feat: add permission decorator to enhance API access control

2026-05-11 18:10:10 +08:00 · 2026-02-09 12:32:25 +08:00
parent f444ec46cc
commit 451e8555d5
15 changed files with 269 additions and 98 deletions
--- a/domain/backup/api.py
+++ b/domain/backup/api.py
@@ -1,10 +1,13 @@
 import datetime
+from typing import Annotated

 from fastapi import APIRouter, Depends, File, Form, Query, Request, UploadFile
 from fastapi.responses import JSONResponse

 from domain.audit import AuditAction, audit
-from domain.auth import get_current_active_user
+from domain.auth import User, get_current_active_user
+from domain.permission import require_system_permission
+from domain.permission.types import SystemPermission
 from .service import BackupService

 router = APIRouter(
@@ -16,8 +19,11 @@ router = APIRouter(

@router.get("/export", summary="导出全站数据")
@audit(action=AuditAction.DOWNLOAD, description="导出备份")
+@require_system_permission(SystemPermission.CONFIG_EDIT)
 async def export_backup(
-    request: Request, sections: list[str] | None = Query(default=None)
+    request: Request,
+    current_user: Annotated[User, Depends(get_current_active_user)],
+    sections: list[str] | None = Query(default=None),
 ):
    data = await BackupService.export_data(sections=sections)
    timestamp = datetime.datetime.now().strftime("%Y-%m-%d_%H-%M-%S")
@@ -27,8 +33,10 @@ async def export_backup(

@router.post("/import", summary="导入数据")
@audit(action=AuditAction.UPLOAD, description="导入备份")
+@require_system_permission(SystemPermission.CONFIG_EDIT)
 async def import_backup(
    request: Request,
+    current_user: Annotated[User, Depends(get_current_active_user)],
    file: UploadFile = File(...),
    mode: str = Form("replace"),
 ):