fix: 真流量虚流量权限
All checks were successful
构建并部署前端到测试环境 / build-and-deploy (push) Successful in 4m42s

This commit is contained in:
sexygoat
2026-05-14 10:52:11 +08:00
parent 1690252740
commit 38cf7d12e9
29 changed files with 859 additions and 198 deletions

View File

@@ -0,0 +1,59 @@
## ADDED Requirements
### Requirement: List Status Controls Must Be Hidden Without Permission
The system SHALL hide list-level status mutation fields from users who do not have the corresponding update permission, instead of rendering disabled switches or other disabled interactive controls.
This rule MUST apply to the following list pages and permission mappings:
- `角色管理` -> `role:update_status` -> `状态`
- `运营商管理` -> `carrier:update_status` -> `状态`
- `套餐系列` -> `package_series:update_status` -> `状态`
- `套餐列表` -> `package:update_status` -> `状态`
- `套餐列表` -> `package:update_away` -> `上架状态`
- `代理系列授权` -> `series_grants:update_status` -> `状态`
- `店铺列表` -> `shop:modify_status` -> `状态`
- `账号列表` -> `account:modify_status` -> `状态`
- `企业客户` -> `enterprise_customer:status` -> `状态`
- `微信配置` -> `wechat_config:status` -> `激活状态`
When the current user lacks the corresponding permission on one of the pages above, the page MUST NOT render the corresponding status field/column, and MUST NOT render a disabled `ElSwitch` or equivalent disabled interactive control in its place.
When the current user has the corresponding permission, the page MUST continue to render the existing status control and MUST preserve the current status update workflow.
This requirement only applies to list-level interactive status fields. Search filters, detail pages, and create/edit dialogs are outside the scope of this change.
Frontend hiding MUST NOT be treated as sufficient authorization. The system MUST continue to rely on backend permission checks for any status update API request.
#### Scenario: Render status field when the user has permission
- **GIVEN** 用户进入上述任一列表页
- **AND** 用户拥有该页面对应的状态更新权限
- **WHEN** 页面渲染列表
- **THEN** 页面 MUST 显示对应的状态类交互字段
- **AND** 页面 MUST 继续允许用户按现有流程发起状态更新
#### Scenario: Hide status field instead of disabling it when the user lacks permission
- **GIVEN** 用户进入 `角色管理``运营商管理``套餐系列``代理系列授权``店铺列表``账号列表``企业客户``微信配置` 列表页之一
- **AND** 用户不拥有该页面对应的状态更新权限
- **WHEN** 页面渲染列表
- **THEN** 页面 MUST NOT 显示对应的状态字段或列
- **AND** 页面 MUST NOT 显示 disabled 的状态开关作为占位
#### Scenario: Package list hides only the unauthorized status field
- **GIVEN** 用户进入 `套餐列表`
- **WHEN** 页面渲染列表
- **THEN** 若用户缺少 `package:update_status`,页面 MUST 隐藏 `状态` 字段
- **AND** 若用户缺少 `package:update_away`,页面 MUST 隐藏 `上架状态` 字段
- **AND** 页面 MUST 仅显示用户已被授权的状态类字段
- **AND** 页面 MUST NOT 用 disabled 开关展示未授权字段
#### Scenario: Backend authorization remains mandatory
- **GIVEN** 用户在前端列表页看不到某个状态更新入口
- **AND** 用户仍尝试通过直接构造请求或篡改页面 DOM 发起状态更新
- **WHEN** 请求到达状态更新接口
- **THEN** 系统 MUST 继续依赖后端权限校验来决定是否放行
- **AND** 前端隐藏行为 MUST NOT 被视为接口层放行依据