feat(auth): 实现多租户切换功能

- 在前端AppLayout中添加租户选择下拉框组件 - 实现switchTenant API接口用于租户间切换 - 更新登录流程以支持租户信息存储和解析 - 修改后端认证服务以支持租户上下文管理 - 添加租户权限验证和访问控制逻辑 - 重构权限查询以基于当前租户进行过滤 - 更新数据访问层以正确处理租户隔离 - 添加租户切换相关的状态管理和UI显示
2026-02-26 13:53:58 +08:00 · 2026-02-26 13:53:58 +08:00 · 86009e2602
parent 26c2b977d6
commit 86009e2602
29 changed files with 689 additions and 191 deletions
--- a/backend/src/main/java/com/imeeting/auth/JwtAuthenticationFilter.java
+++ b/backend/src/main/java/com/imeeting/auth/JwtAuthenticationFilter.java
@ -69,17 +69,22 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
        if (username != null && SecurityContextHolder.getContext().getAuthentication() == null) {
          // 1. Validate User Status (Ignore Tenant isolation here)
          SysUser user = sysUserMapper.selectByIdIgnoreTenant(userId);
-          if (user == null || user.getStatus() != 1 || user.getIsDeleted() ) {
+          if (user == null || user.getStatus() != 1 || user.getIsDeleted() != 0) {
-              response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User account is disabled or deleted");
+              response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
              response.setContentType("application/json;charset=UTF-8");
              response.getWriter().write("{\"code\":\"401\",\"msg\":\"User account is disabled or deleted\"}");
              return;
          }
          // 2. Validate Tenant Status & Grace Period
          // Skip validation for system platform tenant (ID=0)
-          if (tenantId != null && !Long.valueOf(0).equals(tenantId)) {
+          Long activeTenantId = tenantId;
-              SysTenant tenant = sysTenantMapper.selectByIdIgnoreTenant(tenantId);
+          if (activeTenantId != null && !Long.valueOf(0).equals(activeTenantId)) {
              SysTenant tenant = sysTenantMapper.selectByIdIgnoreTenant(activeTenantId);
              if (tenant == null || tenant.getStatus() != 1) {
-                  response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Tenant is disabled");
+                  response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                  response.setContentType("application/json;charset=UTF-8");
                  response.getWriter().write("{\"code\":\"401\",\"msg\":\"Tenant is disabled\"}");
                  return;
              }
@ -89,27 +94,29 @@ public class JwtAuthenticationFilter extends OncePerRequestFilter {
                      String graceDaysStr = sysParamService.getParamValue("sys.tenant.grace_period_days", "0");
                      int graceDays = Integer.parseInt(graceDaysStr);
                      if (now.isAfter(tenant.getExpireTime().plusDays(graceDays))) {
-                          response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Tenant subscription expired");
+                          response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);
                          response.setContentType("application/json;charset=UTF-8");
                          response.getWriter().write("{\"code\":\"401\",\"msg\":\"Tenant subscription expired\"}");
                          return;
                      }
                  }
              }
          }
-          // 3. Get Permissions (With Redis Cache)
+          // 3. Get Permissions (With Redis Cache, Key must include tenantId)
-          String permKey = "sys:auth:perm:" + userId;
+          String permKey = "sys:auth:perm:" + userId + ":" + activeTenantId;
          Set<String> permissions;
          String cachedPerms = redisTemplate.opsForValue().get(permKey);
          if (cachedPerms != null) {
              permissions = Set.of(cachedPerms.split(","));
          } else {
-              permissions = sysPermissionService.listPermissionCodesByUserId(userId);
+              permissions = sysPermissionService.listPermissionCodesByUserId(userId, activeTenantId);
              if (permissions != null && !permissions.isEmpty()) {
                  redisTemplate.opsForValue().set(permKey, String.join(",", permissions), java.time.Duration.ofHours(2));
              }
          }
-          LoginUser loginUser = new LoginUser(userId, tenantId, username, user.getIsPlatformAdmin(), permissions);
+          LoginUser loginUser = new LoginUser(userId, activeTenantId, username, user.getIsPlatformAdmin(), permissions);
          UsernamePasswordAuthenticationToken authentication =
              new UsernamePasswordAuthenticationToken(loginUser, null, loginUser.getAuthorities());
--- a/backend/src/main/java/com/imeeting/auth/dto/TokenResponse.java
+++ b/backend/src/main/java/com/imeeting/auth/dto/TokenResponse.java
@ -1,13 +1,23 @@
 package com.imeeting.auth.dto;
-import lombok.AllArgsConstructor;
+import lombok.Builder;
 import lombok.Data;
 import java.util.List;
@Data
-@AllArgsConstructor
+@Builder
 public class TokenResponse {
  private String accessToken;
  private String refreshToken;
  private long accessExpiresInMinutes;
  private long refreshExpiresInDays;
  private List<TenantInfo> availableTenants;
  @Data
  @Builder
  public static class TenantInfo {
    private Long tenantId;
    private String tenantCode;
    private String tenantName;
  }
 }
--- a/backend/src/main/java/com/imeeting/common/GlobalExceptionHandler.java
+++ b/backend/src/main/java/com/imeeting/common/GlobalExceptionHandler.java
@ -15,6 +15,12 @@ public class GlobalExceptionHandler {
    return ApiResponse.error(ex.getMessage());
  }
  @ExceptionHandler(org.springframework.security.access.AccessDeniedException.class)
  public ApiResponse<Void> handleAccessDenied(org.springframework.security.access.AccessDeniedException ex) {
    log.warn("Access denied: {}", ex.getMessage());
    return ApiResponse.error("无权限操作");
  }
  @ExceptionHandler(Exception.class)
  public ApiResponse<Void> handleGeneric(Exception ex) {
    log.error("Unhandled exception", ex);
--- a/backend/src/main/java/com/imeeting/config/MybatisPlusConfig.java
+++ b/backend/src/main/java/com/imeeting/config/MybatisPlusConfig.java
@ -43,17 +43,18 @@ public class MybatisPlusConfig {
      @Override
      public boolean ignoreTable(String tableName) {
        // System level tables that should not be filtered by tenant_id
        // and check if current user is platform admin to skip filtering
        Authentication auth = SecurityContextHolder.getContext().getAuthentication();
        if (auth != null && auth.getPrincipal() instanceof LoginUser) {
          LoginUser user = (LoginUser) auth.getPrincipal();
          // 只有当平台管理员处于系统租户(0)时，才忽略所有过滤。
          // 如果他切换到了具体租户(>0)，则必须接受过滤，确保只能看到当前租户数据。
          if (Boolean.TRUE.equals(user.getIsPlatformAdmin()) && Long.valueOf(0).equals(user.getTenantId())) {
            return true; 
          }
        }
-        return List.of("sys_tenant", "sys_permission", "sys_role_permission", "sys_user_role", "sys_dict_type", "sys_dict_item", "sys_param").contains(tableName.toLowerCase());
+        // 公共表始终忽略过滤
        return List.of("sys_tenant", "sys_user", "sys_tenant_user", "sys_permission", "sys_role_permission", "sys_user_role", "sys_dict_type", "sys_dict_item", "sys_param").contains(tableName.toLowerCase());
      }
    }));
    return interceptor;
@ -67,7 +68,7 @@ public class MybatisPlusConfig {
        strictInsertFill(metaObject, "createdAt", LocalDateTime::now, LocalDateTime.class);
        strictInsertFill(metaObject, "updatedAt", LocalDateTime::now, LocalDateTime.class);
        strictInsertFill(metaObject, "status", () -> 1, Integer.class);
