -498,18 +888,53 @@ export async function assignUserRoles(
 export async function createRole(
   roleData: Omit<RoleInfo, 'id' | 'created_at' | 'updated_at'>
 ): Promise<{ success: boolean; message: string; data?: RoleInfo }> {
-  await new Promise(resolve => setTimeout(resolve, 500));
+  try {
+    // 导入 axios-client 的 post 函数
+    const { post } = await import('~/api/axios-client');
 
-  const newRole: RoleInfo = {
-    ...roleData,
-    id: Math.max(...mockRoles.map(r => r.id)) + 1,
-    created_at: new Date().toISOString(),
-    updated_at: new Date().toISOString()
-  };
+    console.log('🔍 [createRole] 开始调用后端API:', `/api/v3/rbac/roles`, roleData);
 
-  mockRoles.push(newRole);
+    // 使用 axios-client 的 post 函数调用真实后端API
+    const response = await post<any>(`/api/v3/rbac/roles`, {
+      role_key: roleData.role_key,
+      role_name: roleData.role_name,
+      description: roleData.description || '',
+      data_scope: roleData.data_scope || 'SELF',
+      metadata: {}
+    });
 
-  return { success: true, message: '角色创建成功', data: newRole };
+    console.log('📦 [createRole] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, message: "角色创建成功", data: { id, role_key, ... } }
+    const data = response.data?.data || response.data;
+
+    return {
+      success: true,
+      message: response.data?.message || '角色创建成功',
+      data: {
+        id: data.id,
+        role_key: data.role_key,
+        role_name: data.role_name,
+        data_scope: data.data_scope,
+        description: data.description || '',
+        parent_role_id: data.parent_role_id || null,
+        priority: data.priority || 0,
+        is_system_role: data.is_system || false,
+        created_at: data.created_at,
+        updated_at: data.updated_at
+      }
+    };
+  } catch (error) {
+    console.error('❌ [createRole] 创建角色失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '创建角色失败'
+    };
+  }
 }
 
 /**
@@ -521,40 +946,355 @@ export async function updateRole(
   roleId: number,
   roleData: Partial<Omit<RoleInfo, 'id' | 'created_at' | 'updated_at'>>
 ): Promise<{ success: boolean; message: string }> {
-  await new Promise(resolve => setTimeout(resolve, 500));
+  try {
+    // 导入 axios-client 的 put 函数
+    const { put } = await import('~/api/axios-client');
 
-  const roleIndex = mockRoles.findIndex(r => r.id === roleId);
-  if (roleIndex === -1) {
-    return { success: false, message: '角色不存在' };
+    const updatePayload: any = {};
+
+    if (roleData.role_name !== undefined) updatePayload.role_name = roleData.role_name;
+    if (roleData.description !== undefined) updatePayload.description = roleData.description;
+    if (roleData.data_scope !== undefined) updatePayload.data_scope = roleData.data_scope;
+    if (roleData.priority !== undefined) updatePayload.priority = roleData.priority;
+    if (roleData.parent_role_id !== undefined) updatePayload.parent_role_id = roleData.parent_role_id;
+
+    console.log('🔍 [updateRole] 开始调用后端API:', `/api/v3/rbac/roles/${roleId}`, updatePayload);
+
+    const response = await put<any>(`/api/v3/rbac/roles/${roleId}`, updatePayload);
+
+    console.log('📦 [updateRole] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    return { success: true, message: response.data?.message || '角色更新成功' };
+  } catch (error) {
+    console.error('❌ [updateRole] 更新角色失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '更新角色失败'
+    };
   }
-
-  mockRoles[roleIndex] = {
-    ...mockRoles[roleIndex],
-    ...roleData,
-    updated_at: new Date().toISOString()
-  };
-
-  return { success: true, message: '角色更新成功' };
 }
 
 /**
  * 删除角色
  * @param roleId 角色ID
+ * @param force 是否强制删除（会自动解除用户关联）
  */
-export async function deleteRole(roleId: number): Promise<{ success: boolean; message: string }> {
-  await new Promise(resolve => setTimeout(resolve, 500));
+export async function deleteRole(
+  roleId: number,
+  force = false
+): Promise<{ success: boolean; message: string }> {
+  try {
+    // 导入 axios-client 的 del 函数
+    const { del } = await import('~/api/axios-client');
 
