fix issues

wu-clan · wu-clan · commit 9df29c73490e · 2025-04-28T01:36:08.000+08:00
diff --git a/backend/app/admin/api/v1/sys/data_rule.py b/backend/app/admin/api/v1/sys/data_rule.py
@@ -25,7 +25,7 @@ async def get_data_rule_models() -> ResponseSchemaModel[list[str]]:
 @router.get('/model/{model}/columns', summary='获取数据规则可用模型列', dependencies=[DependsJwtAuth])
 async def get_data_rule_model_columns(
     model: Annotated[str, Path(description='模型名称')],
-) -> ResponseSchemaModel[list[str]]:
+) -> ResponseSchemaModel[list[dict[str, str]]]:
     models = await data_rule_service.get_columns(model=model)
     return response_base.success(data=models)
 
diff --git a/backend/app/admin/api/v1/sys/dept.py b/backend/app/admin/api/v1/sys/dept.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 from typing import Annotated, Any
 
-from fastapi import APIRouter, Depends, Path, Query
+from fastapi import APIRouter, Depends, Path, Query, Request
 
 from backend.app.admin.schema.dept import CreateDeptParam, GetDeptDetail, UpdateDeptParam
 from backend.app.admin.service.dept_service import dept_service
@@ -22,12 +22,13 @@ async def get_dept(pk: Annotated[int, Path(description='部门 ID')]) -> Respons
 
 @router.get('', summary='获取所有部门展示树', dependencies=[DependsJwtAuth])
 async def get_all_depts(
+    request: Request,
     name: Annotated[str | None, Query(description='部门名称')] = None,
     leader: Annotated[str | None, Query(description='部门负责人')] = None,
     phone: Annotated[str | None, Query(description='联系电话')] = None,
     status: Annotated[int | None, Query(description='状态')] = None,
 ) -> ResponseSchemaModel[list[dict[str, Any]]]:
-    dept = await dept_service.get_dept_tree(name=name, leader=leader, phone=phone, status=status)
+    dept = await dept_service.get_dept_tree(request=request, name=name, leader=leader, phone=phone, status=status)
     return response_base.success(data=dept)
 
 
diff --git a/backend/app/admin/crud/crud_data_rule.py b/backend/app/admin/crud/crud_data_rule.py
@@ -31,7 +31,7 @@ async def get_list(self, name: str | None) -> Select:
         :param name: 规则名称
         :return:
         """
-        stmt = select(self.model).options(noload(self.model.roles)).order_by(desc(self.model.created_time))
+        stmt = select(self.model).options(noload(self.model.scope)).order_by(desc(self.model.created_time))
 
         filters = []
         if name is not None:
diff --git a/backend/app/admin/crud/crud_dept.py b/backend/app/admin/crud/crud_dept.py
@@ -2,13 +2,15 @@
 # -*- coding: utf-8 -*-
 from typing import Sequence
 
+from fastapi import Request
 from sqlalchemy import select
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlalchemy.orm import selectinload
 from sqlalchemy_crud_plus import CRUDPlus
 
 from backend.app.admin.model import Dept
 from backend.app.admin.schema.dept import CreateDeptParam, UpdateDeptParam
+from backend.common.security.permission import filter_data_permission
 
 
 class CRUDDept(CRUDPlus[Dept]):
@@ -35,11 +37,18 @@ async def get_by_name(self, db: AsyncSession, name: str) -> Dept | None:
         return await self.select_model_by_column(db, name=name, del_flag=0)
 
     async def get_all(
-        self, db: AsyncSession, name: str | None, leader: str | None, phone: str | None, status: int | None
+        self,
+        request: Request,
+        db: AsyncSession,
+        name: str | None,
+        leader: str | None,
+        phone: str | None,
+        status: int | None,
     ) -> Sequence[Dept]:
         """
         获取所有部门
 
