yumoqing/integrated_crm_app
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
integrated_crm_app/app/perm_config.py
yumoqing 1ed4ce0935 fix: RBAC permission init - remove /main prefix, include js/css files, use * wildcard 
- perm_config.py: all paths no longer use /main prefix
- init_permissions.py:
  1. scan wwwroot including symlinks for .ui/.dspy/.js/.css
  2. register paths without /main prefix
  3. create admin_superuser user (super/Kyy@123456)
  4. use orgtypeid='*' for role wildcard matching
- sync app/ and root copies
2026-05-05 13:44:55 +08:00

450 lines
18 KiB
Python
Raw Blame History

#!/usr/bin/env python3
"""
Integrated CRM Application - RBAC Permission Configuration
Defines roles, permission matrix, and CRUD table mappings for the
four-department CRM system (Sales, Marketing, Operations, Finance).
"""
# ============================================================
# ROLE DEFINITIONS
# ============================================================
# Format: role_id -> (display_name, description)
# Role IDs are used in perm_config; ensure_role() matches by name or ID.
ROLES = {
# --- 销售部门 Sales ---
"sales_director": ("销售总监", "销售部门最高负责人,全模块读写+审批"),
"sales_manager": ("销售经理", "销售团队管理,本部门数据读写+审批"),
"sales_rep": ("销售代表", "一线销售,本人数据读写"),
"sales_support": ("销售支持", "销售辅助岗位,全局只读"),
# --- 市场部门 Marketing ---
"marketing_director": ("市场总监", "市场部门最高负责人,全模块读写+审批"),
"marketing_manager": ("市场经理", "市场团队管理,本部门数据读写+审批"),
"marketing_specialist": ("市场专员", "一线市场人员,本人数据读写"),
"campaign_operator": ("活动运营", "市场活动运营,活动关联数据读写"),
# --- 运维部门 Operations ---
"ops_director": ("运维总监", "运维部门最高负责人,全模块读写+审批"),
"ops_manager": ("运维经理", "运维团队管理,本部门合同读写+审批"),
"ops_engineer": ("运维工程师", "运维技术人员,工单/合同相关读写"),
"customer_service": ("客服专员", "客户服务,客户管理读写+合同只读"),
# --- 财务部门 Finance ---
"finance_director": ("财务总监", "财务部门最高负责人,全模块读写+审批"),
"finance_manager": ("财务经理", "财务团队管理,合同/财务读写+审批"),
"accountant": ("会计", "财务核算,财务模块读写"),
"cashier": ("出纳", "收付款执行,收付款读写"),
# --- 系统级 System ---
"admin_superuser": ("系统管理员", "超级管理员,全平台所有权限"),
}
# ============================================================
# PERMISSION_MATRIX
# ============================================================
# Maps URL path patterns -> list of roles that can access.
# 路径不加 /main 前缀,统一使用相对于 wwwroot 的路径。
#
# RBAC 通配机制:
# - 角色展开为 orgtypeid.name、orgtypeid.*、*.name 三种 key
# - *.role_name 匹配所有机构的同名角色
#
# 权限级别通过路径分组体现:
# /api/*_create.dspy, /api/*_update.dspy, /api/*_delete.dspy -> 写操作
# /api/*_list.dspy, *.ui -> 读操作
# /api/*_list.dspy, *.ui -> read operations
#
# The init script expands '**' to concrete file paths, then registers
# both canonical (/module/path.ui) and /main-prefixed (/main/module/path.ui) variants.
PERMISSION_MATRIX = {
# ========================================================
# Public / System Resources
# ========================================================
"bricks_static": {
"/bricks/**": ["any"], # All logged-in users
},
"rbac_public": {
"/main/login.ui": ["any"],
"/main/login.dspy": ["any"],
},
# ========================================================
# 客户管理 Customer Management
# ========================================================
# 模块文件: customer_list.ui, customer_edit.ui, customer_pool.ui,
# handover_list.ui, base.ui
# api/customers_list.dspy, api/customers_create.dspy,
# api/customers_update.dspy, api/customers_delete.dspy,
# api/customer_pool_list.dspy, api/handover_list.dspy
"customer_management_read": {
"/customer_management/customer_list.ui": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"marketing_director", "marketing_manager", "marketing_specialist", "campaign_operator",
"ops_director", "ops_manager", "ops_engineer", "customer_service",
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
"/customer_management/customer_edit.ui": [
"sales_director", "sales_manager", "sales_rep",
"customer_service",
"admin_superuser",
],
"/customer_management/customer_pool.ui": [
"sales_director", "sales_manager", "sales_rep",
"admin_superuser",
],
"/customer_management/handover_list.ui": [
"sales_director", "sales_manager",
"admin_superuser",
],
"/customer_management/base.ui": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"marketing_director", "marketing_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"customer_service",
"admin_superuser",
],
},
"customer_management_api_read": {
"/customer_management/api/customers_list.dspy": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"marketing_director", "marketing_manager", "marketing_specialist", "campaign_operator",