-  const role = mockRoles.find(r => r.id === roleId);
-  if (!role) {
-    return { success: false, message: '角色不存在' };
+    const url = `/api/v3/rbac/roles/${roleId}${force ? '?force=true' : ''}`;
+
+    console.log('🔍 [deleteRole] 开始调用后端API:', url);
+
+    const response = await del<any>(url);
+
+    console.log('📦 [deleteRole] 后端API完整响应:', JSON.stringify(response, null, 2));
+
+    if (response.error) {
+      throw new Error(response.error);
+    }
+
+    return { success: true, message: response.data?.message || '角色删除成功' };
+  } catch (error) {
+    console.error('❌ [deleteRole] 删除角色失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '删除角色失败'
+    };
+  }
+}
+
+// ==================== 权限管理 API ====================
+
+/**
+ * 获取权限列表（树形或平铺）
+ * @param format 格式：tree（树形）或 flat（平铺）
+ * @param params 查询参数
+ */
+export async function getPermissions(
+  format: 'tree' | 'flat' = 'tree',
+  params?: {
+    module?: string;
+    permission_type?: 'API' | 'MENU' | 'BUTTON';
+    include_system?: boolean;
+  }
+): Promise<Permission[]> {
+  try {
+    const response = await get<any>(`${RBAC_API_BASE}/permissions`, {
+      format,
+      ...params
+    });
+    const data = handleApiResponse<Permission[]>(response);
+
+    return data;
+  } catch (error) {
+    console.error('获取权限列表失败:', error);
+    return [];
+  }
+}
+
+/**
+ * 获取权限详情
+ * @param permissionId 权限ID
+ */
+export async function getPermissionDetail(permissionId: number): Promise<Permission | null> {
+  try {
+    const response = await get<any>(`${RBAC_API_BASE}/permissions/${permissionId}`);
+    const data = handleApiResponse<Permission>(response);
+
+    return data;
+  } catch (error) {
+    console.error('获取权限详情失败:', error);
+    return null;
+  }
+}
+
+/**
+ * 创建权限
+ * @param permissionData 权限数据
+ */
+export async function createPermission(
+  permissionData: Omit<Permission, 'id' | 'children'>
+): Promise<{ success: boolean; message: string; data?: Permission }> {
+  try {
+    // 从 permission_key 解析 module, resource, action
+    const [module, resource, action] = permissionData.permission_key.split(':');
+
+    const response = await post<any>(`${RBAC_API_BASE}/permissions`, {
+      permission_key: permissionData.permission_key,
+      display_name: permissionData.display_name,
+      description: permissionData.description || '',
+      module,
+      resource,
+      action,
+      permission_type: permissionData.permission_type || 'API',
+      parent_id: permissionData.parent_id || null,
+      sort_order: permissionData.sort_order || 0,
+      metadata: {}
+    });
+
+    const data = handleApiResponse<Permission>(response);
+
+    return {
+      success: true,
+      message: '权限创建成功',
+      data
+    };
+  } catch (error) {
+    console.error('创建权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '创建权限失败'
+    };
+  }
+}
+
+/**
+ * 更新权限
+ * @param permissionId 权限ID
+ * @param permissionData 权限数据
+ */
+export async function updatePermission(
+  permissionId: number,
+  permissionData: Partial<Omit<Permission, 'id' | 'children'>>
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await put<any>(`${RBAC_API_BASE}/permissions/${permissionId}`, permissionData);
+    handleApiResponse<any>(response);
+
+    return { success: true, message: '权限更新成功' };
+  } catch (error) {
+    console.error('更新权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '更新权限失败'
+    };
+  }
+}
+
+/**
+ * 删除权限
+ * @param permissionId 权限ID
+ */
+export async function deletePermission(
+  permissionId: number
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await del<any>(`${RBAC_API_BASE}/permissions/${permissionId}`);
+    handleApiResponse<any>(response);
+
+    return { success: true, message: '权限删除成功' };
+  } catch (error) {
+    console.error('删除权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '删除权限失败'
+    };
+  }
+}
+
+// ==================== 角色权限关联 API ====================
+
+/**
+ * 获取角色的所有权限
+ * @param roleId 角色ID
+ */
+export async function getRolePermissions(roleId: number): Promise<RolePermissionDetail[]> {
+  try {
+    const response = await get<any>(`${RBAC_API_BASE}/roles/${roleId}/permissions`);
+    const data = handleApiResponse<{ permissions: any[] }>(response);
+
+    return data.permissions.map(perm => ({
+      id: perm.id,
+      permission_id: perm.permission_id,
+      permission_key: perm.permission_key,
+      display_name: perm.display_name,
+      grant_type: perm.grant_type || 'GRANT',
+      data_scope: perm.data_scope || 'ALL'
+    }));
+  } catch (error) {
+    console.error('获取角色权限失败:', error);
+    return [];
+  }
+}
+
+/**
+ * 批量分配权限给角色
+ * @param roleId 角色ID
+ * @param permissions 权限配置列表
+ * @param replace 是否替换全部（true=替换，false=追加）
+ */
+export async function assignPermissionsToRole(
+  roleId: number,
+  permissions: RolePermissionConfig[],
+  replace = false
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await post<any>(`${RBAC_API_BASE}/roles/${roleId}/permissions`, {
+      permissions: permissions.map(p => ({
+        permission_id: p.permission_id,
+        grant_type: p.grant_type || 'GRANT',
+        data_scope: p.data_scope || 'ALL'
+      })),
+      replace
+    });
+
+    handleApiResponse<any>(response);
+
+    return { success: true, message: '权限分配成功' };
+  } catch (error) {
+    console.error('分配权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '分配权限失败'
+    };
+  }
+}
+
+/**
+ * 更新单个权限配置
+ * @param roleId 角色ID
+ * @param permissionId 权限ID
+ * @param config 权限配置
+ */
+export async function updateRolePermission(
+  roleId: number,
+  permissionId: number,
+  config: Partial<RolePermissionConfig>
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await put<any>(
+      `${RBAC_API_BASE}/roles/${roleId}/permissions/${permissionId}`,
+      config
+    );
+    handleApiResponse<any>(response);
+
+    return { success: true, message: '权限配置更新成功' };
+  } catch (error) {
+    console.error('更新权限配置失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '更新权限配置失败'
+    };
+  }
+}
+
+/**
+ * 移除角色权限
+ * @param roleId 角色ID
+ * @param permissionId 权限ID
+ */
+export async function revokeRolePermission(
+  roleId: number,
+  permissionId: number
+): Promise<{ success: boolean; message: string }> {
+  try {
+    const response = await del<any>(`${RBAC_API_BASE}/roles/${roleId}/permissions/${permissionId}`);
+    handleApiResponse<any>(response);
+
+    return { success: true, message: '权限移除成功' };
+  } catch (error) {
+    console.error('移除权限失败:', error);
+    return {
+      success: false,
+      message: error instanceof Error ? error.message : '移除权限失败'
+    };
+  }
+}
+
+/**
+ * 获取指定用户的所有角色
+ * @param userId 用户ID
+ * @returns 用户的角色列表
+ */
+export async function getUserRoles(userId: number): Promise<RoleInfo[]> {
+  try {
+    const { get } = await import('~/api/axios-client');
+
+    console.log('🔍 [getUserRoles] 开始调用后端API:', `/api/v3/rbac/users/${userId}/roles`);
+
+    const response = await get<any>(`/api/v3/rbac/users/${userId}/roles`);
+
+    if (response.error) {
+      console.error('❌ [getUserRoles] API调用失败:', response.error);
+      throw new Error(response.error);
+    }
+
+    // 后端响应格式: { code: 200, msg: "success", data: { user_id, username, roles: [...] } }
+    let roles: any[] = [];
+    if (response.data && response.data.data && Array.isArray(response.data.data.roles)) {
+      roles = response.data.data.roles;
+    } else if (response.data && Array.isArray(response.data.roles)) {
+      // 兼容可能的响应格式
+      roles = response.data.roles;
+    }
+
+    console.log('✅ [getUserRoles] 成功获取用户角色，共', roles.length, '个角色');
+
+    // 将后端数据转换为RoleInfo格式
+    return roles.map(role => ({
+      id: role.id || role.role_id,
+      role_key: role.role_key,
+      role_name: role.role_name,
+      data_scope: role.data_scope,
+      description: role.description || '',
+      priority: role.priority || 0,
+      is_system_role: role.is_system || false,
+      created_at: role.created_at || '',
+      updated_at: role.updated_at || ''
+    }));
+  } catch (error) {
+    console.error('❌ [getUserRoles] 获取用户角色失败:', error);
+    // 失败时返回空数组
+    return [];
   }
-
-  if (role.is_system_role) {
-    return { success: false, message: '系统角色不能删除' };
-  }
-
-  const roleIndex = mockRoles.indexOf(role);
-  mockRoles.splice(roleIndex, 1);
-
-  return { success: true, message: '角色删除成功' };
 }
diff --git a/app/routes/role-permissions._index.tsx b/app/routes/role-permissions._index.tsx
index a3da41b..b7ff95f 100644
--- a/app/routes/role-permissions._index.tsx
+++ b/app/routes/role-permissions._index.tsx
@@ -1,7 +1,8 @@
-import { useState, useEffect } from "react";
+import { useState, useEffect, useRef } from "react";
 import { ClientLoaderFunctionArgs, ClientActionFunctionArgs } from "@remix-run/react";
 import { Card } from "~/components/ui/Card";
 import { Button } from "~/components/ui/Button";
+import { Modal } from "~/components/ui/Modal";
 import { toastService } from "~/components/ui/Toast";
 import {
   getRoles,
@@ -14,6 +15,8 @@ import {
   createRole,
   updateRole,
   deleteRole,
+  revokeUserRole,
+  getUserRoles,
   type RoleInfo,
   type RouteInfo,
   type UserInfo
@@ -35,8 +38,60 @@ export const meta = () => {
   ];
 };
 
+// ==================== 辅助函数 ====================
+
+/**
+ * 数据范围转中文
+ */
+function getDataScopeLabel(scope: string): string {
+  const map: Record<string, string> = {
+    'ALL': '全部数据',
+    'DEPT': '部门数据',
+    'SELF': '仅本人数据'
+  };
+  return map[scope] || scope;
+}
+
 // ClientLoader - 加载初始数据
 export async function clientLoader({ request }: ClientLoaderFunctionArgs) {
+  // ==================== 权限校验 ====================
+  // 检查用户是否有provincial_admin权限
+  try {
+    const userInfo = localStorage.getItem('user_info');
+
+    if (!userInfo) {
+      // 未登录，重定向到登录页
+      window.location.href = '/login';
+      throw new Error('未登录');
+    }
+
+    const user = JSON.parse(userInfo);
+
+    // 检查角色或权限
+    // provincial_admin 角色拥有完整的RBAC管理权限
+    const hasPermission =
+      user.role === 'provincial_admin' ||
+      user.role_key === 'provincial_admin' ||
+      (user.permissions && Array.isArray(user.permissions) && user.permissions.includes('system:rbac:manage'));
+
+    if (!hasPermission) {
+      // 无权限，显示错误提示
+      console.warn('⚠️ 权限不足：需要省级管理员权限或system:rbac:manage权限');
+      toastService.error('权限不足，需要省级管理员权限');
+
+      // 返回空数据，但不阻止页面渲染（可以显示友好的无权限提示）
+      return {
+        roles: [],
+        routes: [],
+        users: [],
+        noPermission: true
+      };
+    }
+  } catch (error) {
+    console.error('权限检查失败:', error);
+  }
+
+  // ==================== 加载数据 ====================
   try {
     const [roles, routes, users] = await Promise.all([
       getRoles(),
@@ -47,14 +102,16 @@ export async function clientLoader({ request }: ClientLoaderFunctionArgs) {
     return {
       roles,
       routes,
-      users
+      users,
+      noPermission: false
     };
   } catch (error) {
     console.error("加载数据失败:", error);
     return {
       roles: [],
       routes: [],
-      users: []
+      users: [],
+      noPermission: false
     };
   }
 }
@@ -111,6 +168,638 @@ export async function clientAction({ request }: ClientActionFunctionArgs) {
   }
 }
 
