fix: 修复授权记录备注修改权限问题
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 5m42s
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 5m42s
- 实现备注权限检查逻辑(authorization_service.go) - 添加备注权限验证存储层(authorization_store.go) - 新增集成测试覆盖备注权限场景 - 归档 fix-authorization-remark-permission 变更 - 同步 enterprise-card-authorization spec 规范
This commit is contained in:
@@ -0,0 +1,25 @@
|
||||
# 授权记录备注修改权限修复
|
||||
|
||||
## Why
|
||||
|
||||
当前“授权记录备注修改”链路缺少明确的权限边界校验:代理用户可能通过接口修改不属于自己创建的授权记录备注;企业用户也需要被明确禁止修改。
|
||||
|
||||
该问题会导致越权修改、审计信息失真,属于高风险权限缺陷。
|
||||
|
||||
## What Changes
|
||||
|
||||
- **权限规则落地**:
|
||||
- 平台/超级管理员:可修改任意授权记录备注
|
||||
- 代理:仅可修改“自己创建的授权记录”的备注(且必须在其可见数据范围内)
|
||||
- 企业:禁止修改授权记录备注
|
||||
- **服务端强校验**:在 Service 层统一做权限判断与可见性校验,Store 层更新语句增加必要约束,避免仅凭 `id` 更新造成越权。
|
||||
- **补充测试**:新增集成测试覆盖平台/代理/企业三种用户场景,确保规则稳定。
|
||||
|
||||
## Impact
|
||||
|
||||
涉及文件(预期):
|
||||
- Handler:`internal/handler/admin/authorization.go`
|
||||
- Service:`internal/service/enterprise_card/authorization_service.go`
|
||||
- Store:`internal/store/postgres/enterprise_card_authorization_store.go`
|
||||
- 测试:`tests/integration/authorization_test.go`(或新增对应用例文件)
|
||||
|
||||
Reference in New Issue
Block a user