+        :param request: FastAPI 请求对象
         :param db: 数据库会话
         :param name: 部门名称
         :param leader: 负责人
@@ -56,7 +65,7 @@ async def get_all(
             filters.update(phone__startswith=phone)
         if status is not None:
             filters.update(status=status)
-        return await self.select_models_order(db, sort_columns='sort', **filters)
+        return await self.select_models_order(db, 'sort', None, await filter_data_permission(db, request), **filters)
 
     async def create(self, db: AsyncSession, obj: CreateDeptParam) -> None:
         """
diff --git a/backend/app/admin/crud/crud_user.py b/backend/app/admin/crud/crud_user.py
@@ -311,7 +311,7 @@ async def get_with_relation(
         """
         stmt = select(self.model).options(
             selectinload(self.model.dept),
-            selectinload(self.model.roles).options(selectinload(Role.menus), selectinload(Role.rules)),
+            selectinload(self.model.roles).options(selectinload(Role.menus), selectinload(Role.scopes)),
         )
 
         filters = []
diff --git a/backend/app/admin/model/data_rule.py b/backend/app/admin/model/data_rule.py
@@ -5,8 +5,6 @@
 from typing import TYPE_CHECKING
 
 from sqlalchemy import ForeignKey, String
-from sqlalchemy.dialects.mysql import LONGTEXT
-from sqlalchemy.dialects.postgresql import TEXT
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
 from backend.common.model import Base, id_key
@@ -21,17 +19,17 @@ class DataRule(Base):
     __tablename__ = 'sys_data_rule'
 
     id: Mapped[id_key] = mapped_column(init=False)
-    model: Mapped[str] = mapped_column(String(50), comment='SQLA 模型类名')
+    name: Mapped[str] = mapped_column(String(500), unique=True, comment='名称')
+    model: Mapped[str] = mapped_column(String(50), comment='SQLA 模型名，对应 DATA_PERMISSION_MODELS 键名')
     column: Mapped[str] = mapped_column(String(20), comment='模型字段名')
     operator: Mapped[int] = mapped_column(comment='运算符（0：and、1：or）')
     expression: Mapped[int] = mapped_column(
         comment='表达式（0：==、1：!=、2：>、3：>=、4：<、5：<=、6：in、7：not_in）'
     )
     value: Mapped[str] = mapped_column(String(255), comment='规则值')
-    remark: Mapped[str] = mapped_column(LONGTEXT().with_variant(TEXT, 'postgresql'), comment='备注')
 
     # 数据范围规则一对多
-    rule_id: Mapped[int | None] = mapped_column(
+    scope_id: Mapped[int | None] = mapped_column(
         ForeignKey('sys_data_scope.id', ondelete='SET NULL'), default=None, comment='数据范围关联 ID'
     )
-    rule: Mapped[DataScope] = relationship(init=False, back_populates='rules')
+    scope: Mapped[DataScope] = relationship(init=False, back_populates='rules')
diff --git a/backend/app/admin/model/data_scope.py b/backend/app/admin/model/data_scope.py
@@ -1,13 +1,18 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
+from __future__ import annotations
+
+from typing import TYPE_CHECKING
 
 from sqlalchemy import String
 from sqlalchemy.orm import Mapped, mapped_column, relationship
 
-from backend.app.admin.model import DataRule, Role
 from backend.app.admin.model.m2m import sys_role_data_scope
 from backend.common.model import Base, id_key
 
+if TYPE_CHECKING:
+    from backend.app.admin.model import DataRule, Role
+
 
 class DataScope(Base):
     """数据范围表"""
diff --git a/backend/app/admin/schema/data_rule.py b/backend/app/admin/schema/data_rule.py
@@ -14,10 +14,9 @@ class DataRuleSchemaBase(SchemaBase):
     name: str = Field(description='规则名称')
     model: str = Field(description='模型名称')
     column: str = Field(description='字段名称')
-    operator: RoleDataRuleOperatorType = Field(RoleDataRuleOperatorType.OR, description='操作符（AND/OR）')
+    operator: RoleDataRuleOperatorType = Field(RoleDataRuleOperatorType.AND, description='操作符（AND/OR）')
     expression: RoleDataRuleExpressionType = Field(RoleDataRuleExpressionType.eq, description='表达式类型')
     value: str = Field(description='规则值')
-    remark: str = Field(description='备注')
 
 
 class CreateDataRuleParam(DataRuleSchemaBase):
diff --git a/backend/app/admin/service/data_rule_service.py b/backend/app/admin/service/data_rule_service.py
@@ -36,7 +36,7 @@ async def get_models() -> list[str]:
         return list(settings.DATA_PERMISSION_MODELS.keys())
 
