From 17e1d232e8baa34aad659c1f447e3736e8172e90 Mon Sep 17 00:00:00 2001
From: wangfq <wangfq@collectpublish.net>
Date: Thu, 11 Jun 2026 17:21:49 +0800
Subject: [PATCH] =?UTF-8?q?feat:=20=E5=A2=9E=E5=8A=A0=20analyst=20?=
 =?UTF-8?q?=E8=A7=92=E8=89=B2=E2=80=94=E2=80=94=E4=BB=85=E6=B5=8B=E8=AF=95?=
 =?UTF-8?q?=E6=95=B0=E6=8D=AE=E6=9F=A5=E8=AF=A2/=E4=B8=8B=E8=BD=BD+?=
 =?UTF-8?q?=E4=BF=AE=E6=94=B9=E5=AF=86=E7=A0=81?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 edc-web/app/auth.py              | 17 +++++++++++++++++
 edc-web/app/routes/test_data.py  |  4 ++++
 edc-web/app/templates/base.html  |  2 ++
 edc-web/app/templates/users.html |  2 ++
 edc_server                       |  2 +-
 5 files changed, 26 insertions(+), 1 deletion(-)

diff --git a/edc-web/app/auth.py b/edc-web/app/auth.py
index 8d74806..969c2a7 100644
--- a/edc-web/app/auth.py
+++ b/edc-web/app/auth.py
@@ -42,6 +42,23 @@ def load_user(user_id):
 def init_auth(app):
     login_manager.init_app(app)
 
+    # analyst 角色：全局路由白名单拦截
+    ANALYST_ALLOWED = {
+        "auth.login", "auth.logout", "auth.change_password",
+        "test_data.test_data_page",
+        "test_data.api_test_data",
+        "test_data.api_chart_data",
+        "test_data.api_export",
+        "test_data.api_delete",  # 自身有 inline 角色检查
+    }
+
+    @app.before_request
+    def _restrict_analyst():
+        if current_user.is_authenticated and current_user.role == "analyst":
+            ep = request.endpoint or ""
+            if ep not in ANALYST_ALLOWED and not ep.startswith("static"):
+                return "权限不足：当前角色为 analyst，仅可访问测试数据", 403
+
 
 # ─── 装饰器 ────────────────────────────────────────────────────────
 
diff --git a/edc-web/app/routes/test_data.py b/edc-web/app/routes/test_data.py
index 70cb2cb..3cb8862 100644
--- a/edc-web/app/routes/test_data.py
+++ b/edc-web/app/routes/test_data.py
@@ -10,12 +10,14 @@ bp = Blueprint("test_data", __name__)
 
 
 @bp.route("/test-data")
+@login_required
 def test_data_page():
     """测试信息页"""
     return render_template("test_data.html")
 
 
 @bp.route("/api/test-data")
+@login_required
 def api_test_data():
     """分页查询测试数据"""
     page = request.args.get("page", 1, type=int)
@@ -38,6 +40,7 @@ def api_test_data():
 
 
 @bp.route("/api/test-data/chart")
+@login_required
 def api_chart_data():
     """返回图表所需全部数据（不分页）"""
     serial = request.args.get("serial", "", type=str)
@@ -51,6 +54,7 @@ def api_chart_data():
     return jsonify({"records": records, "total": len(records)})
 
 @bp.route("/api/test-data/export")
+@login_required
 def api_export():
     """导出测试数据为 CSV"""
     serial = request.args.get("serial", "", type=str)
diff --git a/edc-web/app/templates/base.html b/edc-web/app/templates/base.html
index 25fc311..ea51848 100644
--- a/edc-web/app/templates/base.html
+++ b/edc-web/app/templates/base.html
@@ -8,7 +8,9 @@
 </head>
 <body>
     <nav class="top-menu">
+        {% if current_user.is_authenticated and current_user.role != 'analyst' %}
         <a href="/" class="{% if request.path == '/' %}active{% endif %}">设备</a>
+        {% endif %}
         <a href="/test-data" class="{% if request.path == '/test-data' %}active{% endif %}">测试信息</a>
         {% if current_user.is_authenticated and current_user.role in ('admin', 'manager') %}
         <a href="/device-logs" class="{% if request.path == '/device-logs' %}active{% endif %}">设备日志</a>
diff --git a/edc-web/app/templates/users.html b/edc-web/app/templates/users.html
index 2facc17..08526bc 100644
--- a/edc-web/app/templates/users.html
+++ b/edc-web/app/templates/users.html
@@ -12,6 +12,7 @@
         <label>角色：
             <select id="new-role" style="margin:0 8px;">
                 <option value="operator">operator</option>
+                <option value="analyst">analyst</option>
                 <option value="manager">manager</option>
                 <option value="admin">admin</option>
             </select>
@@ -52,6 +53,7 @@ async function loadUsers() {
             <td>
                 <select onchange="updateUser(${u.id}, this, 'role')" data-field="role">
                     <option value="operator" ${u.role==='operator'?'selected':''}>operator</option>
+                    <option value="analyst" ${u.role==='analyst'?'selected':''}>analyst</option>
                     <option value="manager" ${u.role==='manager'?'selected':''}>manager</option>
                     <option value="admin" ${u.role==='admin'?'selected':''}>admin</option>
                 </select>
diff --git a/edc_server b/edc_server
index 25aafd5..3580f89 160000
--- a/edc_server
+++ b/edc_server
@@ -1 +1 @@
-Subproject commit 25aafd57c8b18300484dfefe9358372b946ef545
+Subproject commit 3580f895524610baa5b996ac29a820a904c01379