refactor: 数据权限过滤从 GORM Callback 改为 Store 层显式调用

- 移除 RegisterDataPermissionCallback 和 SkipDataPermission 机制
- 在 Auth 中间件预计算 SubordinateShopIDs 并注入 Context
- 新增 ApplyShopFilter/ApplyEnterpriseFilter/ApplyOwnerShopFilter 等 Helper 函数
- 所有 Store 层查询方法显式调用数据权限过滤函数
- 权限检查函数 CanManageShop/CanManageEnterprise 改为从 Context 获取数据

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

internal/store/postgres/device_store.go

@@ -7,6 +7,7 @@ import (
 	"github.com/break/junhong_cmp_fiber/internal/model"
 	"github.com/break/junhong_cmp_fiber/internal/store"
 	"github.com/break/junhong_cmp_fiber/pkg/constants"
+	"github.com/break/junhong_cmp_fiber/pkg/middleware"
 	"github.com/redis/go-redis/v9"
 	"gorm.io/gorm"
 )
@@ -36,7 +37,10 @@ func (s *DeviceStore) CreateBatch(ctx context.Context, devices []*model.Device)
 
 func (s *DeviceStore) GetByID(ctx context.Context, id uint) (*model.Device, error) {
 	var device model.Device
-	if err := s.db.WithContext(ctx).First(&device, id).Error; err != nil {
+	query := s.db.WithContext(ctx).Where("id = ?", id)
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
+	if err := query.First(&device).Error; err != nil {
 		return nil, err
 	}
 	return &device, nil
@@ -44,7 +48,10 @@ func (s *DeviceStore) GetByID(ctx context.Context, id uint) (*model.Device, erro
 
 func (s *DeviceStore) GetByDeviceNo(ctx context.Context, deviceNo string) (*model.Device, error) {
 	var device model.Device
-	if err := s.db.WithContext(ctx).Where("device_no = ?", deviceNo).First(&device).Error; err != nil {
+	query := s.db.WithContext(ctx).Where("device_no = ?", deviceNo)
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
+	if err := query.First(&device).Error; err != nil {
 		return nil, err
 	}
 	return &device, nil
@@ -55,7 +62,10 @@ func (s *DeviceStore) GetByIDs(ctx context.Context, ids []uint) ([]*model.Device
 	if len(ids) == 0 {
 		return devices, nil
 	}
-	if err := s.db.WithContext(ctx).Where("id IN ?", ids).Find(&devices).Error; err != nil {
+	query := s.db.WithContext(ctx).Where("id IN ?", ids)
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
+	if err := query.Find(&devices).Error; err != nil {
 		return nil, err
 	}
 	return devices, nil
@@ -74,6 +84,8 @@ func (s *DeviceStore) List(ctx context.Context, opts *store.QueryOptions, filter
 	var total int64
 
 	query := s.db.WithContext(ctx).Model(&model.Device{})
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
 
 	if deviceNo, ok := filters["device_no"].(string); ok && deviceNo != "" {
 		query = query.Where("device_no LIKE ?", "%"+deviceNo+"%")
@@ -179,7 +191,10 @@ func (s *DeviceStore) GetByDeviceNos(ctx context.Context, deviceNos []string) ([
 	if len(deviceNos) == 0 {
 		return devices, nil
 	}
-	if err := s.db.WithContext(ctx).Where("device_no IN ?", deviceNos).Find(&devices).Error; err != nil {
+	query := s.db.WithContext(ctx).Where("device_no IN ?", deviceNos)
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
+	if err := query.Find(&devices).Error; err != nil {
 		return nil, err
 	}
 	return devices, nil
@@ -198,7 +213,10 @@ func (s *DeviceStore) BatchUpdateSeriesID(ctx context.Context, deviceIDs []uint,
 // ListBySeriesID 根据套餐系列ID查询设备列表
 func (s *DeviceStore) ListBySeriesID(ctx context.Context, seriesID uint) ([]*model.Device, error) {
 	var devices []*model.Device
-	if err := s.db.WithContext(ctx).Where("series_id = ?", seriesID).Find(&devices).Error; err != nil {
+	query := s.db.WithContext(ctx).Where("series_id = ?", seriesID)
+	// 应用数据权限过滤（NULL shop_id 对代理用户不可见）
+	query = middleware.ApplyShopFilter(ctx, query)
+	if err := query.Find(&devices).Error; err != nil {
 		return nil, err
 	}
 	return devices, nil