-        strictInsertFill(metaObject, "isDeleted", () -> Boolean.FALSE, Boolean.class);
+        strictInsertFill(metaObject, "isDeleted", () -> 0, Integer.class);
      }
      @Override
--- a/backend/src/main/java/com/imeeting/controller/AuthController.java
+++ b/backend/src/main/java/com/imeeting/controller/AuthController.java
@ -74,6 +74,15 @@ public class AuthController {
    return ApiResponse.ok(authService.refresh(request.getRefreshToken()));
  }
  @PostMapping("/switch-tenant")
  public ApiResponse<TokenResponse> switchTenant(@RequestParam Long tenantId, @RequestHeader("Authorization") String authorization) {
    String token = authorization.replace("Bearer ", "");
    var claims = jwtTokenProvider.parseToken(token);
    Long userId = claims.get("userId", Long.class);
    String deviceCode = claims.get("deviceCode", String.class);
    return ApiResponse.ok(authService.switchTenant(userId, tenantId, deviceCode));
  }
  @PostMapping("/logout")
  public ApiResponse<Void> logout(@RequestHeader("Authorization") String authorization) {
    String token = authorization.replace("Bearer ", "");
--- a/backend/src/main/java/com/imeeting/controller/PermissionController.java
+++ b/backend/src/main/java/com/imeeting/controller/PermissionController.java
@ -34,8 +34,7 @@ public class PermissionController {
  @GetMapping("/me")
  public ApiResponse<List<SysPermission>> myPermissions() {
-    // Implementation can use SecurityContext to get current userId
+    return ApiResponse.ok(sysPermissionService.listByUserId(getCurrentUserId(), getCurrentTenantId()));
    return ApiResponse.ok(sysPermissionService.listByUserId(getCurrentUserId()));
  }
  @GetMapping("/tree")
@ -46,7 +45,7 @@ public class PermissionController {
  @GetMapping("/tree/me")
  public ApiResponse<List<PermissionNode>> myTree() {
-    return ApiResponse.ok(buildTree(sysPermissionService.listByUserId(getCurrentUserId())));
+    return ApiResponse.ok(buildTree(sysPermissionService.listByUserId(getCurrentUserId(), getCurrentTenantId())));
  }
  @GetMapping("/{id}")
@ -97,6 +96,14 @@ public class PermissionController {
    return null;
  }
  private Long getCurrentTenantId() {
    org.springframework.security.core.Authentication authentication = org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication();
    if (authentication != null && authentication.getPrincipal() instanceof com.imeeting.security.LoginUser) {
      return ((com.imeeting.security.LoginUser) authentication.getPrincipal()).getTenantId();
    }
    return null;
  }
  private String validateParent(SysPermission perm) {
    if (perm.getLevel() == null) {
      return null;
--- a/backend/src/main/java/com/imeeting/controller/UserController.java
+++ b/backend/src/main/java/com/imeeting/controller/UserController.java
@ -28,22 +28,35 @@ public class UserController {
  private final PasswordEncoder passwordEncoder;
  private final JwtTokenProvider jwtTokenProvider;
  private final SysUserRoleMapper sysUserRoleMapper;
  private final com.imeeting.service.SysTenantUserService sysTenantUserService;
-  public UserController(SysUserService sysUserService, PasswordEncoder passwordEncoder, JwtTokenProvider jwtTokenProvider, SysUserRoleMapper sysUserRoleMapper) {
+  public UserController(SysUserService sysUserService, PasswordEncoder passwordEncoder, JwtTokenProvider jwtTokenProvider, SysUserRoleMapper sysUserRoleMapper, com.imeeting.service.SysTenantUserService sysTenantUserService) {
    this.sysUserService = sysUserService;
    this.passwordEncoder = passwordEncoder;
    this.jwtTokenProvider = jwtTokenProvider;
    this.sysUserRoleMapper = sysUserRoleMapper;
    this.sysTenantUserService = sysTenantUserService;
  }
  @GetMapping
  @PreAuthorize("@ss.hasPermi('sys_user:list')")
  public ApiResponse<List<SysUser>> list(@RequestParam(required = false) Long tenantId, @RequestParam(required = false) Long orgId) {
-    LambdaQueryWrapper<SysUser> query = new LambdaQueryWrapper<>();
+    Long currentTenantId = getCurrentTenantId();
-    if (orgId != null) {
+    if (Long.valueOf(0).equals(currentTenantId) && tenantId == null) {
-      query.eq(SysUser::getOrgId, orgId);
+        List<SysUser> allUsers = sysUserService.list();
        // 为每个用户加载其租户关系
        if (allUsers != null && !allUsers.isEmpty()) {
            for (SysUser user : allUsers) {
                user.setMemberships(sysTenantUserService.listByUserId(user.getUserId()));
            }
        }
        return ApiResponse.ok(allUsers);
    }
-    return ApiResponse.ok(sysUserService.list(query));
+    Long targetTenantId = tenantId != null ? tenantId : currentTenantId;
    if (targetTenantId == null) {
        return ApiResponse.error("Tenant ID required");
    }
    return ApiResponse.ok(sysUserService.listUsersByTenant(targetTenantId, orgId));
  }
  @GetMapping("/me")
@ -55,7 +68,7 @@ public class UserController {
    LoginUser loginUser = (LoginUser) authentication.getPrincipal();
    Long userId = loginUser.getUserId();
-    SysUser user = sysUserService.getById(userId);
+    SysUser user = sysUserService.getByIdIgnoreTenant(userId);
    if (user == null) {
      return ApiResponse.error("User not found");
    }
@ -74,7 +87,19 @@ public class UserController {
  @GetMapping("/{id}")
  @PreAuthorize("@ss.hasPermi('sys_user:query')")
  public ApiResponse<SysUser> get(@PathVariable Long id) {
-    return ApiResponse.ok(sysUserService.getById(id));
+    SysUser user = sysUserService.getByIdIgnoreTenant(id);
    if (user != null) {
        user.setMemberships(sysTenantUserService.listByUserId(id));
    }
    return ApiResponse.ok(user);
  }
  private Long getCurrentTenantId() {
    Authentication auth = SecurityContextHolder.getContext().getAuthentication();
    if (auth != null && auth.getPrincipal() instanceof LoginUser) {
      return ((LoginUser) auth.getPrincipal()).getTenantId();
    }
    return null;
  }
  @PostMapping
@ -84,7 +109,11 @@ public class UserController {
    if (user.getPasswordHash() != null && !user.getPasswordHash().isEmpty()) {
      user.setPasswordHash(passwordEncoder.encode(user.getPasswordHash()));
    }
-    return ApiResponse.ok(sysUserService.save(user));
+    boolean saved = sysUserService.save(user);
    if (saved) {
        sysTenantUserService.syncMemberships(user.getUserId(), user.getMemberships());
    }
    return ApiResponse.ok(saved);
  }
  @PutMapping("/{id}")
@ -95,7 +124,11 @@ public class UserController {
    if (user.getPasswordHash() != null && !user.getPasswordHash().isEmpty()) {
      user.setPasswordHash(passwordEncoder.encode(user.getPasswordHash()));
    }
-    return ApiResponse.ok(sysUserService.updateById(user));
+    boolean updated = sysUserService.updateById(user);
    if (updated) {
        sysTenantUserService.syncMemberships(id, user.getMemberships());
    }
    return ApiResponse.ok(updated);
  }
  @DeleteMapping("/{id}")
--- a/backend/src/main/java/com/imeeting/entity/BaseEntity.java
+++ b/backend/src/main/java/com/imeeting/entity/BaseEntity.java
@ -12,8 +12,8 @@ public class BaseEntity {
  private Long tenantId;
  private Integer status;
-  @TableLogic
+  @TableLogic(value = "0", delval = "1")
-  private Boolean isDeleted;
+  private Integer isDeleted;
  @TableField(fill = FieldFill.INSERT)
  private LocalDateTime createdAt;
--- a/backend/src/main/java/com/imeeting/entity/SysDictItem.java
+++ b/backend/src/main/java/com/imeeting/entity/SysDictItem.java
@ -23,5 +23,5 @@ public class SysDictItem extends BaseEntity {
  private Long tenantId;
  @TableField(exist = false)
