From 2b990f06fb400aab1383e0b8f77c29d5496539ac Mon Sep 17 00:00:00 2001
From: seaislee1209 <seaislee129@gmail.com>
Date: Sat, 14 Feb 2026 12:10:02 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=90=88=E5=90=8C=E9=87=91=E9=A2=9D?=
 =?UTF-8?q?=E6=9D=83=E9=99=90=E6=8E=A7=E5=88=B6=20+=20=E5=86=85=E7=BD=AE?=
 =?UTF-8?q?=E8=A7=92=E8=89=B2=E6=9D=83=E9=99=90=E8=87=AA=E5=8A=A8=E5=90=8C?=
 =?UTF-8?q?=E6=AD=A5?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- 新增 project:view_contract 权限，仅超级管理员可查看合同金额
- 项目详情、仪表盘、结算页、创建项目表单均受权限保护
- 启动时自动同步内置角色权限，新增权限无需手动更新数据库

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 backend/main.py                      | 12 +++++++++++-
 backend/models.py                    |  1 +
 frontend/src/views/Dashboard.vue     |  5 ++++-
 frontend/src/views/ProjectDetail.vue |  4 ++--
 frontend/src/views/Projects.vue      |  2 +-
 frontend/src/views/Settlement.vue    |  5 ++++-
 6 files changed, 23 insertions(+), 6 deletions(-)

diff --git a/backend/main.py b/backend/main.py
index 033320f..58c8408 100644
--- a/backend/main.py
+++ b/backend/main.py
@@ -12,6 +12,7 @@ from models import (
     Project, ProjectMilestone, DEFAULT_MILESTONES
 )
 from auth import hash_password
+from sqlalchemy.orm.attributes import flag_modified
 import os
 import logging
 
@@ -108,7 +109,7 @@ def init_roles_and_admin():
     from database import SessionLocal
     db = SessionLocal()
     try:
-        # 初始化内置角色
+        # 初始化 / 同步内置角色权限
         for role_name, role_def in BUILTIN_ROLES.items():
             existing = db.query(Role).filter(Role.name == role_name).first()
             if not existing:
@@ -120,6 +121,15 @@ def init_roles_and_admin():
                 )
                 db.add(role)
                 print(f"[OK] created role: {role_name}")
+            elif existing.is_system:
+                # 同步内置角色：补充代码中新增的权限
+                current = set(existing.permissions or [])
+                defined = set(role_def["permissions"])
+                missing = defined - current
+                if missing:
+                    existing.permissions = list(current | missing)
+                    flag_modified(existing, "permissions")
+                    print(f"[SYNC] added permissions to {role_name}: {missing}")
         db.commit()
 
         # 迁移旧成本权限 → 细分权限
diff --git a/backend/models.py b/backend/models.py
index 11975e1..64ee4f4 100644
--- a/backend/models.py
+++ b/backend/models.py
@@ -20,6 +20,7 @@ ALL_PERMISSIONS = [
     ("project:edit", "编辑项目", "项目管理"),
     ("project:delete", "删除项目", "项目管理"),
     ("project:complete", "确认完成项目", "项目管理"),
+    ("project:view_contract", "查看合同金额", "项目管理"),
     # 内容提交
     ("submission:view", "查看提交记录", "内容提交"),
     ("submission:create", "新增提交", "内容提交"),
diff --git a/frontend/src/views/Dashboard.vue b/frontend/src/views/Dashboard.vue
index 68f43d5..3d71117 100644
--- a/frontend/src/views/Dashboard.vue
+++ b/frontend/src/views/Dashboard.vue
@@ -161,7 +161,7 @@
       <div class="card-body">
         <el-table :data="data.settled_projects" size="small">
           <el-table-column prop="project_name" label="项目" />
-          <el-table-column label="合同金额" align="right" width="120">
+          <el-table-column v-if="authStore.hasPermission('project:view_contract')" label="合同金额" align="right" width="120">
             <template #default="{ row }">
               <span v-if="row.contract_amount">¥{{ formatNum(row.contract_amount) }}</span>
               <span v-else class="text-muted">—</span>
@@ -187,8 +187,11 @@
 <script setup>
 import { ref, onMounted, onUnmounted, nextTick } from 'vue'
 import { dashboardApi } from '../api'
+import { useAuthStore } from '../stores/auth'
 import * as echarts from 'echarts'
 