+// ==================== 创建角色模态框 ====================
+
+interface CreateRoleModalProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onSuccess: () => void;
+}
+
+function CreateRoleModal({ isOpen, onClose, onSuccess }: CreateRoleModalProps) {
+  const [formData, setFormData] = useState({
+    role_key: '',
+    role_name: '',
+    description: '',
+    data_scope: 'SELF' as 'ALL' | 'DEPT' | 'SELF',
+    priority: 10
+  });
+
+  const [loading, setLoading] = useState(false);
+  const [errors, setErrors] = useState<Record<string, string>>({});
+
+  // 重置表单
+  const resetForm = () => {
+    setFormData({
+      role_key: '',
+      role_name: '',
+      description: '',
+      data_scope: 'SELF',
+      priority: 10
+    });
+    setErrors({});
+  };
+
+  // 验证表单
+  const validateForm = (): boolean => {
+    const newErrors: Record<string, string> = {};
+
+    if (!formData.role_key.trim()) {
+      newErrors.role_key = '角色标识不能为空';
+    } else if (!/^[a-z][a-z0-9_]*$/.test(formData.role_key)) {
+      newErrors.role_key = '角色标识只能包含小写字母、数字、下划线，且必须以字母开头';
+    }
+
+    if (!formData.role_name.trim()) {
+      newErrors.role_name = '角色名称不能为空';
+    }
+
+    setErrors(newErrors);
+    return Object.keys(newErrors).length === 0;
+  };
+
+  // 提交表单
+  const handleSubmit = async (e?: React.FormEvent) => {
+    if (e) e.preventDefault();
+
+    if (!validateForm()) {
+      toastService.error('请填写正确的表单信息');
+      return;
+    }
+
+    setLoading(true);
+    try {
+      const result = await createRole({
+        role_key: formData.role_key,
+        role_name: formData.role_name,
+        description: formData.description,
+        data_scope: formData.data_scope,
+        priority: formData.priority,
+        is_system_role: false
+      });
+
+      if (result.success) {
+        toastService.success(result.message);
+        resetForm();
+        onSuccess();
+        onClose();
+      } else {
+        toastService.error(result.message);
+      }
+    } catch (error) {
+      toastService.error('创建角色失败');
+      console.error('创建角色失败:', error);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  // 关闭时重置表单
+  const handleClose = () => {
+    resetForm();
+    onClose();
+  };
+
+  return (
+    <Modal
+      isOpen={isOpen}
+      onClose={handleClose}
+      title="创建新角色"
+      size="medium"
+      footer={
+        <>
+          <Button type="default" onClick={handleClose} disabled={loading}>
+            取消
+          </Button>
+          <Button type="primary" onClick={handleSubmit} disabled={loading}>
+            {loading ? '创建中...' : '创建'}
+          </Button>
+        </>
+      }
+    >
+      <form className="role-form" onSubmit={handleSubmit}>
+        <div className="form-group">
+          <label className="required">角色标识</label>
+          <input
+            type="text"
+            className={`form-input ${errors.role_key ? 'error' : ''}`}
+            placeholder="如: department_leader"
+            value={formData.role_key}
+            onChange={(e) => {
+              const value = e.target.value;
+              setFormData({ ...formData, role_key: value });
+
+              // 实时验证
+              if (value && !/^[a-z][a-z0-9_]*$/.test(value)) {
+                setErrors({ ...errors, role_key: '必须以字母开头，只能包含小写字母、数字、下划线' });
+              } else {
+                setErrors({ ...errors, role_key: '' });
+              }
+            }}
+            disabled={loading}
+          />
+          {errors.role_key && <span className="form-error">{errors.role_key}</span>}
+          <span className="form-hint">必须以字母开头，只能包含小写字母、数字、下划线，创建后不可修改</span>
+        </div>
+
+        <div className="form-group">
+          <label className="required">角色名称</label>
+          <input
+            type="text"
+            className={`form-input ${errors.role_name ? 'error' : ''}`}
+            placeholder="如: 部门负责人"
+            value={formData.role_name}
+            onChange={(e) => {
+              setFormData({ ...formData, role_name: e.target.value });
+              setErrors({ ...errors, role_name: '' });
+            }}
+            disabled={loading}
+          />
+          {errors.role_name && <span className="form-error">{errors.role_name}</span>}
+        </div>
+
+        <div className="form-group">
+          <label>角色描述</label>
+          <textarea
+            className="form-textarea"
+            placeholder="描述角色的职责和权限范围"
+            value={formData.description}
+            onChange={(e) => setFormData({ ...formData, description: e.target.value })}
+            rows={3}
+            disabled={loading}
+          />
+        </div>
+
+        <div className="form-group">
+          <label className="required">数据范围</label>
+          <select
+            className="form-select"
+            value={formData.data_scope}
+            onChange={(e) => setFormData({ ...formData, data_scope: e.target.value as any })}
+            disabled={loading}
+          >
+            <option value="SELF">仅本人数据</option>
+            <option value="DEPT">部门数据</option>
+            <option value="ALL">全部数据</option>
+          </select>
+          <span className="form-hint">控制该角色可访问的数据范围</span>
+        </div>
+
+        <div className="form-group">
+          <label>优先级</label>
+          <input
+            type="number"
+            className="form-input"
+            placeholder="数字越小优先级越高"
+            value={formData.priority}
+            onChange={(e) => setFormData({ ...formData, priority: parseInt(e.target.value) || 10 })}
+            min={1}
+            max={100}
+            disabled={loading}
+          />
+          <span className="form-hint">数字越小优先级越高，范围 1-100</span>
+        </div>
+      </form>
+    </Modal>
+  );
+}
+
+// ==================== 编辑角色模态框 ====================
+
+interface EditRoleModalProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onSuccess: () => void;
+  role: RoleInfo | null;
+}
+
+function EditRoleModal({ isOpen, onClose, onSuccess, role }: EditRoleModalProps) {
+  const [formData, setFormData] = useState({
+    role_name: '',
+    description: '',
+    data_scope: 'SELF' as 'ALL' | 'DEPT' | 'SELF',
+    priority: 10
+  });
+
+  const [loading, setLoading] = useState(false);
+  const [errors, setErrors] = useState<Record<string, string>>({});
+
+  // 当角色数据变化时，更新表单
+  useEffect(() => {
+    if (role && isOpen) {
+      setFormData({
+        role_name: role.role_name,
+        description: role.description || '',
+        data_scope: role.data_scope as any,
+        priority: role.priority
+      });
+      setErrors({});
+    }
+  }, [role, isOpen]);
+
+  // 验证表单
+  const validateForm = (): boolean => {
+    const newErrors: Record<string, string> = {};
+
+    if (!formData.role_name.trim()) {
+      newErrors.role_name = '角色名称不能为空';
+    }
+
+    setErrors(newErrors);
+    return Object.keys(newErrors).length === 0;
+  };
+
+  // 提交表单
+  const handleSubmit = async (e?: React.FormEvent) => {
+    if (e) e.preventDefault();
+
+    if (!role) return;
+
+    if (!validateForm()) {
+      toastService.error('请填写正确的表单信息');
+      return;
+    }
+
+    setLoading(true);
+    try {
+      const result = await updateRole(role.id, {
+        role_name: formData.role_name,
+        description: formData.description,
+        data_scope: formData.data_scope,
+        priority: formData.priority
+      });
+
+      if (result.success) {
+        toastService.success(result.message);
+        onSuccess();
+        onClose();
+      } else {
+        toastService.error(result.message);
+      }
+    } catch (error) {
+      toastService.error('更新角色失败');
+      console.error('更新角色失败:', error);
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  if (!role) return null;
+
+  return (
+    <Modal
+      isOpen={isOpen}
+      onClose={onClose}
+      title={`编辑角色 - ${role.role_key}`}
+      size="medium"
+      footer={
+        <>
+          <Button type="default" onClick={onClose} disabled={loading}>
+            取消
+          </Button>
+          <Button type="primary" onClick={handleSubmit} disabled={loading}>
+            {loading ? '保存中...' : '保存'}
+          </Button>
+        </>
+      }
+    >
+      <form className="role-form" onSubmit={handleSubmit}>
+        {role.is_system_role && (
+          <div className="form-notice warning">
+            <i className="ri-information-line"></i>
+            <span>系统角色的某些字段不可修改</span>
+          </div>
+        )}
+
+        <div className="form-group">
+          <label>角色标识</label>
+          <input
+            type="text"
+            className="form-input"
+            value={role.role_key}
+            disabled
+            style={{ background: '#f5f7fa', cursor: 'not-allowed' }}
+          />
+          <span className="form-hint">角色标识创建后不可修改</span>
+        </div>
+
+        <div className="form-group">
+          <label className="required">角色名称</label>
+          <input
+            type="text"
+            className={`form-input ${errors.role_name ? 'error' : ''}`}
+            placeholder="如: 部门负责人"
+            value={formData.role_name}
+            onChange={(e) => {
+              setFormData({ ...formData, role_name: e.target.value });
+              setErrors({ ...errors, role_name: '' });
+            }}
+            disabled={loading}
+          />
+          {errors.role_name && <span className="form-error">{errors.role_name}</span>}
+        </div>
+
+        <div className="form-group">
+          <label>角色描述</label>
+          <textarea
+            className="form-textarea"
+            placeholder="描述角色的职责和权限范围"
+            value={formData.description}
+            onChange={(e) => setFormData({ ...formData, description: e.target.value })}
+            rows={3}
+            disabled={loading}