     @staticmethod
-    async def get_columns(model: str) -> list[str]:
+    async def get_columns(model: str) -> list[dict[str, str]]:
         """
         获取数据规则可用模型的字段列表
 
@@ -46,8 +46,11 @@ async def get_columns(model: str) -> list[str]:
         if model not in settings.DATA_PERMISSION_MODELS:
             raise errors.NotFoundError(msg='数据规则可用模型不存在')
         model_ins = dynamic_import_data_model(settings.DATA_PERMISSION_MODELS[model])
+
         model_columns = [
-            key for key in model_ins.__table__.columns.keys() if key not in settings.DATA_PERMISSION_COLUMN_EXCLUDE
+            {column.key: column.comment}
+            for column in model_ins.__table__.columns
+            if column.key not in settings.DATA_PERMISSION_COLUMN_EXCLUDE
         ]
         return model_columns
 
@@ -95,6 +98,9 @@ async def update(*, pk: int, obj: UpdateDataRuleParam) -> int:
             data_rule = await data_rule_dao.get(db, pk)
             if not data_rule:
                 raise errors.NotFoundError(msg='数据规则不存在')
+            if data_rule.name != obj.name:
+                if await data_rule_dao.get_by_name(db, obj.name):
+                    raise errors.ForbiddenError(msg='数据规则已存在')
             count = await data_rule_dao.update(db, pk, obj)
             return count
 
diff --git a/backend/app/admin/service/data_scope_service.py b/backend/app/admin/service/data_scope_service.py
@@ -80,6 +80,9 @@ async def update(*, pk: int, obj: UpdateDataScopeParam) -> int:
             data_scope = await data_scope_dao.get(db, pk)
             if not data_scope:
                 raise errors.NotFoundError(msg='数据范围不存在')
+            if data_scope.name != obj.name:
+                if await data_scope_dao.get_by_name(db, obj.name):
+                    raise errors.ForbiddenError(msg='数据范围已存在')
             count = await data_scope_dao.update(db, pk, obj)
             for role in await data_scope.awaitable_attrs.roles:
                 for user in await role.awaitable_attrs.users:
diff --git a/backend/app/admin/service/dept_service.py b/backend/app/admin/service/dept_service.py
@@ -2,6 +2,8 @@
 # -*- coding: utf-8 -*-
 from typing import Any
 
+from fastapi import Request
+
 from backend.app.admin.crud.crud_dept import dept_dao
 from backend.app.admin.model import Dept
 from backend.app.admin.schema.dept import CreateDeptParam, UpdateDeptParam
@@ -31,19 +33,20 @@ async def get(*, pk: int) -> Dept:
 
     @staticmethod
     async def get_dept_tree(
-        *, name: str | None, leader: str | None, phone: str | None, status: int | None
+        *, request: Request, name: str | None, leader: str | None, phone: str | None, status: int | None
     ) -> list[dict[str, Any]]:
         """
         获取部门树形结构
 
+        :param request: FastAPI 请求对象
         :param name: 部门名称
         :param leader: 部门负责人
         :param phone: 联系电话
         :param status: 状态
         :return:
         """
         async with async_db_session() as db:
-            dept_select = await dept_dao.get_all(db=db, name=name, leader=leader, phone=phone, status=status)
+            dept_select = await dept_dao.get_all(request, db, name, leader, phone, status)
             tree_data = get_tree_data(dept_select)
             return tree_data
 
diff --git a/backend/common/security/permission.py b/backend/common/security/permission.py
@@ -16,8 +16,6 @@
 if TYPE_CHECKING:
     from backend.app.admin.model import DataRule
 
-    pass
-
 
 class RequestPermission:
     """
@@ -65,11 +63,13 @@ async def filter_data_permission(db: AsyncSession, request: Request) -> ColumnEl
     # 获取用户角色和数据范围
     data_scopes = []
     for role in request.user.roles:
-        data_scopes.extend(role.scopes)
+        for scope in role.scopes:
+            if scope.status:
+                data_scopes.append(scope)
 
     # 超级管理员和无规则用户不做过滤
-    if request.user.is_superuser or not data_scopes:
-        return or_(1 == 1)
+    # if request.user.is_superuser or not data_scopes:
+    #     return or_(1 == 1)
 