+const authStore = useAuthStore()
+
 const loading = ref(false)
 const data = ref({})
 const typeTagMap = { '客户正式项目': 'success', '客户测试项目': 'warning', '内部原创项目': '', '内部测试项目': 'info' }
diff --git a/frontend/src/views/ProjectDetail.vue b/frontend/src/views/ProjectDetail.vue
index 24c13ba..c322a08 100644
--- a/frontend/src/views/ProjectDetail.vue
+++ b/frontend/src/views/ProjectDetail.vue
@@ -19,7 +19,7 @@
     <!-- 项目信息 -->
     <div class="card info-card">
       <div class="info-grid">
-        <div class="info-item">
+        <div class="info-item" v-if="authStore.hasPermission('project:view_contract')">
           <span class="info-label">合同金额</span>
           <span class="info-value price">{{ project.contract_amount ? '¥' + project.contract_amount.toLocaleString() : '未设置' }}</span>
         </div>
@@ -355,7 +355,7 @@
         <el-form-item label="预估完成日期">
           <el-date-picker v-model="editForm.estimated_completion_date" value-format="YYYY-MM-DD" placeholder="选择预计交付日期" style="width:100%" />
         </el-form-item>
-        <el-form-item v-if="editForm.project_type === '客户正式项目'" label="合同金额">
+        <el-form-item v-if="editForm.project_type === '客户正式项目' && authStore.hasPermission('project:view_contract')" label="合同金额">
           <el-input-number v-model="editForm.contract_amount" :min="0" :step="10000" :controls="false" placeholder="甲方合同总金额（元）" style="width:100%" />
         </el-form-item>
       </el-form>
diff --git a/frontend/src/views/Projects.vue b/frontend/src/views/Projects.vue
index 2cf87e7..cb4d893 100644
--- a/frontend/src/views/Projects.vue
+++ b/frontend/src/views/Projects.vue
@@ -90,7 +90,7 @@
         <el-form-item label="预估完成日期">
           <el-date-picker v-model="form.estimated_completion_date" value-format="YYYY-MM-DD" placeholder="选择预计交付日期" style="width:100%" />
         </el-form-item>
-        <el-form-item v-if="form.project_type === '客户正式项目'" label="合同金额">
+        <el-form-item v-if="form.project_type === '客户正式项目' && authStore.hasPermission('project:view_contract')" label="合同金额">
           <el-input-number v-model="form.contract_amount" :min="0" :step="10000" :controls="false" placeholder="甲方合同总金额（元）" style="width:100%" />
         </el-form-item>
 
diff --git a/frontend/src/views/Settlement.vue b/frontend/src/views/Settlement.vue
index 69a6c2e..0bdf213 100644
--- a/frontend/src/views/Settlement.vue
+++ b/frontend/src/views/Settlement.vue
@@ -39,7 +39,7 @@
       </el-row>
 
       <!-- 盈亏（仅客户正式项目） -->
-      <el-card v-if="data.contract_amount != null" class="section-card">
+      <el-card v-if="data.contract_amount != null && authStore.hasPermission('project:view_contract')" class="section-card">
         <template #header><span class="section-title">项目盈亏</span></template>
         <el-row :gutter="16">
           <el-col :span="8">
@@ -102,6 +102,9 @@
 import { ref, onMounted } from 'vue'
 import { useRoute } from 'vue-router'
 import { projectApi } from '../api'
+import { useAuthStore } from '../stores/auth'
+
+const authStore = useAuthStore()
 
 const route = useRoute()
 const loading = ref(false)