+          />
+        </div>
+
+        <div className="form-group">
+          <label className="required">数据范围</label>
+          <select
+            className="form-select"
+            value={formData.data_scope}
+            onChange={(e) => setFormData({ ...formData, data_scope: e.target.value as any })}
+            disabled={loading || (role.is_system_role && role.role_key === 'provincial_admin')}
+          >
+            <option value="SELF">仅本人数据</option>
+            <option value="DEPT">部门数据</option>
+            <option value="ALL">全部数据</option>
+          </select>
+          {role.is_system_role && role.role_key === 'provincial_admin' && (
+            <span className="form-hint">省级管理员的数据范围不可修改</span>
+          )}
+        </div>
+
+        <div className="form-group">
+          <label>优先级</label>
+          <input
+            type="number"
+            className="form-input"
+            placeholder="数字越小优先级越高"
+            value={formData.priority}
+            onChange={(e) => setFormData({ ...formData, priority: parseInt(e.target.value) || 10 })}
+            min={1}
+            max={100}
+            disabled={loading}
+          />
+          <span className="form-hint">数字越小优先级越高，范围 1-100</span>
+        </div>
+      </form>
+    </Modal>
+  );
+}
+
+// ==================== 分配用户模态框 ====================
+
+interface AssignUserModalProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onSuccess: () => void;
+  role: RoleInfo | null;
+}
+
+function AssignUserModal({ isOpen, onClose, onSuccess, role }: AssignUserModalProps) {
+  const [allUsers, setAllUsers] = useState<UserInfo[]>([]);
+  const [selectedUserIds, setSelectedUserIds] = useState<number[]>([]);
+  const [searchTerm, setSearchTerm] = useState('');
+  const [loading, setLoading] = useState(false);
+  const [loadingUsers, setLoadingUsers] = useState(false);
+  // 存储每个用户的角色信息
+  const [userRolesMap, setUserRolesMap] = useState<Map<number, RoleInfo[]>>(new Map());
+
+  // 当模态框打开时，加载用户列表
+  useEffect(() => {
+    if (isOpen && role) {
+      loadUsers();
+    }
+  }, [isOpen, role]);
+
+  // 加载所有用户及其角色信息
+  const loadUsers = async () => {
+    setLoadingUsers(true);
+    try {
+      const users = await getAllUsers();
+      setAllUsers(users);
+
+      // 批量获取每个用户的角色
+      const rolesMap = new Map<number, RoleInfo[]>();
+      await Promise.all(
+        users.map(async (user) => {
+          const roles = await getUserRoles(user.id);
+          rolesMap.set(user.id, roles);
+        })
+      );
+      setUserRolesMap(rolesMap);
+    } catch (error) {
+      console.error('加载用户列表失败:', error);
+      toastService.error('加载用户列表失败');
+    } finally {
+      setLoadingUsers(false);
+    }
+  };
+
+  // 重置状态
+  const resetState = () => {
+    setSelectedUserIds([]);
+    setSearchTerm('');
+  };
+
+  // 提交分配
+  const handleSubmit = async () => {
+    if (!role) return;
+
+    if (selectedUserIds.length === 0) {
+      toastService.error('请至少选择一个用户');
+      return;
+    }
+
+    setLoading(true);
+    try {
+      // 检查每个用户是否已有角色
+      const usersWithRoles: Array<{ userId: number; userName: string; roleName: string }> = [];
+
+      for (const userId of selectedUserIds) {
+        const userRoles = await getUserRoles(userId);
+        if (userRoles.length > 0) {
+          const user = allUsers.find(u => u.id === userId);
+          usersWithRoles.push({
+            userId,
+            userName: user?.nick_name || user?.username || `用户${userId}`,
+            roleName: userRoles.map(r => r.role_name).join('、')
+          });
+        }
+      }
+
+      // 如果有用户已经有角色，阻止分配并提示
+      if (usersWithRoles.length > 0) {
+        const userList = usersWithRoles.map(u => `• ${u.userName} (当前角色: ${u.roleName})`).join('\n');
+        toastService.error(
+          `以下用户已有角色，不能同时拥有多个角色：\n${userList}\n\n请先移除其现有角色后再分配新角色。`
+        );
+        setLoading(false);
+        return;
+      }
+
+      // 为每个选中的用户分配角色
+      const promises = selectedUserIds.map(userId =>
+        assignUserRoles(userId, [role.id])
+      );
+
+      await Promise.all(promises);
+
+      toastService.success(`成功为 ${selectedUserIds.length} 个用户分配角色`);
+      resetState();
+      onSuccess();
+      onClose();
+    } catch (error) {
+      console.error('分配用户角色失败:', error);
+      toastService.error('分配用户角色失败');
+    } finally {
+      setLoading(false);
+    }
+  };
+
+  // 关闭时重置
+  const handleClose = () => {
+    resetState();
+    onClose();
+  };
+
+  // 全选/取消全选
+  const handleToggleAll = () => {
+    const filteredUserIds = filteredUsers.map(u => u.id);
+    if (selectedUserIds.length === filteredUserIds.length) {
+      setSelectedUserIds([]);
+    } else {
+      setSelectedUserIds(filteredUserIds);
+    }
+  };
+
+  if (!role) return null;
+
+  // 过滤用户
+  const filteredUsers = allUsers.filter(user => {
+    const searchLower = searchTerm.toLowerCase();
+    return (
+      user.nick_name.toLowerCase().includes(searchLower) ||
+      user.username.toLowerCase().includes(searchLower) ||
+      user.ou_name.toLowerCase().includes(searchLower)
+    );
+  });
+
+  return (
+    <Modal
+      isOpen={isOpen}
+      onClose={handleClose}
+      title={`为角色"${role.role_name}"分配用户`}
+      size="medium"
+      footer={
+        <>
+          <Button type="default" onClick={handleClose} disabled={loading}>
+            取消
+          </Button>
+          <Button type="primary" onClick={handleSubmit} disabled={loading || selectedUserIds.length === 0}>
+            {loading ? '分配中...' : `分配 (${selectedUserIds.length})`}
+          </Button>
+        </>
+      }
+    >
+      <div className="assign-user-modal">
+        {/* 搜索框 */}
+        <div className="search-box">
+          <i className="ri-search-line"></i>
+          <input
+            type="text"
+            placeholder="搜索用户（姓名、用户名、单位）"
+            value={searchTerm}
+            onChange={(e) => setSearchTerm(e.target.value)}
+          />
+        </div>
+
+        {/* 全选按钮 */}
+        <div className="select-all-bar">
+          <label className="user-checkbox-item select-all">
+            <input
+              type="checkbox"
+              checked={filteredUsers.length > 0 && selectedUserIds.length === filteredUsers.length}
+              onChange={handleToggleAll}
+              disabled={filteredUsers.length === 0}
+            />
+            <span className="user-name">
+              全选 ({selectedUserIds.length} / {filteredUsers.length})
+            </span>
+          </label>
+        </div>
+
+        {/* 用户复选框列表 */}
+        {loadingUsers ? (
+          <div className="loading-container" style={{ minHeight: '300px' }}>
+            <i className="ri-loader-4-line spin"></i>
+            <span>加载用户中...</span>
+          </div>
+        ) : (
+          <div className="users-checkbox-list">
+            {filteredUsers.length > 0 ? (
+              filteredUsers.map(user => {
+                const userRoles = userRolesMap.get(user.id) || [];
+                const hasRoles = userRoles.length > 0;
+
+                return (
+                  <label key={user.id} className="user-checkbox-item">
+                    <input
+                      type="checkbox"
+                      checked={selectedUserIds.includes(user.id)}
+                      onChange={(e) => {
+                        if (e.target.checked) {
+                          setSelectedUserIds([...selectedUserIds, user.id]);
+                        } else {
+                          setSelectedUserIds(selectedUserIds.filter(id => id !== user.id));
+                        }
+                      }}
+                    />
+                    <div className="user-info">
+                      <div className="user-name">
+                        {user.nick_name}
+                        {user.is_leader && (
+                          <span className="leader-badge" style={{ marginLeft: '8px' }}>负责人</span>
+                        )}
+                        {hasRoles && (
+                          <span
+                            className="role-badge"
+                            style={{
+                              marginLeft: '8px',
+                              padding: '2px 8px',
+                              fontSize: '12px',
+                              backgroundColor: '#f0f9ff',
+                              color: '#0284c7',
+                              border: '1px solid #bae6fd',
+                              borderRadius: '4px'
+                            }}
+                            title={`当前角色: ${userRoles.map(r => r.role_name).join('、')}`}
+                          >
+                            {userRoles.map(r => r.role_name).join('、')}
+                          </span>
+                        )}
+                      </div>
+                      <div className="user-meta">
+                        @{user.username} • {user.ou_name}
+                        {user.phone_number && ` • ${user.phone_number}`}
+                      </div>
+                    </div>
+                  </label>
+                );
+              })
+            ) : (
+              <div className="empty-state" style={{ padding: '40px 20px' }}>
+                <i className="ri-user-search-line"></i>
+                <p>{searchTerm ? '没有找到匹配的用户' : '没有可分配的用户'}</p>
+              </div>
+            )}
+          </div>
+        )}
+      </div>
+    </Modal>
+  );
+}
+
 // 主组件
 export default function RolePermissions() {
   const [roles, setRoles] = useState<RoleInfo[]>([]);
@@ -120,6 +809,21 @@ export default function RolePermissions() {
   const [activeTab, setActiveTab] = useState<'permissions' | 'users'>('permissions');
   const [loading, setLoading] = useState(true);
 
