diff --git a/setup_rbac_perms.sh b/setup_rbac_perms.sh
new file mode 100644
index 0000000..e1822ab
--- /dev/null
+++ b/setup_rbac_perms.sh
@@ -0,0 +1,274 @@
+#!/bin/bash
+# setup_rbac_perms.sh
+# 为 rbac 模块配置 RBAC 角色权限
+#
+# 角色职责定义:
+# owner.superuser — 系统级:机构类型管理、角色管理、权限管理、添加业主管理员
+# 系统初始化时由代码自动创建
+# *.admin — 机构级:添加本机构人员、分配人员角色
+# reseller.operator — 运营:产品管理、供应商合同、定价、统一折扣、营销
+# reseller.sale — 销售:客户管理、客户特殊折扣
+# reseller.accountant — 财务:线下充值、对账结算
+# reseller.maintainer — 运维维护
+# customer.customer — 终端客户用户
+# logined — 所有已登录用户
+#
+# 权限分级策略(基于rbac业务功能分析):
+# 1. public — 登录/注册/密码重置等认证相关,any 角色可用
+# 2. logined — 用户自助服务(个人信息、API Key管理),所有登录用户可用
+# 3. admin — 用户管理、角色分配、机构管理,仅 superuser 和机构管理员
+# 4. superuser — 系统级管理(机构类型/角色/权限/缓存刷新),仅 owner.superuser
+#
+# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
+# 用法: bash setup_rbac_perms.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+COUNT=0
+set_perm() {
+ local role="$1"
+ local path="$2"
+ python set_role_perm.py "${role}" "${path}"
+ COUNT=$((COUNT + 1))
+}
+
+# 角色分组
+ALL_LOGINED=("logined" "owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.sale" "reseller.accountant" "reseller.maintainer" "customer.customer")
+ADMIN_ROLES=("owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin")
+SUPERUSER_ONLY=("owner.superuser")
+
+echo "============================================"
+echo " rbac 模块权限初始化"
+echo "============================================"
+
+# =============================================
+# 层级 1: PUBLIC — 登录/注册/认证
+# 任何用户(含未登录)均可访问
+# =============================================
+echo ""
+echo ">>> [1/4] Public: 登录/注册/认证 (any)"
+
+PUBLIC_PATHS=(
+ # 登录页面
+ "/rbac/user/login.ui"
+ "/rbac/userpassword_login.ui"
+ "/rbac/user/wechat_login.ui"
+ "/rbac/user/up_login.dspy"
+ "/rbac/userpassword_login.dspy"
+ "/rbac/phone_login.dspy"
+ # 注册
+ "/rbac/user/register.ui"
+ "/rbac/user/register.dspy"
+ # 短信验证码
+ "/rbac/gen_sms_code.dspy"
+ # 扫码
+ "/rbac/qr_scan.ui"
+ # 用户同步
+ "/rbac/usersync/index.dspy"
+ # 图片资源
+ "/rbac/imgs/organization.svg"
+ "/rbac/imgs/orgtype.svg"
+ "/rbac/imgs/permission.svg"
+ "/rbac/imgs/role.svg"
+ "/rbac/imgs/rolepermission.svg"
+ "/rbac/imgs/userrole.svg"
+ "/rbac/imgs/users.svg"
+)
+
+for p in "${PUBLIC_PATHS[@]}"; do
+ set_perm "any" "${p}"
+done
+
+# =============================================
+# 层级 2: LOGINED — 用户自助服务
+# 所有登录用户可用
+# =============================================
+echo ""
+echo ">>> [2/4] Logined: 用户自助服务 (所有登录用户)"
+
+LOGINED_PATHS=(
+ # 用户个人信息
+ "/rbac/user/userinfo.ui"
+ "/rbac/user/user.ui"
+ "/rbac/user/user_panel.ui"
+ "/rbac/user/myrole.ui"
+ "/rbac/usermenu.ui"
+ # 登出
+ "/rbac/user/logout.dspy"
+ # 密码重置
+ "/rbac/user/reset_password/index.ui"
+ "/rbac/user/reset_password/reset_password.dspy"
+ # 角色查询(只读,用户可查看自己的角色)
+ "/rbac/get_normal_roles.dspy"
+
+ # ========== User API Key CRUD(用户管理自己的API Key) ==========
+ "/rbac/user/userapikey/index.ui"
+ "/rbac/user/userapikey/get_userapikey.dspy"
+ "/rbac/user/userapikey/add_userapikey.dspy"
+ "/rbac/user/userapikey/update_userapikey.dspy"
+ "/rbac/user/userapikey/delete_userapikey.dspy"
+ "/rbac/userapp"
+ "/rbac/userapp/index.ui"
+ "/rbac/userapp/get_userapp.dspy"
+ "/rbac/userapp/add_userapp.dspy"
+ "/rbac/userapp/update_userapp.dspy"
+ "/rbac/userapp/delete_userapp.dspy"
+
+ # ========== User Department CRUD(用户管理自己的部门信息) ==========
+ "/rbac/userdepartment"
+ "/rbac/userdepartment/index.ui"
+ "/rbac/userdepartment/get_userdepartment.dspy"
+ "/rbac/userdepartment/add_userdepartment.dspy"
+ "/rbac/userdepartment/update_userdepartment.dspy"
+ "/rbac/userdepartment/delete_userdepartment.dspy"
+
+ # ========== User Role CRUD(用户角色关联,用户可查看自己的角色) ==========
+ "/rbac/userrole"
+ "/rbac/userrole/index.ui"
+ "/rbac/userrole/get_userrole.dspy"
+)
+
+for p in "${LOGINED_PATHS[@]}"; do
+ for role in "${ALL_LOGINED[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+# =============================================
+# 层级 3: ADMIN — 机构管理(用户/角色/机构)
+# superuser + 各机构管理员
+# =============================================
+echo ""
+echo ">>> [3/4] Admin: 机构管理 (superuser + 机构管理员)"
+
+ADMIN_PATHS=(
+ # ========== 添加管理员/供应商/分销商 ==========
+ "/rbac/add_adminuser.ui"
+ "/rbac/add_adminuser.dspy"
+ "/rbac/add_provider.ui"
+ "/rbac/add_provider.dspy"
+ "/rbac/get_provider.dspy"
+ "/rbac/add_reseller.dspy"
+ "/rbac/get_reseller.dspy"
+
+ # ========== Users CRUD(用户管理) ==========
+ "/rbac/users"
+ "/rbac/users/index.ui"
+ "/rbac/users/get_users.dspy"
+ "/rbac/users/add_users.dspy"
+ "/rbac/users/update_users.dspy"
+ "/rbac/users/delete_users.dspy"
+
+ # ========== Provider CRUD(供应商管理,alias=provider) ==========
+ "/rbac/provider"
+ "/rbac/provider/index.ui"
+ "/rbac/provider/get_provider.dspy"
+ "/rbac/provider/add_provider.dspy"
+ "/rbac/provider/update_provider.dspy"
+ "/rbac/provider/delete_provider.dspy"
+
+ # ========== Reseller CRUD(分销商管理,alias=reseller) ==========
+ "/rbac/reseller"
+ "/rbac/reseller/index.ui"
+ "/rbac/reseller/get_reseller.dspy"
+ "/rbac/reseller/add_reseller.dspy"
+ "/rbac/reseller/update_reseller.dspy"
+ "/rbac/reseller/delete_reseller.dspy"
+
+ # ========== Organization CRUD(机构管理) ==========
+ "/rbac/organization"
+ "/rbac/organization/index.ui"
+ "/rbac/organization/get_organization.dspy"
+ "/rbac/organization/add_organization.dspy"
+ "/rbac/organization/update_organization.dspy"
+ "/rbac/organization/delete_organization.dspy"
+
+ # ========== User Role CRUD(管理员可分配角色) ==========
+ "/rbac/userrole/add_userrole.dspy"
+ "/rbac/userrole/update_userrole.dspy"
+ "/rbac/userrole/delete_userrole.dspy"
+
+ # ========== 管理员菜单 ==========
+ "/rbac/admin_menu.ui"
+)
+
+for p in "${ADMIN_PATHS[@]}"; do
+ for role in "${ADMIN_ROLES[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+# =============================================
+# 层级 4: SUPERUSER — 系统级管理
+# 仅 owner.superuser
+# =============================================
+echo ""
+echo ">>> [4/4] Superuser: 系统级管理 (仅 owner.superuser)"
+
+SUPERUSER_PATHS=(
+ # 添加超级管理员(系统初始化)
+ "/rbac/add_superuser.dspy"
+
+ # ========== Role CRUD(角色管理 — 系统级) ==========
+ "/rbac/role"
+ "/rbac/role/index.ui"
+ "/rbac/role/get_role.dspy"
+ "/rbac/role/add_role.dspy"
+ "/rbac/role/update_role.dspy"
+ "/rbac/role/delete_role.dspy"
+
+ # ========== Role Permission CRUD(角色权限管理 — 系统级) ==========
+ "/rbac/rolepermission"
+ "/rbac/rolepermission/index.ui"
+ "/rbac/rolepermission/get_rolepermission.dspy"
+ "/rbac/rolepermission/add_rolepermission.dspy"
+ "/rbac/rolepermission/update_rolepermission.dspy"
+ "/rbac/rolepermission/delete_rolepermission.dspy"
+
+ # ========== Permission CRUD(权限管理 — 系统级) ==========
+ "/rbac/permission"
+ "/rbac/permission/index.ui"
+ "/rbac/permission/get_permission.dspy"
+ "/rbac/permission/add_permission.dspy"
+ "/rbac/permission/update_permission.dspy"
+ "/rbac/permission/delete_permission.dspy"
+
+ # ========== Org Types CRUD(机构类型管理 — 系统级) ==========
+ "/rbac/orgtypes"
+ "/rbac/orgtypes/index.ui"
+ "/rbac/orgtypes/get_orgtypes.dspy"
+ "/rbac/orgtypes/add_orgtypes.dspy"
+ "/rbac/orgtypes/update_orgtypes.dspy"
+ "/rbac/orgtypes/delete_orgtypes.dspy"
+
+ # 刷新权限缓存(系统级操作)
+ "/rbac/refresh_userperm.dspy"
+
+ # 获取所有角色(含系统级角色)
+ "/rbac/get_all_roles.dspy"
+)
+
+for p in "${SUPERUSER_PATHS[@]}"; do
+ for role in "${SUPERUSER_ONLY[@]}"; do
+ set_perm "${role}" "${p}"
+ done
+done
+
+# =============================================
+# 完成
+# =============================================
+echo ""
+echo "============================================"
+echo " 权限配置完成,共设置 ${COUNT} 条权限"
+echo "============================================"
+echo ""
+echo "权限摘要:"
+echo " Public (any): ${#PUBLIC_PATHS[@]} 个路径 x 1 角色 = ${#PUBLIC_PATHS[@]} 条"
+echo " Logined (所有登录用户): ${#LOGINED_PATHS[@]} 个路径 x ${#ALL_LOGINED[@]} 角色 = $((${#LOGINED_PATHS[@]} * ${#ALL_LOGINED[@]})) 条"
+echo " Admin (superuser+机构管理员): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES[@]})) 条"
+echo " Superuser (系统级): ${#SUPERUSER_PATHS[@]} 个路径 x ${#SUPERUSER_ONLY[@]} 角色 = $((${#SUPERUSER_PATHS[@]} * ${#SUPERUSER_ONLY[@]})) 条"
+echo ""
+echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"
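Review bot: ADMIN_PATHS is granted to every role in ADMIN_ROLES, so `customer.admin` and `provider.admin` receive the full organization, provider and reseller CRUD blocks plus `/rbac/users/delete_users.dspy`, which is wider than the header's description of `*.admin` as 机构级 (adding and assigning roles to the admin's own organisation's staff). A path grant here carries no tenant scope, so cross-organisation isolation rests entirely on each handler filtering by the caller's organisation, which this script cannot verify. Consider moving the cross-organisation paths (the organization/provider/reseller CRUD blocks and `add_provider`/`add_reseller`) into a separate list granted only to `owner.superuser` and `owner.admin`, or at least record the assumption above `ADMIN_PATHS=(`, e.g. `# NOTE: path grants are organisation-agnostic; every handler below must scope reads and writes to the caller's organisation`. The same question applies to the LOGINED tier, where `delete_userdepartment.dspy` and the userapp CRUD are granted to all eleven roles including `customer.customer` on the strength of the "用户管理自己的" comments alone. `/rbac/usersync/index.dspy` sits in PUBLIC_PATHS and therefore runs unauthenticated; confirm that is intended rather than an artefact of grouping it with the login pages.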