From 48f8084b9b3430325561d2a51c5ac6b07257d334 Mon Sep 17 00:00:00 2001
From: gitadmin
Date: Thu, 14 May 2026 16:57:29 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E6=8A=A5=E5=91=8AAPI=E4=B8=89=E5=B1=82?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E6=A3=80=E6=9F=A5=20=E2=80=94=20read/downloa?=
 =?UTF-8?q?d/create=20=E5=85=A8=E8=A6=86=E7=9B=96?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- GET /api/reports — 新增 reports:read 权限检查
- POST /api/reports — 修复为 reports:create(原错误使用 reports:read)
- DELETE /api/reports — 新增 reports:create 权限检查
- GET /api/reports/[id] — 新增 reports:read 权限检查
- DELETE /api/reports/[id] — 新增 reports:create 权限检查
- POST /api/reports/[id]/generate — 从 reports:write 改为 reports:create
- GET /api/reports/[id]/download — 新增 reports:download 权限检查
- POST /api/reports/download — 新增 reports:download 权限检查

5 个文件,共 8 个改动点
---
 src/app/api/reports/[id]/download/route.ts | 2 ++
 src/app/api/reports/[id]/generate/route.ts | 2 +-
 src/app/api/reports/[id]/route.ts | 3 +++
 src/app/api/reports/download/route.ts | 2 ++
 src/app/api/reports/route.ts | 4 +++-
 5 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/src/app/api/reports/[id]/download/route.ts b/src/app/api/reports/[id]/download/route.ts
index ae0e40b..0981f26 100644
--- a/src/app/api/reports/[id]/download/route.ts
+++ b/src/app/api/reports/[id]/download/route.ts
@@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'
 
 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const { id } = await params
   const db = getDb()
diff --git a/src/app/api/reports/[id]/generate/route.ts b/src/app/api/reports/[id]/generate/route.ts
index 068ff90..7894c68 100644
--- a/src/app/api/reports/[id]/generate/route.ts
+++ b/src/app/api/reports/[id]/generate/route.ts
@@ -14,7 +14,7 @@ export async function POST(
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-  if (!hasPermission(user, 'reports:write')) {
+  if (!hasPermission(user, 'reports:create')) {
     return NextResponse.json({ error: '权限不足' }, { status: 403 })
   }
 
diff --git a/src/app/api/reports/[id]/route.ts b/src/app/api/reports/[id]/route.ts
index 1ac6f31..28c1af1 100644
--- a/src/app/api/reports/[id]/route.ts
+++ b/src/app/api/reports/[id]/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'
 
 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const { id } = await params
   const db = getDb()
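Review bot: The added `reports:download` guard is the same one-line `hasPermission` / 403 pattern this commit pastes into seven other handlers (the generate route even uses a different brace style), so the permission string and the error response are now maintained in eight places. A helper in `@/lib/permissions`, e.g. `export function requirePermission(user, perm) { return hasPermission(user, perm) ? null : NextResponse.json({ error: '权限不足' }, { status: 403 }) }`, used as `const denied = requirePermission(user, 'reports:download'); if (denied) return denied`, would keep every check uniform and make a missing one grep-able. GET's body continues below the hunk, so whether the later file read is further scoped to the caller is not visible here.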
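Review bot: Switching this handler from `reports:write` to `reports:create` leaves the old permission name with no consumer visible in the patch; if `'reports:write'` is still declared in `@/lib/permissions` or still granted to roles, it becomes a dead grant that looks meaningful but gates nothing. Confirm the role-to-permission mapping was migrated alongside this change so users who previously held only `reports:write` either receive `reports:create` deliberately or are meant to lose generate access, and remove the unused name from the catalog. The enclosing POST starts above the hunk.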
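Review bot: The new `reports:read` check is role-level only; the hunk shows `id` taken straight from the route params with no owner or tenant scoping visible before `getDb()`. If reports belong to individual users or tenants, any holder of `reports:read` can fetch any id, which is worth either fixing in the query or recording as intended with a comment such as `// reports:read is global — no per-owner scoping by design`. GET's body continues outside the hunk, so the actual SELECT is not visible here.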
@@ -72,6 +74,7 @@ export async function DELETE(_request: NextRequest, { params }: { params: Promis
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const { id } = await params
   const db = getDb()
diff --git a/src/app/api/reports/download/route.ts b/src/app/api/reports/download/route.ts
index d704091..f21f90c 100644
--- a/src/app/api/reports/download/route.ts
+++ b/src/app/api/reports/download/route.ts
@@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import JSZip from 'jszip'
 import fs from 'fs'
 
@@ -10,6 +11,7 @@ export async function POST(request: NextRequest) {
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const { ids } = await request.json()
   if (!Array.isArray(ids) || ids.length === 0) {
diff --git a/src/app/api/reports/route.ts b/src/app/api/reports/route.ts
index 34b015a..7116e89 100644
--- a/src/app/api/reports/route.ts
+++ b/src/app/api/reports/route.ts
@@ -10,6 +10,7 @@ export async function GET() {
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const db = getDb()
   const reports = db.prepare('SELECT * FROM reports ORDER BY created_at DESC').all()
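Review bot: Gating DELETE on `reports:create` (here and in the `DELETE /api/reports` hunk of `src/app/api/reports/route.ts`) ties a destructive operation to the permission for creating, so every role allowed to create reports also gains deletion, including bulk deletion in the collection route. A separate `reports:delete` permission is the least-privilege fit; if sharing the grant is deliberate, say so at both sites, e.g. `// authz: deletion intentionally shares reports:create — split into reports:delete if roles diverge`. DELETE's body continues outside the hunk.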
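Review bot: The `ids` guard right after the new permission check rejects an empty array but not an oversized one, so a single request can ask the `JSZip` bundle to include every report id the caller can enumerate. Add an upper bound to the existing condition, `if (!Array.isArray(ids) || ids.length === 0 || ids.length > MAX_DOWNLOAD_IDS) {` with `MAX_DOWNLOAD_IDS` a module-level constant, and wrap `await request.json()` in a try/catch that returns 400 so a malformed body does not surface as a 500. The same unbounded `ids` pattern appears in the `DELETE /api/reports` hunk of `src/app/api/reports/route.ts`. Whether each id is type-checked before reaching the DB is outside this hunk.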
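Review bot: After the new `reports:read` check, `SELECT * FROM reports` hands every column to any reader; if the table stores server-side file paths or other internal fields (the download handlers import `fs`, which suggests paths are persisted somewhere), they end up in the JSON response. Name the columns the client needs instead, e.g. `db.prepare('SELECT id, report_type, period_start, period_end, created_at FROM reports ORDER BY created_at DESC').all()`, adjusted to the real schema. GET's body continues below the hunk.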
@@ -25,7 +26,7 @@ export async function POST(request: NextRequest) {
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-  if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+  if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const body = await request.json()
   const { report_type, period_start, period_end } = body
@@ -71,6 +72,7 @@ export async function DELETE(request: NextRequest) {
   initDatabase()
   const user = await getCurrentUser()
   if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+  if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
 
   const { ids } = await request.json()
   if (!Array.isArray(ids) || ids.length === 0) {
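Review bot: The corrected `reports:create` check closes a gap in which any `reports:read` holder could create reports, so this line is an authorization bug fix rather than a feature and deserves to be labelled as such in the subject (the body does say 修复, the subject says feat:); reports created while the weaker check was live are worth auditing. The `const { report_type, period_start, period_end } = body` line that follows destructures an unvalidated JSON body, and `await request.json()` itself will throw on a malformed body and surface as a 500. If field validation happens further down it is outside the hunk; otherwise an allowlist check on `report_type` and a try/catch returning 400 around the parse would be the natural follow-up. POST's body continues outside the hunk.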