This commit is contained in:
@@ -0,0 +1,59 @@
|
||||
## ADDED Requirements
|
||||
|
||||
### Requirement: List Status Controls Must Be Hidden Without Permission
|
||||
|
||||
The system SHALL hide list-level status mutation fields from users who do not have the corresponding update permission, instead of rendering disabled switches or other disabled interactive controls.
|
||||
|
||||
This rule MUST apply to the following list pages and permission mappings:
|
||||
|
||||
- `角色管理` -> `role:update_status` -> `状态`
|
||||
- `运营商管理` -> `carrier:update_status` -> `状态`
|
||||
- `套餐系列` -> `package_series:update_status` -> `状态`
|
||||
- `套餐列表` -> `package:update_status` -> `状态`
|
||||
- `套餐列表` -> `package:update_away` -> `上架状态`
|
||||
- `代理系列授权` -> `series_grants:update_status` -> `状态`
|
||||
- `店铺列表` -> `shop:modify_status` -> `状态`
|
||||
- `账号列表` -> `account:modify_status` -> `状态`
|
||||
- `企业客户` -> `enterprise_customer:status` -> `状态`
|
||||
- `微信配置` -> `wechat_config:status` -> `激活状态`
|
||||
|
||||
When the current user lacks the corresponding permission on one of the pages above, the page MUST NOT render the corresponding status field/column, and MUST NOT render a disabled `ElSwitch` or equivalent disabled interactive control in its place.
|
||||
|
||||
When the current user has the corresponding permission, the page MUST continue to render the existing status control and MUST preserve the current status update workflow.
|
||||
|
||||
This requirement only applies to list-level interactive status fields. Search filters, detail pages, and create/edit dialogs are outside the scope of this change.
|
||||
|
||||
Frontend hiding MUST NOT be treated as sufficient authorization. The system MUST continue to rely on backend permission checks for any status update API request.
|
||||
|
||||
#### Scenario: Render status field when the user has permission
|
||||
|
||||
- **GIVEN** 用户进入上述任一列表页
|
||||
- **AND** 用户拥有该页面对应的状态更新权限
|
||||
- **WHEN** 页面渲染列表
|
||||
- **THEN** 页面 MUST 显示对应的状态类交互字段
|
||||
- **AND** 页面 MUST 继续允许用户按现有流程发起状态更新
|
||||
|
||||
#### Scenario: Hide status field instead of disabling it when the user lacks permission
|
||||
|
||||
- **GIVEN** 用户进入 `角色管理`、`运营商管理`、`套餐系列`、`代理系列授权`、`店铺列表`、`账号列表`、`企业客户` 或 `微信配置` 列表页之一
|
||||
- **AND** 用户不拥有该页面对应的状态更新权限
|
||||
- **WHEN** 页面渲染列表
|
||||
- **THEN** 页面 MUST NOT 显示对应的状态字段或列
|
||||
- **AND** 页面 MUST NOT 显示 disabled 的状态开关作为占位
|
||||
|
||||
#### Scenario: Package list hides only the unauthorized status field
|
||||
|
||||
- **GIVEN** 用户进入 `套餐列表`
|
||||
- **WHEN** 页面渲染列表
|
||||
- **THEN** 若用户缺少 `package:update_status`,页面 MUST 隐藏 `状态` 字段
|
||||
- **AND** 若用户缺少 `package:update_away`,页面 MUST 隐藏 `上架状态` 字段
|
||||
- **AND** 页面 MUST 仅显示用户已被授权的状态类字段
|
||||
- **AND** 页面 MUST NOT 用 disabled 开关展示未授权字段
|
||||
|
||||
#### Scenario: Backend authorization remains mandatory
|
||||
|
||||
- **GIVEN** 用户在前端列表页看不到某个状态更新入口
|
||||
- **AND** 用户仍尝试通过直接构造请求或篡改页面 DOM 发起状态更新
|
||||
- **WHEN** 请求到达状态更新接口
|
||||
- **THEN** 系统 MUST 继续依赖后端权限校验来决定是否放行
|
||||
- **AND** 前端隐藏行为 MUST NOT 被视为接口层放行依据
|
||||
Reference in New Issue
Block a user