#!/usr/bin/env python3
"""
Integrated CRM Application - RBAC Permission Configuration

Defines roles, permission matrix, and CRUD table mappings for the
four-department CRM system (Sales, Marketing, Operations, Finance).
"""

# ============================================================
# ROLE DEFINITIONS
# ============================================================
# Format: role_id -> (display_name, description)
# Role IDs are used in perm_config; ensure_role() matches by name or ID.
#
# NOTE(review): the description strings are free text; nothing in this file
# ties them to the grants in PERMISSION_MATRIX, and some already differ:
#   - customer_service is described as "contract read-only" but is not listed
#     on any /contract_management/ path in PERMISSION_MATRIX;
#   - sales_support is described as "global read-only" but is only listed on
#     customer and contract read paths.
# Presumably PERMISSION_MATRIX is what gets enforced; confirm which side is
# intended before using these descriptions in an access review.
ROLES = {
    # --- Sales department ---
    "sales_director": ("销售总监", "销售部门最高负责人,全模块读写+审批"),
    "sales_manager": ("销售经理", "销售团队管理,本部门数据读写+审批"),
    "sales_rep": ("销售代表", "一线销售,本人数据读写"),
    "sales_support": ("销售支持", "销售辅助岗位,全局只读"),

    # --- Marketing department ---
    "marketing_director": ("市场总监", "市场部门最高负责人,全模块读写+审批"),
    "marketing_manager": ("市场经理", "市场团队管理,本部门数据读写+审批"),
    "marketing_specialist": ("市场专员", "一线市场人员,本人数据读写"),
    "campaign_operator": ("活动运营", "市场活动运营,活动关联数据读写"),

    # --- Operations department ---
    "ops_director": ("运维总监", "运维部门最高负责人,全模块读写+审批"),
    "ops_manager": ("运维经理", "运维团队管理,本部门合同读写+审批"),
    "ops_engineer": ("运维工程师", "运维技术人员,工单/合同相关读写"),
    "customer_service": ("客服专员", "客户服务,客户管理读写+合同只读"),

    # --- Finance department ---
    "finance_director": ("财务总监", "财务部门最高负责人,全模块读写+审批"),
    "finance_manager": ("财务经理", "财务团队管理,合同/财务读写+审批"),
    "accountant": ("会计", "财务核算,财务模块读写"),
    "cashier": ("出纳", "收付款执行,收付款读写"),

    # --- System level ---
    # Single platform-wide superuser role; it is listed on every role-restricted
    # path in PERMISSION_MATRIX and is the only role on /rbac/**.
    "admin_superuser": ("系统管理员", "超级管理员,全平台所有权限"),
}

# ============================================================
# PERMISSION_MATRIX
# ============================================================
# Maps URL path patterns -> list of roles that can access.
# Paths carry no /main prefix; they are always written relative to wwwroot.
#
# RBAC wildcard mechanism:
#   - a role expands into three keys: orgtypeid.name, orgtypeid.*, *.name
#   - *.role_name matches the same-named role in every organisation
#
# Permission level is expressed by path grouping:
#   /api/*_create.dspy, /api/*_update.dspy, /api/*_delete.dspy -> write operations
#   /api/*_list.dspy, *.ui                                     -> read operations
#
# The init script expands concrete paths by walking the wwwroot file system
# and then registers them in the permission table.
#
# NOTE(review): the read/write split is a naming convention only. Several
# endpoints below (check_contract.dspy, receivables.dspy, debug_receivables.dspy,
# test_env.dspy) do not follow the *_list / *_create pattern and were placed in
# a group by hand; what they actually do is not visible here.
# NOTE(review): "any" and "logined" are used as role names below but are not
# defined in ROLES; presumably the RBAC layer treats them as built-in tokens.
# NOTE(review): this file does not show what happens to a path that is not
# listed. Confirm the enforcement layer denies unlisted paths by default.
PERMISSION_MATRIX = {
    # ========================================================
    # Public / System Resources
    # ========================================================
    "bricks_static": {
        # NOTE(review): the original comment here read "All logged-in users",
        # but the token is "any", the same one used for the login page, which
        # presumably has to be reachable before a session exists. "logined" is
        # the token used further down for logged-in users. If "any" includes
        # anonymous visitors, everything under /bricks/** is served without
        # authentication and should hold static assets only. Confirm.
        "/bricks/**": ["any"],
    },
    "rbac_public": {
        "/login.ui": ["any"],
        "/login.dspy": ["any"],
    },