+  // 模态框状态
+  const [showCreateModal, setShowCreateModal] = useState(false);
+  const [showEditModal, setShowEditModal] = useState(false);
+  const [roleToEdit, setRoleToEdit] = useState<RoleInfo | null>(null);
+  const [showAssignUserModal, setShowAssignUserModal] = useState(false);
+
+  // 确认删除Modal状态
+  const [showDeleteConfirm, setShowDeleteConfirm] = useState(false);
+  const [deleteTarget, setDeleteTarget] = useState<{
+    type: 'role' | 'userRole';
+    role?: RoleInfo;
+    user?: UserInfo;
+  } | null>(null);
+  const [deleteCountdown, setDeleteCountdown] = useState(3);
+
   // 路由权限相关状态
   const [selectedRouteIds, setSelectedRouteIds] = useState<number[]>([]);
   const [roleUsers, setRoleUsers] = useState<UserInfo[]>([]);
@@ -129,6 +833,17 @@ export default function RolePermissions() {
     loadData();
   }, []);
 
+  // 删除确认倒计时
+  useEffect(() => {
+    let timer: NodeJS.Timeout;
+    if (showDeleteConfirm && deleteCountdown > 0) {
+      timer = setTimeout(() => {
+        setDeleteCountdown(deleteCountdown - 1);
+      }, 1000);
+    }
+    return () => clearTimeout(timer);
+  }, [showDeleteConfirm, deleteCountdown]);
+
   const loadData = async () => {
     setLoading(true);
     try {
@@ -206,22 +921,119 @@ export default function RolePermissions() {
     }
   };
 
+  // 编辑角色
+  const handleEditRole = (role: RoleInfo) => {
+    setRoleToEdit(role);
+    setShowEditModal(true);
+  };
+
+  // 删除角色 - 显示确认Modal
+  const handleDeleteRole = (role: RoleInfo) => {
+    // 系统角色禁止删除
+    if (role.is_system_role) {
+      toastService.error('系统角色不能删除');
+      return;
+    }
+
+    // 核心角色保护
+    const coreRoles = ['provincial_admin', 'admin', 'common'];
+    if (coreRoles.includes(role.role_key)) {
+      toastService.error('系统核心角色不能删除');
+      return;
+    }
+
+    // 打开确认删除Modal
+    setDeleteTarget({ type: 'role', role });
+    setDeleteCountdown(3);
+    setShowDeleteConfirm(true);
+  };
+
+  // 确认删除角色 - 实际执行删除
+  const confirmDeleteRole = async () => {
+    if (!deleteTarget || deleteTarget.type !== 'role' || !deleteTarget.role) return;
+
+    const role = deleteTarget.role;
+    setShowDeleteConfirm(false);
+    setDeleteTarget(null);
+
+    try {
+      const result = await deleteRole(role.id, false);
+
+      if (result.success) {
+        toastService.success(result.message);
+        // 重新加载数据
+        await loadData();
+        // 如果删除的是当前选中的角色，清除选中状态
+        if (selectedRole?.id === role.id) {
+          setSelectedRole(null);
+        }
+      } else {
+        // 如果有用户关联，询问是否强制删除
+        if (result.message.includes('用户')) {
+          if (confirm(result.message + '\n\n是否强制删除并解除所有用户关联？')) {
+            const forceResult = await deleteRole(role.id, true);
+            if (forceResult.success) {
+              toastService.success('角色已强制删除');
+              await loadData();
+              if (selectedRole?.id === role.id) {
+                setSelectedRole(null);
+              }
+            } else {
+              toastService.error(forceResult.message);
+            }
+          }
+        } else {
+          toastService.error(result.message);
+        }
+      }
+    } catch (error) {
+      console.error('删除角色失败:', error);
+      toastService.error('删除角色失败');
+    }
+  };
+
+  // 移除用户角色 - 显示确认Modal
+  const handleRemoveUserRole = (user: UserInfo) => {
+    if (!selectedRole) return;
+
+    // 打开确认删除Modal
+    setDeleteTarget({ type: 'userRole', role: selectedRole, user });
+    setDeleteCountdown(3);
+    setShowDeleteConfirm(true);
+  };
+
+  // 确认移除用户角色 - 实际执行
+  const confirmRemoveUserRole = async () => {
+    if (!deleteTarget || deleteTarget.type !== 'userRole' || !deleteTarget.role || !deleteTarget.user) return;
+
+    const { role, user } = deleteTarget;
+    setShowDeleteConfirm(false);
+    setDeleteTarget(null);
+
+    try {
+      const result = await revokeUserRole(user.id, role.id);
+
+      if (result.success) {
+        toastService.success(result.message);
+        // 重新加载该角色的用户列表
+        const users = await getRoleUsers(role.id);
+        setRoleUsers(users);
+      } else {
+        toastService.error(result.message);
+      }
+    } catch (error) {
+      console.error('移除用户角色失败:', error);
+      toastService.error('移除用户角色失败');
+    }
+  };
+
   // 保存权限
   const handleSavePermissions = async () => {
     if (!selectedRole) return;
 
     try {
-      const formData = new FormData();
-      formData.append("action", "updatePermissions");
-      formData.append("roleId", selectedRole.id.toString());
-      formData.append("routeIds", JSON.stringify(selectedRouteIds));
-
-      const response = await fetch("/role-permissions", {
-        method: "POST",
-        body: formData
-      });
-
-      const result = await response.json();
+      // 直接调用API函数而不是发送POST请求
+      const result = await updateRoleRoutePermissions(selectedRole.id, selectedRouteIds);
 
       if (result.success) {
         toastService.success(result.message);
@@ -293,6 +1105,37 @@ export default function RolePermissions() {
     );
   }
 
+  // 检查是否有权限（通过角色列表是否为空判断）
+  // 注意：这是一个简单的权限检查，实际应该从loader返回的noPermission字段判断
+  const noPermission = roles.length === 0 && routes.length === 0 && users.length === 0 && !loading;
+
+  // 无权限提示页面
+  if (noPermission) {
+    return (
+      <div className="role-permissions-page">
+        <Card className="no-permission-card">
+          <div className="empty-state" style={{ padding: '80px 40px' }}>
+            <i className="ri-shield-cross-line" style={{ fontSize: '96px', color: '#dcdfe6' }}></i>
+            <h2 style={{ fontSize: '24px', fontWeight: 600, color: '#303133', marginTop: '24px', marginBottom: '12px' }}>
+              权限不足
+            </h2>
+            <p style={{ fontSize: '16px', color: '#606266', marginBottom: '32px' }}>
+              您没有访问角色权限管理的权限，需要 <strong>省级管理员</strong> 角色或 <strong>system:rbac:manage</strong> 权限
+            </p>
+            <div style={{ display: 'flex', gap: '12px', justifyContent: 'center' }}>
+              <Button type="default" icon="ri-arrow-left-line" onClick={() => window.history.back()}>
+                返回上一页
+              </Button>
+              <Button type="primary" icon="ri-home-line" onClick={() => window.location.href = '/'}>
+                返回首页
+              </Button>
+            </div>
+          </div>
+        </Card>
+      </div>
+    );
+  }
+
   return (
     <div className="role-permissions-page">
       {/* 页面头部 */}
@@ -305,9 +1148,7 @@ export default function RolePermissions() {
           <Button
             type="primary"
             icon="ri-add-line"
-            onClick={() => {
-              toastService.info("创建角色功能开发中...");
-            }}
+            onClick={() => setShowCreateModal(true)}
           >
             新建角色
           </Button>
@@ -336,7 +1177,7 @@ export default function RolePermissions() {
                   <div className="role-meta">
                     <span className="data-scope">
                       <i className="ri-database-line"></i>
-                      {role.data_scope}
+                      {getDataScopeLabel(role.data_scope)}
                     </span>
                     <span className="priority">
                       <i className="ri-sort-asc"></i>
@@ -350,7 +1191,7 @@ export default function RolePermissions() {
                       className="btn-icon"
                       onClick={(e) => {
                         e.stopPropagation();
-                        toastService.info("编辑角色功能开发中...");
+                        handleEditRole(role);
                       }}
                       title="编辑"
                     >
@@ -360,9 +1201,7 @@ export default function RolePermissions() {
                       className="btn-icon text-error"
                       onClick={(e) => {
                         e.stopPropagation();
-                        if (confirm(`确定要删除角色"${role.role_name}"吗？`)) {
-                          toastService.info("删除角色功能开发中...");
-                        }
+                        handleDeleteRole(role);
                       }}
                       title="删除"
                     >
@@ -432,9 +1271,7 @@ export default function RolePermissions() {
                         <Button
                           type="primary"
                           icon="ri-user-add-line"
-                          onClick={() => {
-                            toastService.info("分配用户功能开发中...");
-                          }}
+                          onClick={() => setShowAssignUserModal(true)}
                         >
                           分配用户
                         </Button>
@@ -474,11 +1311,7 @@ export default function RolePermissions() {
                               <div className="user-actions">
                                 <button
                                   className="btn-icon text-error"
-                                  onClick={() => {
-                                    if (confirm(`确定要移除用户"${user.nick_name}"的该角色吗？`)) {
-                                      toastService.info("移除角色功能开发中...");
-                                    }
-                                  }}
+                                  onClick={() => handleRemoveUserRole(user)}
                                   title="移除角色"
                                 >
                                   <i className="ri-user-unfollow-line"></i>
@@ -508,6 +1341,102 @@ export default function RolePermissions() {
           )}
         </div>
       </div>
+
+      {/* 创建角色模态框 */}
+      <CreateRoleModal
+        isOpen={showCreateModal}
+        onClose={() => setShowCreateModal(false)}
+        onSuccess={loadData}
+      />
+
+      {/* 编辑角色模态框 */}
+      <EditRoleModal
+        isOpen={showEditModal}
+        onClose={() => {
+          setShowEditModal(false);
+          setRoleToEdit(null);
+        }}
+        onSuccess={loadData}
+        role={roleToEdit}
+      />
+
+      {/* 分配用户模态框 */}
+      <AssignUserModal
+        isOpen={showAssignUserModal}
+        onClose={() => setShowAssignUserModal(false)}
+        onSuccess={async () => {
+          // 重新加载该角色的用户列表
+          if (selectedRole) {
+            const users = await getRoleUsers(selectedRole.id);
+            setRoleUsers(users);
+          }
+        }}
+        role={selectedRole}
+      />
+
+      {/* 确认删除模态框 */}
+      <Modal
+        isOpen={showDeleteConfirm}
+        onClose={() => {
+          setShowDeleteConfirm(false);
+          setDeleteTarget(null);
+        }}
+        title={deleteTarget?.type === 'role' ? '确认删除角色' : '确认移除用户角色'}
+      >
+        <div style={{ padding: '20px 0' }}>
+          {deleteTarget?.type === 'role' && deleteTarget.role && (
+            <div>
+              <p style={{ marginBottom: '16px', fontSize: '15px', lineHeight: '1.6' }}>
+                您确定要删除角色 <strong>"{deleteTarget.role.role_name}"</strong> 吗？
+              </p>
+              <p style={{ marginBottom: '16px', color: '#666', fontSize: '14px' }}>
+                此操作将永久删除该角色，且无法恢复。
+              </p>
+            </div>
+          )}
+
+          {deleteTarget?.type === 'userRole' && deleteTarget.role && deleteTarget.user && (
+            <div>
+              <p style={{ marginBottom: '16px', fontSize: '15px', lineHeight: '1.6' }}>
+                您确定要移除用户 <strong>"{deleteTarget.user.nick_name}"</strong> 的角色 <strong>"{deleteTarget.role.role_name}"</strong> 吗？
+              </p>
+              <p style={{ marginBottom: '16px', color: '#666', fontSize: '14px' }}>
+                移除后，该用户将失去此角色的所有权限。
+              </p>
+            </div>
+          )}
+
+          <div style={{
+            display: 'flex',
+            gap: '12px',
+            justifyContent: 'flex-end',
+            marginTop: '24px'
+          }}>
+            <Button
+              variant="secondary"
+              onClick={() => {
+                setShowDeleteConfirm(false);
+                setDeleteTarget(null);
+              }}
+            >
+              取消
+            </Button>
+            <Button
+              variant="danger"
+              onClick={() => {
+                if (deleteTarget?.type === 'role') {
+                  confirmDeleteRole();
+                } else if (deleteTarget?.type === 'userRole') {
+                  confirmRemoveUserRole();
+                }
+              }}
+              disabled={deleteCountdown > 0}
+            >
+              {deleteCountdown > 0 ? `确认删除 (${deleteCountdown}秒)` : '确认删除'}
+            </Button>
+          </div>
+        </div>
+      </Modal>
     </div>
   );
 }
diff --git a/app/styles/pages/role-permissions.css b/app/styles/pages/role-permissions.css
index e22f157..816e603 100644
--- a/app/styles/pages/role-permissions.css
+++ b/app/styles/pages/role-permissions.css
@@ -505,6 +505,230 @@
   }
 }
 