-  private Boolean isDeleted;
+  private Integer isDeleted;
 }
--- a/backend/src/main/java/com/imeeting/entity/SysDictType.java
+++ b/backend/src/main/java/com/imeeting/entity/SysDictType.java
@ -21,5 +21,5 @@ public class SysDictType extends BaseEntity {
  private Long tenantId;
  @TableField(exist = false)
-  private Boolean isDeleted;
+  private Integer isDeleted;
 }
--- a/backend/src/main/java/com/imeeting/entity/SysUser.java
+++ b/backend/src/main/java/com/imeeting/entity/SysUser.java
@ -16,6 +16,14 @@ public class SysUser extends BaseEntity {
  private String phone;
  private String passwordHash;
  private Long orgId;
  private Boolean isPlatformAdmin;
  @com.baomidou.mybatisplus.annotation.TableField(exist = false)
  private Long tenantId;
  @com.baomidou.mybatisplus.annotation.TableField(exist = false)
  private Long orgId;
  @com.baomidou.mybatisplus.annotation.TableField(exist = false)
  private java.util.List<SysTenantUser> memberships;
 }
--- a/backend/src/main/java/com/imeeting/mapper/SysPermissionMapper.java
+++ b/backend/src/main/java/com/imeeting/mapper/SysPermissionMapper.java
@ -10,12 +10,14 @@ import java.util.List;
@Mapper
 public interface SysPermissionMapper extends BaseMapper<SysPermission> {
  @com.baomidou.mybatisplus.annotation.InterceptorIgnore(tenantLine = "true")
  @Select("""
      SELECT DISTINCT p.*
      FROM sys_permission p
      JOIN sys_role_permission rp ON rp.perm_id = p.perm_id
-      JOIN sys_user_role ur ON ur.role_id = rp.role_id
+      JOIN sys_role r ON r.role_id = rp.role_id
-      WHERE ur.user_id = #{userId}
+      JOIN sys_user_role ur ON ur.role_id = r.role_id
      WHERE ur.user_id = #{userId} AND r.tenant_id = #{tenantId}
      """)
-  List<SysPermission> selectByUserId(@Param("userId") Long userId);
+  List<SysPermission> selectByUserId(@Param("userId") Long userId, @Param("tenantId") Long tenantId);
 }
--- a/backend/src/main/java/com/imeeting/mapper/SysUserMapper.java
+++ b/backend/src/main/java/com/imeeting/mapper/SysUserMapper.java
@ -21,14 +21,25 @@ public interface SysUserMapper extends BaseMapper<SysUser> {
    @Select("SELECT * FROM sys_user WHERE user_id = #{userId} AND is_deleted = 0")
    SysUser selectByIdIgnoreTenant(@Param("userId") Long userId);
    @InterceptorIgnore(tenantLine = "true")
    @Select("<script>" +
        "SELECT u.*, tu.org_id as orgId, tu.tenant_id as tenantId " +
        "FROM sys_user u " +
        "JOIN sys_tenant_user tu ON u.user_id = tu.user_id " +
        "WHERE tu.tenant_id = #{tenantId} " +
        "<if test='orgId != null'> AND tu.org_id = #{orgId} </if> " +
        "AND u.is_deleted = 0 AND tu.is_deleted = 0" +
        "</script>")
    List<SysUser> selectUsersByTenant(@Param("tenantId") Long tenantId, @Param("orgId") Long orgId);
    @InterceptorIgnore(tenantLine = "true")
    @Select("""
-        SELECT u.* 
+        SELECT t.id as tenantId, t.tenant_code as tenantCode, t.tenant_name as tenantName
-        FROM sys_user u 
+        FROM sys_tenant t
-        JOIN sys_tenant t ON u.tenant_id = t.id 
+        JOIN sys_tenant_user tu ON t.id = tu.tenant_id
-        WHERE u.username = #{username} 
+        JOIN sys_user u ON u.user_id = tu.user_id
-          AND t.tenant_code = #{tenantCode} 
+        WHERE u.username = #{username} AND u.is_deleted = 0 AND t.is_deleted = 0
-          AND u.is_deleted = 0
+        ORDER BY t.id ASC
        """)
-    SysUser selectByUsernameAndTenantCode(@Param("username") String username, @Param("tenantCode") String tenantCode);
+    List<com.imeeting.auth.dto.TokenResponse.TenantInfo> selectTenantsByUsername(@Param("username") String username);
 }
--- a/backend/src/main/java/com/imeeting/service/AuthService.java
+++ b/backend/src/main/java/com/imeeting/service/AuthService.java
@ -8,4 +8,5 @@ public interface AuthService {
  TokenResponse refresh(String refreshToken);
  void logout(Long userId, String deviceCode);
  String createDeviceCode(LoginRequest request, String deviceName);
  TokenResponse switchTenant(Long userId, Long targetTenantId, String deviceCode);
 }
--- a/backend/src/main/java/com/imeeting/service/SysPermissionService.java
+++ b/backend/src/main/java/com/imeeting/service/SysPermissionService.java
@ -7,7 +7,7 @@ import java.util.List;
 import java.util.Set;
 public interface SysPermissionService extends IService<SysPermission> {
-  List<SysPermission> listByUserId(Long userId);
+  List<SysPermission> listByUserId(Long userId, Long tenantId);
-  Set<String> listPermissionCodesByUserId(Long userId);
+  Set<String> listPermissionCodesByUserId(Long userId, Long tenantId);
 }
--- a/backend/src/main/java/com/imeeting/service/SysUserService.java
+++ b/backend/src/main/java/com/imeeting/service/SysUserService.java
@ -10,8 +10,16 @@ import java.util.List;
 public interface SysUserService extends IService<SysUser> {
-    List<SysUser> listUsersByRoleId(Long roleId);
+        List<SysUser> listUsersByRoleId(Long roleId);
        SysUser getByIdIgnoreTenant(Long userId);
        List<SysUser> listUsersByTenant(Long tenantId, Long orgId);
      }
 }
--- a/backend/src/main/java/com/imeeting/service/impl/AuthServiceImpl.java
+++ b/backend/src/main/java/com/imeeting/service/impl/AuthServiceImpl.java
@ -71,20 +71,51 @@ public class AuthServiceImpl implements AuthService {
        validateCaptcha(request.getCaptchaId(), request.getCaptchaCode());
      }
-      SysUser user;
+      SysUser user = sysUserMapper.selectByUsernameIgnoreTenant(request.getUsername());
      if (request.getTenantCode() == null || request.getTenantCode().trim().isEmpty()) {
          // 平台管理登录逻辑 (全局搜索)
          user = sysUserMapper.selectByUsernameIgnoreTenant(request.getUsername());
          if (user != null && !Boolean.TRUE.equals(user.getIsPlatformAdmin())) {
              throw new IllegalArgumentException("非平台管理账号请提供租户编码");
          }
      } else {
          // 租户用户登录逻辑 (按租户搜索)
          user = sysUserMapper.selectByUsernameAndTenantCode(request.getUsername(), request.getTenantCode().trim());
      }
      if (user == null || user.getStatus() != 1 || !passwordEncoder.matches(request.getPassword(), user.getPasswordHash())) {
-        throw new IllegalArgumentException("用户名、密码或租户编码错误");
+        throw new IllegalArgumentException("用户名或密码错误");
      }
      // 获取该用户关联的所有租户
      java.util.List<TokenResponse.TenantInfo> availableTenants = sysUserMapper.selectTenantsByUsername(user.getUsername());
      // 如果是平台管理员，且没有在租户列表中，手动添加系统租户(ID=0)
      if (Boolean.TRUE.equals(user.getIsPlatformAdmin())) {
          boolean hasSystemTenant = availableTenants.stream().anyMatch(t -> t.getTenantId() == 0L);
          if (!hasSystemTenant) {
              availableTenants.add(0, TokenResponse.TenantInfo.builder()
                  .tenantId(0L).tenantCode("SYSTEM").tenantName("系统平台").build());
          }
      }
      if (availableTenants.isEmpty()) {
          throw new IllegalArgumentException("该账号未关联任何租户");
      }
      // 确定当前租户：
      // 1. 如果请求指定了租户，且用户属于该租户，则使用该租户
      // 2. 否则，如果用户是平台管理员，默认进入系统租户(0)
      // 3. 否则，使用第一个非0的业务租户
      Long activeTenantId = null;
      if (request.getTenantCode() != null && !request.getTenantCode().trim().isEmpty()) {
          String tc = request.getTenantCode().trim();
          activeTenantId = availableTenants.stream()
              .filter(t -> t.getTenantCode().equals(tc))
              .map(TokenResponse.TenantInfo::getTenantId)
              .findFirst()
              .orElseThrow(() -> new IllegalArgumentException("您不属于指定的租户: " + tc));
      } else {
