449 lines
18 KiB
Python
449 lines
18 KiB
Python
#!/usr/bin/env python3
|
|
"""
|
|
Integrated CRM Application - RBAC Permission Configuration
|
|
|
|
Defines roles, permission matrix, and CRUD table mappings for the
|
|
four-department CRM system (Sales, Marketing, Operations, Finance).
|
|
"""
|
|
|
|
# ============================================================
|
|
# ROLE DEFINITIONS
|
|
# ============================================================
|
|
# Format: role_id -> (display_name, description)
|
|
# Role IDs are used in perm_config; ensure_role() matches by name or ID.
|
|
ROLES = {
|
|
# --- 销售部门 Sales ---
|
|
"sales_director": ("销售总监", "销售部门最高负责人,全模块读写+审批"),
|
|
"sales_manager": ("销售经理", "销售团队管理,本部门数据读写+审批"),
|
|
"sales_rep": ("销售代表", "一线销售,本人数据读写"),
|
|
"sales_support": ("销售支持", "销售辅助岗位,全局只读"),
|
|
|
|
# --- 市场部门 Marketing ---
|
|
"marketing_director": ("市场总监", "市场部门最高负责人,全模块读写+审批"),
|
|
"marketing_manager": ("市场经理", "市场团队管理,本部门数据读写+审批"),
|
|
"marketing_specialist": ("市场专员", "一线市场人员,本人数据读写"),
|
|
"campaign_operator": ("活动运营", "市场活动运营,活动关联数据读写"),
|
|
|
|
# --- 运维部门 Operations ---
|
|
"ops_director": ("运维总监", "运维部门最高负责人,全模块读写+审批"),
|
|
"ops_manager": ("运维经理", "运维团队管理,本部门合同读写+审批"),
|
|
"ops_engineer": ("运维工程师", "运维技术人员,工单/合同相关读写"),
|
|
"customer_service": ("客服专员", "客户服务,客户管理读写+合同只读"),
|
|
|
|
# --- 财务部门 Finance ---
|
|
"finance_director": ("财务总监", "财务部门最高负责人,全模块读写+审批"),
|
|
"finance_manager": ("财务经理", "财务团队管理,合同/财务读写+审批"),
|
|
"accountant": ("会计", "财务核算,财务模块读写"),
|
|
"cashier": ("出纳", "收付款执行,收付款读写"),
|
|
|
|
# --- 系统级 System ---
|
|
"admin_superuser": ("系统管理员", "超级管理员,全平台所有权限"),
|
|
}
|
|
|
|
# ============================================================
|
|
# PERMISSION_MATRIX
|
|
# ============================================================
|
|
# Maps URL path patterns -> list of roles that can access.
|
|
# 路径不加 /main 前缀,统一使用相对于 wwwroot 的路径。
|
|
#
|
|
# RBAC 通配机制:
|
|
# - 角色展开为 orgtypeid.name、orgtypeid.*、*.name 三种 key
|
|
# - *.role_name 匹配所有机构的同名角色
|
|
#
|
|
# 权限级别通过路径分组体现:
|
|
# /api/*_create.dspy, /api/*_update.dspy, /api/*_delete.dspy -> 写操作
|
|
# /api/*_list.dspy, *.ui -> 读操作
|
|
# /api/*_list.dspy, *.ui -> read operations
|
|
#
|
|
# 初始化脚本通过遍历 wwwroot 文件系统展开具体路径,然后注册到 permission 表。
|
|
|
|
PERMISSION_MATRIX = {
|
|
# ========================================================
|
|
# Public / System Resources
|
|
# ========================================================
|
|
"bricks_static": {
|
|
"/bricks/**": ["any"], # All logged-in users
|
|
},
|
|
|
|
"rbac_public": {
|
|
"/login.ui": ["any"],
|
|
"/login.dspy": ["any"],
|
|
},
|
|
|
|
# ========================================================
|
|
# 客户管理 Customer Management
|
|
# ========================================================
|
|
# 模块文件: customer_list.ui, customer_edit.ui, customer_pool.ui,
|
|
# handover_list.ui, base.ui
|
|
# api/customers_list.dspy, api/customers_create.dspy,
|
|
# api/customers_update.dspy, api/customers_delete.dspy,
|
|
# api/customer_pool_list.dspy, api/handover_list.dspy
|
|
"customer_management_read": {
|
|
"/customer_management/customer_list.ui": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"marketing_director", "marketing_manager", "marketing_specialist", "campaign_operator",
|
|
"ops_director", "ops_manager", "ops_engineer", "customer_service",
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/customer_edit.ui": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"customer_service",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/customer_pool.ui": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/handover_list.ui": [
|
|
"sales_director", "sales_manager",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/base.ui": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"marketing_director", "marketing_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"customer_service",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"customer_management_api_read": {
|
|
"/customer_management/api/customers_list.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"marketing_director", "marketing_manager", "marketing_specialist", "campaign_operator",
|
|
"ops_director", "ops_manager", "ops_engineer", "customer_service",