"ops_director", "ops_manager", "ops_engineer", "customer_service",
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
"/customer_management/api/customer_pool_list.dspy": [
"sales_director", "sales_manager", "sales_rep",
"admin_superuser",
],
"/customer_management/api/handover_list.dspy": [
"sales_director", "sales_manager",
"admin_superuser",
],
},
"customer_management_api_write": {
"/customer_management/api/customers_create.dspy": [
"sales_director", "sales_manager", "sales_rep",
"customer_service",
"admin_superuser",
],
"/customer_management/api/customers_update.dspy": [
"sales_director", "sales_manager", "sales_rep",
"customer_service",
"admin_superuser",
],
"/customer_management/api/customers_delete.dspy": [
"sales_director", "sales_manager",
"admin_superuser",
],
},
# ========================================================
# 商机管理 Opportunity Management
# ========================================================
# 模块文件: opportunity_management.ui, opportunity_edit.ui, base.ui
# api/opportunities_list.dspy, api/opportunities_create.dspy,
# api/opportunities_update.dspy, api/opportunities_delete.dspy,
# api/sales_stages_list.dspy
"opportunity_management_read": {
"/opportunity_management/opportunity_management.ui": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
"/opportunity_management/opportunity_edit.ui": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
"/opportunity_management/base.ui": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager",
"admin_superuser",
],
},
"opportunity_management_api_read": {
"/opportunity_management/api/opportunities_list.dspy": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
"/opportunity_management/api/sales_stages_list.dspy": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
},
"opportunity_management_api_write": {
"/opportunity_management/api/opportunities_create.dspy": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
"/opportunity_management/api/opportunities_update.dspy": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager", "marketing_specialist",
"admin_superuser",
],
"/opportunity_management/api/opportunities_delete.dspy": [
"sales_director", "sales_manager",
"marketing_director", "marketing_manager",
"admin_superuser",
],
},
# ========================================================
# 合同管理 Contract Management
# ========================================================
# 模块文件: contract_list.ui, contract_edit.ui, contract_detail.ui,
# ai_config.ui
# api/contract_list.dspy, api/contracts_create.dspy,
# api/contracts_update.dspy, api/contracts_delete.dspy,
# api/check_contract.dspy
"contract_management_read": {
"/contract_management/contract_list.ui": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"marketing_director", "marketing_manager",
"ops_director", "ops_manager", "ops_engineer",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/contract_management/contract_edit.ui": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"admin_superuser",
],
"/contract_management/contract_detail.ui": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"ops_director", "ops_manager", "ops_engineer",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/contract_management/ai_config.ui": [
"sales_director", "sales_manager",
"ops_director",
"finance_director",
"admin_superuser",
],
"/contract_management/base.ui": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"admin_superuser",
],
},
"contract_management_api_read": {
"/contract_management/api/contract_list.dspy": [
"sales_director", "sales_manager", "sales_rep", "sales_support",
"ops_director", "ops_manager", "ops_engineer",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/contract_management/api/check_contract.dspy": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"admin_superuser",
],
},
"contract_management_api_write": {
"/contract_management/api/contracts_create.dspy": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"admin_superuser",
],
"/contract_management/api/contracts_update.dspy": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager",
"admin_superuser",
],
"/contract_management/api/contracts_delete.dspy": [
"sales_director", "sales_manager",
"ops_director",
"finance_director",
"admin_superuser",
],
},
# ========================================================
# 财务管理 Financial Management
# ========================================================
# 模块文件: index.ui, receivables.ui, receivable_edit.ui,
# payments.ui, receipts.ui, financial_vouchers.ui
# api/receivables.dspy, api/receivables_list.dspy,
# api/receivables_create.dspy, api/receivables_update.dspy,
# api/receivables_delete.dspy
"financial_management_read": {
