From 1dad810d15767ee514deb76f03229edbf386b48c Mon Sep 17 00:00:00 2001
From: QTom
Date: Fri, 9 Jan 2026 14:36:31 +0800
Subject: [PATCH] =?UTF-8?q?refactor:=20=E7=BB=9F=E4=B8=80=E6=9D=83?= =?UTF-8?q?=E9=99=90=E6=A3=80=E6=9F=A5=E9=80=BB=E8=BE=91=EF=BC=8C=E4=BD=BF?= =?UTF-8?q?=E7=94=A8=20apiKeyService.hasPermission?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
将散布在各处的权限检查逻辑(permissions || 'all')统一为 apiKeyService.hasPermission() 方法调用,确保:
- 权限检查的唯一真实来源
- 避免默认值不一致导致的安全问题
- 便于后续权限模型的扩展和维护
影响文件:
- geminiHandlers.js: key-info 端点
- apiStats.js: user-stats 统计端点
- openaiClaudeRoutes.js: 权限校验辅助函数
- openaiRoutes.js: key-info 端点
---
 src/handlers/geminiHandlers.js | 2 +-
 src/routes/apiStats.js | 2 +-
 src/routes/openaiClaudeRoutes.js | 3 +--
 src/routes/openaiRoutes.js | 2 +-
 4 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/src/handlers/geminiHandlers.js b/src/handlers/geminiHandlers.js
index 05e3fd25..7774b9c6 100644
--- a/src/handlers/geminiHandlers.js
+++ b/src/handlers/geminiHandlers.js
@@ -862,7 +862,7 @@ async function handleKeyInfo(req, res) {
 res.json({
 id: keyData.id,
 name: keyData.name,
- permissions: keyData.permissions || 'all',
+ permissions: keyData.permissions,
 token_limit: keyData.tokenLimit,
 tokens_used: keyData.usage.total.tokens,
 tokens_remaining:
diff --git a/src/routes/apiStats.js b/src/routes/apiStats.js
index 62614b65..1ebf9be3 100644
--- a/src/routes/apiStats.js
+++ b/src/routes/apiStats.js
@@ -155,7 +155,7 @@ router.post('/api/user-stats', async (req, res) => {
 restrictedModels,
 enableClientRestriction: keyData.enableClientRestriction === 'true',
 allowedClients,
- permissions: keyData.permissions || 'all',
+ permissions: keyData.permissions,
 // 添加激活相关字段
 expirationMode: keyData.expirationMode || 'fixed',
 isActivated: keyData.isActivated === 'true',
diff --git a/src/routes/openaiClaudeRoutes.js b/src/routes/openaiClaudeRoutes.js
index 200ef94e..7dd42279 100644
--- a/src/routes/openaiClaudeRoutes.js
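Review bot: In handleKeyInfo (geminiHandlers.js), and likewise in the `/api/user-stats` response in apiStats.js and the `/key-info` response in openaiRoutes.js, the `permissions` field now carries the raw stored value, so a key with nothing stored would serialise with the field omitted (or null) where it used to report `'all'`. None of these three hunks calls `apiKeyService.hasPermission`, so what the endpoints report can differ from what the authorisation check enforces, presumably for legacy keys that relied on the old default. If the raw value is intended, a comment such as `// raw stored value; may be empty for legacy keys — effective access is decided by apiKeyService.hasPermission` would make that explicit; otherwise normalise the value in one place in apiKeyService and return that from all three endpoints. Each of these object literals starts or ends outside its hunk.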
+++ b/src/routes/openaiClaudeRoutes.js
@@ -20,8 +20,7 @@ const { getEffectiveModel } = require('../utils/modelHelper')
 // 🔧 辅助函数:检查 API Key 权限
 function checkPermissions(apiKeyData, requiredPermission = 'claude') {
- const permissions = apiKeyData.permissions || 'all'
- return permissions === 'all' || permissions === requiredPermission
+ return apiKeyService.hasPermission(apiKeyData?.permissions, requiredPermission)
 }
 function queueRateLimitUpdate(rateLimitInfo, usageSummary, model, context = '') {
diff --git a/src/routes/openaiRoutes.js b/src/routes/openaiRoutes.js
index 7f1b04f1..b222c1c5 100644
--- a/src/routes/openaiRoutes.js
+++ b/src/routes/openaiRoutes.js
@@ -904,7 +904,7 @@ router.get('/key-info', authenticateApiKey, async (req, res) => {
 id: keyData.id,
 name: keyData.name,
 description: keyData.description,
- permissions: keyData.permissions || 'all',
+ permissions: keyData.permissions,
 token_limit: keyData.tokenLimit,
 tokens_used: keyData.usage.total.tokens,
 tokens_remaining:
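Review bot: In checkPermissions (openaiClaudeRoutes.js), `apiKeyData?.permissions` turns a missing key object into `undefined` permissions instead of the TypeError the old `apiKeyData.permissions` raised, so the outcome now rests entirely on how `apiKeyService.hasPermission` treats an empty value. That method is not visible in this patch; if it keeps the legacy rule that empty means full access, a call with no key data would be authorised. A guard such as `if (!apiKeyData) return false` before the call keeps the helper fail-closed. The diffstat shows this commit adds no `require` to the file, so confirm `apiKeyService` is already imported there.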