"""
Portal RBAC权限初始化 — superuser角色
为owner.superuser授予Portal所有权限

Portal包含:
- 公开页面 (wwwroot下的.ui和静态文件)
- CMS管理CRUD页面 (cms模块wwwroot，路由到/cms/)
- appbase系统基础模块

用法: cd ~/repos/portal && py3/bin/python init_superuser_permissions.py
"""
import os, sys, subprocess

def find_app_root():
    return os.path.dirname(os.path.abspath(__file__))

app_root = find_app_root()
sage_root = None
for c in [os.path.expanduser("~/repos/sage"), os.path.expanduser("~/sage")]:
    if os.path.isdir(os.path.join(c, "py3", "bin")):
        sage_root = c
        break
if not sage_root:
    sage_root = app_root

py = os.path.join(sage_root, "py3", "bin", "python")
sp = os.path.join(sage_root, "set_role_perm.py") if os.path.exists(os.path.join(sage_root, "set_role_perm.py")) else None

if not sp:
    print("ERROR: 找不到set_role_perm.py")
    sys.exit(1)

def run(role, paths):
    env = os.environ.copy()
    env['SAGE_RBAC_DB'] = 'ocai_cms'
    for p in paths:
        print(f"  {role:30s} {p}")
        subprocess.run([py, sp, role, p], cwd=sage_root, capture_output=True, env=env)

# ─── superuser — 所有权限 ───
superuser_paths = [
    # 公开页面
    "/index.ui", "/news.ui", "/news_detail.ui",
    "/cases.ui", "/products.ui",
    "/cms_styles.css", "/cms_scripts.js",
    "/menu.ui", "/admin.ui",

    # 公开API
    "/api/get_published_content.dspy",
    "/api/get_content_detail.dspy",
    "/api/get_config.dspy",
    "/api/get_sections.dspy",
    "/api/submit_lead.dspy",

    # CMS管理 — 由cms模块提供，路由到 /cms/
    "/cms",
    "/cms/admin.ui", "/cms/menu.ui",

    # CMS Content CRUD
    "/cms/cms_content_list", "/cms/cms_content_list/%",
    "/cms/api/cms_content_create.dspy",
    "/cms/api/cms_content_update.dspy",
    "/cms/api/cms_content_delete.dspy",
    "/cms/api/cms_content_list.dspy",
    "/cms/api/submit_content_approval.dspy",

    # CMS Categories
    "/cms/cms_categories_list", "/cms/cms_categories_list/%",
    "/cms/api/cms_categories_create.dspy",
    "/cms/api/cms_categories_update.dspy",
    "/cms/api/cms_categories_delete.dspy",
    "/cms/api/cms_categories_list.dspy",
    "/cms/api/category_options.dspy",

    # CMS Sections
    "/cms/cms_sections_list", "/cms/cms_sections_list/%",
    "/cms/api/cms_sections_create.dspy",
    "/cms/api/cms_sections_update.dspy",
    "/cms/api/cms_sections_delete.dspy",
    "/cms/api/cms_sections_list.dspy",

    # CMS Site Config
    "/cms/cms_site_config_list", "/cms/cms_site_config_list/%",
    "/cms/api/cms_site_config_create.dspy",
    "/cms/api/cms_site_config_update.dspy",
    "/cms/api/cms_site_config_delete.dspy",
    "/cms/api/cms_site_config_list.dspy",

    # CMS Leads
    "/cms/cms_leads_list", "/cms/cms_leads_list/%",
    "/cms/api/cms_leads_create.dspy",
    "/cms/api/cms_leads_update.dspy",
    "/cms/api/cms_leads_delete.dspy",
    "/cms/api/cms_leads_list.dspy",

    # DingTalk Approvals (cms模块内)
    "/cms/api/submit_approval.dspy",
    "/cms/api/dingtalk_callback.dspy",
    "/cms/dd_approvals", "/cms/dd_approvals/%",
    "/cms/api/dd_approvals_create.dspy",
    "/cms/api/dd_approvals_update.dspy",
    "/cms/api/dd_approvals_delete.dspy",
    "/cms/api/dd_approvals_list.dspy",
    "/cms/dd_approval_configs", "/cms/dd_approval_configs/%",
    "/cms/api/dd_approval_configs_create.dspy",
    "/cms/api/dd_approval_configs_update.dspy",
    "/cms/api/dd_approval_configs_delete.dspy",
    "/cms/api/dd_approval_configs_list.dspy",

    # appbase 系统基础模块
    "/appbase/appcodes_kv", "/appbase/appcodes_kv/%",
    "/appbase/appcodes", "/appbase/appcodes/%",
    "/appbase/params", "/appbase/params/%",
    "/appbase/svgicon", "/appbase/svgicon/%",
    "/appbase/cron/index.ui",

    # rbac模块 (登录后管理页面)
    "/rbac",
    "/rbac/index.ui", "/rbac/admin_menu.ui", "/rbac/usermenu.ui",
    "/rbac/add_adminuser.dspy", "/rbac/add_adminuser.ui",
    "/rbac/add_provider.dspy", "/rbac/add_provider.ui",
    "/rbac/add_reseller.dspy", "/rbac/add_superuser.dspy",
    "/rbac/find_unauth_files.dspy",
    "/rbac/get_all_roles.dspy", "/rbac/get_normal_roles.dspy",
    "/rbac/get_provider.dspy", "/rbac/get_reseller.dspy",
    "/rbac/list_path_roles.dspy", "/rbac/list_path_roles.ui",
    "/rbac/organization", "/rbac/orgtypes",
    "/rbac/permission", "/rbac/provider", "/rbac/reseller",
    "/rbac/refresh_userperm.dspy",
    "/rbac/role", "/rbac/rolepermission",
    "/rbac/stat_active_users.ui", "/rbac/stat_total_orgs.ui", "/rbac/stat_total_users.ui",
    "/rbac/user", "/rbac/user/myrole.ui", "/rbac/user/user.ui", "/rbac/user/user_panel.ui",
    "/rbac/user/userapikey", "/rbac/user/userapikey/%",
    "/rbac/user/userinfo.ui", "/rbac/user/edit_profile.dspy", "/rbac/user/save_profile.dspy",
    "/rbac/user/wechat_login.ui",
    "/rbac/userapp", "/rbac/userdepartment", "/rbac/userrole",
    "/rbac/users", "/rbac/usersync", "/rbac/usersync/index.dspy",
]

print("=== Portal RBAC权限初始化 — superuser ===")
print(f"\n--- owner.superuser (超级管理员) ---")
run("owner.superuser", superuser_paths)
print("\n完成")