feat: add load_path.py with role-based wildcard % coverage

2026-05-29 00:52:24 +08:00 · 2026-05-29 00:52:24 +08:00 · 38650389b1
commit 38650389b1
parent 598ca58a26
1 changed files with 97 additions and 69 deletions
--- a/scripts/load_path.py
+++ b/scripts/load_path.py
@ -1,81 +1,109 @@
 #!/usr/bin/env python3
-"""RBAC permission registration for reallife_asset module."""
+"""
-import os, sys, subprocess
+reallife_asset 模块 RBAC 权限管理脚本
-# Find Sage root
+使用方法:
-home = os.path.expanduser("~")
+    cd ~/repos/sage
-sage_root = ""
+    ./py3/bin/python ~/repos/reallife_asset/scripts/load_path.py
 for candidate in [
    os.path.join(home, "repos/sage"),
    os.path.join(home, "sage"),
 ]:
    if os.path.isdir(os.path.join(candidate, "wwwroot")):
        sage_root = candidate
        break
-if not sage_root:
+每次代码变更如有新 path 出现，需同步更新此脚本。
-    print("ERROR: Cannot find Sage root")
+"""
 import subprocess
 import os
 import sys
 def find_sage_root():
    candidates = [
        os.path.expanduser("~/repos/sage"),
        os.path.expanduser("~/sage"),
        os.path.dirname(os.path.dirname(os.path.dirname(os.path.abspath(__file__)))),
    ]
    for c in candidates:
        if os.path.isdir(os.path.join(c, "py3")) and os.path.isdir(os.path.join(c, "wwwroot")):
            return c
    return None
 SAGE_ROOT = find_sage_root()
 if not SAGE_ROOT:
    print("ERROR: Cannot find Sage root directory")
    sys.exit(1)
-python = os.path.join(sage_root, "py3/bin/python")
+PYTHON = os.path.join(SAGE_ROOT, "py3", "bin", "python")
-set_perm = os.path.join(sage_root, "set_role_perm.py")
+SET_PERM_SCRIPT = os.path.join(SAGE_ROOT, "set_role_perm.py")
-# Permission definitions
+MOD = "reallife_asset"
-paths_any = [
+
-    "/reallife_asset/api/rl_callback.dspy",  # Volcengine callback - no auth
+# ============================================================
 # 权限路径定义 — 每次新增页面或API时同步更新
 # ============================================================
 # any — 无需登录（菜单、静态资源、回调）
 PATHS_ANY = [
    f"/{MOD}/menu.ui",
    f"/{MOD}/imgs/%",
    f"/{MOD}/api/rl_callback.dspy",    # 供应商回调，无需登录
 ]
-paths_logined = [
+
-    "/reallife_asset",
+# logined — 所有已登录用户（含客户）
-    "/reallife_asset/index.ui",
+PATHS_LOGINED = [
-    "/reallife_asset/group_manage.ui",
+    # 模块入口
-    "/reallife_asset/asset_manage.ui",
+    f"/{MOD}",
-    "/reallife_asset/create_validate.ui",
+    f"/{MOD}/index.ui",
-    "/reallife_asset/upload_asset.ui",
+
-    "/reallife_asset/sync_groups.ui",
+    # 客户可用页面
-    "/reallife_asset/rl_asset_group_list",
+    f"/{MOD}/create_validate.ui",
-    "/reallife_asset/rl_asset_group_list/index.ui",
+    f"/{MOD}/upload_asset.ui",
-    "/reallife_asset/rl_asset_list",
+
-    "/reallife_asset/rl_asset_list/index.ui",
+    # API — 所有 api/ 下的 .dspy（脚本内部通过 get_user() 做权限校验）
-    "/reallife_asset/api/rl_asset_group_create.dspy",
+    f"/{MOD}/api/%",
    "/reallife_asset/api/rl_asset_group_update.dspy",
    "/reallife_asset/api/rl_asset_group_delete.dspy",
    "/reallife_asset/api/rl_asset_create.dspy",
    "/reallife_asset/api/rl_asset_update.dspy",
    "/reallife_asset/api/rl_asset_delete.dspy",
    "/reallife_asset/api/sync_asset_status.dspy",
    "/reallife_asset/api/check_validate.dspy",
    "/reallife_asset/api/sync_from_vendor.dspy",
    "/reallife_asset/api/sync_assets.dspy",
    "/reallife_asset/api/get_rl_asset_group_list.dspy",
    "/reallife_asset/api/get_rl_asset_list.dspy",
    # Downapp user APIs
    "/reallife_asset/api/rl_verify.dspy",
    "/reallife_asset/api/rl_upload.dspy",
    "/reallife_asset/api/rl_status.dspy",
    "/reallife_asset/api/rl_query_groups.dspy",
    # Vendor Config CRUD
    "/reallife_asset/api/rl_vendor_config_create.dspy",
    "/reallife_asset/api/rl_vendor_config_update.dspy",
    "/reallife_asset/api/rl_vendor_config_delete.dspy",
    "/reallife_asset/rl_vendor_config_list",
    "/reallife_asset/rl_vendor_config_list/index.ui",
    # Org-Group Mapping CRUD
    "/reallife_asset/api/rl_org_group_create.dspy",
    "/reallife_asset/api/rl_org_group_update.dspy",
    "/reallife_asset/api/rl_org_group_delete.dspy",
    "/reallife_asset/rl_org_group_list",
    "/reallife_asset/rl_org_group_list/index.ui",
 ]
 # reseller.operator — 管理员专属页面
 PATHS_OPERATOR = [
    f"/{MOD}/group_manage.ui",
    f"/{MOD}/asset_manage.ui",
    f"/{MOD}/vendor_config_manage.ui",
    f"/{MOD}/vendor_config_edit.ui",
    f"/{MOD}/org_group_manage.ui",
    f"/{MOD}/sync_groups.ui",
 ]
 # owner.superuser — 同 operator
 PATHS_SUPERUSER = PATHS_OPERATOR
 # ============================================================
 # 执行注册
 # ============================================================
 def run_set_perm(role, path):
-    cmd = [python, set_perm, role, path]
+    cmd = [PYTHON, SET_PERM_SCRIPT, role, path]
-    print(f"  {role:12s} {path}")
+    result = subprocess.run(cmd, capture_output=True, text=True)
-    subprocess.run(cmd, cwd=sage_root)
+    return result.returncode == 0
 print("Registering RBAC permissions for reallife_asset...")
 for p in paths_any:
    run_set_perm("any", p)
 for p in paths_logined:
    run_set_perm("logined", p)
-print("Done.")
+def register_role_paths(role, paths):
    count = 0
    for p in paths:
        if run_set_perm(role, p):
            count += 1
    print(f"  {role}: {count}/{len(paths)} paths registered")
    return count
 def main():
    print(f"Sage root: {SAGE_ROOT}")
    total = 0
    total += register_role_paths("any", PATHS_ANY)
    total += register_role_paths("logined", PATHS_LOGINED)
    total += register_role_paths("reseller.operator", PATHS_OPERATOR)
    total += register_role_paths("owner.superuser", PATHS_SUPERUSER)
    print(f"\nDone. Total {total} permission entries registered.")
    print("NOTE: Restart Sage after permission changes to reload RBAC cache.")
 if __name__ == "__main__":
    main()