From a472e543ce596dffaa6ea77849d6890760efa678 Mon Sep 17 00:00:00 2001
From: kkfluous
Date: Fri, 17 Apr 2026 15:50:48 +0800
Subject: [PATCH] refactor(scheduling): gate access strictly on BI-SCHEDULE-OPT role
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove the implicit fallback that granted scheduling access to any FULL_ACCESS role (所有权限 / 数智中心 / BI-Leader). Access now requires an explicit BI-SCHEDULE-OPT assignment, so the module scope is managed purely via role assignment rather than piggy-backing on admin roles.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 src/shared/auth/roles.ts | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/src/shared/auth/roles.ts b/src/shared/auth/roles.ts
index 34b4b65..bed4c72 100644
--- a/src/shared/auth/roles.ts
+++ b/src/shared/auth/roles.ts
@@ -10,10 +10,8 @@ export const DEPT_ACCESS_ROLES = ['BI-Leader-Dep'];
 /** 智能调度模块访问角色 */
 export const SCHEDULING_ACCESS_ROLES = ['BI-SCHEDULE-OPT'];
 
-/** 用户是否可访问智能调度模块。全量权限用户默认获得访问。 */
+/** 用户是否可访问智能调度模块。仅 BI-SCHEDULE-OPT 角色允许访问。 */
 export function canAccessScheduling(roles: readonly string[] | null | undefined): boolean {
 if (!roles || roles.length === 0) return false;
- return roles.some(r =>
- SCHEDULING_ACCESS_ROLES.includes(r) || FULL_ACCESS_ROLES.includes(r),
- );
+ return roles.some(r => SCHEDULING_ACCESS_ROLES.includes(r));
 }
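Review bot: Nothing in this commit pins the new deny case in `canAccessScheduling`, so the removed `FULL_ACCESS_ROLES` fallback could be reintroduced later without any check failing. A test asserting that `canAccessScheduling(FULL_ACCESS_ROLES)` returns `false` would lock the tightened behaviour in. The context line `export const SCHEDULING_ACCESS_ROLES = ['BI-SCHEDULE-OPT'];` exports a mutable array that is now the sole allow-list, so any importing module could `push` a role into it at runtime. Typing it as `export const SCHEDULING_ACCESS_ROLES: readonly string[] = ['BI-SCHEDULE-OPT'];` rejects that at compile time and keeps the `.includes(r)` call valid. The file lives under `src/shared/auth`, so it is worth confirming that server-side handlers and route guards for the scheduling module call this function rather than testing `FULL_ACCESS_ROLES` themselves; those call sites are not visible in this hunk.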