"""
dingdingflow RBAC权限配置 — 企业类型: owner
角色: superuser(继承全部), webmaster(提交审批), reviewer(审批管理),
      supervisor(审批配置)

用法: cd ~/repos/sage && ./py3/bin/python ~/repos/cms/dingdingflow/scripts/load_path.py
"""
import os, sys, subprocess

def find_sage_root():
    for c in [os.path.expanduser("~/repos/sage"), os.path.expanduser("~/sage")]:
        if os.path.isdir(os.path.join(c, "wwwroot")) and os.path.isdir(os.path.join(c, "py3")):
            return c
    return None

sage_root = find_sage_root()
if not sage_root:
    print("ERROR: Cannot find Sage root"); sys.exit(1)

py  = os.path.join(sage_root, "py3", "bin", "python")
sp  = os.path.join(sage_root, "set_role_perm.py")

def run(role, paths):
    for p in paths:
        print(f"  {role:30s} {p}")
        subprocess.run([py, sp, role, p], cwd=sage_root, capture_output=True)

any_paths = [
    "/dingdingflow/api/dingtalk_callback.dspy",
    "/dingdingflow/menu.ui",
]

# webmaster: 提交审批
webmaster_paths = [
    "/dingdingflow",
    "/dingdingflow/index.ui",
    "/dingdingflow/api/submit_approval.dspy",
    "/dingdingflow/dd_approvals", "/dingdingflow/dd_approvals/%",
    "/dingdingflow/api/dd_approvals_list.dspy",
]

# reviewer: 审批管理(查看全部 + 更新审批状态)
reviewer_paths = [
    "/dingdingflow",
    "/dingdingflow/index.ui",
    "/dingdingflow/dd_approvals", "/dingdingflow/dd_approvals/%",
    "/dingdingflow/api/dd_approvals_list.dspy",
    "/dingdingflow/api/dd_approvals_update.dspy",
]

# supervisor: 审批配置管理 + 全部审批记录
supervisor_paths = [
    "/dingdingflow",
    "/dingdingflow/index.ui",
    "/dingdingflow/dd_approvals", "/dingdingflow/dd_approvals/%",
    "/dingdingflow/dd_approval_configs", "/dingdingflow/dd_approval_configs/%",
    "/dingdingflow/api/dd_approvals_create.dspy",
    "/dingdingflow/api/dd_approvals_update.dspy",
    "/dingdingflow/api/dd_approvals_delete.dspy",
    "/dingdingflow/api/dd_approvals_list.dspy",
    "/dingdingflow/api/dd_approval_configs_create.dspy",
    "/dingdingflow/api/dd_approval_configs_update.dspy",
    "/dingdingflow/api/dd_approval_configs_delete.dspy",
    "/dingdingflow/api/dd_approval_configs_list.dspy",
    "/dingdingflow/api/submit_approval.dspy",
]

print("=== dingdingflow RBAC权限配置 ===")
print(f"\n--- any (匿名/钉钉回调) ---")
run("any", any_paths)
print(f"\n--- owner.webmaster ---")
run("owner.webmaster", webmaster_paths)
print(f"\n--- owner.reviewer ---")
run("owner.reviewer", reviewer_paths)
print(f"\n--- owner.supervisor ---")
run("owner.supervisor", supervisor_paths)
print("\n完成")