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/api/customer_pool_list.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/api/handover_list.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"customer_management_api_write": {
|
|
"/customer_management/api/customers_create.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"customer_service",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/api/customers_update.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"customer_service",
|
|
"admin_superuser",
|
|
],
|
|
"/customer_management/api/customers_delete.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# 商机管理 Opportunity Management
|
|
# ========================================================
|
|
# 模块文件: opportunity_management.ui, opportunity_edit.ui, base.ui
|
|
# api/opportunities_list.dspy, api/opportunities_create.dspy,
|
|
# api/opportunities_update.dspy, api/opportunities_delete.dspy,
|
|
# api/sales_stages_list.dspy
|
|
"opportunity_management_read": {
|
|
"/opportunity_management/opportunity_management.ui": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
"/opportunity_management/opportunity_edit.ui": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
"/opportunity_management/base.ui": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"opportunity_management_api_read": {
|
|
"/opportunity_management/api/opportunities_list.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
"/opportunity_management/api/sales_stages_list.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"opportunity_management_api_write": {
|
|
"/opportunity_management/api/opportunities_create.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
"/opportunity_management/api/opportunities_update.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager", "marketing_specialist",
|
|
"admin_superuser",
|
|
],
|
|
"/opportunity_management/api/opportunities_delete.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"marketing_director", "marketing_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# 合同管理 Contract Management
|
|
# ========================================================
|
|
# 模块文件: contract_list.ui, contract_edit.ui, contract_detail.ui,
|
|
# ai_config.ui
|
|
# api/contract_list.dspy, api/contracts_create.dspy,
|
|
# api/contracts_update.dspy, api/contracts_delete.dspy,
|
|
# api/check_contract.dspy
|
|
"contract_management_read": {
|
|
"/contract_management/contract_list.ui": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"marketing_director", "marketing_manager",
|
|
"ops_director", "ops_manager", "ops_engineer",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/contract_edit.ui": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/contract_detail.ui": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"ops_director", "ops_manager", "ops_engineer",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/ai_config.ui": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director",
|
|
"finance_director",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/base.ui": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"contract_management_api_read": {
|
|
"/contract_management/api/contract_list.dspy": [
|
|
"sales_director", "sales_manager", "sales_rep", "sales_support",
|
|
"ops_director", "ops_manager", "ops_engineer",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/api/check_contract.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"contract_management_api_write": {
|
|
"/contract_management/api/contracts_create.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/api/contracts_update.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
"/contract_management/api/contracts_delete.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director",
|
|
"finance_director",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# 财务管理 Financial Management
|
|
# ========================================================
|
|
# 模块文件: index.ui, receivables.ui, receivable_edit.ui,
|
|
# payments.ui, receipts.ui, financial_vouchers.ui
|
|
# api/receivables.dspy, api/receivables_list.dspy,
|
|
# api/receivables_create.dspy, api/receivables_update.dspy,
|
|
# api/receivables_delete.dspy
|
|
"financial_management_read": {
|
|
"/financial_management/index.ui": [
|
|
"sales_director", "sales_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/receivables.ui": [
|
|