          if (Boolean.TRUE.equals(user.getIsPlatformAdmin())) {
              activeTenantId = 0L;
          } else {
              // 优先选择非0的租户
              activeTenantId = availableTenants.stream()
                  .map(TokenResponse.TenantInfo::getTenantId)
                  .filter(id -> id != 0L)
                  .findFirst()
                  .orElse(availableTenants.get(0).getTenantId());
          }
      }
      String deviceCode = request.getDeviceCode();
@ -107,10 +138,11 @@ public class AuthServiceImpl implements AuthService {
      if (deviceCode == null || deviceCode.isEmpty()) {
        deviceCode = "default";
      }
-      TokenResponse tokens = issueTokens(user, deviceCode, accessMinutes, refreshDays);
+      TokenResponse tokens = issueTokens(user, activeTenantId, deviceCode, accessMinutes, refreshDays);
      tokens.setAvailableTenants(availableTenants);
      cacheRefreshToken(user.getUserId(), deviceCode, tokens.getRefreshToken(), refreshDays);
-      recordLoginLog(user.getUserId(), user.getTenantId(), user.getUsername(), 1, "登录成功", System.currentTimeMillis() - start);
+      recordLoginLog(user.getUserId(), activeTenantId, user.getUsername(), 1, "登录成功", System.currentTimeMillis() - start);
      return tokens;
    } catch (Exception e) {
      recordLoginLog(null, null, request.getUsername(), 0, e.getMessage(), System.currentTimeMillis() - start);
@ -141,6 +173,7 @@ public class AuthServiceImpl implements AuthService {
      throw new IllegalArgumentException("无效的刷新令牌");
    }
    Long userId = claims.get("userId", Long.class);
    Long tenantId = claims.get("tenantId", Long.class);
    String deviceCode = claims.get("deviceCode", String.class);
    String cached = stringRedisTemplate.opsForValue().get(RedisKeys.refreshTokenKey(userId, deviceCode));
    if (cached == null || !cached.equals(refreshToken)) {
@ -152,12 +185,54 @@ public class AuthServiceImpl implements AuthService {
    long refreshDays = parseLong(sysParamService.getParamValue("security.token.refresh_ttl_days",
        String.valueOf(refreshDefaultDays)), refreshDefaultDays);
-    SysUser user = sysUserService.getById(userId);
+    SysUser user = sysUserMapper.selectByIdIgnoreTenant(userId);
-    TokenResponse tokens = issueTokens(user, deviceCode, accessMinutes, refreshDays);
+    TokenResponse tokens = issueTokens(user, tenantId, deviceCode, accessMinutes, refreshDays);
    cacheRefreshToken(userId, deviceCode, tokens.getRefreshToken(), refreshDays);
    return tokens;
  }
  @Override
  public TokenResponse switchTenant(Long userId, Long targetTenantId, String deviceCode) {
    SysUser user = sysUserMapper.selectByIdIgnoreTenant(userId);
    if (user == null) {
      throw new IllegalArgumentException("用户不存在");
    }
    // 校验权限：平台管理员可以直接进入租户0，或者用户确实关联了目标租户
    boolean hasAccess = false;
    if (targetTenantId == 0L && Boolean.TRUE.equals(user.getIsPlatformAdmin())) {
        hasAccess = true;
    } else {
        java.util.List<TokenResponse.TenantInfo> tenants = sysUserMapper.selectTenantsByUsername(user.getUsername());
        hasAccess = tenants.stream().anyMatch(t -> t.getTenantId().equals(targetTenantId));
    }
    if (!hasAccess) {
      throw new IllegalArgumentException("您不属于目标租户");
    }
    long accessMinutes = parseLong(sysParamService.getParamValue("security.token.access_ttl_minutes",
        String.valueOf(accessDefaultMinutes)), accessDefaultMinutes);
    long refreshDays = parseLong(sysParamService.getParamValue("security.token.refresh_ttl_days",
        String.valueOf(refreshDefaultDays)), refreshDefaultDays);
    TokenResponse tokens = issueTokens(user, targetTenantId, deviceCode, accessMinutes, refreshDays);
    cacheRefreshToken(userId, deviceCode, tokens.getRefreshToken(), refreshDays);
    // 重新获取该用户关联的所有租户信息返回
    java.util.List<TokenResponse.TenantInfo> availableTenants = sysUserMapper.selectTenantsByUsername(user.getUsername());
    if (Boolean.TRUE.equals(user.getIsPlatformAdmin())) {
        boolean hasSystemTenant = availableTenants.stream().anyMatch(t -> t.getTenantId() == 0L);
        if (!hasSystemTenant) {
            availableTenants.add(0, TokenResponse.TenantInfo.builder()
                .tenantId(0L).tenantCode("SYSTEM").tenantName("系统平台").build());
        }
    }
    tokens.setAvailableTenants(availableTenants);
    return tokens;
  }
  @Override
  public void logout(Long userId, String deviceCode) {
    stringRedisTemplate.delete(RedisKeys.refreshTokenKey(userId, deviceCode));
@ -169,15 +244,10 @@ public class AuthServiceImpl implements AuthService {
      validateCaptcha(request.getCaptchaId(), request.getCaptchaCode());
    }
-    SysUser user;
+    SysUser user = sysUserMapper.selectByUsernameIgnoreTenant(request.getUsername());
    if (request.getTenantCode() == null || request.getTenantCode().trim().isEmpty()) {
        user = sysUserMapper.selectByUsernameIgnoreTenant(request.getUsername());
    } else {
        user = sysUserMapper.selectByUsernameAndTenantCode(request.getUsername(), request.getTenantCode().trim());
    }
    if (user == null || user.getStatus() != 1 || !passwordEncoder.matches(request.getPassword(), user.getPasswordHash())) {
-      throw new IllegalArgumentException("用户名、密码或租户编码错误");
+      throw new IllegalArgumentException("用户名或密码错误");
    }
    String deviceCode = UUID.randomUUID().toString().replace("-", "");
@ -227,23 +297,28 @@ public class AuthServiceImpl implements AuthService {
    return Boolean.parseBoolean(value);
  }
-  private TokenResponse issueTokens(SysUser user, String deviceCode, long accessMinutes, long refreshDays) {
+  private TokenResponse issueTokens(SysUser user, Long tenantId, String deviceCode, long accessMinutes, long refreshDays) {
    Map<String, Object> accessClaims = new HashMap<>();
    accessClaims.put("tokenType", "access");
    accessClaims.put("userId", user.getUserId());
-    accessClaims.put("tenantId", user.getTenantId());
+    accessClaims.put("tenantId", tenantId);
    accessClaims.put("username", user.getUsername());
    accessClaims.put("deviceCode", deviceCode);
    Map<String, Object> refreshClaims = new HashMap<>();
    refreshClaims.put("tokenType", "refresh");
    refreshClaims.put("userId", user.getUserId());
-    refreshClaims.put("tenantId", user.getTenantId());
+    refreshClaims.put("tenantId", tenantId);
    refreshClaims.put("deviceCode", deviceCode);
    String access = jwtTokenProvider.createToken(accessClaims, Duration.ofMinutes(accessMinutes).toMillis());
    String refresh = jwtTokenProvider.createToken(refreshClaims, Duration.ofDays(refreshDays).toMillis());
-    return new TokenResponse(access, refresh, accessMinutes, refreshDays);
+    return TokenResponse.builder()
        .accessToken(access)
        .refreshToken(refresh)
        .accessExpiresInMinutes(accessMinutes)
        .refreshExpiresInDays(refreshDays)
        .build();
  }
  private void cacheRefreshToken(Long userId, String deviceCode, String refreshToken, long refreshDays) {
--- a/backend/src/main/java/com/imeeting/service/impl/SysOrgServiceImpl.java
+++ b/backend/src/main/java/com/imeeting/service/impl/SysOrgServiceImpl.java
@ -13,6 +13,9 @@ public class SysOrgServiceImpl extends ServiceImpl<SysOrgMapper, SysOrg> impleme
    @Override
    public List<SysOrg> listTree(Long tenantId) {
        LambdaQueryWrapper<SysOrg> query = new LambdaQueryWrapper<>();
        if (tenantId != null) {
            query.eq(SysOrg::getTenantId, tenantId);
        }
        query.orderByAsc(SysOrg::getSortOrder);
