新增 rbac 模块权限初始化脚本

基于角色职责分析的四层权限模型：

1. Public (any): 18个路径 - 登录/注册/认证/静态资源
2. Logined (11角色): 29个路径 - 用户自助服务、API Key CRUD
3. Admin (5角色): 35个路径 - 用户管理、机构管理、供应商/分销商
4. Superuser (1角色): 27个路径 - 角色/权限/机构类型管理

总计: 18 + 29*11 + 35*5 + 27*1 = 592 条权限记录

setup_rbac_perms.sh

@@ -0,0 +1,274 @@
+#!/bin/bash
+# setup_rbac_perms.sh
+# 为 rbac 模块配置 RBAC 角色权限
+#
+# 角色职责定义：
+#   owner.superuser   — 系统级：机构类型管理、角色管理、权限管理、添加业主管理员
+#                       系统初始化时由代码自动创建
+#   *.admin           — 机构级：添加本机构人员、分配人员角色
+#   reseller.operator — 运营：产品管理、供应商合同、定价、统一折扣、营销
+#   reseller.sale     — 销售：客户管理、客户特殊折扣
+#   reseller.accountant — 财务：线下充值、对账结算
+#   reseller.maintainer — 运维维护
+#   customer.customer — 终端客户用户
+#   logined           — 所有已登录用户
+#
+# 权限分级策略（基于rbac业务功能分析）：
+#   1. public   — 登录/注册/密码重置等认证相关，any 角色可用
+#   2. logined  — 用户自助服务（个人信息、API Key管理），所有登录用户可用
+#   3. admin    — 用户管理、角色分配、机构管理，仅 superuser 和机构管理员
+#   4. superuser — 系统级管理（机构类型/角色/权限/缓存刷新），仅 owner.superuser
+#
+# 运行位置: sage 项目根目录 (包含 set_role_perm.py 的目录)
+# 用法: bash setup_rbac_perms.sh
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+cd "$SCRIPT_DIR"
+
+COUNT=0
+set_perm() {
+    local role="$1"
+    local path="$2"
+    python set_role_perm.py "${role}" "${path}"
+    COUNT=$((COUNT + 1))
+}
+
+# 角色分组
+ALL_LOGINED=("logined" "owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.sale" "reseller.accountant" "reseller.maintainer" "customer.customer")
+ADMIN_ROLES=("owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin")
+SUPERUSER_ONLY=("owner.superuser")
+
+echo "============================================"
+echo "  rbac 模块权限初始化"
+echo "============================================"
+
+# =============================================
+# 层级 1: PUBLIC — 登录/注册/认证
+# 任何用户（含未登录）均可访问
+# =============================================
+echo ""
+echo ">>> [1/4] Public: 登录/注册/认证 (any)"
+
+PUBLIC_PATHS=(
+    # 登录页面
+    "/rbac/user/login.ui"
+    "/rbac/userpassword_login.ui"
+    "/rbac/user/wechat_login.ui"
+    "/rbac/user/up_login.dspy"
+    "/rbac/userpassword_login.dspy"
+    "/rbac/phone_login.dspy"
+    # 注册
+    "/rbac/user/register.ui"
+    "/rbac/user/register.dspy"
+    # 短信验证码
+    "/rbac/gen_sms_code.dspy"
+    # 扫码
+    "/rbac/qr_scan.ui"
+    # 用户同步
+    "/rbac/usersync/index.dspy"
+    # 图片资源
+    "/rbac/imgs/organization.svg"
+    "/rbac/imgs/orgtype.svg"
+    "/rbac/imgs/permission.svg"
+    "/rbac/imgs/role.svg"
+    "/rbac/imgs/rolepermission.svg"
+    "/rbac/imgs/userrole.svg"
+    "/rbac/imgs/users.svg"
+)
+
+for p in "${PUBLIC_PATHS[@]}"; do
+    set_perm "any" "${p}"
+done
+
+# =============================================
+# 层级 2: LOGINED — 用户自助服务
+# 所有登录用户可用
+# =============================================
+echo ""
+echo ">>> [2/4] Logined: 用户自助服务 (所有登录用户)"
+
+LOGINED_PATHS=(
+    # 用户个人信息
+    "/rbac/user/userinfo.ui"
+    "/rbac/user/user.ui"
+    "/rbac/user/user_panel.ui"
+    "/rbac/user/myrole.ui"
+    "/rbac/usermenu.ui"
