feat(scheduling): role-based access + align list count with qualifiedCount

- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles) via shared canAccessScheduling helper, replacing hardcoded userId allowlist - Thread roles[] through JWT payload → middleware → frontend nav - Add router guard that 403s non-authorized users on /api/scheduling/* - Emit replace_qualified suggestion for every qualified vehicle so list count matches the 已完成考核目标 card; recalc qualifiedCount / hopelessCount post-permission-filter for card↔list consistency Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-17 15:42:21 +08:00
parent a954fb90f6
commit 200172f0af
9 changed files with 64 additions and 25 deletions
--- a/src/App.tsx
+++ b/src/App.tsx
@@ -7,11 +7,7 @@ import SchedulingModule from './modules/scheduling/SchedulingModule';
 import AuthProvider from './auth/AuthProvider';
 import { useAuth } from './auth/useAuth';
 import UnauthorizedPage from './auth/UnauthorizedPage';
-
+import { canAccessScheduling } from './shared/auth/roles';
 const SCHEDULING_ALLOWED_USERS = new Set([
  '1105261382487539712',
  '1116631120763437056',
 ]);
 const BASE_MODULES: ModuleConfig[] = [
  { id: 'assets', label: '资产管理', icon: Truck, component: AssetsModule },
@@ -26,11 +22,11 @@ function AuthGate() {
  const { isLoading, isAuthenticated, error, user } = useAuth();
  const modules = useMemo(() => {
-    if (user?.userId && SCHEDULING_ALLOWED_USERS.has(user.userId)) {
+    if (canAccessScheduling(user?.roles)) {
      return [...BASE_MODULES, SCHEDULING_MODULE];
    }
    return BASE_MODULES;
-  }, [user?.userId]);
+  }, [user?.roles]);
  if (isLoading) {
    return (
--- a/src/auth/useAuth.ts
+++ b/src/auth/useAuth.ts
@@ -3,7 +3,13 @@ import { createContext, useContext } from 'react';
 export interface AuthState {
  isLoading: boolean;
  isAuthenticated: boolean;
-  user: { userId: string; userName: string; permissionLevel: string; depName: string } | null;
+  user: {
    userId: string;
    userName: string;
    permissionLevel: string;
    depName: string;
    roles?: string[];
  } | null;
  error: string | null;
 }
--- a/src/server/auth/login.ts
+++ b/src/server/auth/login.ts
@@ -66,6 +66,7 @@ app.get('/exchange', async (c) => {
      depCode: userInfo.depCode,
      depName,
      permissionLevel,
      roles: roleNames,
    };
    const token = jwt.sign(payload, JWT_SECRET, { expiresIn: '8h' });
--- a/src/server/auth/middleware.ts
+++ b/src/server/auth/middleware.ts
@@ -35,6 +35,7 @@ export async function authMiddleware(c: Context, next: Next) {
      depCode: payload.depCode,
      depName: payload.depName,
      permissionLevel: payload.permissionLevel,
      roles: payload.roles ?? [],
    };
    c.set('user', user);
    return next();
--- a/src/server/auth/types.ts
+++ b/src/server/auth/types.ts
@@ -7,6 +7,7 @@ export interface AuthUser {
  depCode: string;
  depName: string;
  permissionLevel: PermissionLevel;
  roles: string[];
 }
 export interface JwtPayload {
@@ -16,12 +17,16 @@ export interface JwtPayload {
  depCode: string;
  depName: string;
  permissionLevel: PermissionLevel;
  roles: string[];
  iat?: number;
  exp?: number;
 }
-/** 全量权限角色名 */
+// Re-export role constants and helpers from the shared module so existing
-export const FULL_ACCESS_ROLES = ['所有权限', '数智中心', 'BI-Leader'];
+// server imports (`from './types.js'`) keep working.
-
+export {
-/** 部门级权限角色名 */
+  FULL_ACCESS_ROLES,
-export const DEPT_ACCESS_ROLES = ['BI-Leader-Dep'];
+  DEPT_ACCESS_ROLES,
  SCHEDULING_ACCESS_ROLES,
  canAccessScheduling,
 } from '../../shared/auth/roles.js';
--- a/src/server/routes/scheduling/algorithm.ts
+++ b/src/server/routes/scheduling/algorithm.ts
@@ -157,12 +157,10 @@ export function generateSuggestions(
  }
  // --- replace_qualified (medium priority) ---
-  // Swap out the qualified car, swap in a car that NEEDS mileage.
