feat: 工单API细粒度权限 — create/import/export 独立检查

- POST /api/tickets 手动建单改用 tickets:create
- POST /api/tickets/import 导入改用 tickets:import
- GET /api/tickets/export 新增 tickets:export 权限检查(此前仅有登录检查,是一个安全漏洞)
- PUT/DELETE /api/tickets/[id] 和 PUT /api/tickets/batch 保持 tickets:write 不变
This commit is contained in:
gitadmin 2026-05-14 16:54:34 +08:00
parent a52241f4db
commit 200fd7d3a1
3 changed files with 4 additions and 2 deletions


@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
import { getDb } from '@/lib/db'
import { initDatabase } from '@/lib/db-schema'
import { getCurrentUser } from '@/lib/auth'
import { hasPermission } from '@/lib/permissions'
import { exportTicketsToExcel } from '@/lib/excel'
export async function GET(request: NextRequest) {
@ -9,6 +10,7 @@ export async function GET(request: NextRequest) {
initDatabase()
const user = await getCurrentUser()
if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
if (!hasPermission(user, 'tickets:export')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
const { searchParams } = request.nextUrl
const idsParam = searchParams.get('ids')
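Review bot: The new check compares against the string `'tickets:export'`, yet the diffstat reports only three files changed and none of them is the permissions module imported in the first hunk, so unless `tickets:export`, `tickets:import` and `tickets:create` are already defined and granted there, every call to these routes now fails closed with 403. Failing closed is the safe direction, but it should be confirmed against the permissions module and the role seed data before merge; the same applies to the import and create hunks below. Because GET continues past the hunk, it is not visible how `ids` is used, so it is also worth confirming that the export query still scopes rows to what the caller may see rather than exporting any id supplied in `ids`. A one-line comment above the check, `// login alone is not enough: export requires an explicit tickets:export grant`, would record why this route differs from the older login-only behaviour.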


@ -24,7 +24,7 @@ export async function POST(request: NextRequest) {
initDatabase()
const user = await getCurrentUser()
if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
if (!hasPermission(user, 'tickets:import')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
const formData = await request.formData()
const file = formData.get('file') as File | null
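Review bot: Replacing `tickets:write` with `tickets:import` on the new check line means a role holding only `tickets:import` can create tickets in bulk without `tickets:create`, so the two permissions are not as independent as the commit title suggests. Either require both here, `if (!hasPermission(user, 'tickets:import') || !hasPermission(user, 'tickets:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })`, or record the intended relationship with a comment such as `// tickets:import implies bulk ticket creation; grant it only alongside tickets:create` so role administrators are not surprised. The POST body continues past the hunk, so whether the uploaded file's type and size are validated before parsing cannot be judged from this page.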


@ -101,7 +101,7 @@ export async function POST(request: NextRequest) {
initDatabase()
const user = await getCurrentUser()
if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
if (!hasPermission(user, 'tickets:write')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
if (!hasPermission(user, 'tickets:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
const body = await request.json()
const db = getDb()
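Review bot: The 401 and 403 responses on the lines above are built from identical literals in this hunk and in the export and import hunks, so a future change to the message or status code has to be repeated in three routes. A small shared helper that returns the 403 response would keep them consistent and would be the natural place to log the denied attempt (user id and route) so that repeated authorization failures show up in audit logs instead of being returned silently to the client. The handler continues past the hunk; `request.json()` on the last line runs after the permission check, which is the right order, but its validation is not visible here.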