        return list(query);
    }
--- a/backend/src/main/java/com/imeeting/service/impl/SysPermissionServiceImpl.java
+++ b/backend/src/main/java/com/imeeting/service/impl/SysPermissionServiceImpl.java
@ -23,32 +23,25 @@ public class SysPermissionServiceImpl extends ServiceImpl<SysPermissionMapper, S
  }
  @Override
-  public List<SysPermission> listByUserId(Long userId) {
+  public List<SysPermission> listByUserId(Long userId, Long tenantId) {
    if (userId == null) {
      return List.of();
    }
-    // Get current login user from Security Context
+    SysUser user = sysUserService.getByIdIgnoreTenant(userId);
-    org.springframework.security.core.Authentication auth = org.springframework.security.core.context.SecurityContextHolder.getContext().getAuthentication();
+    if (user != null && Boolean.TRUE.equals(user.getIsPlatformAdmin()) && Long.valueOf(0).equals(tenantId)) {
    if (auth != null && auth.getPrincipal() instanceof com.imeeting.security.LoginUser) {
      com.imeeting.security.LoginUser loginUser = (com.imeeting.security.LoginUser) auth.getPrincipal();
      // If current user is Platform Admin (tenantId=0 & isPlatformAdmin=true), return all permissions
      if (Boolean.TRUE.equals(loginUser.getIsPlatformAdmin()) && Long.valueOf(0).equals(loginUser.getTenantId())) {
        return list();
      }
    }
-    // Fallback or specific user logic (for tenant users or internal calls)
+    // 如果没有指定租户，或者租户为0但用户不是平台管理员，则返回空或按默认逻辑（通常需要指定租户）
-    if (userId == 1L) {
+    if (tenantId == null) return List.of();
      return list();
    }
-    return baseMapper.selectByUserId(userId);
+    return baseMapper.selectByUserId(userId, tenantId);
  }
  @Override
-  public Set<String> listPermissionCodesByUserId(Long userId) {
+  public Set<String> listPermissionCodesByUserId(Long userId, Long tenantId) {
-    List<SysPermission> perms = listByUserId(userId);
+    List<SysPermission> perms = listByUserId(userId, tenantId);
    return perms.stream()
        .map(SysPermission::getCode)
        .filter(code -> code != null && !code.isEmpty())
--- a/backend/src/main/java/com/imeeting/service/impl/SysUserServiceImpl.java
+++ b/backend/src/main/java/com/imeeting/service/impl/SysUserServiceImpl.java
@ -17,6 +17,16 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
        return baseMapper.selectUsersByRoleId(roleId);
    }
    @Override
    public SysUser getByIdIgnoreTenant(Long userId) {
        return baseMapper.selectByIdIgnoreTenant(userId);
    }
    @Override
    public List<SysUser> listUsersByTenant(Long tenantId, Long orgId) {
        return baseMapper.selectUsersByTenant(tenantId, orgId);
    }
    @Override
    public boolean save(SysUser entity) {
        validateUniqueUsername(entity);
@ -40,7 +50,7 @@ public class SysUserServiceImpl extends ServiceImpl<SysUserMapper, SysUser> impl
        }
        if (count(query) > 0) {
-            throw new IllegalArgumentException("该租户下已存在名为 [" + user.getUsername() + "] 的用户");
+            throw new IllegalArgumentException("用户名 [" + user.getUsername() + "] 已被占用");
        }
    }
 }
--- a/frontend/src/api/auth.ts
+++ b/frontend/src/api/auth.ts
@ -5,11 +5,18 @@ export interface CaptchaResponse {
  imageBase64: string;
 }
 export interface TenantInfo {
  tenantId: number;
  tenantCode: string;
  tenantName: string;
 }
 export interface TokenResponse {
  accessToken: string;
  refreshToken: string;
  accessExpiresInMinutes: number;
  refreshExpiresInDays: number;
  availableTenants?: TenantInfo[];
 }
 export interface LoginPayload {
@ -48,3 +55,8 @@ export async function refreshToken(refreshToken: string) {
  const resp = await http.post("/auth/refresh", { refreshToken });
  return resp.data.data as TokenResponse;
 }
 export async function switchTenant(tenantId: number) {
  const resp = await http.post(`/auth/switch-tenant?tenantId=${tenantId}`);
  return resp.data.data as TokenResponse;
 }
--- a/frontend/src/api/http.ts
+++ b/frontend/src/api/http.ts
@ -18,7 +18,10 @@ http.interceptors.response.use(
  (resp) => {
    const body = resp.data;
    if (body && body.code !== "0") {
-      return Promise.reject(new Error(body.msg || "请求失败"));
+      const err = new Error(body.msg || "请求失败");
      (err as any).code = body.code;
      (err as any).msg = body.msg;
      return Promise.reject(err);
    }
    return resp;
  },
@ -31,6 +34,16 @@ http.interceptors.response.use(
      // Force redirect to login with timeout flag
      window.location.href = "/login?timeout=1";
    }
    // Process backend error message if available in response body even for non-200 status
    const body = error.response?.data;
    if (body && body.msg) {
        const err = new Error(body.msg);
        (err as any).code = body.code;
        (err as any).msg = body.msg;
        return Promise.reject(err);
    }
    return Promise.reject(error);
  }
 );
--- a/frontend/src/api/index.ts
+++ b/frontend/src/api/index.ts
@ -22,6 +22,11 @@ export async function deleteUser(id: number) {
  return resp.data.data as boolean;
 }
 export async function getUserDetail(id: number) {
  const resp = await http.get(`/api/users/${id}`);
  return resp.data.data as SysUser;
 }
 export async function listRoles() {
  const resp = await http.get("/api/roles");
  return resp.data.data as SysRole[];
--- a/frontend/src/layouts/AppLayout.tsx
+++ b/frontend/src/layouts/AppLayout.tsx
@ -1,5 +1,5 @@
-import { Layout, Menu, Button, Space, Avatar, Dropdown, message, type MenuProps } from "antd";
+import { Layout, Menu, Button, Space, Avatar, Dropdown, message, type MenuProps, Select } from "antd";
-import { useEffect, useState } from "react";
+import { useEffect, useState, useMemo } from "react";
 import { Link, Outlet, useLocation, useNavigate } from "react-router-dom";
 import { useTranslation } from "react-i18next";
 import { 
@ -14,11 +14,13 @@ import {
  MenuFoldOutlined,
  BellOutlined,
  SettingOutlined,
-  GlobalOutlined
+  GlobalOutlined,
  ShopOutlined
 } from "@ant-design/icons";
 import { useAuth } from "../hooks/useAuth";
 import { usePermission } from "../hooks/usePermission";
-import { listMyPermissions } from "../api";
+import { listMyPermissions, getCurrentUser } from "../api";
 import { switchTenant, type TenantInfo } from "../api/auth";
 import { SysPermission } from "../types";
 const { Header, Sider, Content } = Layout;
@ -36,13 +38,34 @@ export default function AppLayout() {
  const { t, i18n } = useTranslation();
  const [collapsed, setCollapsed] = useState(false);
  const [menus, setMenus] = useState<SysPermission[]>([]);
  const [availableTenants, setAvailableTenants] = useState<TenantInfo[]>([]);
  const [currentTenantId, setCurrentTenantId] = useState<number | null>(null);
  const location = useLocation();
  const navigate = useNavigate();
  const { logout } = useAuth();
  const { load: loadPermissions } = usePermission();
-  const fetchMenus = async () => {
+  const fetchInitialData = async () => {
    try {
      // Load tenants from localStorage
      const storedTenants = localStorage.getItem("availableTenants");
      if (storedTenants) {
        const tenants = JSON.parse(storedTenants) as TenantInfo[];
        setAvailableTenants(tenants);
      }
      // Get current profile to know current tenant
      const profileStr = sessionStorage.getItem("userProfile");
      if (profileStr) {
        const profile = JSON.parse(profileStr);
        // We need to know which tenant is active. The token has it, 
        // but for UI we can infer from profile if we update profile on switch.
