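#!/bin/bash
# setup_rbac_perms.sh
# Seed the RBAC role -> URL-path grants for the rbac module by calling
# set_role_perm.py once per (role, path) pair.
#
# Role responsibilities (as declared by the project):
#   owner.superuser     - system level: org types, roles, permissions, adding
#                         owner admins; created automatically at initialisation
#   *.admin             - org level: add users of its own org, assign their roles
#   reseller.operator   - operations: products, provider contracts, pricing,
#                         global discounts, marketing
#   reseller.sale       - sales: customer management, customer-specific discounts
#   reseller.accountant - finance: offline top-up, reconciliation / settlement
#   reseller.maintainer - maintenance
#   customer.customer   - end-customer user
#   logined             - every logged-in user
#
# Tiering policy (derived from the rbac module's features):
#   1. public    - login / register / auth endpoints, granted to the `any` role
#   2. logined   - self-service (profile, API keys), every logged-in role
#   3. admin     - user / role / org management, superuser + org admins
#   4. superuser - system level (org types / roles / permissions / cache
#                  refresh), owner.superuser only
#
# Location: the script cd's into its own directory, so set_role_perm.py must
# live next to it (the sage project root).
# Usage:    bash setup_rbac_perms.sh            (PYTHON=python3 to override)
#
# SECURITY NOTE (review): these grants are path-level only. Every endpoint that
# reads or mutates a specific record (userapikey/userapp/userdepartment CRUD in
# the logined tier; users/organization/provider/reseller/userrole CRUD in the
# admin tier) must still enforce record ownership / org scoping inside the
# handler - nothing here expresses that. As written, the admin tier hands every
# *.admin role (reseller, provider, customer) the same paths as owner.superuser,
# including organization/provider/reseller create+delete and userrole
# add/update/delete, which goes beyond the "add users of its own org, assign
# their roles" responsibility stated above. Confirm the handlers scope by org
# and refuse escalation before relying on this tiering.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
cd "$SCRIPT_DIR"

# Interpreter is overridable from the environment; default unchanged.
PYTHON="${PYTHON:-python}"
SET_PERM_SCRIPT="set_role_perm.py"

die() { printf 'setup_rbac_perms: %s\n' "$*" >&2; exit 1; }

# Fail before any grant is written instead of on the first set_perm call,
# so a misplaced script never leaves the permission table half-seeded.
[[ -f "$SET_PERM_SCRIPT" ]] || die "$SET_PERM_SCRIPT not found in $SCRIPT_DIR"
command -v "$PYTHON" >/dev/null 2>&1 || die "interpreter '$PYTHON' not found"

COUNT=0

#######################################
# Grant one role access to one path via set_role_perm.py.
# Globals:   COUNT (incremented), PYTHON, SET_PERM_SCRIPT (read)
# Arguments: $1 - role name, $2 - URL path
# Returns:   0; a failing set_role_perm.py aborts the script (set -e)
#######################################
set_perm() {
  local role="$1"
  local path="$2"
  [[ -n "$role" && -n "$path" ]] || die "set_perm: empty role or path"
  "$PYTHON" "$SET_PERM_SCRIPT" "${role}" "${path}"
  COUNT=$((COUNT + 1))
}

# Role groups. ALL_LOGINED lists the `logined` pseudo-role and every concrete
# role; whether `logined` alone would already cover the concrete roles depends
# on the RBAC resolver, which this script does not see, so both are granted.
ALL_LOGINED=("logined" "owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin" "reseller.operator" "reseller.sale" "reseller.accountant" "reseller.maintainer" "customer.customer")
ADMIN_ROLES=("owner.superuser" "owner.admin" "reseller.admin" "provider.admin" "customer.admin")
SUPERUSER_ONLY=("owner.superuser")

echo "============================================"
echo " rbac 模块权限初始化"
echo "============================================"

# =============================================
# Tier 1: PUBLIC - login / register / auth
# Reachable by anyone, including unauthenticated callers.
# =============================================
echo ""
echo ">>> [1/4] Public: 登录/注册/认证 (any)"

PUBLIC_PATHS=(
  # login pages and handlers
  "/rbac/user/login.ui"
  "/rbac/userpassword_login.ui"
  "/rbac/user/wechat_login.ui"
  "/rbac/user/up_login.dspy"
  "/rbac/userpassword_login.dspy"
  "/rbac/phone_login.dspy"
  # registration
  "/rbac/user/register.ui"
  "/rbac/user/register.dspy"
  # SMS verification code - sends messages on behalf of unauthenticated
  # callers; rate limiting / abuse controls must live in the handler.
  "/rbac/gen_sms_code.dspy"
  # QR scan
  "/rbac/qr_scan.ui"
  # NOTE(review): a "user sync" endpoint open to `any` (unauthenticated) is
  # unusual - confirm it authenticates by other means (signature / shared
  # secret) before keeping it in this tier.
  "/rbac/usersync/index.dspy"
  # static image assets
  "/rbac/imgs/organization.svg"
  "/rbac/imgs/orgtype.svg"
  "/rbac/imgs/permission.svg"
  "/rbac/imgs/role.svg"
  "/rbac/imgs/rolepermission.svg"
  "/rbac/imgs/userrole.svg"
  "/rbac/imgs/users.svg"
)

for p in "${PUBLIC_PATHS[@]}"; do
  set_perm "any" "${p}"
done

# =============================================
# Tier 2: LOGINED - user self-service
# Every logged-in role.
# =============================================
echo ""
echo ">>> [2/4] Logined: 用户自助服务 (所有登录用户)"

LOGINED_PATHS=(
  # personal profile
  "/rbac/user/userinfo.ui"
  "/rbac/user/user.ui"
  "/rbac/user/user_panel.ui"
  "/rbac/user/myrole.ui"
  "/rbac/usermenu.ui"
  # logout
  "/rbac/user/logout.dspy"
  # password reset
  # NOTE(review): the header lists password reset under the public tier, but
  # these paths are granted to logged-in roles only; confirm which is intended
  # (a forgot-password flow needs the public tier, a change-password flow does
  # not).
  "/rbac/user/reset_password/index.ui"
  "/rbac/user/reset_password/reset_password.dspy"
  # role lookup (read-only; user views its own roles)
  "/rbac/get_normal_roles.dspy"
  # ===== User API Key CRUD (user manages its own API keys) =====
  # Ownership is not encoded here: the handlers must restrict get/update/
  # delete to keys belonging to the caller.
  "/rbac/user/userapikey/index.ui"
  "/rbac/user/userapikey/get_userapikey.dspy"
  "/rbac/user/userapikey/add_userapikey.dspy"
  "/rbac/user/userapikey/update_userapikey.dspy"
  "/rbac/user/userapikey/delete_userapikey.dspy"
  "/rbac/userapp"
  "/rbac/userapp/index.ui"
  "/rbac/userapp/get_userapp.dspy"
  "/rbac/userapp/add_userapp.dspy"
  "/rbac/userapp/update_userapp.dspy"
  "/rbac/userapp/delete_userapp.dspy"
  # ===== User Department CRUD (user manages its own department info) =====
  # Same caveat: add/update/delete are open to every logged-in role, so the
  # handler must scope records to the caller.
  "/rbac/userdepartment"
  "/rbac/userdepartment/index.ui"
  "/rbac/userdepartment/get_userdepartment.dspy"
  "/rbac/userdepartment/add_userdepartment.dspy"
  "/rbac/userdepartment/update_userdepartment.dspy"
  "/rbac/userdepartment/delete_userdepartment.dspy"
  # ===== User Role read (user views its own role links) =====
  "/rbac/userrole"
  "/rbac/userrole/index.ui"
  "/rbac/userrole/get_userrole.dspy"
)

for p in "${LOGINED_PATHS[@]}"; do
  for role in "${ALL_LOGINED[@]}"; do
    set_perm "${role}" "${p}"
  done
done

# =============================================
# Tier 3: ADMIN - org management (users / roles / orgs)
# superuser + every org admin. See the SECURITY NOTE in the header: all
# five ADMIN_ROLES receive every path below.
# =============================================
echo ""
echo ">>> [3/4] Admin: 机构管理 (superuser + 机构管理员)"

ADMIN_PATHS=(
  # ===== add admin user / provider / reseller =====
  "/rbac/add_adminuser.ui"
  "/rbac/add_adminuser.dspy"
  "/rbac/add_provider.ui"
  "/rbac/add_provider.dspy"
  "/rbac/get_provider.dspy"
  "/rbac/add_reseller.dspy"
  "/rbac/get_reseller.dspy"
  # ===== Users CRUD =====
  "/rbac/users"
  "/rbac/users/index.ui"
  "/rbac/users/get_users.dspy"
  "/rbac/users/add_users.dspy"
  "/rbac/users/update_users.dspy"
  "/rbac/users/delete_users.dspy"
  # ===== Provider CRUD (alias=provider) =====
  "/rbac/provider"
  "/rbac/provider/index.ui"
  "/rbac/provider/get_provider.dspy"
  "/rbac/provider/add_provider.dspy"
  "/rbac/provider/update_provider.dspy"
  "/rbac/provider/delete_provider.dspy"
  # ===== Reseller CRUD (alias=reseller) =====
  "/rbac/reseller"
  "/rbac/reseller/index.ui"
  "/rbac/reseller/get_reseller.dspy"
  "/rbac/reseller/add_reseller.dspy"
  "/rbac/reseller/update_reseller.dspy"
  "/rbac/reseller/delete_reseller.dspy"
  # ===== Organization CRUD =====
  "/rbac/organization"
  "/rbac/organization/index.ui"
  "/rbac/organization/get_organization.dspy"
  "/rbac/organization/add_organization.dspy"
  "/rbac/organization/update_organization.dspy"
  "/rbac/organization/delete_organization.dspy"
  # ===== User Role CRUD (admins assign roles) =====
  # The handler must refuse assigning a role above the caller's own tier
  # (e.g. an org admin granting owner.superuser); this grant alone allows it.
  "/rbac/userrole/add_userrole.dspy"
  "/rbac/userrole/update_userrole.dspy"
  "/rbac/userrole/delete_userrole.dspy"
  # ===== admin menu =====
  "/rbac/admin_menu.ui"
)

for p in "${ADMIN_PATHS[@]}"; do
  for role in "${ADMIN_ROLES[@]}"; do
    set_perm "${role}" "${p}"
  done
done

# =============================================
# Tier 4: SUPERUSER - system-level management
# owner.superuser only.
# =============================================
echo ""
echo ">>> [4/4] Superuser: 系统级管理 (仅 owner.superuser)"

SUPERUSER_PATHS=(
  # add superuser (system initialisation)
  "/rbac/add_superuser.dspy"
  # ===== Role CRUD (system level) =====
  "/rbac/role"
  "/rbac/role/index.ui"
  "/rbac/role/get_role.dspy"
  "/rbac/role/add_role.dspy"
  "/rbac/role/update_role.dspy"
  "/rbac/role/delete_role.dspy"
  # ===== Role Permission CRUD (system level) =====
  "/rbac/rolepermission"
  "/rbac/rolepermission/index.ui"
  "/rbac/rolepermission/get_rolepermission.dspy"
  "/rbac/rolepermission/add_rolepermission.dspy"
  "/rbac/rolepermission/update_rolepermission.dspy"
  "/rbac/rolepermission/delete_rolepermission.dspy"
  # ===== Permission CRUD (system level) =====
  "/rbac/permission"
  "/rbac/permission/index.ui"
  "/rbac/permission/get_permission.dspy"
  "/rbac/permission/add_permission.dspy"
  "/rbac/permission/update_permission.dspy"
  "/rbac/permission/delete_permission.dspy"
  # ===== Org Types CRUD (system level) =====
  "/rbac/orgtypes"
  "/rbac/orgtypes/index.ui"
  "/rbac/orgtypes/get_orgtypes.dspy"
  "/rbac/orgtypes/add_orgtypes.dspy"
  "/rbac/orgtypes/update_orgtypes.dspy"
  "/rbac/orgtypes/delete_orgtypes.dspy"
  # refresh permission cache (system level)
  # NOTE(review): the closing message below says a restart is needed to
  # refresh the RBAC cache; if this endpoint reloads it, confirm which applies.
  "/rbac/refresh_userperm.dspy"
  # list all roles (including system-level ones)
  "/rbac/get_all_roles.dspy"
)

for p in "${SUPERUSER_PATHS[@]}"; do
  for role in "${SUPERUSER_ONLY[@]}"; do
    set_perm "${role}" "${p}"
  done
done

# =============================================
# Done
# =============================================
echo ""
echo "============================================"
echo " 权限配置完成,共设置 ${COUNT} 条权限"
echo "============================================"
echo ""
echo "权限摘要:"
echo " Public (any): ${#PUBLIC_PATHS[@]} 个路径 x 1 角色 = ${#PUBLIC_PATHS[@]} 条"
echo " Logined (所有登录用户): ${#LOGINED_PATHS[@]} 个路径 x ${#ALL_LOGINED[@]} 角色 = $((${#LOGINED_PATHS[@]} * ${#ALL_LOGINED[@]})) 条"
echo " Admin (superuser+机构管理员): ${#ADMIN_PATHS[@]} 个路径 x ${#ADMIN_ROLES[@]} 角色 = $((${#ADMIN_PATHS[@]} * ${#ADMIN_ROLES[@]})) 条"
echo " Superuser (系统级): ${#SUPERUSER_PATHS[@]} 个路径 x ${#SUPERUSER_ONLY[@]} 角色 = $((${#SUPERUSER_PATHS[@]} * ${#SUPERUSER_ONLY[@]})) 条"
echo ""
echo "注意: 修改权限后需重启应用以刷新 RBAC 缓存。"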