     # 获取数据范围规则
     data_rule_list: list[DataRule] = []
@@ -80,7 +80,7 @@ async def filter_data_permission(db: AsyncSession, request: Request) -> ColumnEl
     where_and_list = []
     where_or_list = []
 
-    for data_rule in list(dict.fromkeys(data_rule_list)):
+    for data_rule in data_rule_list:
         # 验证规则模型
         rule_model = data_rule.model
         if rule_model not in settings.DATA_PERMISSION_MODELS:
@@ -99,31 +99,33 @@ async def filter_data_permission(db: AsyncSession, request: Request) -> ColumnEl
         column_obj = getattr(model_ins, column)
         rule_expression = data_rule.expression
         condition = None
-        if rule_expression == RoleDataRuleExpressionType.eq:
-            condition = column_obj == data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.ne:
-            condition = column_obj != data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.gt:
-            condition = column_obj > data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.ge:
-            condition = column_obj >= data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.lt:
-            condition = column_obj < data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.le:
-            condition = column_obj <= data_rule.value
-        elif rule_expression == RoleDataRuleExpressionType.in_:
-            values = data_rule.value.split(',') if isinstance(data_rule.value, str) else data_rule.value
-            condition = column_obj.in_(values)
-        elif data_rule.expression == RoleDataRuleExpressionType.not_in:
-            values = data_rule.value.split(',') if isinstance(data_rule.value, str) else data_rule.value
-            condition = ~column_obj.in_(values)
+        match rule_expression:
+            case RoleDataRuleExpressionType.eq:
+                condition = column_obj == data_rule.value
+            case RoleDataRuleExpressionType.ne:
+                condition = column_obj != data_rule.value
+            case RoleDataRuleExpressionType.gt:
+                condition = column_obj > data_rule.value
+            case RoleDataRuleExpressionType.ge:
+                condition = column_obj >= data_rule.value
+            case RoleDataRuleExpressionType.lt:
+                condition = column_obj < data_rule.value
+            case RoleDataRuleExpressionType.le:
+                condition = column_obj <= data_rule.value
+            case RoleDataRuleExpressionType.in_:
+                values = data_rule.value.split(',') if isinstance(data_rule.value, str) else data_rule.value
+                condition = column_obj.in_(values)
+            case RoleDataRuleExpressionType.not_in:
+                values = data_rule.value.split(',') if isinstance(data_rule.value, str) else data_rule.value
+                condition = column_obj.not_in(values)
 
         # 根据运算符添加到对应列表
         if condition is not None:
-            if data_rule.operator == RoleDataRuleOperatorType.AND:
-                where_and_list.append(condition)
-            elif data_rule.operator == RoleDataRuleOperatorType.OR:
-                where_or_list.append(condition)
+            match data_rule.operator:
+                case RoleDataRuleOperatorType.AND:
+                    where_and_list.append(condition)
+                case RoleDataRuleOperatorType.OR:
+                    where_or_list.append(condition)
 
     # 组合所有条件
     where_list = []
diff --git a/backend/core/conf.py b/backend/core/conf.py
@@ -89,11 +89,12 @@ class Settings(BaseSettings):
 
     # 数据权限配置
     DATA_PERMISSION_MODELS: dict[str, str] = {  # 允许进行数据过滤的 SQLA 模型，它必须以模块字符串的方式定义
-        'Api': 'backend.plugin.casbin.model.Api',
+        '部门': 'backend.app.admin.model.Dept',
     }
     DATA_PERMISSION_COLUMN_EXCLUDE: list[str] = [  # 排除允许进行数据过滤的 SQLA 模型列
         'id',
         'sort',
+        'del_flag',
         'created_time',
         'updated_time',
     ]
diff --git a/backend/middleware/jwt_auth_middleware.py b/backend/middleware/jwt_auth_middleware.py
@@ -71,7 +71,7 @@ async def authenticate(self, request: Request) -> tuple[AuthCredentials, GetUser
         except TokenError as exc:
             raise _AuthenticationError(code=exc.code, msg=exc.detail, headers=exc.headers)
         except Exception as e:
-            log.error(f'JWT 授权异常：{e}')
+            log.exception(f'JWT 授权异常：{e}')
             raise _AuthenticationError(code=getattr(e, 'code', 500), msg=getattr(e, 'msg', 'Internal Server Error'))
 
