From 0193e78f187f8484678c65ed7e8d4cb28e829edb Mon Sep 17 00:00:00 2001
From: kkfluous <kkfluous@kdemacbook-air.local>
Date: Thu, 30 Apr 2026 18:16:42 +0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20=E8=83=BD=E6=BA=90=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E4=BB=85=20BI-LEADER-ENERGY=20=E4=B8=8E=E3=80=8C?=
 =?UTF-8?q?=E6=89=80=E6=9C=89=E6=9D=83=E9=99=90=E3=80=8D=E5=8F=AF=E8=AE=BF?=
 =?UTF-8?q?=E9=97=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

收紧准入：之前 FULL_ACCESS_ROLES（含 数智中心 / BI-Leader）会自动通过。
现在只接受 BI-LEADER-ENERGY 或「所有权限」两类角色。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/shared/auth/roles.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/shared/auth/roles.ts b/src/shared/auth/roles.ts
index 2b26b7b..2452bb5 100644
--- a/src/shared/auth/roles.ts
+++ b/src/shared/auth/roles.ts
@@ -28,8 +28,9 @@ export function canManageFeedback(roles: readonly string[] | null | undefined):
   return roles.some(r => FEEDBACK_ADMIN_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r));
 }
 
-/** 用户是否可访问能源管理模块。BI-LEADER-ENERGY 或全量权限角色可访问。 */
+/** 用户是否可访问能源管理模块。仅 BI-LEADER-ENERGY 或「所有权限」可访问。 */
+const ENERGY_FULL_ACCESS = '所有权限';
 export function canAccessEnergy(roles: readonly string[] | null | undefined): boolean {
   if (!roles || roles.length === 0) return false;
-  return roles.some(r => ENERGY_ACCESS_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r));
+  return roles.some(r => ENERGY_ACCESS_ROLES.includes(r) || r === ENERGY_FULL_ACCESS);
 }