
fix(security): 修正权限验证表达式及角色前缀处理

- 修改 BannerInfo 相关接口权限标识,从 bannerInfo 改为 banner-info
- 修正部分定时任务注解为注释,暂停定时任务执行
- 优化 PermissionService 中 Redis 反序列化后权限集合类型判断,统一用 Collection 处理
- 在 RedisTokenManager 中增加角色名前缀处理,防止重复添加 ROLE_ 前缀
- 更改 UserExchangeIntegralRule 权限检查,从 editStatus 改为 edit 标识
wzq 3 viikkoa sitten
vanhempi
commit
3ea0b9b3da

+ 5 - 5
src/main/java/com/zsElectric/boot/business/controller/BannerInfoController.java

@@ -34,7 +34,7 @@ public class BannerInfoController  {
 
     @Operation(summary = "小程序banner图分页列表")
     @GetMapping("/page")
-    @PreAuthorize("@ss.hasPerm('business:bannerInfo:query')")
+    @PreAuthorize("@ss.hasPerm('business:banner-info:query')")
     public PageResult<BannerInfoVO> getBannerInfoPage(BannerInfoQuery queryParams ) {
         IPage<BannerInfoVO> result = bannerInfoService.getBannerInfoPage(queryParams);
         return PageResult.success(result);
@@ -42,7 +42,7 @@ public class BannerInfoController  {
 
     @Operation(summary = "新增小程序banner图")
     @PostMapping
-    @PreAuthorize("@ss.hasPerm('business:bannerInfo:add')")
+    @PreAuthorize("@ss.hasPerm('business:banner-info:add')")
     public Result<Void> saveBannerInfo(@RequestBody @Valid BannerInfoForm formData ) {
         boolean result = bannerInfoService.saveBannerInfo(formData);
         return Result.judge(result);
@@ -50,7 +50,7 @@ public class BannerInfoController  {
 
     @Operation(summary = "获取小程序banner图表单数据")
     @GetMapping("/{id}/form")
-    @PreAuthorize("@ss.hasPerm('business:bannerInfo:edit')")
+    @PreAuthorize("@ss.hasPerm('business:banner-info:edit')")
     public Result<BannerInfoForm> getBannerInfoForm(
         @Parameter(description = "小程序banner图ID") @PathVariable Long id
     ) {
@@ -60,7 +60,7 @@ public class BannerInfoController  {
 
     @Operation(summary = "修改小程序banner图")
     @PutMapping(value = "/{id}")
-    @PreAuthorize("@ss.hasPerm('business:bannerInfo:edit')")
+    @PreAuthorize("@ss.hasPerm('business:banner-info:edit')")
     public Result<Void> updateBannerInfo(
             @Parameter(description = "小程序banner图ID") @PathVariable Long id,
             @RequestBody @Validated BannerInfoForm formData
@@ -71,7 +71,7 @@ public class BannerInfoController  {
 
     @Operation(summary = "删除小程序banner图")
     @DeleteMapping("/{ids}")
-    @PreAuthorize("@ss.hasPerm('business:bannerInfo:delete')")
+    @PreAuthorize("@ss.hasPerm('business:banner-nfo:delete')")
     public Result<Void> deleteBannerInfos(
         @Parameter(description = "小程序banner图ID,多个以英文逗号(,)分割") @PathVariable String ids
     ) {
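Review bot: The permission string on the delete endpoint reads `business:banner-nfo:delete`, which is missing the `i` that the other four hunks in this file use in `banner-info`, so the hasPerm check on deleteBannerInfos can only ever match a misspelled permission code. Assuming the role/menu data is seeded with `business:banner-info:delete`, every caller is denied on that endpoint; if someone later seeds the misspelled code to make it work, it drifts from the naming convention the rest of the commit introduces. Change it to `@PreAuthorize("@ss.hasPerm('business:banner-info:delete')")`. The body of deleteBannerInfos continues outside the hunk.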

+ 1 - 1
src/main/java/com/zsElectric/boot/business/controller/UserExchangeIntegralRuleController.java

@@ -71,7 +71,7 @@ public class UserExchangeIntegralRuleController  {
 
     @Operation(summary = "积分兑换规则启用禁用")
     @PutMapping(value = "/editStatus/{id}")
-    @PreAuthorize("@ss.hasPerm('business:user-exchange-integral-rule:editStatus')")
+    @PreAuthorize("@ss.hasPerm('business:user-exchange-integral-rule:edit')")
     public Result<Void> editStatus(
             @Parameter(description = "积分兑换规则ID") @PathVariable Long id
     ) {
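Review bot: Replacing the dedicated `editStatus` permission with `edit` widens who may enable or disable a rule to every role holding `business:user-exchange-integral-rule:edit`; the commit message lists this as intended, but nothing in the hunk records it, and any `...:editStatus` entry still present in the permission/menu data becomes unreachable. Either remove that entry in the same change or state the decision on the method, e.g. a Javadoc line `Enabling/disabling a rule is governed by the rule's edit permission; there is no separate editStatus permission.` so the next reader does not reintroduce the narrower code. The body of editStatus continues outside the hunk.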

+ 1 - 1
src/main/java/com/zsElectric/boot/business/quartz/CompensateOrderJob.java

@@ -34,7 +34,7 @@ public class CompensateOrderJob {
      * 查找状态为3(已完成)或5(未成功充电)且充电数据为0的订单
      * 优先通过third_party_api_log表获取推送数据,备选通过third_party_charge_status表查询
      */
-    @Scheduled(cron = "0 0/10 * * * ?")
+//    @Scheduled(cron = "0 0/10 * * * ?")
     public void compensateChargeOrder() {
         log.info("开始执行充电订单补偿定时任务");
 
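Review bot: Disabling compensateChargeOrder by commenting out `@Scheduled` leaves no runtime trace that the job is off and is the kind of commented-out code that gets forgotten; the same pattern appears in CouponExpireJob, QueryRefundOrderJob and both ChargingJob hunks. Spring lets the cron be externalized and disabled with the `-` value (Scheduled.CRON_DISABLED), so `@Scheduled(cron = "${<job-cron-property>:-}")` keeps the wiring visible in code and lets each environment opt in through configuration, and the Javadoc can then say the job does not run unless that property is set. The body of compensateChargeOrder continues outside the hunk.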

+ 1 - 1
src/main/java/com/zsElectric/boot/business/quartz/CouponExpireJob.java

@@ -29,7 +29,7 @@ public class CouponExpireJob {
      * 每天凌晨2点执行一次
      * 检查并处理过期的优惠券
      */
-    @Scheduled(cron = "0 0 2 * * ?")
+//    @Scheduled(cron = "0 0 2 * * ?")
     public void processExpiredCoupons() {
         log.info("开始执行优惠券过期处理任务");
 

+ 1 - 1
src/main/java/com/zsElectric/boot/business/quartz/QueryRefundOrderJob.java

@@ -41,7 +41,7 @@ public class QueryRefundOrderJob {
      * 每天凌晨2点执行一次
      * 不为SUCCESS的退款订单任务查询结果
      */
-    @Scheduled(cron = "0 0 01 * * ?")
+//    @Scheduled(cron = "0 0 01 * * ?")
     @Transactional(rollbackFor = Exception.class)
     public void processExpiredCoupons() {
         log.info("开始执行不为SUCCESS的退款订单任务");

+ 2 - 2
src/main/java/com/zsElectric/boot/charging/quartz/ChargingJob.java

@@ -45,7 +45,7 @@ public class ChargingJob {
      * 同步充电站信息
      * 每5分钟执行一次,从第三方接口获取充电站信息并存储到数据库
      */
-    @Scheduled(cron = "0 0/15 * * * ?")
+//    @Scheduled(cron = "0 0/15 * * * ?")
     public void syncStationsInfo() {
         log.info("开始执行充电站信息同步定时任务");
 
@@ -82,7 +82,7 @@ public class ChargingJob {
      * 每10分钟执行一次,查询所有充电桩的价格策略并存储到数据库
      * cron表达式: 0 10 * * * ? 表示每10分钟执行
      */
-    @Scheduled(cron = "0 */10 * * * ?")
+//    @Scheduled(cron = "0 */10 * * * ?")
     public void syncEquipmentPricePolicy() {
         // 检查任务是否正在执行,防止并发
         if (isPricePolicySyncRunning) {
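Review bot: The Javadoc above syncStationsInfo says the job runs every 5 minutes while the cron just commented out, `0 0/15 * * * ?`, is every 15, and the Javadoc in the second hunk quotes `0 10 * * * ?` (minute 10 of every hour) although the expression is `0 */10 * * * ?`; with the annotations disabled these comments are now the only record of the intended schedule, so they should match it. Change the first to read `每15分钟执行一次` and the second's cron line to `cron表达式: 0 */10 * * * ? 表示每10分钟执行`. The `isPricePolicySyncRunning` guard on the last line is declared outside the hunk; if it is a plain boolean field rather than volatile or an AtomicBoolean, it is not a reliable concurrency guard, but that cannot be confirmed from here. Both method bodies continue outside the hunk.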

+ 3 - 2
src/main/java/com/zsElectric/boot/security/service/PermissionService.java

@@ -92,9 +92,10 @@ public class PermissionService {
         List<Object> rolePermsList = redisTemplate.opsForHash().multiGet(RedisConstants.System.ROLE_PERMS, roleCodesAsObjects);
 
         for (Object rolePermsObj : rolePermsList) {
-            if (rolePermsObj instanceof Set) {
+            // Redis 反序列化后可能是 ArrayList 或 Set,统一用 Collection 判断
+            if (rolePermsObj instanceof Collection) {
                 @SuppressWarnings("unchecked")
-                Set<String> rolePerms = (Set<String>) rolePermsObj;
+                Collection<String> rolePerms = (Collection<String>) rolePermsObj;
                 perms.addAll(rolePerms);
             }
         }
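Review bot: The widened cast `Collection<String> rolePerms = (Collection<String>) rolePermsObj;` still trusts that every element of the cached value is a String; under erasure `perms.addAll(rolePerms)` accepts whatever Redis deserialized, and a non-String element would only surface later as a ClassCastException wherever the permissions are compared. Since the cache value is opaque to this code, check each element instead: `for (Object p : (Collection<?>) rolePermsObj) { if (p instanceof String) { perms.add((String) p); } }`, which also removes the need for the unchecked suppression. A null entry in rolePermsList (a role with no cached perms) is silently skipped by the instanceof test, which is presumably intended but worth a comment. The enclosing method, and the declaration of perms, start outside the hunk.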

+ 5 - 1
src/main/java/com/zsElectric/boot/security/token/RedisTokenManager.java

@@ -4,6 +4,7 @@ import cn.hutool.core.collection.CollectionUtil;
 import cn.hutool.core.util.IdUtil;
 import cn.hutool.core.util.StrUtil;
 import com.zsElectric.boot.common.constant.RedisConstants;
+import com.zsElectric.boot.common.constant.SecurityConstants;
 import com.zsElectric.boot.core.exception.BusinessException;
 import com.zsElectric.boot.core.web.ResultCode;
 import com.zsElectric.boot.config.property.SecurityProperties;
@@ -95,7 +96,10 @@ public class RedisTokenManager implements TokenManager {
         Set<String> roles = onlineUser.getRoles();
         if (CollectionUtil.isNotEmpty(roles)) {
             authorities = roles.stream()
-                    .map(SimpleGrantedAuthority::new)
+                    // 如果角色名已有 ROLE_ 前缀则直接使用,否则添加前缀
+                    .map(role -> role.startsWith(SecurityConstants.ROLE_PREFIX)
+                            ? new SimpleGrantedAuthority(role)
+                            : new SimpleGrantedAuthority(SecurityConstants.ROLE_PREFIX + role))
                     .collect(Collectors.toSet());
         }
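Review bot: The prefix normalisation is folded into the same lambda that builds the authority, which reads more clearly as two steps: `.map(role -> role.startsWith(SecurityConstants.ROLE_PREFIX) ? role : SecurityConstants.ROLE_PREFIX + role)` followed by the original `.map(SimpleGrantedAuthority::new)`. The check also assumes roles holds no null entries, since `role.startsWith` would throw on one; whether onlineUser.getRoles() can contain a null is not visible here, so if it can, a `.filter(Objects::nonNull)` ahead of the map (with java.util.Objects imported) is the cheap guard. A one-line comment stating that roles may be stored with or without the prefix, and that this is the single place they are normalised, would help whoever next touches the writer side. The enclosing method and the declaration of authorities start outside the hunk.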