         # 请注意，此返回使用非标准模式，所以在认证通过时，将丢失某些标准特性
diff --git a/backend/sql/mysql/init_test_data.sql b/backend/sql/mysql/init_test_data.sql
@@ -1,11 +1,6 @@
 insert into sys_dept (id, name, sort, leader, phone, email, status, del_flag, parent_id, created_time, updated_time)
 values  (1, 'test', 0, null, null, null, 1, 0, null, '2023-06-26 17:13:45', null);
 
-insert into sys_api (id, name, method, path, remark, created_time, updated_time)
-values  (1, '创建API', 'POST', '/api/v1/apis', null, '2024-02-02 11:29:47', null),
-        (2, '删除API', 'DELETE', '/api/v1/apis', null, '2024-02-02 11:31:32', null),
-        (3, '编辑API', 'PUT', '/api/v1/apis/{pk}', null, '2024-02-02 11:32:22', null);
-
 insert into fba.sys_menu (id, title, name, path, sort, icon, type, component, perms, status, display, cache, link, remark, parent_id, created_time, updated_time)
 values  (1, '测试', 'Test', 'test', 0, null, 0, null, null, 0, 0, 1, null, null, null, '2023-07-27 19:14:10', null),
         (2, '仪表盘', 'Dashboard', 'dashboard', 0, 'material-symbols:dashboard', 0, null, null, 1, 1, 1, null, null, null, '2023-07-27 19:15:45', null),
diff --git a/backend/sql/postgresql/init_test_data.sql b/backend/sql/postgresql/init_test_data.sql
@@ -1,11 +1,6 @@
 insert into sys_dept (id, name, sort, leader, phone, email, status, del_flag, parent_id, created_time, updated_time)
 values  (1, 'test', 0, null, null, null, 1, 0, null, '2023-06-26 17:13:45', null);
 
-insert into sys_api (id, name, method, path, remark, created_time, updated_time)
-values  (1, '创建API', 'POST', '/api/v1/apis', null, '2024-02-02 11:29:47', null),
-        (2, '删除API', 'DELETE', '/api/v1/apis', null, '2024-02-02 11:31:32', null),
-        (3, '编辑API', 'PUT', '/api/v1/apis/{pk}', null, '2024-02-02 11:32:22', null);
-
 insert into fba.sys_menu (id, title, name, path, sort, icon, type, component, perms, status, display, cache, link, remark, parent_id, created_time, updated_time)
 values  (1, '测试', 'Test', 'test', 0, null, 0, null, null, 0, 0, 1, null, null, null, '2023-07-27 19:14:10', null),
         (2, '仪表盘', 'Dashboard', 'dashboard', 0, 'material-symbols:dashboard', 0, null, null, 1, 1, 1, null, null, null, '2023-07-27 19:15:45', null),
diff --git a/pyproject.toml b/pyproject.toml
@@ -46,7 +46,7 @@ dependencies = [
     "python-socketio>=5.12.0",
     "redis[hiredis]>=5.2.0",
     "rtoml>=0.12.0",
-    "sqlalchemy-crud-plus==1.6.0",
+    "sqlalchemy-crud-plus>=1.8.0",
     "sqlalchemy[asyncio]>=2.0.40",
     "user-agents==2.2.0",
 ]
diff --git a/requirements.txt b/requirements.txt
@@ -95,7 +95,7 @@ simple-websocket==1.1.0
 six==1.17.0
 sniffio==1.3.1
 sqlalchemy==2.0.40
-sqlalchemy-crud-plus==1.6.0
+sqlalchemy-crud-plus==1.8.0
 starlette==0.46.1
 termcolor==2.5.0
 tomli==2.2.1 ; python_full_version < '3.11'
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,7 @@ async def get_with_relation(`
`311`	`311`	`"""`
`312`	`312`	`stmt = select(self.model).options(`
`313`	`313`	`selectinload(self.model.dept),`
`314`		`- selectinload(self.model.roles).options(selectinload(Role.menus), selectinload(Role.rules)),`
	`314`	`+ selectinload(self.model.roles).options(selectinload(Role.menus), selectinload(Role.scopes)),`
`315`	`315`	`)`
`316`	`316`
`317`	`317`	`filters = []`