        // For now, let's assume we store activeTenantId in localStorage on login/switch
        const activeId = localStorage.getItem("activeTenantId");
        if (activeId) setCurrentTenantId(Number(activeId));
      }
      const data = await listMyPermissions();
      // Load permissions into localStorage as well
      await loadPermissions();
@ -58,9 +81,31 @@ export default function AppLayout() {
  };
  useEffect(() => {
-    fetchMenus();
+    fetchInitialData();
  }, []);
  const handleSwitchTenant = async (tenantId: number) => {
    try {
      const data = await switchTenant(tenantId);
      localStorage.setItem("accessToken", data.accessToken);
      localStorage.setItem("refreshToken", data.refreshToken);
      localStorage.setItem("activeTenantId", String(tenantId));
      if (data.availableTenants) {
        localStorage.setItem("availableTenants", JSON.stringify(data.availableTenants));
      }
      // Refresh profile
      const profile = await getCurrentUser();
      sessionStorage.setItem("userProfile", JSON.stringify(profile));
      message.success(t('common.success'));
      // Reload to refresh all states and permissions
      window.location.reload();
    } catch (e: any) {
      message.error(e.message || t('common.error'));
    }
  };
  const handleLogout = () => {
    logout();
    navigate("/login");
@ -179,6 +224,22 @@ export default function AppLayout() {
            onClick={() => setCollapsed(!collapsed)}
            style={{ fontSize: '16px', width: 64, height: 64 }}
          />
          <div style={{ flex: 1, display: 'flex', alignItems: 'center', paddingLeft: 12 }}>
            {availableTenants.length > 0 && (
              <Select
                value={currentTenantId}
                onChange={handleSwitchTenant}
                style={{ width: 200 }}
                placeholder="切换租户"
                variant="borderless"
                suffixIcon={<ShopOutlined />}
                options={availableTenants.map(t => ({
                  label: t.tenantName,
                  value: t.tenantId
                }))}
              />
            )}
          </div>
          <Space size={20}>
            <Dropdown menu={{ items: langMenuItems }} placement="bottomRight">
              <GlobalOutlined style={{ fontSize: '18px', color: '#666', cursor: 'pointer' }} />
--- a/frontend/src/pages/Login.tsx
+++ b/frontend/src/pages/Login.tsx
@ -66,6 +66,15 @@ export default function Login() {
      localStorage.setItem("accessToken", data.accessToken);
      localStorage.setItem("refreshToken", data.refreshToken);
      localStorage.setItem("username", values.username);
      if (data.availableTenants) {
        localStorage.setItem("availableTenants", JSON.stringify(data.availableTenants));
        // We should infer activeTenantId from token or just use the first/default logic
        // For simplicity, we can parse the JWT to get tenantId, or backend can return it.
        // Let's assume for now we use the first one if not platform admin, or the backend logic.
        // Actually, if we use a helper to parse JWT:
        const payload = JSON.parse(atob(data.accessToken.split('.')[1]));
        localStorage.setItem("activeTenantId", String(payload.tenantId));
      }
      try {
        const profile = await getCurrentUser();
        sessionStorage.setItem("userProfile", JSON.stringify(profile));
@ -125,18 +134,6 @@ export default function Login() {
            requiredMark={false}
            autoComplete="off"
          >
            <Form.Item
              name="tenantCode"
              rules={[{ required: false }]}
            >
              <Input 
                size="large" 
                prefix={<ShopOutlined className="text-gray-400" aria-hidden="true" />}
                placeholder={t('login.tenantCodePlaceholder')} 
                aria-label={t('login.tenantCode')}
              />
            </Form.Item>
            <Form.Item
              name="username"
              rules={[{ required: true, message: t('login.username') }]}
--- a/frontend/src/pages/Orgs.tsx
+++ b/frontend/src/pages/Orgs.tsx
@ -65,6 +65,18 @@ export default function Orgs() {
  const [tenants, setTenants] = useState<SysTenant[]>([]);
  const [selectedTenantId, setSelectedTenantId] = useState<number | undefined>(undefined);
  // Platform admin check
  const isPlatformMode = useMemo(() => {
    const profileStr = sessionStorage.getItem("userProfile");
    if (profileStr) {
      const profile = JSON.parse(profileStr);
      return profile.isPlatformAdmin && localStorage.getItem("activeTenantId") === "0";
    }
    return false;
  }, []);
  const activeTenantId = useMemo(() => Number(localStorage.getItem("activeTenantId") || 0), []);
  const [drawerOpen, setDrawerOpen] = useState(false);
  const [editing, setEditing] = useState<SysOrg | null>(null);
  const [form] = Form.useForm();
@ -74,7 +86,10 @@ export default function Orgs() {
      const resp = await listTenants({ current: 1, size: 100 });
      const list = resp.records || [];
      setTenants(list);
-      if (list.length > 0 && selectedTenantId === undefined) {
+      
      if (!isPlatformMode) {
        setSelectedTenantId(activeTenantId);
      } else if (list.length > 0 && selectedTenantId === undefined) {
        setSelectedTenantId(list[0].id);
      }
    } catch (e) {
@ -219,20 +234,22 @@ export default function Orgs() {
        )}
      </div>
-      <Card className="shadow-sm mb-4">
+      {isPlatformMode && (
-        <Space>
+        <Card className="shadow-sm mb-4">
-          <Text strong>{t('users.tenant')}：</Text>
+          <Space>
-          <Select
+            <Text strong>{t('users.tenant')}：</Text>
-            style={{ width: 220 }}
+            <Select
-            placeholder={t('orgs.selectTenant')}
+              style={{ width: 220 }}
-            value={selectedTenantId}
+              placeholder={t('orgs.selectTenant')}
-            onChange={setSelectedTenantId}
+              value={selectedTenantId}
-            options={tenants.map(t => ({ label: t.tenantName, value: t.id }))}
+              onChange={setSelectedTenantId}
-            suffixIcon={<ShopOutlined aria-hidden="true" />}
+              options={tenants.map(t => ({ label: t.tenantName, value: t.id }))}
-          />
+              suffixIcon={<ShopOutlined aria-hidden="true" />}
-          <Button icon={<ReloadOutlined aria-hidden="true" />} onClick={loadOrgs}>{t('common.refresh')}</Button>
+            />
-        </Space>
+            <Button icon={<ReloadOutlined aria-hidden="true" />} onClick={loadOrgs}>{t('common.refresh')}</Button>
-      </Card>
+          </Space>
        </Card>
      )}
      <Card className="shadow-sm" styles={{ body: { padding: 0 } }}>
        {selectedTenantId !== undefined ? (
@ -271,9 +288,19 @@ export default function Orgs() {
        }
      >
        <Form form={form} layout="vertical">
-          <Form.Item label={t('users.tenant')} name="tenantId" rules={[{ required: true }]}>
+          <Form.Item 
            label={t('users.tenant')} 
            name="tenantId" 
            rules={[{ required: true }]}
            hidden={!isPlatformMode}
          >
            <Select disabled options={tenants.map(t => ({ label: t.tenantName, value: t.id }))} />
          </Form.Item>
          {!isPlatformMode && (
            <Form.Item label={t('users.tenant')}>
              <Input value={tenants.find(t => t.id === activeTenantId)?.tenantName || "当前租户"} disabled />
            </Form.Item>
          )}
          <Form.Item label={t('orgs.parentOrg')} name="parentId">
            <Select 
--- a/frontend/src/pages/Permissions.tsx
+++ b/frontend/src/pages/Permissions.tsx
@ -102,7 +102,7 @@ export default function Permissions() {
  const parentOptions = useMemo(() => {
    return data
-      .filter((p) => p.permType === "menu" && (p.level === 1 || !p.parentId))
+      .filter((p) => p.permType === "menu")
      .map((p) => ({ value: p.permId, label: p.name }));
  }, [data]);
@ -119,6 +119,20 @@ export default function Permissions() {
    setOpen(true);
  };
  const openAddChild = (record: SysPermission) => {
    setEditing(null);
    form.resetFields();
    form.setFieldsValue({ 
      parentId: record.permId, 
      level: Math.min((record.level || 1) + 1, 3),
      permType: record.level === 1 ? "menu" : "button",
      status: 1, 
      isVisible: 1, 
      sortOrder: 0 
    });
    setOpen(true);
  };
  const submit = async () => {
    try {
      const values = await form.validateFields();
@ -229,10 +243,20 @@ export default function Permissions() {
    },
    {
      title: t('common.action'),
-      width: 120,
+      width: 150,
      fixed: "right" as const,