"/financial_management/index.ui": [
"sales_director", "sales_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/receivables.ui": [
"sales_director", "sales_manager",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/receivable_edit.ui": [
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
"/financial_management/payments.ui": [
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/receipts.ui": [
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/financial_vouchers.ui": [
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
},
"financial_management_api_read": {
"/financial_management/api/receivables.dspy": [
"sales_director", "sales_manager",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/api/receivables_list.dspy": [
"sales_director", "sales_manager",
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/api/debug_receivables.dspy": [
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
"/financial_management/api/test_env.dspy": [
"admin_superuser",
],
},
"financial_management_api_write": {
"/financial_management/api/receivables_create.dspy": [
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
"/financial_management/api/receivables_update.dspy": [
"finance_director", "finance_manager", "accountant", "cashier",
"admin_superuser",
],
"/financial_management/api/receivables_delete.dspy": [
"finance_director", "finance_manager",
"admin_superuser",
],
},
# ========================================================
# 审批管理 Workflow Approval (placeholder)
# ========================================================
"workflow_approval": {
"/workflow_approval/**": [
"sales_director", "sales_manager",
"marketing_director", "marketing_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
},
# ========================================================
# 统一仪表盘 Unified Dashboard (placeholder)
# ========================================================
"unified_dashboard": {
"/unified_dashboard/**": [
"sales_director", "sales_manager", "sales_rep",
"marketing_director", "marketing_manager",
"ops_director", "ops_manager",
"finance_director", "finance_manager", "accountant",
"admin_superuser",
],
},
# ========================================================
# RBAC Admin (system admin only)
# ========================================================
"rbac_admin": {
"/rbac/**": ["admin_superuser"],
},
# ========================================================
# AppBase (system admin + department directors)
# ========================================================
"appbase": {
"/appbase/**": [
"admin_superuser",
"sales_director", "marketing_director",
"ops_director", "finance_director",
],
},
# ========================================================
# Main app pages (login redirect, base layout)
# ========================================================
"main_app": {
"/main/base.ui": ["logined"], # All logged-in users
"/main/index.ui": ["logined"],
},
}
# ============================================================
# CRUD TABLE PERMISSIONS
# ============================================================
# Maps module -> list of database tables. The init script registers
# CRUD API endpoints for each table.
CRUD_TABLES = {
"customer_management": [
"customers",
"customer_pool",
"customer_handover",
"customer_handover_items",
],
"opportunity_management": [
"opportunities",
"sales_stages",
"opportunity_stage_history",
],
"contract_management": [
"contracts",
"contract_milestones",
"contract_versions",
"contract_attachments",
"orders",
"order_payments",
],
"financial_management": [
"receivables",
"payments",
"receipts",
"receipt_allocations",
"financial_vouchers",
],
}
# ============================================================
# MODULE DIRECTORY MAP
# ============================================================
# Maps module name -> wwwroot subdirectory path for wildcard expansion.
# Used by init_permissions.py to locate files on disk.
MODULE_WWWROOT = {
"customer_management": "customer_management",
"opportunity_management": "opportunity_management",
"contract_management": "contract_management",
"financial_management": "financial_management",
"workflow_approval": "workflow_approval",
"unified_dashboard": "unified_dashboard",
"rbac": "rbac",
"appbase": "appbase",
"bricks": "bricks",
}
Reference in New Issue View Git Blame Copy Permalink