200172f0af
All checks were successful
ci/woodpecker/push/woodpecker Pipeline was successful
- Gate 智能调度 module on BI-SCHEDULE-OPT role (or full-access roles) via shared canAccessScheduling helper, replacing hardcoded userId allowlist - Thread roles[] through JWT payload → middleware → frontend nav - Add router guard that 403s non-authorized users on /api/scheduling/* - Emit replace_qualified suggestion for every qualified vehicle so list count matches the 已完成考核目标 card; recalc qualifiedCount / hopelessCount post-permission-filter for card↔list consistency Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
24 lines
864 B
TypeScript
24 lines
864 B
TypeScript
import { Hono } from 'hono';
|
|
import suggestionsRouter from './suggestions.js';
|
|
import notifyRouter from './notify.js';
|
|
import type { AuthUser } from '../../auth/types.js';
|
|
import { canAccessScheduling } from '../../auth/types.js';
|
|
|
|
const app = new Hono();
|
|
|
|
// Module-level access guard. When auth middleware is active, `user` is set and
|
|
// we require a role from SCHEDULING_ACCESS_ROLES (or a full-access role).
|
|
// When auth is bypassed (dev), `user` is undefined and requests pass through.
|
|
app.use('*', async (c, next) => {
|
|
const user = (c as any).get('user') as AuthUser | undefined;
|
|
if (user && !canAccessScheduling(user.roles)) {
|
|
return c.json({ error: 'Forbidden: 智能调度访问需要 BI-SCHEDULE-OPT 角色' }, 403);
|
|
}
|
|
return next();
|
|
});
|
|
|
|
app.route('/suggestions', suggestionsRouter);
|
|
app.route('/notify', notifyRouter);
|
|
|
|
export default app;
|