      render: (_: any, record: SysPermission) => (
        <Space>
          {can("sys_permission:create") && record.permType === 'menu' && (
            <Tooltip title="添加子项">
              <Button 
                type="text" 
                size="small" 
                icon={<PlusOutlined aria-hidden="true" />} 
                onClick={() => openAddChild(record)}
              />
            </Tooltip>
          )}
          {can("sys_permission:update") && (
            <Button 
              type="text" 
@ -363,6 +387,9 @@ export default function Permissions() {
            if (changed.level === 1) {
              form.setFieldsValue({ parentId: undefined });
            }
            if (changed.level === 3) {
              form.setFieldsValue({ permType: "button" });
            }
          }}
        >
          <Row gutter={16}>
@ -371,6 +398,7 @@ export default function Permissions() {
                <Select aria-label={t('permissions.level')}>
                  <Select.Option value={1}>一级入口</Select.Option>
                  <Select.Option value={2}>二级子项</Select.Option>
                  <Select.Option value={3}>三级按钮</Select.Option>
                </Select>
              </Form.Item>
            </Col>
@ -387,8 +415,8 @@ export default function Permissions() {
            dependencies={["level"]}
            rules={[
              ({ getFieldValue }) => ({
-                required: getFieldValue("level") === 2,
+                required: getFieldValue("level") > 1,
-                message: "二级子项必须选择父级菜单"
+                message: "非一级入口必须选择父级"
              })
            ]}
          >
@ -397,7 +425,7 @@ export default function Permissions() {
              showSearch
              placeholder={level === 1 ? "一级入口无须父级" : "请选择父级菜单…"}
              options={parentOptions}
-              disabled={level !== 2}
+              disabled={level === 1}
              aria-label={t('permissions.parentId')}
            />
          </Form.Item>
--- a/frontend/src/pages/Roles.tsx
+++ b/frontend/src/pages/Roles.tsx
@ -106,6 +106,18 @@ export default function Roles() {
  const [permissions, setPermissions] = useState<SysPermission[]>([]);
  const [selectedRole, setSelectedRole] = useState<SysRole | null>(null);
  // Platform admin check
  const isPlatformMode = useMemo(() => {
    const profileStr = sessionStorage.getItem("userProfile");
    if (profileStr) {
      const profile = JSON.parse(profileStr);
      return profile.isPlatformAdmin && localStorage.getItem("activeTenantId") === "0";
    }
    return false;
  }, []);
  const activeTenantId = useMemo(() => Number(localStorage.getItem("activeTenantId") || 0), []);
  // Right side states
  const [selectedPermIds, setSelectedPermIds] = useState<number[]>([]);
  const [halfCheckedIds, setHalfCheckedIds] = useState<number[]>([]);
@ -120,14 +132,28 @@ export default function Roles() {
  // Search
  const [searchText, setSearchText] = useState("");
  const [filterTenantId, setFilterTenantId] = useState<number | undefined>(undefined);
  // Drawer (Only for Add/Edit basic info)
  const [drawerOpen, setDrawerOpen] = useState(false);
  const [editing, setEditing] = useState<SysRole | null>(null);
  const [tenants, setTenants] = useState<SysTenant[]>([]);
  const [form] = Form.useForm();
  const { can } = usePermission();
  const loadTenants = async () => {
    if (!isPlatformMode) return;
    try {
      const resp = await (await import("../api")).listTenants({ current: 1, size: 100 });
      setTenants(resp.records || []);
    } catch (e) {}
  };
  useEffect(() => {
    loadTenants();
  }, [isPlatformMode]);
  const permissionTreeData = useMemo(
    () => toTreeData(buildPermissionTree(permissions), t),
    [permissions, t]
@ -193,7 +219,14 @@ export default function Roles() {
    setLoading(true);
    try {
      const list = await listRoles();
-      const roles = list || [];
+      let roles = list || [];
      if (isPlatformMode && filterTenantId !== undefined) {
          roles = roles.filter(r => r.tenantId === filterTenantId);
      } else if (!isPlatformMode) {
          roles = roles.filter(r => r.tenantId === activeTenantId);
      }
      setData(roles);
      if (roles.length > 0 && !selectedRole) {
        selectRole(roles[0]);
@ -260,7 +293,10 @@ export default function Roles() {
  const openCreate = () => {
    setEditing(null);
    form.resetFields();
-    form.setFieldsValue({ status: 1 });
+    form.setFieldsValue({ 
      status: 1,
      tenantId: isPlatformMode ? undefined : activeTenantId
    });
    setDrawerOpen(true);
  };
@ -291,7 +327,8 @@ export default function Roles() {
        roleCode: editing?.roleCode || values.roleCode || generateRoleCode(),
        roleName: values.roleName,
        remark: values.remark,
-        status: values.status ?? DEFAULT_STATUS
+        status: values.status ?? DEFAULT_STATUS,
        tenantId: values.tenantId
      };
      if (editing) {
@ -344,7 +381,17 @@ export default function Roles() {
              </Button>
            )}
          >
-            <div className="mb-4">
+            <div className="mb-4 flex gap-2">
              {isPlatformMode && (
                <Select
                  placeholder={t('users.tenantFilter')}
                  style={{ width: 150 }}
                  allowClear
                  value={filterTenantId}
                  onChange={setFilterTenantId}
                  options={tenants.map(t => ({ label: t.tenantName, value: t.id }))}
                />
              )}
              <Input
                placeholder={t('roles.searchPlaceholder')}
                prefix={<SearchOutlined aria-hidden="true" />}
@ -578,6 +625,22 @@ export default function Roles() {
        }
      >
        <Form form={form} layout="vertical">
          <Form.Item 
            label={t('users.tenant')} 
            name="tenantId" 
            rules={[{ required: true }]}
            hidden={!isPlatformMode}
          >
            <Select 
              options={tenants.map(t => ({ label: t.tenantName, value: t.id }))} 
              disabled={!!editing}
            />
          </Form.Item>
          {!isPlatformMode && (
            <Form.Item label={t('users.tenant')}>
              <Input value={tenants.find(t => t.id === activeTenantId)?.tenantName || "当前租户"} disabled />
            </Form.Item>
          )}
          <Form.Item label={t('roles.roleName')} name="roleName" rules={[{ required: true }]}>
            <Input placeholder={t('roles.roleName')} />
          </Form.Item>
--- a/frontend/src/pages/Users.tsx
+++ b/frontend/src/pages/Users.tsx
@ -38,7 +38,8 @@ import {
  UserOutlined,
  ShopOutlined,
  ApartmentOutlined,
-  ReloadOutlined
+  ReloadOutlined,
  MinusCircleOutlined
 } from "@ant-design/icons";
 import type { SysRole, SysUser, SysTenant, SysOrg } from "../types";
 import "./Users.css";
@ -65,6 +66,39 @@ function buildOrgTree(list: SysOrg[]): any[] {
  return roots;
 }
 const MembershipOrgSelect = ({ fieldProps, name, tenantId }: { fieldProps: any, name: number, tenantId?: number }) => {
  const { t } = useTranslation();
  const [orgs, setOrgs] = useState<any[]>([]);
  const [loading, setLoading] = useState(false);
  useEffect(() => {
    if (tenantId) {
      setLoading(true);
      listOrgs(tenantId).then(data => {
        setOrgs(buildOrgTree(data || []));
      }).finally(() => setLoading(false));
    } else {
      setOrgs([]);
    }
  }, [tenantId]);
  return (
    <Form.Item
      {...fieldProps}
      label={t('users.orgNode')}
      name={[name, 'orgId']}
    >
      <TreeSelect
        placeholder="选择部门"
        allowClear
        treeData={orgs}
        loading={loading}
        disabled={!tenantId}
      />
    </Form.Item>
  );
 };
 export default function Users() {
  const { t } = useTranslation();
  const { can } = usePermission();
@ -75,6 +109,18 @@ export default function Users() {
  const [tenants, setTenants] = useState<SysTenant[]>([]);
  const [orgs, setOrgs] = useState<SysOrg[]>([]);
  // Platform admin check
  const isPlatformMode = useMemo(() => {
    const profileStr = sessionStorage.getItem("userProfile");
    if (profileStr) {
      const profile = JSON.parse(profileStr);
      return profile.isPlatformAdmin && localStorage.getItem("activeTenantId") === "0";
    }
    return false;
  }, []);
  const activeTenantId = useMemo(() => Number(localStorage.getItem("activeTenantId") || 0), []);
  // Search state
  const [searchText, setSearchText] = useState("");
  const [filterTenantId, setFilterTenantId] = useState<number | undefined>(undefined);
@ -151,23 +197,31 @@ export default function Users() {
  const openCreate = () => {
    setEditing(null);
    form.resetFields();
