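-- ============================================================================
-- govdoc module permission seed
--
-- Purpose:
--   1. Insert the govdoc permission points into the permissions table.
--   2. Grant them to the default roles via role_permissions.
--   3. Idempotent: re-running refreshes the "refreshable" fields
--      (description / display_name / api_path / api_method, ...).
--
-- Permission key format: govdoc:{resource}:{action}
-- Role grants follow §5 of 《内部公文模块接口与权限设计》.
--
-- Caveats for operators:
--   * The seed is additive only. A grant that is removed from the matrix
--     below is NOT revoked on re-run (no DELETE is issued), so tightening
--     a role requires a separate migration.
--   * The guard in step 3 aborts the whole transaction if the grant matrix
--     references a permission key that step 1 did not define (a typo would
--     otherwise silently drop that grant). A role that does not exist yet
--     only raises a WARNING and its grants are skipped, as before.
--   * Everything runs inside one transaction; the temporary seed table is
--     dropped at COMMIT.
-- ============================================================================

BEGIN;

-- ---------------------------------------------------------------------------
-- 1. Permission definitions
-- ---------------------------------------------------------------------------
INSERT INTO permissions (
    permission_key,
    module,
    resource,
    action,
    description,
    display_name,
    permission_type,
    is_system,
    metadata,
    created_at,
    updated_at,
    sort_order,
    route_id,
    api_path,
    api_method
)
VALUES
    -- module entry (menu)
    ('govdoc:module:read',     'govdoc', 'module',   'read',   '查看内部公文处理模块菜单',                     '查看公文模块', 'MENU', TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 10, NULL, '/govdoc',                              'GET'),
    -- documents
    ('govdoc:document:create', 'govdoc', 'document', 'create', '上传公文文档',                                 '上传公文',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 20, NULL, '/api/govdoc/documents',                'POST'),
    ('govdoc:document:read',   'govdoc', 'document', 'read',   '查看公文文档列表与详情',                       '查看公文',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 21, NULL, '/api/govdoc/documents',                'GET'),
    ('govdoc:document:update', 'govdoc', 'document', 'update', '更新公文文档基础信息',                         '编辑公文',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 22, NULL, '/api/govdoc/documents/{DocumentId}',   'PATCH'),
    ('govdoc:document:delete', 'govdoc', 'document', 'delete', '删除公文文档',                                 '删除公文',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 23, NULL, '/api/govdoc/documents/{DocumentId}',   'DELETE'),
    -- review runs
    ('govdoc:run:create',      'govdoc', 'run',      'create', '发起公文格式审查',                             '发起审查',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 30, NULL, '/api/govdoc/runs',                     'POST'),
    ('govdoc:run:read',        'govdoc', 'run',      'read',   '查看审查运行状态',                             '查看审查状态', 'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 31, NULL, '/api/govdoc/runs/{RunId}',             'GET'),
    ('govdoc:run:retry',       'govdoc', 'run',      'retry',  '失败后重试审查',                               '重试审查',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 32, NULL, '/api/govdoc/runs/{RunId}/retry',       'POST'),
    -- reports and results
    ('govdoc:report:read',     'govdoc', 'report',   'read',   '下载审查报告(HTML/DOCX/原文)',                 '下载报告',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 40, NULL, '/api/govdoc/runs/{RunId}/report',      'GET'),
    ('govdoc:result:read',     'govdoc', 'result',   'read',   '查看审查结果(findings/entities/summary)',      '查看审查结果', 'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 41, NULL, '/api/govdoc/runs/{RunId}/result',      'GET'),
    -- rules
    ('govdoc:rule:read',       'govdoc', 'rule',     'read',   '查看公文规则清单与详情',                       '查看规则',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 50, NULL, '/api/govdoc/rules',                    'GET'),
    ('govdoc:rule:manage',     'govdoc', 'rule',     'manage', '发布、更新、切换规则版本',                     '管理规则',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 51, NULL, '/api/govdoc/rule-versions',            'POST'),
    -- settings (optional)
    ('govdoc:settings:read',   'govdoc', 'settings', 'read',   '查看公文模块配置',                             '查看设置',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 60, NULL, '/api/govdoc/settings',                 'GET'),
    ('govdoc:settings:update', 'govdoc', 'settings', 'update', '修改公文模块配置',                             '修改设置',     'API',  TRUE, '{"group":"govdoc"}'::jsonb, NOW(), NOW(), 61, NULL, '/api/govdoc/settings',                 'PATCH')
ON CONFLICT (permission_key) DO UPDATE SET
    -- Refreshable fields. permission_type, is_system, metadata, sort_order
    -- and route_id are deliberately left as they are on an existing row.
    module       = EXCLUDED.module,
    resource     = EXCLUDED.resource,
    action       = EXCLUDED.action,
    description  = EXCLUDED.description,
    display_name = EXCLUDED.display_name,
    api_path     = EXCLUDED.api_path,
    api_method   = EXCLUDED.api_method,
    updated_at   = NOW();

-- ---------------------------------------------------------------------------
-- 2. Role -> permission grant matrix
--    Held in a transaction-scoped temp table so that step 3 can validate it
--    and step 4 can apply it without repeating the list.
-- ---------------------------------------------------------------------------
CREATE TEMPORARY TABLE govdoc_role_permission_seed (
    role_key       text NOT NULL,
    permission_key text NOT NULL,
    grant_type     text NOT NULL,
    data_scope     text NOT NULL,
    PRIMARY KEY (role_key, permission_key)
) ON COMMIT DROP;

INSERT INTO govdoc_role_permission_seed (role_key, permission_key, grant_type, data_scope)
VALUES
    -- super_admin: every permission, all data
    ('super_admin',      'govdoc:module:read',     'GRANT', 'ALL'),
    ('super_admin',      'govdoc:document:create', 'GRANT', 'ALL'),
    ('super_admin',      'govdoc:document:read',   'GRANT', 'ALL'),
    ('super_admin',      'govdoc:document:update', 'GRANT', 'ALL'),
    ('super_admin',      'govdoc:document:delete', 'GRANT', 'ALL'),
    ('super_admin',      'govdoc:run:create',      'GRANT', 'ALL'),
    ('super_admin',      'govdoc:run:read',        'GRANT', 'ALL'),
    ('super_admin',      'govdoc:run:retry',       'GRANT', 'ALL'),
    ('super_admin',      'govdoc:report:read',     'GRANT', 'ALL'),
    ('super_admin',      'govdoc:result:read',     'GRANT', 'ALL'),
    ('super_admin',      'govdoc:rule:read',       'GRANT', 'ALL'),
    ('super_admin',      'govdoc:rule:manage',     'GRANT', 'ALL'),
    ('super_admin',      'govdoc:settings:read',   'GRANT', 'ALL'),
    ('super_admin',      'govdoc:settings:update', 'GRANT', 'ALL'),
    -- provincial_admin: every business permission, all data
    ('provincial_admin', 'govdoc:module:read',     'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:document:create', 'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:document:read',   'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:document:update', 'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:document:delete', 'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:run:create',      'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:run:read',        'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:run:retry',       'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:report:read',     'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:result:read',     'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:rule:read',       'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:rule:manage',     'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:settings:read',   'GRANT', 'ALL'),
    ('provincial_admin', 'govdoc:settings:update', 'GRANT', 'ALL'),
    -- admin: module read/write + rule read, region-scoped;
    --        no rule management and no settings changes
    ('admin',            'govdoc:module:read',     'GRANT', 'REGION'),
    ('admin',            'govdoc:document:create', 'GRANT', 'REGION'),
    ('admin',            'govdoc:document:read',   'GRANT', 'REGION'),
    ('admin',            'govdoc:document:update', 'GRANT', 'REGION'),
    ('admin',            'govdoc:document:delete', 'GRANT', 'REGION'),
    ('admin',            'govdoc:run:create',      'GRANT', 'REGION'),
    ('admin',            'govdoc:run:read',        'GRANT', 'REGION'),
    ('admin',            'govdoc:run:retry',       'GRANT', 'REGION'),
    ('admin',            'govdoc:report:read',     'GRANT', 'REGION'),
    ('admin',            'govdoc:result:read',     'GRANT', 'REGION'),
    ('admin',            'govdoc:rule:read',       'GRANT', 'REGION'),
    -- common: module view + document upload/view + run create/view
    --         + report/result view + rule view, own data only
    ('common',           'govdoc:module:read',     'GRANT', 'OWN'),
    ('common',           'govdoc:document:create', 'GRANT', 'OWN'),
    ('common',           'govdoc:document:read',   'GRANT', 'OWN'),
    ('common',           'govdoc:run:create',      'GRANT', 'OWN'),
    ('common',           'govdoc:run:read',        'GRANT', 'OWN'),
    ('common',           'govdoc:report:read',     'GRANT', 'OWN'),
    ('common',           'govdoc:result:read',     'GRANT', 'OWN'),
    ('common',           'govdoc:rule:read',       'GRANT', 'OWN');

-- ---------------------------------------------------------------------------
-- 3. Integrity guard
--    A permission key in the matrix that step 1 did not define is a seed
--    bug: fail loudly so the transaction rolls back instead of silently
--    granting less than the design says. A missing role is reported but
--    tolerated (its grants are skipped by the join in step 4).
-- ---------------------------------------------------------------------------
DO $$
DECLARE
    missing_permissions text;
    missing_roles       text;
BEGIN
    SELECT string_agg(DISTINCT s.permission_key, ', ' ORDER BY s.permission_key)
      INTO missing_permissions
      FROM govdoc_role_permission_seed AS s
     WHERE NOT EXISTS (
           SELECT 1 FROM permissions AS p WHERE p.permission_key = s.permission_key
     );
    IF missing_permissions IS NOT NULL THEN
        RAISE EXCEPTION 'govdoc seed: grant matrix references undefined permission keys: %',
            missing_permissions;
    END IF;

    SELECT string_agg(DISTINCT s.role_key, ', ' ORDER BY s.role_key)
      INTO missing_roles
      FROM govdoc_role_permission_seed AS s
     WHERE NOT EXISTS (
           SELECT 1 FROM roles AS r WHERE r.role_key = s.role_key
     );
    IF missing_roles IS NOT NULL THEN
        RAISE WARNING 'govdoc seed: roles not found, their grants are skipped: %',
            missing_roles;
    END IF;
END
$$;

-- ---------------------------------------------------------------------------
-- 4. Apply the grants (upsert; existing rows get grant_type/data_scope refreshed)
-- ---------------------------------------------------------------------------
INSERT INTO role_permissions (role_id, permission_id, grant_type, data_scope, created_at, updated_at)
SELECT
    r.id,
    p.id,
    s.grant_type,
    s.data_scope,
    NOW(),
    NOW()
FROM govdoc_role_permission_seed AS s
INNER JOIN roles AS r
    ON r.role_key = s.role_key
INNER JOIN permissions AS p
    ON p.permission_key = s.permission_key
ON CONFLICT (role_id, permission_id) DO UPDATE SET
    grant_type = EXCLUDED.grant_type,
    data_scope = EXCLUDED.data_scope,
    updated_at = NOW();

COMMIT;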