+/* ==================== 表单样式 ==================== */
+
+.role-form {
+  display: flex;
+  flex-direction: column;
+  gap: 20px;
+}
+
+.form-group {
+  display: flex;
+  flex-direction: column;
+  gap: 8px;
+}
+
+.form-group label {
+  font-size: 14px;
+  font-weight: 500;
+  color: #303133;
+}
+
+.form-group label.required::after {
+  content: ' *';
+  color: var(--color-error);
+}
+
+.form-input,
+.form-textarea,
+.form-select {
+  padding: 10px 12px;
+  border: 1px solid #dcdfe6;
+  border-radius: 4px;
+  font-size: 14px;
+  color: #303133;
+  transition: border-color 0.2s;
+}
+
+.form-input:focus,
+.form-textarea:focus,
+.form-select:focus {
+  outline: none;
+  border-color: var(--color-primary);
+  box-shadow: 0 0 0 2px rgba(0, 104, 74, 0.1);
+}
+
+.form-input.error,
+.form-textarea.error,
+.form-select.error {
+  border-color: var(--color-error);
+}
+
+.form-input:disabled,
+.form-textarea:disabled,
+.form-select:disabled {
+  background: #f5f7fa;
+  cursor: not-allowed;
+  color: #909399;
+}
+
+.form-hint {
+  font-size: 12px;
+  color: #909399;
+  line-height: 1.5;
+}
+
+.form-error {
+  font-size: 12px;
+  color: var(--color-error);
+  line-height: 1.5;
+}
+
+.form-notice {
+  display: flex;
+  align-items: center;
+  gap: 8px;
+  padding: 12px 16px;
+  border-radius: 4px;
+  font-size: 14px;
+  background: #ecf5ff;
+  border: 1px solid #b3d8ff;
+  color: #606266;
+}
+
+.form-notice.warning {
+  background: #fef0f0;
+  border-color: #fbc4c4;
+  color: #606266;
+}
+
+.form-notice i {
+  font-size: 18px;
+  color: #409eff;
+}
+
+.form-notice.warning i {
+  color: var(--color-error);
+}
+
+/* 分配用户模态框 */
+.assign-user-modal {
+  display: flex;
+  flex-direction: column;
+  gap: 16px;
+}
+
+/* 全选栏 */
+.select-all-bar {
+  padding: 12px 16px;
+  background: #f5f7fa;
+  border-radius: 6px;
+  border: 1px solid #e4e7ed;
+}
+
+.select-all-bar .user-checkbox-item {
+  padding: 0;
+  margin: 0;
+}
+
+.select-all-bar .user-checkbox-item:hover {
+  background: transparent;
+}
+
+.select-all-bar .user-name {
+  font-weight: 600;
+  color: #303133;
+}
+
+/* 用户复选框列表 */
+.users-checkbox-list {
+  max-height: 400px;
+  overflow-y: auto;
+  border: 1px solid #e4e7ed;
+  border-radius: 6px;
+  padding: 12px;
+  background: #fafbfc;
+}
+
+.user-checkbox-item {
+  display: flex;
+  align-items: center;
+  gap: 12px;
+  padding: 12px;
+  border-radius: 6px;
+  cursor: pointer;
+  transition: background 0.2s;
+}
+
+.user-checkbox-item:hover {
+  background: #e6e8eb;
+}
+
+.user-checkbox-item input[type="checkbox"] {
+  width: 18px;
+  height: 18px;
+  cursor: pointer;
+  accent-color: var(--color-primary);
+}
+
+.user-checkbox-item .user-info {
+  flex: 1;
+  min-width: 0;
+}
+
+.user-checkbox-item .user-name {
+  font-size: 14px;
+  font-weight: 500;
+  color: #303133;
+  margin-bottom: 4px;
+}
+
+.user-checkbox-item .user-meta {
+  font-size: 12px;
+  color: #909399;
+}
+
+/* 搜索框 */
+.search-box {
+  display: flex;
+  align-items: center;
+  gap: 10px;
+  padding: 10px 12px;
+  border: 1px solid #dcdfe6;
+  border-radius: 6px;
+  background: white;
+  margin-bottom: 16px;
+}
+
+.search-box i {
+  font-size: 18px;
+  color: #909399;
+}
+
+.search-box input {
+  flex: 1;
+  border: none;
+  outline: none;
+  font-size: 14px;
+  color: #303133;
+}
+
+.search-box input::placeholder {
+  color: #c0c4cc;
+}
+
+/* 无权限卡片 */
+.no-permission-card {
+  max-width: 800px;
+  margin: 60px auto;
+  box-shadow: 0 4px 16px rgba(0, 0, 0, 0.1);
+}
+
+.no-permission-card .empty-state {
+  text-align: center;
+}
+
+.no-permission-card h2 {
+  margin: 0;
+}
+
+.no-permission-card p {
+  margin: 0;
+}
+
+/* ==================== 响应式布局 ==================== */
+
 /* 响应式布局 */
 @media (max-width: 1200px) {
   .permissions-container {
diff --git a/docs/role-permissions/FRONTEND_API_GUIDE.md b/docs/role-permissions/FRONTEND_API_GUIDE.md
new file mode 100644
index 0000000..05ebb7e
--- /dev/null
+++ b/docs/role-permissions/FRONTEND_API_GUIDE.md
@@ -0,0 +1,709 @@
+# 用户权限管理接口 - 前端对接文档
+
+## 📋 文档信息
+
+- **版本**: v2.0
+- **更新日期**: 2025-01-24
+- **API基础URL**: `http://YOUR_HOST:8000`
+- **认证方式**: JWT Bearer Token
+
+---
+
+## ⚠️ 重要提示 - 前端对接必读
+
+### 1. Token过期处理
+
+**问题现象**: API返回 `code: 4001, msg: "token参数无效"`
+
+**原因**: JWT Token已过期（默认有效期1小时）
+
+**解决方案**:
+```javascript
+// 检查Token是否过期
+const isTokenExpired = (token) => {
+  try {
+    const payload = JSON.parse(atob(token.split('.')[1]));
+    return Date.now() >= payload.exp * 1000;
+  } catch {
+    return true;
+  }
+};
+
+// 在发送请求前检查
+if (isTokenExpired(token)) {
+  await login(); // 重新登录获取新Token
+}
+```
+
+### 2. 实际角色ID对应关系
+
+⚠️ **数据库中的实际角色ID** (请以实际数据为准):
+
+| 角色名称 | role_key | 实际role_id | 说明 |
+|---------|----------|------------|------|
+| 省级管理员 | provincial_admin | **52** | 拥有完整RBAC管理权限 |
+| 市级管理员 | admin | **1** | 负责本地区业务管理 |
+| 普通员工 | common | **2** | 只能查看和管理自己的数据 |
+
+**调用示例**:
+```javascript
+// ✅ 正确：使用实际的role_id
+const provincialAdminUsers = await getRoleUsers(52);
+const adminUsers = await getRoleUsers(1);
+const commonUsers = await getRoleUsers(2);
+
+// ❌ 错误：使用Mock数据的ID
+const wrongUsers = await getRoleUsers(3);  // 数据库中不存在
+```
+
+### 3. 响应格式说明
+
+所有接口统一返回格式：
+```json
+{
+  "code": 200,
+  "msg": "success",
+  "data": { ... }
+}
+```
+
+部分接口（如用户列表）直接返回数据对象：
+```json
+{
+  "users": [...],
+  "total": 10
+}
+```
+
+### 4. 权限要求
+
+| 接口模块 | 权限要求 | 说明 |
+|---------|----------|------|
+| RBAC管理接口 | `system:rbac:manage` | 仅provincial_admin角色 |
+| 用户管理接口 | JWT认证即可 | 所有登录用户 |
+| 路由权限接口 | JWT认证即可 | 所有登录用户 |
+
+---
+
+## 📚 接口总览
+
+### 一、RBAC管理接口（18个）
+
+**基础路径**: `/api/v3/rbac`
+
+#### 1.1 角色管理（5个接口）
