diff --git a/scripts/load_path.py b/scripts/load_path.py
index 25c706d..a089220 100644
--- a/scripts/load_path.py
+++ b/scripts/load_path.py
@@ -1,81 +1,109 @@ #!/usr/bin/env python3 -"""RBAC permission registration for reallife_asset module.""" -import os, sys, subprocess +""" +reallife_asset 模块 RBAC 权限管理脚本 -# Find Sage root -home = os.path.expanduser("~") -sage_root = "" -for candidate in [ - os.path.join(home, "repos/sage"), - os.path.join(home, "sage"), -]: - if os.path.isdir(os.path.join(candidate, "wwwroot")): - sage_root = candidate - break +使用方法: + cd ~/repos/sage + ./py3/bin/python ~/repos/reallife_asset/scripts/load_path.py -if not sage_root: - print("ERROR: Cannot find Sage root") +每次代码变更如有新 path 出现,需同步更新此脚本。 +""" + +import subprocess +import os +import sys + + +def find_sage_root(): + candidates = [ + os.path.expanduser("~/repos/sage"), + os.path.expanduser("~/sage"), + os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))), + ] + for c in candidates: + if os.path.isdir(os.path.join(c, "py3")) and os.path.isdir(os.path.join(c, "wwwroot")): + return c + return None + + +SAGE_ROOT = find_sage_root() +if not SAGE_ROOT: + print("ERROR: Cannot find Sage root directory") sys.exit(1) -python = os.path.join(sage_root, "py3/bin/python") -set_perm = os.path.join(sage_root, "set_role_perm.py") +PYTHON = os.path.join(SAGE_ROOT, "py3", "bin", "python") +SET_PERM_SCRIPT = os.path.join(SAGE_ROOT, "set_role_perm.py") -# Permission definitions -paths_any = [ - "/reallife_asset/api/rl_callback.dspy", # Volcengine callback - no auth +MOD = "reallife_asset" + +# ============================================================ +# 权限路径定义 — 每次新增页面或API时同步更新 +# ============================================================ + +# any — 无需登录(菜单、静态资源、回调) +PATHS_ANY = [ + f"/{MOD}/menu.ui", + f"/{MOD}/imgs/%", + f"/{MOD}/api/rl_callback.dspy", # 供应商回调,无需登录 ] -paths_logined = [ - "/reallife_asset", - "/reallife_asset/index.ui", - "/reallife_asset/group_manage.ui", - "/reallife_asset/asset_manage.ui", - "/reallife_asset/create_validate.ui", - "/reallife_asset/upload_asset.ui", - 
"/reallife_asset/sync_groups.ui", - "/reallife_asset/rl_asset_group_list", - "/reallife_asset/rl_asset_group_list/index.ui", - "/reallife_asset/rl_asset_list", - "/reallife_asset/rl_asset_list/index.ui", - "/reallife_asset/api/rl_asset_group_create.dspy", - "/reallife_asset/api/rl_asset_group_update.dspy", - "/reallife_asset/api/rl_asset_group_delete.dspy", - "/reallife_asset/api/rl_asset_create.dspy", - "/reallife_asset/api/rl_asset_update.dspy", - "/reallife_asset/api/rl_asset_delete.dspy", - "/reallife_asset/api/sync_asset_status.dspy", - "/reallife_asset/api/check_validate.dspy", - "/reallife_asset/api/sync_from_vendor.dspy", - "/reallife_asset/api/sync_assets.dspy", - "/reallife_asset/api/get_rl_asset_group_list.dspy", - "/reallife_asset/api/get_rl_asset_list.dspy", - # Downapp user APIs - "/reallife_asset/api/rl_verify.dspy", - "/reallife_asset/api/rl_upload.dspy", - "/reallife_asset/api/rl_status.dspy", - "/reallife_asset/api/rl_query_groups.dspy", - # Vendor Config CRUD - "/reallife_asset/api/rl_vendor_config_create.dspy", - "/reallife_asset/api/rl_vendor_config_update.dspy", - "/reallife_asset/api/rl_vendor_config_delete.dspy", - "/reallife_asset/rl_vendor_config_list", - "/reallife_asset/rl_vendor_config_list/index.ui", - # Org-Group Mapping CRUD - "/reallife_asset/api/rl_org_group_create.dspy", - "/reallife_asset/api/rl_org_group_update.dspy", - "/reallife_asset/api/rl_org_group_delete.dspy", - "/reallife_asset/rl_org_group_list", - "/reallife_asset/rl_org_group_list/index.ui", + +# logined — 所有已登录用户(含客户) +PATHS_LOGINED = [ + # 模块入口 + f"/{MOD}", + f"/{MOD}/index.ui", + + # 客户可用页面 + f"/{MOD}/create_validate.ui", + f"/{MOD}/upload_asset.ui", + + # API — 所有 api/ 下的 .dspy(脚本内部通过 get_user() 做权限校验) + f"/{MOD}/api/%", ] +# reseller.operator — 管理员专属页面 +PATHS_OPERATOR = [ + f"/{MOD}/group_manage.ui", + f"/{MOD}/asset_manage.ui", + f"/{MOD}/vendor_config_manage.ui", + f"/{MOD}/vendor_config_edit.ui", + f"/{MOD}/org_group_manage.ui", + f"/{MOD}/sync_groups.ui", +] 
+ +# owner.superuser — 同 operator +PATHS_SUPERUSER = PATHS_OPERATOR + +# ============================================================ +# 执行注册 +# ============================================================ + + def run_set_perm(role, path): - cmd = [python, set_perm, role, path] - print(f" {role:12s} {path}") - subprocess.run(cmd, cwd=sage_root) + cmd = [PYTHON, SET_PERM_SCRIPT, role, path] + result = subprocess.run(cmd, capture_output=True, text=True) + return result.returncode == 0 -print("Registering RBAC permissions for reallife_asset...") -for p in paths_any: - run_set_perm("any", p) -for p in paths_logined: - run_set_perm("logined", p) -print("Done.") +def register_role_paths(role, paths): + count = 0 + for p in paths: + if run_set_perm(role, p): + count += 1 + print(f" {role}: {count}/{len(paths)} paths registered") + return count + + +def main(): + print(f"Sage root: {SAGE_ROOT}") + total = 0 + total += register_role_paths("any", PATHS_ANY) + total += register_role_paths("logined", PATHS_LOGINED) + total += register_role_paths("reseller.operator", PATHS_OPERATOR) + total += register_role_paths("owner.superuser", PATHS_SUPERUSER) + print(f"\nDone. Total {total} permission entries registered.") + print("NOTE: Restart Sage after permission changes to reload RBAC cache.") + + +if __name__ == "__main__": + main()
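Review bot: `f"/{MOD}/api/%"` in `PATHS_LOGINED` grants every `.dspy` under `api/` to any logged-in user, customers included, so the new `PATHS_OPERATOR` split restricts only the `.ui` pages while the vendor-config, org-group and delete endpoints behind them remain reachable at the RBAC layer. The comment says each script enforces access through `get_user()`, which this diff does not show, and any endpoint added later without that check is exposed by default. Consider listing the customer-facing APIs explicitly under `logined` and moving the admin CRUD endpoints into `PATHS_OPERATOR`, so the wildcard is not the only gate. The script also only adds entries, so on an existing install the earlier `logined` grants for `group_manage.ui`, `asset_manage.ui` and `sync_groups.ui` presumably persist unless `set_role_perm.py` or a separate migration revokes them; that is worth confirming before relying on the new role split. Finally, `run_set_perm` discards the captured stderr and `main()` exits 0 even when some paths fail, so printing `result.stderr` on a non-zero return code and calling `sys.exit(1)` on any failure would make a partial registration visible.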