TanWenyan/leaudit-platform-backend
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68d0b4c8785b7e06dfd0efee8bc9a4b0e5a39e4d
leaudit-platform-backend/scripts/创建sql/rbac_entry_module_super_admin_only.sql
T
wren 68d0b4c878 feat: update audit platform workspace
2026-05-25 09:50:01 +08:00

67 lines
2.6 KiB
PL/PgSQL
Raw Blame History

-- ============================================================================
-- 入口模块管理权限收口:仅系统超级管理员维护入口模块
-- 说明:
-- 1. 不在代码里硬编码角色名,运行时仍然只认 RBAC 权限点。
-- 2. 本脚本只调整默认 RBAC 数据,把 admin / provincial_admin 的入口模块管理能力移除。
-- 3. 若后续确需给某个角色开放入口模块管理,请通过角色权限页面重新分配。
-- 4. 可重复执行。
-- ============================================================================
BEGIN;
-- 保证系统超级管理员拥有入口模块路由。
INSERT INTO role_route (role_id, route_id, permission, status, created_at, updated_at)
SELECT r.id, sr.id, 'RW', 1, NOW(), NOW()
FROM roles r
JOIN sys_routes sr ON sr.route_path = '/entry-modules' AND sr.deleted_at IS NULL
WHERE r.role_key = 'super_admin'
ON CONFLICT (role_id, route_id) DO UPDATE SET
permission = EXCLUDED.permission,
status = EXCLUDED.status,
updated_at = NOW();
-- 保证系统超级管理员拥有入口模块全部权限点。
INSERT INTO role_permissions (role_id, permission_id, grant_type, data_scope, created_at, updated_at)
SELECT r.id, p.id, 'GRANT', 'ALL', NOW(), NOW()
FROM roles r
JOIN permissions p ON p.permission_key LIKE 'entry_module:%'
WHERE r.role_key = 'super_admin'
ON CONFLICT (role_id, permission_id) DO UPDATE SET
grant_type = EXCLUDED.grant_type,
data_scope = EXCLUDED.data_scope,
updated_at = NOW();
-- 移除地区管理员 / 旧省级管理员的入口模块权限点。
DELETE FROM role_permissions rp
USING roles r, permissions p
WHERE rp.role_id = r.id
AND rp.permission_id = p.id
AND r.role_key IN ('admin', 'provincial_admin')
AND p.permission_key LIKE 'entry_module:%';
-- 移除地区管理员 / 旧省级管理员的入口模块管理菜单。
DELETE FROM role_route rr
USING roles r, sys_routes sr
WHERE rr.role_id = r.id
AND rr.route_id = sr.id
AND r.role_key IN ('admin', 'provincial_admin')
AND sr.route_path = '/entry-modules';
COMMIT;
-- 验证结果:应只看到 super_admin 拥有入口模块权限。
SELECT r.role_key, p.permission_key
FROM roles r
JOIN role_permissions rp ON rp.role_id = r.id
JOIN permissions p ON p.id = rp.permission_id
WHERE p.permission_key LIKE 'entry_module:%'
ORDER BY r.role_key, p.permission_key;
-- 验证结果:admin / provincial_admin 不应再拥有 /entry-modules 路由。
SELECT r.role_key, sr.route_path, rr.permission, rr.status
FROM roles r
JOIN role_route rr ON rr.role_id = r.id
JOIN sys_routes sr ON sr.id = rr.route_id
WHERE sr.route_path = '/entry-modules'
ORDER BY r.role_key;
Reference in New Issue View Git Blame Copy Permalink