+    # 登出
+    "/rbac/user/logout.dspy"
+    # 密码重置
+    "/rbac/user/reset_password/index.ui"
+    "/rbac/user/reset_password/reset_password.dspy"
+    # 角色查询（只读，用户可查看自己的角色）
+    "/rbac/get_normal_roles.dspy"
+
+    # ========== User API Key CRUD（用户管理自己的API Key） ==========
+    "/rbac/user/userapikey/index.ui"
+    "/rbac/user/userapikey/get_userapikey.dspy"
+    "/rbac/user/userapikey/add_userapikey.dspy"
+    "/rbac/user/userapikey/update_userapikey.dspy"
+    "/rbac/user/userapikey/delete_userapikey.dspy"
+    "/rbac/userapp"
+    "/rbac/userapp/index.ui"
+    "/rbac/userapp/get_userapp.dspy"
+    "/rbac/userapp/add_userapp.dspy"
+    "/rbac/userapp/update_userapp.dspy"
+    "/rbac/userapp/delete_userapp.dspy"
+
+    # ========== User Department CRUD（用户管理自己的部门信息） ==========
+    "/rbac/userdepartment"
+    "/rbac/userdepartment/index.ui"
+    "/rbac/userdepartment/get_userdepartment.dspy"
+    "/rbac/userdepartment/add_userdepartment.dspy"
+    "/rbac/userdepartment/update_userdepartment.dspy"
+    "/rbac/userdepartment/delete_userdepartment.dspy"
+
+    # ========== User Role CRUD（用户角色关联，用户可查看自己的角色） ==========
+    "/rbac/userrole"
+    "/rbac/userrole/index.ui"
+    "/rbac/userrole/get_userrole.dspy"
+)
+
+for p in "${LOGINED_PATHS[@]}"; do
+    for role in "${ALL_LOGINED[@]}"; do
+        set_perm "${role}" "${p}"
+    done
+done
+
+# =============================================
+# 层级 3: ADMIN — 机构管理（用户/角色/机构）
+# superuser + 各机构管理员
+# =============================================
+echo ""
+echo ">>> [3/4] Admin: 机构管理 (superuser + 机构管理员)"
+
+ADMIN_PATHS=(
+    # ========== 添加管理员/供应商/分销商 ==========
+    "/rbac/add_adminuser.ui"
+    "/rbac/add_adminuser.dspy"
+    "/rbac/add_provider.ui"
+    "/rbac/add_provider.dspy"
+    "/rbac/get_provider.dspy"
+    "/rbac/add_reseller.dspy"
+    "/rbac/get_reseller.dspy"
+
+    # ========== Users CRUD（用户管理） ==========
+    "/rbac/users"
+    "/rbac/users/index.ui"
+    "/rbac/users/get_users.dspy"
+    "/rbac/users/add_users.dspy"
+    "/rbac/users/update_users.dspy"
+    "/rbac/users/delete_users.dspy"
+
+    # ========== Provider CRUD（供应商管理，alias=provider） ==========
+    "/rbac/provider"
+    "/rbac/provider/index.ui"
+    "/rbac/provider/get_provider.dspy"
+    "/rbac/provider/add_provider.dspy"
+    "/rbac/provider/update_provider.dspy"
+    "/rbac/provider/delete_provider.dspy"
+
+    # ========== Reseller CRUD（分销商管理，alias=reseller） ==========
+    "/rbac/reseller"
+    "/rbac/reseller/index.ui"
+    "/rbac/reseller/get_reseller.dspy"
+    "/rbac/reseller/add_reseller.dspy"
+    "/rbac/reseller/update_reseller.dspy"
+    "/rbac/reseller/delete_reseller.dspy"
+
+    # ========== Organization CRUD（机构管理） ==========
+    "/rbac/organization"
+    "/rbac/organization/index.ui"
+    "/rbac/organization/get_organization.dspy"
+    "/rbac/organization/add_organization.dspy"
+    "/rbac/organization/update_organization.dspy"