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/roles` | 获取角色列表（支持分页、搜索） |
+| GET | `/roles/{role_id}` | 获取角色详情 |
+| POST | `/roles` | 创建角色 |
+| PUT | `/roles/{role_id}` | 更新角色 |
+| DELETE | `/roles/{role_id}` | 删除角色（支持force参数） |
+
+#### 1.2 权限管理（5个接口）
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/permissions` | 获取权限列表（支持树形/平铺） |
+| GET | `/permissions/{permission_id}` | 获取权限详情 |
+| POST | `/permissions` | 创建权限 |
+| PUT | `/permissions/{permission_id}` | 更新权限 |
+| DELETE | `/permissions/{permission_id}` | 删除权限 |
+
+#### 1.3 角色权限关联（4个接口）
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/roles/{role_id}/permissions` | 获取角色的所有权限 |
+| POST | `/roles/{role_id}/permissions` | 批量分配权限给角色（支持替换/追加） |
+| PUT | `/roles/{role_id}/permissions/{permission_id}` | 更新单个权限配置 |
+| DELETE | `/roles/{role_id}/permissions/{permission_id}` | 移除角色权限 |
+
+#### 1.4 用户角色管理（4个接口）
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/roles/{role_id}/users` | 获取拥有某角色的用户列表 |
+| GET | `/users/{user_id}/roles` | 获取用户的所有角色 |
+| POST | `/users/{user_id}/roles` | 为用户分配角色 |
+| DELETE | `/users/{user_id}/roles/{role_id}` | 移除用户角色 |
+
+### 二、用户管理接口（3个）
+
+**基础路径**: `/admin/users`
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/users` | 获取用户列表（支持分页、搜索） |
+| GET | `/organizations` | 获取组织架构（树形结构） |
+| GET | `/organizations/flat` | 获取组织列表（扁平结构） |
+
+### 三、路由权限接口（5个）
+
+**基础路径**: `/rbac`
+
+| 方法 | 路径 | 说明 |
+|------|------|------|
+| GET | `/user/routes` | 获取当前用户可访问路由（树形） |
+| GET | `/user/routes/flat` | 获取当前用户可访问路由（扁平） |
+| GET | `/roles/{role_id}/routes` | 获取角色可访问路由 |
+| PUT | `/roles/{role_id}/routes` | **批量更新角色路由权限** ⭐新增 |
+| GET | `/check-route` | 检查路由访问权限 |
+
+---
+
+## 📖 详细接口说明
+
+## 一、RBAC管理接口
+
+### 1.1 获取角色列表
+
+**接口**: `GET /api/v3/rbac/roles`
+
+**Query参数**:
+```javascript
+{
+  page: 1,              // 页码
+  page_size: 20,        // 每页数量
+  role_key: "",         // 角色标识过滤（可选）
+  role_name: "",        // 角色名称模糊搜索（可选）
+  include_system: true  // 是否包含系统角色（可选）
+}
+```
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "message": "success",
+  "data": {
+    "total": 3,
+    "page": 1,
+    "page_size": 20,
+    "items": [
+      {
+        "id": 52,
+        "role_key": "provincial_admin",
+        "role_name": "省级管理员",
+        "description": "省级权限，可管理所有地区",
+        "data_scope": "ALL",
+        "is_system": true,
+        "user_count": 1,
+        "permission_count": 15
+      },
+      {
+        "id": 1,
+        "role_key": "admin",
+        "role_name": "市级管理员",
+        "data_scope": "DEPT",
+        "is_system": true,
+        "user_count": 6
+      }
+    ]
+  }
+}
+```
+
+---
+
+### 1.2 创建角色
+
+**接口**: `POST /api/v3/rbac/roles`
+
+**请求体**:
+```json
+{
+  "role_key": "department_leader",
+  "role_name": "部门负责人",
+  "description": "负责部门日常管理",
+  "data_scope": "DEPT",
+  "metadata": {}
+}
+```
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "message": "角色创建成功",
+  "data": {
+    "id": 6,
+    "role_key": "department_leader",
+    "role_name": "部门负责人",
+    "data_scope": "DEPT",
+    "is_system": false
+  }
+}
+```
+
+---
+
+### 1.3 获取角色的所有用户
+
+**接口**: `GET /api/v3/rbac/roles/{role_id}/users`
+
+**Query参数**:
+```javascript
+{
+  page: 1,
+  page_size: 20,
+  area: "梅州",      // 按地区过滤（可选）
+  username: "admin"  // 用户名模糊搜索（可选）
+}
+```
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "message": "success",
+  "data": {
+    "total": 6,
+    "page": 1,
+    "page_size": 20,
+    "items": [
+      {
+        "user_id": 8,
+        "username": "梅州烟草",
+        "nick_name": "梅州烟草",
+        "area": "梅州管理员账号",
+        "ou_name": "梅州管理员账号",
+        "phone_number": null,
+        "email": null,
+        "assigned_at": "2025-11-18T01:40:25.030949+00:00"
+      }
+    ]
+  }
+}
+```
+
+---
+
+### 1.4 批量分配权限给角色
+
+**接口**: `POST /api/v3/rbac/roles/{role_id}/permissions`
+
+**请求体**:
+```json
+{
+  "permissions": [
+    {
+      "permission_id": 10,
+      "grant_type": "GRANT",
+      "data_scope": "ALL"
+    },
+    {
+      "permission_id": 11,
+      "grant_type": "GRANT",
+      "data_scope": "DEPT"
+    }
+  ],
+  "replace": true
+}
+```
+
+**参数说明**:
+- `replace`: true=替换全部权限，false=追加权限
+- `grant_type`: GRANT（授予）或 DENY（拒绝）
+- `data_scope`: ALL（全部数据）/ DEPT（本部门）/ SELF（仅自己）
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "message": "权限分配成功",
+  "data": {
+    "role_id": 2,
+    "assigned_count": 2
+  }
+}
+```
+
+---
+
+### 1.5 为用户分配角色
+
+**接口**: `POST /api/v3/rbac/users/{user_id}/roles`
+
+**请求体**:
+```json
+{
+  "role_ids": [1, 2]
+}
+```
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "message": "角色分配成功",
+  "data": {
+    "user_id": 20,
+    "username": "test_user",
+    "assigned_roles": [
+      {"role_id": 1, "role_name": "市级管理员"},
+      {"role_id": 2, "role_name": "普通员工"}
+    ]
+  }
+}
+```
+
+**注意事项**:
+- ⚠️ 不能给自己分配角色（防止提权）
+- ⚠️ provincial_admin角色只能由省级管理员分配
+- ⚠️ admin角色只能给本地区用户分配角色
+
+---
+
+## 二、用户管理接口
+
+### 2.1 获取用户列表
+
+**接口**: `GET /admin/users/users`
+
+**Query参数**:
+```javascript
+{
+  page: 1,
+  page_size: 20,
+  ou_id: "000",        // 组织ID过滤（可选）
+  is_leader: true,     // 是否领导过滤（可选）
+  search: "admin"      // 搜索关键词（可选）
+}
+```
+
+**响应示例**:
+```json
+{
+  "users": [
+    {
+      "id": 5,
+      "username": "admin",
+      "nick_name": "admin",
+      "ou_id": "000",
+      "ou_name": "test",
+      "is_leader": true,
+      "status": 0
+    }
+  ],
+  "total": 10
+}
+```
+
+⚠️ **已知问题**: 当前版本 `total` 字段返回0，请以 `users` 数组长度为准。
+
+---
+
+### 2.2 获取组织架构（树形）
+
+**接口**: `GET /admin/users/organizations`
+
+**Query参数**:
+```javascript
+{
+  include_users: true  // 是否包含用户信息
+}
+```
+
+**响应示例**:
+```json
+{
+  "organizations": [
+    {
+      "ou_id": "000",