    # ========================================================
    # Customer Management
    # ========================================================
    # Module files: customer_list.ui, customer_edit.ui, customer_pool.ui,
    #               handover_list.ui, base.ui
    #               api/customers_list.dspy, api/customers_create.dspy,
    #               api/customers_update.dspy, api/customers_delete.dspy,
    #               api/customer_pool_list.dspy, api/handover_list.dspy
    "customer_management_read": {
        "/customer_management/customer_list.ui": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "campaign_operator",
            "ops_director", "ops_manager", "ops_engineer", "customer_service",
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
        "/customer_management/customer_edit.ui": [
            "sales_director", "sales_manager", "sales_rep",
            "customer_service",
            "admin_superuser",
        ],
        "/customer_management/customer_pool.ui": [
            "sales_director", "sales_manager", "sales_rep",
            "admin_superuser",
        ],
        "/customer_management/handover_list.ui": [
            "sales_director", "sales_manager",
            "admin_superuser",
        ],
        "/customer_management/base.ui": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "marketing_director", "marketing_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "customer_service",
            "admin_superuser",
        ],
    },
    "customer_management_api_read": {
        # The list API is readable by 16 of the 17 roles (all but cashier).
        # The role descriptions speak of "own data" / "own department" scopes;
        # any such row-level filtering is not expressed in this matrix and
        # would have to happen inside the endpoint. TODO confirm.
        "/customer_management/api/customers_list.dspy": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "campaign_operator",
            "ops_director", "ops_manager", "ops_engineer", "customer_service",
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
        "/customer_management/api/customer_pool_list.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "admin_superuser",
        ],
        "/customer_management/api/handover_list.dspy": [
            "sales_director", "sales_manager",
            "admin_superuser",
        ],
    },
    "customer_management_api_write": {
        "/customer_management/api/customers_create.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "customer_service",
            "admin_superuser",
        ],
        "/customer_management/api/customers_update.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "customer_service",
            "admin_superuser",
        ],
        # Delete is narrower than create/update: sales_rep and
        # customer_service are not listed.
        "/customer_management/api/customers_delete.dspy": [
            "sales_director", "sales_manager",
            "admin_superuser",
        ],
    },

    # ========================================================
    # Opportunity Management
    # ========================================================
    # Module files: opportunity_management.ui, opportunity_edit.ui, base.ui
    #               api/opportunities_list.dspy, api/opportunities_create.dspy,
    #               api/opportunities_update.dspy, api/opportunities_delete.dspy,
    #               api/sales_stages_list.dspy
    "opportunity_management_read": {
        "/opportunity_management/opportunity_management.ui": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
        "/opportunity_management/opportunity_edit.ui": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
        "/opportunity_management/base.ui": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager",
            "admin_superuser",
        ],
    },
    "opportunity_management_api_read": {
        "/opportunity_management/api/opportunities_list.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
        "/opportunity_management/api/sales_stages_list.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
    },
    "opportunity_management_api_write": {
        "/opportunity_management/api/opportunities_create.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
        "/opportunity_management/api/opportunities_update.dspy": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager", "marketing_specialist",
            "admin_superuser",
        ],
        # Delete is limited to directors/managers; sales_rep and
        # marketing_specialist are not listed.
        "/opportunity_management/api/opportunities_delete.dspy": [
            "sales_director", "sales_manager",
            "marketing_director", "marketing_manager",
            "admin_superuser",
        ],
    },

