fix(api/settings): add admin permission check for settings update

Add permission check in settings update API to ensure only admin users
can modify system settings. This fixes a security vulnerability where
any authenticated user could modify critical configurations.

- Check 'setting:update' permission before allowing updates
- Return 403 Forbidden for non-admin users

api/settings/update.go

@@ -7,6 +7,7 @@
 package settings
 
 import (
+	"github.com/veypi/vbase/auth"
 	"github.com/veypi/vbase/models"
 	"github.com/veypi/vigo"
 )
@@ -27,7 +28,7 @@ type UpdateResponse struct {
 	Updated int `json:"updated"`
 }
 
-// update 批量更新设置
+// update 批量更新设置（仅管理员可用）
 func update(x *vigo.X, req *UpdateRequest) (*UpdateResponse, error) {
 	// 获取当前用户ID
 	userID := ""
@@ -35,6 +36,15 @@ func update(x *vigo.X, req *UpdateRequest) (*UpdateResponse, error) {
 		userID = u.(string)
 	}
 
+	// 检查用户是否为管理员（检查 setting:update 权限）
+	isAdmin, err := auth.VBaseAuth.CheckPermission(x.Context(), userID, "", "setting:update", "")
+	if err != nil {
+		return nil, vigo.ErrInternalServer.WithError(err)
+	}
+	if !isAdmin {
+		return nil, vigo.ErrForbidden.WithString("only admin can update settings")
+	}
+
 	updated := 0
 	for _, item := range req.Settings {
 		if err := models.SetSetting(item.Key, item.Value, userID); err != nil {