+      "ou_name": "总部",
+      "parent_ou_id": null,
+      "level": 0,
+      "children": [
+        {
+          "ou_id": "0000000A1ML",
+          "ou_name": "梅州市局",
+          "parent_ou_id": "000",
+          "level": 1,
+          "users": [
+            {
+              "id": 8,
+              "username": "梅州烟草",
+              "nick_name": "梅州烟草",
+              "ou_id": "0000000A1ML",
+              "ou_name": "梅州市局"
+            }
+          ]
+        }
+      ],
+      "users": []
+    }
+  ],
+  "total_organizations": 5,
+  "total_users": 10
+}
+```
+
+---
+
+## 三、路由权限接口
+
+### 3.1 获取当前用户可访问路由
+
+**接口**: `GET /rbac/user/routes`
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "msg": "success",
+  "data": {
+    "user_id": 5,
+    "username": "admin",
+    "routes": [
+      {
+        "id": 1,
+        "route_path": "/",
+        "route_name": "Home",
+        "route_title": "首页",
+        "component": "Layout",
+        "parent_id": null,
+        "icon": "home",
+        "sort_order": 0,
+        "is_hidden": false,
+        "is_cache": true,
+        "meta": {},
+        "children": [
+          {
+            "id": 11,
+            "route_path": "/dashboard",
+            "route_name": "Dashboard",
+            "route_title": "工作台",
+            "parent_id": 1
+          }
+        ]
+      }
+    ],
+    "routes_flat": [
+      {"id": 1, "route_path": "/", "route_name": "Home"},
+      {"id": 11, "route_path": "/dashboard", "route_name": "Dashboard"}
+    ]
+  }
+}
+```
+
+**说明**:
+- `routes`: 树形结构（用于构建菜单）
+- `routes_flat`: 扁平结构（用于路由守卫权限检查）
+
+---
+
+### 3.2 获取角色可访问路由
+
+**接口**: `GET /rbac/roles/{role_id}/routes`
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "msg": "success",
+  "data": {
+    "role_id": 2,
+    "routes": [
+      {"id": 1, "route_path": "/", "route_name": "Home", "route_title": "首页"},
+      {"id": 11, "route_path": "/dashboard", "route_name": "Dashboard"}
+    ]
+  }
+}
+```
+
+---
+
+### 3.3 批量更新角色路由权限 ⭐新增
+
+**接口**: `PUT /rbac/roles/{role_id}/routes`
+
+**功能说明**:
+- 批量更新指定角色的路由权限
+- 采用**替换模式**：先删除现有所有关联，再插入新关联
+- 自动清除相关缓存（角色缓存 + 用户缓存）
+
+**请求体**:
+```json
+{
+  "route_ids": [1, 11, 12, 3, 31, 32, 2, 21],
+  "permission": "RW"
+}
+```
+
+**参数说明**:
+- `route_ids`: 路由ID列表（必填）
+- `permission`: 权限类型，可选值：
+  - `R`: 只读权限
+  - `W`: 只写权限
+  - `RW`: 读写权限（默认）
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "msg": "success",
+  "data": {
+    "role_id": 2,
+    "assigned_count": 8,
+    "removed_count": 5,
+    "route_ids": [1, 11, 12, 3, 31, 32, 2, 21]
+  }
+}
+```
+
+**前端调用示例**:
+```javascript
+const updateRoleRoutes = async (roleId, routeIds) => {
+  const response = await fetch(`/rbac/roles/${roleId}/routes`, {
+    method: 'PUT',
+    headers: {
+      'Authorization': `Bearer ${token}`,
+      'Content-Type': 'application/json'
+    },
+    body: JSON.stringify({
+      route_ids: routeIds,
+      permission: 'RW'
+    })
+  });
+
+  const result = await response.json();
+
+  if (result.code === 200) {
+    console.log(`成功分配 ${result.data.assigned_count} 个路由`);
+    console.log(`移除了 ${result.data.removed_count} 个旧路由`);
+  }
+
+  return result;
+};
+
+// 使用示例
+await updateRoleRoutes(2, [1, 11, 12, 3, 31, 32, 2, 21]);
+```
+
+**注意事项**:
+- ⚠️ 所有 `route_ids` 必须存在且未删除
+- ⚠️ 使用事务确保数据一致性
+- ⚠️ 会自动清除所有受影响用户的路由缓存
+
+---
+
+### 3.4 检查路由访问权限
+
+**接口**: `GET /rbac/check-route`
+
+**Query参数**:
+```javascript
+{
+  route_path: "/system/users"
+}
+```
+
+**响应示例**:
+```json
+{
+  "code": 200,
+  "msg": "success",
+  "data": {
+    "route_path": "/system/users",
+    "has_access": true
+  }
+}
+```
+
+---
+
+## 🚨 错误码说明
+
+### HTTP状态码
+
+| 状态码 | 说明 | 处理建议 |
+|--------|------|---------|
+| 200 | 成功 | - |
+| 400 | 请求参数错误 | 检查请求体格式和必填字段 |
+| 401 | 未认证 | Token过期或无效，需要重新登录 |
+| 403 | 无权限 | 显示权限不足提示 |
+| 404 | 资源不存在 | 检查ID是否正确 |
+| 409 | 冲突 | 如role_key重复 |
+| 500 | 服务器错误 | 联系后端排查 |
+
+### 常见错误处理
+
+```javascript
+// 统一错误处理
+const handleError = (error) => {
+  if (error.response?.status === 401) {
+    // Token过期，跳转登录
+    localStorage.removeItem('token');
+    window.location.href = '/login';
+  } else if (error.response?.status === 403) {
+    alert('权限不足');
+  } else if (error.response?.data?.detail) {
+    alert(error.response.data.detail);
+  } else {
+    alert('操作失败，请稍后重试');
+  }
+};
+```
+
+---
+
+## 💡 常见问题FAQ
+
+### Q1: 为什么所有接口返回 code: 4001？
+**A**: Token已过期，请重新登录获取新Token
+
+### Q2: role_id应该用哪个？文档里写的1,2,3还是52,1,2？
+**A**: 使用实际数据库中的ID：
+- provincial_admin = **52**
+- admin = **1**
+- common = **2**
+
+### Q3: 需要用Mock数据吗？
+**A**: **不需要**，所有接口已完整实现，直接调用真实API
+
+### Q4: 如何判断当前用户是否有RBAC管理权限？
+```javascript
+// 方式1：检查JWT中的user_role
+const payload = JSON.parse(atob(token.split('.')[1]));
+const isProvincialAdmin = payload.user_role === 'provincial_admin';
+
+// 方式2：调用权限检查接口（推荐）
+const routes = await fetch('/rbac/user/routes');
+const hasRBACAccess = routes.data.routes.some(r => r.route_path === '/rbac');
+```
+
+### Q5: 如何实现角色权限页面的路由分配功能？
+**A**: 使用新的批量更新接口 `PUT /rbac/roles/{role_id}/routes`:
+1. 通过 `GET /rbac/roles/{role_id}/routes` 获取当前角色已有路由
+2. 用户选择要分配的路由ID列表
+3. 调用 `PUT /rbac/roles/{role_id}/routes` 提交更新
+4. 接口会自动替换所有路由权限并清除缓存
+
+### Q6: total字段为什么返回0？
+**A**: `/admin/users/users` 接口的 `total` 字段当前版本存在bug，请以 `users` 数组长度为准。该问题已记录，将在后续版本修复。
+
+### Q7: 批量更新路由权限后，用户需要重新登录吗？
+**A**: 不需要。接口会自动清除相关用户的路由缓存，用户刷新页面即可看到新权限。
+
+---
+
+## 📦 前端开发清单
+
+- [ ] 移除所有RBAC相关的Mock数据
+- [ ] 使用实际的role_id（52, 1, 2）
+- [ ] 实现Token过期自动刷新机制
+- [ ] 处理401/403错误（跳转登录/权限提示）
+- [ ] 使用 `PUT /rbac/roles/{role_id}/routes` 实现路由权限分配
+- [ ] 处理 `total` 字段为0的情况（用数组长度代替）
+
+---
+
+## 📞 技术支持
+
+如有问题，请联系后端开发团队。
+
+**文档版本**: v2.0
+**最后更新**: 2025-01-24
+**维护者**: Backend Team