    # ========================================================
    # Contract Management
    # ========================================================
    # Module files: contract_list.ui, contract_edit.ui, contract_detail.ui,
    #               ai_config.ui
    #               api/contract_list.dspy, api/contracts_create.dspy,
    #               api/contracts_update.dspy, api/contracts_delete.dspy,
    #               api/check_contract.dspy
    "contract_management_read": {
        # NOTE(review): marketing_director and marketing_manager may open this
        # page but are not listed on api/contract_list.dspy below, so the page
        # and its data API disagree. Confirm which side is intended.
        "/contract_management/contract_list.ui": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "marketing_director", "marketing_manager",
            "ops_director", "ops_manager", "ops_engineer",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/contract_management/contract_edit.ui": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
        "/contract_management/contract_detail.ui": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "ops_director", "ops_manager", "ops_engineer",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        # NOTE(review): a configuration page filed under the read group. No
        # matching API path appears in this matrix, so how its settings are
        # saved (and who may save them) cannot be told from here.
        "/contract_management/ai_config.ui": [
            "sales_director", "sales_manager",
            "ops_director",
            "finance_director",
            "admin_superuser",
        ],
        "/contract_management/base.ui": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
    },
    "contract_management_api_read": {
        "/contract_management/api/contract_list.dspy": [
            "sales_director", "sales_manager", "sales_rep", "sales_support",
            "ops_director", "ops_manager", "ops_engineer",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        # Granted to the same roles as the contract write endpoints.
        "/contract_management/api/check_contract.dspy": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
    },
    "contract_management_api_write": {
        "/contract_management/api/contracts_create.dspy": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
        "/contract_management/api/contracts_update.dspy": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
        # Delete drops ops_manager and finance_manager but keeps sales_manager.
        "/contract_management/api/contracts_delete.dspy": [
            "sales_director", "sales_manager",
            "ops_director",
            "finance_director",
            "admin_superuser",
        ],
    },

    # ========================================================
    # Financial Management
    # ========================================================
    # Module files: index.ui, receivables.ui, receivable_edit.ui,
    #               payments.ui, receipts.ui, financial_vouchers.ui
    #               api/receivables.dspy, api/receivables_list.dspy,
    #               api/receivables_create.dspy, api/receivables_update.dspy,
    #               api/receivables_delete.dspy
    # (debug_receivables.dspy and test_env.dspy are granted below but are not
    # in the module file list above.)
    "financial_management_read": {
        "/financial_management/index.ui": [
            "sales_director", "sales_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/receivables.ui": [
            "sales_director", "sales_manager",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/receivable_edit.ui": [
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
        "/financial_management/payments.ui": [
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/receipts.ui": [
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/financial_vouchers.ui": [
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
    },
    "financial_management_api_read": {
        "/financial_management/api/receivables.dspy": [
            "sales_director", "sales_manager",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/api/receivables_list.dspy": [
            "sales_director", "sales_manager",
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        # NOTE(review): the names of the next two endpoints suggest debug/test
        # helpers. What they return is not visible here; confirm they belong
        # in a production wwwroot at all, and that filing them under "read" is
        # accurate, before registering grants for them.
        "/financial_management/api/debug_receivables.dspy": [
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
        "/financial_management/api/test_env.dspy": [
            "admin_superuser",
        ],
    },
    "financial_management_api_write": {
        "/financial_management/api/receivables_create.dspy": [
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
        # NOTE(review): cashier may call this update API but is not listed on
        # receivable_edit.ui or receivables_create.dspy. If that is deliberate
        # (e.g. recording settlement), check that the endpoint limits which
        # fields a cashier can change; the matrix cannot express that.
        "/financial_management/api/receivables_update.dspy": [
            "finance_director", "finance_manager", "accountant", "cashier",
            "admin_superuser",
        ],
        "/financial_management/api/receivables_delete.dspy": [
            "finance_director", "finance_manager",
            "admin_superuser",
        ],
    },