+    "/rbac/organization/delete_organization.dspy"
+
+    # ========== User Role CRUD（管理员可分配角色） ==========
+    "/rbac/userrole/add_userrole.dspy"
+    "/rbac/userrole/update_userrole.dspy"
+    "/rbac/userrole/delete_userrole.dspy"
+
+    # ========== 管理员菜单 ==========
+    "/rbac/admin_menu.ui"
+)
+
+for p in "${ADMIN_PATHS[@]}"; do
+    for role in "${ADMIN_ROLES[@]}"; do
+        set_perm "${role}" "${p}"
+    done
+done
+
+# =============================================
+# 层级 4: SUPERUSER — 系统级管理
+# 仅 owner.superuser
+# =============================================
+echo ""
+echo ">>> [4/4] Superuser: 系统级管理 (仅 owner.superuser)"
+
+SUPERUSER_PATHS=(
+    # 添加超级管理员（系统初始化）
+    "/rbac/add_superuser.dspy"
+
+    # ========== Role CRUD（角色管理 — 系统级） ==========
+    "/rbac/role"
+    "/rbac/role/index.ui"
+    "/rbac/role/get_role.dspy"
+    "/rbac/role/add_role.dspy"
+    "/rbac/role/update_role.dspy"
+    "/rbac/role/delete_role.dspy"
+
+    # ========== Role Permission CRUD（角色权限管理 — 系统级） ==========
+    "/rbac/rolepermission"
+    "/rbac/rolepermission/index.ui"
+    "/rbac/rolepermission/get_rolepermission.dspy"
+    "/rbac/rolepermission/add_rolepermission.dspy"
+    "/rbac/rolepermission/update_rolepermission.dspy"
+    "/rbac/rolepermission/delete_rolepermission.dspy"
+
+    # ========== Permission CRUD（权限管理 — 系统级） ==========
+    "/rbac/permission"
+    "/rbac/permission/index.ui"
+    "/rbac/permission/get_permission.dspy"
+    "/rbac/permission/add_permission.dspy"
+    "/rbac/permission/update_permission.dspy"
+    "/rbac/permission/delete_permission.dspy"
+
+    # ========== Org Types CRUD（机构类型管理 — 系统级） ==========
+    "/rbac/orgtypes"
+    "/rbac/orgtypes/index.ui"
+    "/rbac/orgtypes/get_orgtypes.dspy"
+    "/rbac/orgtypes/add_orgtypes.dspy"
+    "/rbac/orgtypes/update_orgtypes.dspy"
+    "/rbac/orgtypes/delete_orgtypes.dspy"
+
+    # 刷新权限缓存（系统级操作）
+    "/rbac/refresh_userperm.dspy"
+
+    # 获取所有角色（含系统级角色）
+    "/rbac/get_all_roles.dspy"
+)
+
+for p in "${SUPERUSER_PATHS[@]}"; do
+    for role in "${SUPERUSER_ONLY[@]}"; do
+        set_perm "${role}" "${p}"
+    done
+done
+
+# =============================================
+# 完成
+# =============================================
+echo ""
+echo "============================================"
+echo "  权限配置完成，共设置 ${COUNT} 条权限"
+echo "============================================"
+echo ""
+echo "权限摘要:"
+echo "  Public (any):                  ${#PUBLIC_PATHS[@]} 个路径 x 1 角色 = ${#PUBLIC_PATHS[@]} 条"
+echo "  Logined (所有登录用户):        ${#LOGINED_PATHS[@]} 个路径 x ${#ALL_LOGINED[@]} 角色 = $((${#LOGINED_PATHS[@]} * ${#ALL_LOGINED[@]})) 条"
+echo "  Admin (superuser+机构管理员):  ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES[@]})) 条"
+echo "  Superuser (系统级):            ${#SUPERUSER_PATHS[@]} 个路径 x ${#SUPERUSER_ONLY[@]} 角色 = $((${#SUPERUSER_PATHS[@]} * ${#SUPERUSER_ONLY[@]})) 条"
+echo ""
+echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"