fix: tighten route permission guards
@@ -237,6 +237,10 @@ function mapApiRuleToModel(apiRule: ApiRule): Rule {
|
||||
|
||||
export async function loader({ request }: LoaderFunctionArgs) {
|
||||
const url = new URL(request.url);
|
||||
const { getUserSession } = await import("~/api/login/auth.server");
|
||||
const { frontendJWT, userInfo } = await getUserSession(request);
|
||||
const { requireRoutePermission } = await import("~/api/auth/check-route-permission.server");
|
||||
await requireRoutePermission("/rules/list", userInfo?.role || "", frontendJWT || undefined);
|
||||
|
||||
// 从 URL 参数中提取查询条件
|
||||
const params = {
|
||||
@@ -280,6 +284,10 @@ export async function loader({ request }: LoaderFunctionArgs) {
|
||||
|
||||
export async function action({ request }: LoaderFunctionArgs) {
|
||||
const url = new URL(request.url);
|
||||
const { getUserSession } = await import("~/api/login/auth.server");
|
||||
const { frontendJWT, userInfo } = await getUserSession(request);
|
||||
const { requireRoutePermission } = await import("~/api/auth/check-route-permission.server");
|
||||
await requireRoutePermission("/rules/list", userInfo?.role || "", frontendJWT || undefined);
|
||||
const formData = await request.formData();
|
||||
const _action = formData.get('_action');
|
||||
const ruleId = formData.get('ruleId');
|
||||
|
||||
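Review bot: In `action`, the new guard checks the same `"/rules/list"` key as the loader, so any role allowed to view the list also passes the check that precedes the `_action`/`ruleId` form handling; if those actions modify rules, the write path is gated only by a read-level permission. Consider making the decision after `formData.get('_action')` is read and requiring a write-level permission for mutating actions (the key here is a placeholder): `await requireRoutePermission("<rules-write-key>", userInfo?.role || "", frontendJWT || undefined);`. Both hunks also depend on `requireRoutePermission` rejecting an empty role and an undefined JWT, since `userInfo?.role || ""` turns a missing session into `""`; that helper is not visible here, so confirm it fails closed. The bodies of `loader` and `action` continue outside the hunks, so how `_action` is dispatched is inferred rather than seen.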