"sales_director", "sales_manager",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/receivable_edit.ui": [
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/payments.ui": [
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/receipts.ui": [
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/financial_vouchers.ui": [
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"financial_management_api_read": {
|
|
"/financial_management/api/receivables.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/api/receivables_list.dspy": [
|
|
"sales_director", "sales_manager",
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/api/debug_receivables.dspy": [
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/api/test_env.dspy": [
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
"financial_management_api_write": {
|
|
"/financial_management/api/receivables_create.dspy": [
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/api/receivables_update.dspy": [
|
|
"finance_director", "finance_manager", "accountant", "cashier",
|
|
"admin_superuser",
|
|
],
|
|
"/financial_management/api/receivables_delete.dspy": [
|
|
"finance_director", "finance_manager",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# 审批管理 Workflow Approval (placeholder)
|
|
# ========================================================
|
|
"workflow_approval": {
|
|
"/workflow_approval/**": [
|
|
"sales_director", "sales_manager",
|
|
"marketing_director", "marketing_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# 统一仪表盘 Unified Dashboard (placeholder)
|
|
# ========================================================
|
|
"unified_dashboard": {
|
|
"/unified_dashboard/**": [
|
|
"sales_director", "sales_manager", "sales_rep",
|
|
"marketing_director", "marketing_manager",
|
|
"ops_director", "ops_manager",
|
|
"finance_director", "finance_manager", "accountant",
|
|
"admin_superuser",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# RBAC Admin (system admin only)
|
|
# ========================================================
|
|
"rbac_admin": {
|
|
"/rbac/**": ["admin_superuser"],
|
|
},
|
|
|
|
# ========================================================
|
|
# AppBase (system admin + department directors)
|
|
# ========================================================
|
|
"appbase": {
|
|
"/appbase/**": [
|
|
"admin_superuser",
|
|
"sales_director", "marketing_director",
|
|
"ops_director", "finance_director",
|
|
],
|
|
},
|
|
|
|
# ========================================================
|
|
# Main app pages (login redirect, base layout)
|
|
# ========================================================
|
|
"main_app": {
|
|
"/base.ui": ["logined"], # All logged-in users
|
|
"/index.ui": ["logined"],
|
|
},
|
|
}
|
|
|
|
# ============================================================
|
|
# CRUD TABLE PERMISSIONS
|
|
# ============================================================
|
|
# Maps module -> list of database tables. The init script registers
|
|
# CRUD API endpoints for each table.
|
|
CRUD_TABLES = {
|
|
"customer_management": [
|
|
"customers",
|
|
"customer_pool",
|
|
"customer_handover",
|
|
"customer_handover_items",
|
|
],
|
|
"opportunity_management": [
|
|
"opportunities",
|
|
"sales_stages",
|
|
"opportunity_stage_history",
|
|
],
|
|
"contract_management": [
|
|
"contracts",
|
|
"contract_milestones",
|
|
"contract_versions",
|
|
"contract_attachments",
|
|
"orders",
|
|
"order_payments",
|
|
],
|
|
"financial_management": [
|
|
"receivables",
|
|
"payments",
|
|
"receipts",
|
|
"receipt_allocations",
|
|
"financial_vouchers",
|
|
],
|
|
}
|
|
|
|
# ============================================================
|
|
# MODULE DIRECTORY MAP
|
|
# ============================================================
|
|
# Maps module name -> wwwroot subdirectory path for wildcard expansion.
|
|
# Used by init_permissions.py to locate files on disk.
|
|
MODULE_WWWROOT = {
|
|
"customer_management": "customer_management",
|
|
"opportunity_management": "opportunity_management",
|
|
"contract_management": "contract_management",
|
|
"financial_management": "financial_management",
|
|
"workflow_approval": "workflow_approval",
|
|
"unified_dashboard": "unified_dashboard",
|
|
"rbac": "rbac",
|
|
"appbase": "appbase",
|
|
"bricks": "bricks",
|
|
}
|