From 200fd7d3a1fc0bc96055908e9c3ca39c633f9a67 Mon Sep 17 00:00:00 2001
From: gitadmin
Date: Thu, 14 May 2026 16:54:34 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=B7=A5=E5=8D=95API=E7=BB=86=E7=B2=92?=
 =?UTF-8?q?=E5=BA=A6=E6=9D=83=E9=99=90=20=E2=80=94=20create/import/export?=
 =?UTF-8?q?=20=E7=8B=AC=E7=AB=8B=E6=A3=80=E6=9F=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- POST /api/tickets 手动建单改用 tickets:create
- POST /api/tickets/import 导入改用 tickets:import
- GET /api/tickets/export 新增 tickets:export 权限检查(此前仅有登录检查,是一个安全漏洞)
- PUT/DELETE /api/tickets/[id] 和 PUT /api/tickets/batch 保持 tickets:write 不变
---
 src/app/api/tickets/export/route.ts | 2 ++
 src/app/api/tickets/import/route.ts | 2 +-
 src/app/api/tickets/route.ts | 2 +-
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/app/api/tickets/export/route.ts b/src/app/api/tickets/export/route.ts
index 6b07be1..e638365 100644
--- a/src/app/api/tickets/export/route.ts
+++ b/src/app/api/tickets/export/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import { exportTicketsToExcel } from '@/lib/excel'
 
 export async function GET(request: NextRequest) {
@@ -9,6 +10,7 @@ export async function GET(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+ if (!hasPermission(user, 'tickets:export')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
 const { searchParams } = request.nextUrl
 const idsParam = searchParams.get('ids')
diff --git a/src/app/api/tickets/import/route.ts b/src/app/api/tickets/import/route.ts
index 98c531a..d4f949f 100644
--- a/src/app/api/tickets/import/route.ts
+++ b/src/app/api/tickets/import/route.ts
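Review bot: The new `tickets:export` check in GET relies on a permission key that nothing in this patch declares — the diffstat lists only the three route files and `@/lib/permissions` is untouched — so unless `tickets:export`, `tickets:import` and `tickets:create` already exist in the permission catalog and role grants, `hasPermission` presumably denies every caller and the three endpoints fail closed. That is the safe direction, but it is a functional regression for any role that legitimately exports, so the catalog entries and role grants should land with this change or be confirmed to exist already; the same applies to the `tickets:import` hunk in import/route.ts and the `tickets:create` hunk in route.ts. Given the message notes that any logged-in user could previously export, decide explicitly which roles receive `tickets:export` rather than letting the default deny decide. The body of GET continues outside the hunk, so it is not visible whether the `ids` list read below is further scoped to tickets the caller may view; `tickets:export` gates the endpoint, not the rows. A comment above the check, `// bulk export is a separate privilege from tickets:write; see permission catalog`, would record why this key is distinct.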
@@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
- if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+ if (!hasPermission(user, 'tickets:import')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
 const formData = await request.formData()
 const file = formData.get('file') as File | null
diff --git a/src/app/api/tickets/route.ts b/src/app/api/tickets/route.ts
index a6deb5f..7a055b3 100644
--- a/src/app/api/tickets/route.ts
+++ b/src/app/api/tickets/route.ts
@@ -101,7 +101,7 @@ export async function POST(request: NextRequest) {
 initDatabase()
 const user = await getCurrentUser()
 if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
- if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+ if (!hasPermission(user, 'tickets:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
 const body = await request.json()
 const db = getDb()
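Review bot: The permission key in the changed line is a bare string literal, as are `tickets:create` in route.ts and `tickets:export` in export/route.ts, so a typo would compile and then either silently deny or, if `hasPermission` treats unknown keys leniently, silently allow; if its second parameter is not already a literal union, narrow it with `type Permission = 'tickets:create' | 'tickets:import' | 'tickets:export' | 'tickets:write'` and declare that parameter as `Permission` so an unknown key fails at compile time. Whether `hasPermission` is fail-closed for unrecognised keys cannot be seen from this hunk and is worth confirming before relying on it. POST's enclosing function begins before the hunk in both files.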