From 6142af761736ae1462bcbe9141a4b8741e19943d Mon Sep 17 00:00:00 2001
From: kkfluous <kkfluous@kdemacbook-air.local>
Date: Thu, 30 Apr 2026 18:02:21 +0800
Subject: [PATCH] =?UTF-8?q?fix(auth):=20=E8=83=BD=E6=BA=90=E7=AE=A1?=
 =?UTF-8?q?=E7=90=86=E4=BB=85=20BI-LEADER-ENERGY=20=E5=8F=AF=E8=AE=BF?=
 =?UTF-8?q?=E9=97=AE=EF=BC=8C=E7=A7=BB=E9=99=A4=E5=85=A8=E9=87=8F=E6=9D=83?=
 =?UTF-8?q?=E9=99=90=E6=97=81=E8=B7=AF?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

与智能调度的口径一致：模块访问需要专属角色，全量权限角色不再自动通过。
本地开发 dev mock 用户已含 BI-LEADER-ENERGY，调试不受影响。

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 src/shared/auth/roles.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/shared/auth/roles.ts b/src/shared/auth/roles.ts
index 2b26b7b..060dd47 100644
--- a/src/shared/auth/roles.ts
+++ b/src/shared/auth/roles.ts
@@ -28,8 +28,8 @@ export function canManageFeedback(roles: readonly string[] | null | undefined):
   return roles.some(r => FEEDBACK_ADMIN_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r));
 }
 
-/** 用户是否可访问能源管理模块。BI-LEADER-ENERGY 或全量权限角色可访问。 */
+/** 用户是否可访问能源管理模块。仅 BI-LEADER-ENERGY 角色允许访问。 */
 export function canAccessEnergy(roles: readonly string[] | null | undefined): boolean {
   if (!roles || roles.length === 0) return false;
-  return roles.some(r => ENERGY_ACCESS_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r));
+  return roles.some(r => ENERGY_ACCESS_ROLES.includes(r));
 }