feat: 报告API三层权限检查 — read/download/create 全覆盖

- GET /api/reports — 新增 reports:read 权限检查 - POST /api/reports — 修复为 reports:create（原错误使用 reports:read） - DELETE /api/reports — 新增 reports:create 权限检查 - GET /api/reports/[id] — 新增 reports:read 权限检查 - DELETE /api/reports/[id] — 新增 reports:create 权限检查 - POST /api/reports/[id]/generate — 从 reports:write 改为 reports:create - GET /api/reports/[id]/download — 新增 reports:download 权限检查 - POST /api/reports/download — 新增 reports:download 权限检查 5 个文件，共 8 个改动点
2026-05-14 16:57:29 +08:00 · 2026-05-14 16:57:29 +08:00 · 48f8084b9b
parent 200fd7d3a1
commit 48f8084b9b
5 changed files with 11 additions and 2 deletions
--- a/src/app/api/reports/[id]/download/route.ts
+++ b/src/app/api/reports/[id]/download/route.ts
@ -2,6 +2,7 @@ import { NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'

 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const { id } = await params
    const db = getDb()
--- a/src/app/api/reports/[id]/generate/route.ts
+++ b/src/app/api/reports/[id]/generate/route.ts
@ -14,7 +14,7 @@ export async function POST(
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-    if (!hasPermission(user, 'reports:write')) {
+    if (!hasPermission(user, 'reports:create')) {
      return NextResponse.json({ error: '权限不足' }, { status: 403 })
    }

--- a/src/app/api/reports/[id]/route.ts
+++ b/src/app/api/reports/[id]/route.ts
@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import fs from 'fs'

 export async function GET(_request: Request, { params }: { params: Promise<{ id: string }> }) {
@ -9,6 +10,7 @@ export async function GET(_request: Request, { params }: { params: Promise<{ id:
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const { id } = await params
    const db = getDb()
@ -72,6 +74,7 @@ export async function DELETE(_request: NextRequest, { params }: { params: Promis
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const { id } = await params
    const db = getDb()
--- a/src/app/api/reports/download/route.ts
+++ b/src/app/api/reports/download/route.ts
@ -2,6 +2,7 @@ import { NextRequest, NextResponse } from 'next/server'
 import { getDb } from '@/lib/db'
 import { initDatabase } from '@/lib/db-schema'
 import { getCurrentUser } from '@/lib/auth'
+import { hasPermission } from '@/lib/permissions'
 import JSZip from 'jszip'
 import fs from 'fs'

@ -10,6 +11,7 @@ export async function POST(request: NextRequest) {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:download')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const { ids } = await request.json()
    if (!Array.isArray(ids) || ids.length === 0) {
--- a/src/app/api/reports/route.ts
+++ b/src/app/api/reports/route.ts
@ -10,6 +10,7 @@ export async function GET() {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const db = getDb()
    const reports = db.prepare('SELECT * FROM reports ORDER BY created_at DESC').all()
@ -25,7 +26,7 @@ export async function POST(request: NextRequest) {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
-    if (!hasPermission(user, 'reports:read')) return NextResponse.json({ error: '权限不足' }, { status: 403 })
+    if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const body = await request.json()
    const { report_type, period_start, period_end } = body
@ -71,6 +72,7 @@ export async function DELETE(request: NextRequest) {
    initDatabase()
    const user = await getCurrentUser()
    if (!user) return NextResponse.json({ error: '未登录' }, { status: 401 })
+    if (!hasPermission(user, 'reports:create')) return NextResponse.json({ error: '权限不足' }, { status: 403 })

    const { ids } = await request.json()
    if (!Array.isArray(ids) || ids.length === 0) {