lingmin_package@163.com 3 veckor sedan
förälder
incheckning
c56bca4189
4 ändrade filer med 211 tillägg och 585 borttagningar
  1. 167 569
      scripts/sample/lq_sample_dev.sql
  2. 20 0
      src/app/services/system_service_ext.py
  3. 4 1
      src/views/sso_view.py
  4. 20 15
      src/views/system_view.py

+ 167 - 569
scripts/sample/lq_sample_dev.sql


+ 20 - 0
src/app/services/system_service_ext.py

@@ -25,6 +25,26 @@ class SystemServiceExt:
     def __init__(self):
         """初始化服务"""
         pass
+
+    async def is_admin_user(self, user_id: str, is_superuser: bool = False) -> bool:
+        """判断用户是否为管理员:is_superuser 为 True 或拥有 super_admin 角色"""
+        if is_superuser:
+            return True
+        conn = get_db_connection()
+        if not conn:
+            return False
+        cursor = conn.cursor()
+        try:
+            cursor.execute("""
+                SELECT COUNT(*) as count FROM t_sys_user_role ur
+                JOIN t_sys_role r ON ur.role_id = r.id
+                WHERE ur.user_id = %s AND r.code = 'super_admin' AND ur.is_active = 1
+            """, (user_id,))
+            result = cursor.fetchone()
+            return result['count'] > 0 if result else False
+        finally:
+            cursor.close()
+            conn.close()
     
     # ==================== 用户管理 ====================
     

+ 4 - 1
src/views/sso_view.py

@@ -114,7 +114,10 @@ async def _sso_exchange_code(code: str, db: AsyncSession, request: Request) -> d
     email = userinfo.get("email") or f"{username}@placeholder.local"
     real_name = userinfo.get("name") or userinfo.get("real_name") or username
     # 角色信息(如果 SSO 返回了 roles)
-    sso_roles = userinfo.get("roles", [])
+    sso_roles_raw = userinfo.get("roles", [])
+    # 统一认证平台返回的 roles 是对象数组 [{name, code}],提取 code
+    sso_roles = [r.get("code") if isinstance(r, dict) else r for r in sso_roles_raw]
+    sso_roles = [r for r in sso_roles if r]  # 过滤空值
 
     logger.info(f"[SSO 码交换] Step 3: 用户信息解析")
     logger.info(f"[SSO 码交换] external_user_id: {external_user_id}")
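Review bot: The new comprehension on the `sso_roles_raw` line assumes the value is iterable, but `.get("roles", [])` only substitutes the default when the key is absent — an explicit `"roles": null` in the identity-provider response yields `None` and the comprehension raises `TypeError`; use `sso_roles_raw = userinfo.get("roles") or []`. Entries that are neither dicts nor strings are passed through unchanged and only dropped if falsy, so a stray number or nested list would reach whatever later consumes `sso_roles`; if these roles feed authorization, keep only string codes: `sso_roles = [r for r in sso_roles if isinstance(r, str) and r]`. `_sso_exchange_code` starts and ends outside this hunk.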

+ 20 - 15
src/views/system_view.py

@@ -583,10 +583,12 @@ async def create_user(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
+        user_id = payload.get("sub")
+        service_ext = SystemServiceExt()
+        if not await service_ext.is_admin_user(user_id, is_superuser):
             return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
-        
-        creator_id = payload.get("sub")
+
+        creator_id = user_id
         
         # 创建密码哈希
         password_hash = hash_password_simple(user_data['password'])
@@ -682,10 +684,9 @@ async def delete_user(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
-            return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
-        
         current_user_id = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(current_user_id, is_superuser):
+            return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         # 不能删除自己
         if user_id == current_user_id:
@@ -748,9 +749,9 @@ async def update_role(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
-            return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         user_id = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(user_id, is_superuser):
+            return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         # 调用 service 层
         system_service = SystemService()
         success, message = await system_service.update_role(role_id, role_data , user_id)
@@ -758,7 +759,7 @@ async def update_role(
         if success:
             return ApiResponse(code="000000", message=message, timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         else:
-            code = 404 if "不存在" in message else 400
+            code = "404001" if "不存在" in message else "400001"
             return ApiResponse(code=code, message=message, timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
     except Exception as e:
         logger.exception("更新角色错误")
@@ -778,7 +779,8 @@ async def delete_role(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
+        _uid = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(_uid, is_superuser):
             return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         # 调用 service 层
@@ -788,7 +790,7 @@ async def delete_role(
         if success:
             return ApiResponse(code="000000", message=message, timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         else:
-            code = 404 if "不存在" in message else 400
+            code = "404001" if "不存在" in message else "400001"
             return ApiResponse(code=code, message=message, timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
     except Exception as e:
@@ -880,7 +882,7 @@ async def update_role_menus(
                 timestamp=datetime.now(timezone.utc).isoformat()
             ).model_dump()
         else:
-            code = 404 if "不存在" in message else 400
+            code = "404001" if "不存在" in message else "400001"
             return ApiResponse(
                 code=code,
                 message=message,
@@ -1047,7 +1049,8 @@ async def create_menu(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
+        _uid = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(_uid, is_superuser):
             return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         user_id = payload.get("sub")
@@ -1077,7 +1080,8 @@ async def update_menu(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
+        _uid = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(_uid, is_superuser):
             return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         user_id = payload.get("sub")
@@ -1107,7 +1111,8 @@ async def delete_menu(
             return ApiResponse(code="200002", message="无效的访问令牌", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         is_superuser = payload.get("is_superuser", False)
-        if not is_superuser:
+        _uid = payload.get("sub")
+        if not await SystemServiceExt().is_admin_user(_uid, is_superuser):
             return ApiResponse(code="200003", message="权限不足", timestamp=datetime.now(timezone.utc).isoformat()).model_dump()
         
         # 调用 service 层
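Review bot: The admin gate added to create_user, delete_user, update_role, delete_role, create_menu, update_menu and delete_menu is the same block pasted seven times under three different local names (`user_id`, `current_user_id`, `_uid`), and in the three menu handlers `payload.get("sub")` is read a second time into `user_id` immediately after `_uid`. A single helper keeps the policy in one place: `async def _is_admin(payload: dict) -> bool:` / `    """True when the verified token's is_superuser claim is set or its subject holds super_admin."""` / `    return await SystemServiceExt().is_admin_user(payload.get("sub"), payload.get("is_superuser", False))`, with each handler reduced to `if not await _is_admin(payload):`. Centralizing it also makes it straightforward to audit that every mutating endpoint in this file passes through the same check rather than one being missed on the next copy. Note that `is_admin_user` runs a synchronous database query per call (see system_service_ext.py in this commit), so each of these handlers now blocks the event loop for that lookup.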