-    form.setFieldsValue({ status: 1, roleIds: [], isPlatformAdmin: false });
+    form.setFieldsValue({ 
      status: 1, 
      roleIds: [], 
      isPlatformAdmin: false,
      tenantId: isPlatformMode ? undefined : activeTenantId,
      memberships: isPlatformMode ? [] : [{ tenantId: activeTenantId }]
    });
    setDrawerOpen(true);
  };
  const openEdit = async (record: SysUser) => {
    setEditing(record);
    try {
      // Fetch full detail including memberships
      const detail = await (await import("../api")).getUserDetail(record.userId);
      const roleIds = await listUserRoles(record.userId);
-      // Ensure orgs for the tenant are loaded
+      
      if (record.tenantId) {
          const orgList = await listOrgs(record.tenantId);
          setOrgs(orgList || []);
      }
      form.setFieldsValue({
-        ...record,
+        ...detail,
        roleIds: roleIds || [],
-        password: "" 
+        password: "",
        // For compatibility with single tenant view if needed
        tenantId: detail.tenantId || (detail.memberships?.[0]?.tenantId),
        orgId: detail.orgId || (detail.memberships?.[0]?.orgId),
        memberships: detail.memberships || []
      });
      setDrawerOpen(true);
    } catch (e) {
@ -196,11 +250,15 @@ export default function Users() {
        email: values.email,
        phone: values.phone,
        status: values.status,
-        tenantId: values.tenantId,
+        isPlatformAdmin: values.isPlatformAdmin,
-        orgId: values.orgId,
+        memberships: values.memberships || []
        isPlatformAdmin: values.isPlatformAdmin
      };
      // If single tenant view, ensure current active tenant is included
      if (!isPlatformMode && userPayload.memberships!.length === 0) {
          userPayload.memberships = [{ tenantId: activeTenantId, orgId: values.orgId } as any];
      }
      if (values.password) {
        userPayload.passwordHash = values.password;
      }
@ -251,20 +309,40 @@ export default function Users() {
    {
      title: t('users.org'),
      key: "org",
-      render: (_: any, record: SysUser) => (
+      render: (_: any, record: SysUser) => {
-        <div className="flex flex-col gap-1">
+        // Platform mode: show all tenants as tags
-          <Space size={4} style={{ fontSize: 13 }}>
+        if (isPlatformMode && record.memberships && record.memberships.length > 0) {
-            <ShopOutlined style={{ color: '#8c8c8c' }} />
+          return (
-            <span>{tenantMap[record.tenantId] || "未知租户"}</span>
+            <div className="flex flex-col gap-1">
-          </Space>
+              {record.memberships.slice(0, 3).map(m => (
-          {record.orgId && (
+                <Tag key={m.tenantId} color="blue" style={{ margin: 0, padding: '0 4px', fontSize: 11 }}>
-            <Space size={4} style={{ fontSize: 12, color: '#8c8c8c' }}>
+                  {tenantMap[m.tenantId] || `租户${m.tenantId}`}
-              <ApartmentOutlined />
+                </Tag>
-              <span>{orgs.find(o => o.id === record.orgId)?.orgName || "组织节点"}</span>
+              ))}
              {record.memberships.length > 3 && <Text type="secondary" style={{ fontSize: 11 }}>等 {record.memberships.length} 个</Text>}
            </div>
          );
        }
        // Single tenant mode or fallback: show specific tenant and org
        const tid = record.tenantId || record.memberships?.[0]?.tenantId;
        const oid = record.orgId || record.memberships?.[0]?.orgId;
        return (
          <div className="flex flex-col gap-1">
            <Space size={4} style={{ fontSize: 13 }}>
              <ShopOutlined style={{ color: '#8c8c8c' }} />
              <span>{tenantMap[tid || 0] || "未知租户"}</span>
            </Space>
-          )}
+            {oid && (
-        </div>
+              <Space size={4} style={{ fontSize: 12, color: '#8c8c8c' }}>
-      )
+                <ApartmentOutlined />
                <span>关联组织已设置</span>
              </Space>
            )}
          </div>
        );
      }
    },
    {
      title: t('common.status'),
@ -318,15 +396,17 @@ export default function Users() {
      <Card className="users-table-card shadow-sm">
        <div className="users-table-toolbar mb-4">
          <Space size="middle" wrap>
-            <Select
+            {isPlatformMode && (
-              placeholder={t('users.tenantFilter')}
+              <Select
-              style={{ width: 200 }}
+                placeholder={t('users.tenantFilter')}
-              allowClear
+                style={{ width: 200 }}
-              value={filterTenantId}
+                allowClear
-              onChange={setFilterTenantId}
+                value={filterTenantId}
-              options={tenants.map(t => ({ label: t.tenantName, value: t.id }))}
+                onChange={setFilterTenantId}
-              suffixIcon={<ShopOutlined aria-hidden="true" />}
+                options={tenants.map(t => ({ label: t.tenantName, value: t.id }))}
-            />
+                suffixIcon={<ShopOutlined aria-hidden="true" />}
              />
            )}
            <Input
              placeholder={t('users.searchPlaceholder')}
              prefix={<SearchOutlined aria-hidden="true" />}
@ -375,29 +455,7 @@ export default function Users() {
        }
      >
        <Form form={form} layout="vertical" className="user-form">
-          <Row gutter={16}>
+          <Title level={5} style={{ marginBottom: 16 }}>基本信息</Title>
            <Col span={12}>
              <Form.Item label={t('users.tenant')} name="tenantId" rules={[{ required: true, message: t('users.tenant') }]}>
                <Select 
                  placeholder={t('users.tenant')} 
                  showSearch
                  optionFilterProp="label"
                  options={tenants.map(t => ({ label: t.tenantName, value: t.id }))} 
                />
              </Form.Item>
            </Col>
            <Col span={12}>
              <Form.Item label={t('users.orgNode')} name="orgId">
                <TreeSelect
                  placeholder={t('users.orgNode')}
                  allowClear
                  treeData={orgTreeData}
                  disabled={!selectedTenantId}
                />
              </Form.Item>
            </Col>
          </Row>
          <Row gutter={16}>
            <Col span={12}>
              <Form.Item label={t('users.username')} name="username" rules={[{ required: true, message: t('users.username') }]}>
@ -452,6 +510,56 @@ export default function Users() {
              </Form.Item>
            </Col>
          </Row>
          <Title level={5} style={{ marginTop: 24, marginBottom: 16 }}>租户成员身份</Title>
          <Form.List name="memberships">
            {(fields, { add, remove }) => (
              <>
                {fields.map(({ key, name, ...restField }) => (
                  <Card 
                    key={key} 
                    size="small" 
                    className="mb-3" 
                    styles={{ body: { padding: '12px' } }}
                    title={isPlatformMode ? `身份 #${name + 1}` : undefined}
                    extra={isPlatformMode && fields.length > 1 && (
                      <Button type="text" danger icon={<MinusCircleOutlined />} onClick={() => remove(name)} />
                    )}
                  >
                    <Row gutter={12}>
                      <Col span={12}>
                        <Form.Item
                          {...restField}
                          label={t('users.tenant')}
                          name={[name, 'tenantId']}
                          rules={[{ required: true, message: '必填' }]}
                        >
                          <Select 
                            options={tenants.map(t => ({ label: t.tenantName, value: t.id }))} 
                            disabled={!isPlatformMode}
                            placeholder="选择租户"
                          />
                        </Form.Item>
                      </Col>
                      <Col span={12}>
                        <MembershipOrgSelect 
                          fieldProps={{...restField}} 
                          name={name} 
                          tenantId={form.getFieldValue(['memberships', name, 'tenantId'])} 
                        />
                      </Col>
                    </Row>
                  </Card>
                ))}
                {isPlatformMode && (
                  <Button type="dashed" onClick={() => add()} block icon={<PlusOutlined />}>
                    分配到新租户
                  </Button>
                )}
              </>
            )}
          </Form.List>
        </Form>
      </Drawer>
    </div>