    # ========================================================
    # Workflow Approval (placeholder)
    # ========================================================
    # NOTE(review): a single /** pattern grants every path under the module,
    # including any write endpoint added later, with no read/write split.
    # Replace it with per-path groups once the module has real files.
    # accountant is listed here although its ROLES description does not
    # mention approval. Confirm that is intended.
    "workflow_approval": {
        "/workflow_approval/**": [
            "sales_director", "sales_manager",
            "marketing_director", "marketing_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
    },

    # ========================================================
    # Unified Dashboard (placeholder)
    # ========================================================
    # NOTE(review): same wildcard caveat as workflow_approval. Everything
    # placed under /unified_dashboard/ becomes reachable by all listed roles.
    "unified_dashboard": {
        "/unified_dashboard/**": [
            "sales_director", "sales_manager", "sales_rep",
            "marketing_director", "marketing_manager",
            "ops_director", "ops_manager",
            "finance_director", "finance_manager", "accountant",
            "admin_superuser",
        ],
    },

    # ========================================================
    # RBAC Admin (system admin only)
    # ========================================================
    "rbac_admin": {
        "/rbac/**": ["admin_superuser"],
    },

    # ========================================================
    # AppBase (system admin + department directors)
    # ========================================================
    # NOTE(review): what lives under /appbase/ is not shown in this file. The
    # /** pattern gives the four department directors everything there, so
    # confirm it holds no platform-level settings that should stay with
    # admin_superuser.
    "appbase": {
        "/appbase/**": [
            "admin_superuser",
            "sales_director", "marketing_director", "ops_director",
            "finance_director",
        ],
    },

    # ========================================================
    # Main app pages (login redirect, base layout)
    # ========================================================
    "main_app": {
        "/base.ui": ["logined"],  # All logged-in users
        "/index.ui": ["logined"],
    },
}

# ============================================================
# CRUD TABLE PERMISSIONS
# ============================================================
# Maps module -> list of database tables. The init script registers
# CRUD API endpoints for each table.
# NOTE(review): this mapping names tables only. It does not say which roles may
# call the CRUD endpoints generated for them, and PERMISSION_MATRIX lists only
# the hand-written /api/*.dspy paths. Confirm that the generated endpoints for
# tables such as payments, receipts and financial_vouchers get explicit grants
# and cannot be used to bypass the per-module write restrictions.
CRUD_TABLES = {
    "customer_management": [
        "customers",
        "customer_pool",
        "customer_handover",
        "customer_handover_items",
    ],
    "opportunity_management": [
        "opportunities",
        "sales_stages",
        "opportunity_stage_history",
    ],
    "contract_management": [
        "contracts",
        "contract_milestones",
        "contract_versions",
        "contract_attachments",
        "orders",
        "order_payments",
    ],
    "financial_management": [
        "receivables",
        "payments",
        "receipts",
        "receipt_allocations",
        "financial_vouchers",
    ],
}

# ============================================================
# MODULE DIRECTORY MAP
# ============================================================
# Maps module name -> wwwroot subdirectory path for wildcard expansion.
# Used by init_permissions.py to locate files on disk.
#
# Every value currently equals its key. The values are relative directory
# names; how init_permissions.py joins them onto wwwroot is not shown here, so
# keep them free of path separators and ".." unless that script is confirmed
# to normalise and confine the resulting path.
MODULE_WWWROOT = {
    # Business modules
    "customer_management": "customer_management",
    "opportunity_management": "opportunity_management",
    "contract_management": "contract_management",
    "financial_management": "financial_management",
    # Placeholder modules (wildcard grants in PERMISSION_MATRIX)
    "workflow_approval": "workflow_approval",
    "unified_dashboard": "unified_dashboard",
    # Platform directories
    "rbac": "rbac",
    "appbase": "appbase",
    "bricks": "bricks",
}