+  // Every qualified vehicle gets a suggestion row so the list count matches
-  // The high-mileage customer will drive it hard → helps it reach target.
+  // `qualifiedCount`. Candidates may be empty when no inventory vehicle can
-  // Exclude candidates already at target (gap <= 0) — swapping those in is pointless.
+  // reach target at this customer — the row still surfaces for manual review.
  for (const vehicle of qualified) {
    if (vehicle.customerAvgDaily <= vehicle.dailyRequiredMileage) continue;
    const candidates: CandidateVehicle[] = inventoryVehicles
      .filter((inv) => {
        if (!isTypeCompatible(vehicle.vehicleType, inv.vehicleType)) return false;
@@ -206,9 +204,6 @@ export function generateSuggestions(
      })
 ;
    // Skip if no candidate can reach target — swap would be pointless
    if (candidates.length === 0) continue;
    const yearRate = vehicle.yearTarget > 0 ? Math.round((vehicle.currentYearMileage / vehicle.yearTarget) * 100) : 0;
    const canAddKm = vehicle.customerAvgDaily * vehicle.daysLeft;
    const reason: ReasonBlock = {
@@ -231,8 +226,11 @@ export function generateSuggestions(
    });
  }
-  // Remove suggestions with no candidates
+  // Drop rescue_hopeless with no candidates — no actionable rescue available.
-  const filteredSuggestions = suggestions.filter((s) => s.candidates.length > 0);
+  // Keep every replace_qualified so the list count matches the qualifiedCount card.
  const filteredSuggestions = suggestions.filter(
    (s) => s.type === 'replace_qualified' || s.candidates.length > 0,
  );
  // Sort: high priority first
  filteredSuggestions.sort((a, b) => {
--- a/src/server/routes/scheduling/index.ts
+++ b/src/server/routes/scheduling/index.ts
@@ -1,9 +1,22 @@
 import { Hono } from 'hono';
 import suggestionsRouter from './suggestions.js';
 import notifyRouter from './notify.js';
 import type { AuthUser } from '../../auth/types.js';
 import { canAccessScheduling } from '../../auth/types.js';
 const app = new Hono();
 // Module-level access guard. When auth middleware is active, `user` is set and
 // we require a role from SCHEDULING_ACCESS_ROLES (or a full-access role).
 // When auth is bypassed (dev), `user` is undefined and requests pass through.
 app.use('*', async (c, next) => {
  const user = (c as any).get('user') as AuthUser | undefined;
  if (user && !canAccessScheduling(user.roles)) {
    return c.json({ error: 'Forbidden: 智能调度访问需要 BI-SCHEDULE-OPT 角色' }, 403);
  }
  return next();
 });
 app.route('/suggestions', suggestionsRouter);
 app.route('/notify', notifyRouter);
--- a/src/server/routes/scheduling/suggestions.ts
+++ b/src/server/routes/scheduling/suggestions.ts
@@ -344,8 +344,8 @@ app.get('/', async (c) => {
    const filteredHopeless = masked.filter((s: any) => s.type === 'rescue_hopeless').length;
    const recentInterventionCount = await fetchRecentInterventionCount();
    const filteredSummary: SchedulingSummary = {
-      qualifiedCount: summary.qualifiedCount,
+      qualifiedCount: filteredQualified,
-      hopelessCount: summary.hopelessCount,
+      hopelessCount: filteredHopeless,
      suggestionCount: masked.length,
      estimatedGain: masked.filter((s: any) =>
        s.candidates?.some((c: any) => c.canQualifyAfterSwap)
--- a/src/shared/auth/roles.ts
+++ b/src/shared/auth/roles.ts
@@ -0,0 +1,19 @@
 // Role constants and role-based access helpers shared between server (JWT
 // issuance / API guards) and client (nav visibility / module gating).
 /** 全量权限角色名 */
 export const FULL_ACCESS_ROLES = ['所有权限', '数智中心', 'BI-Leader'];
 /** 部门级权限角色名 */
 export const DEPT_ACCESS_ROLES = ['BI-Leader-Dep'];
 /** 智能调度模块访问角色 */
 export const SCHEDULING_ACCESS_ROLES = ['BI-SCHEDULE-OPT'];
 /** 用户是否可访问智能调度模块。全量权限用户默认获得访问。 */
 export function canAccessScheduling(roles: readonly string[] | null | undefined): boolean {
  if (!roles || roles.length === 0) return false;
  return roles.some(r =>
    SCHEDULING_ACCESS_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r),
  );
 }