BEGIN;
-- ============================================================================
-- LeAudit Platform Contract Template RBAC Seed
-- Purpose:
-- 1. Add the contract-template read / write / delete permissions.
-- 2. Grant the template permissions to roles; upload / update / delete are
--    opened only to the regional administrator role `admin` (read access is
--    also granted to super_admin and provincial_admin).
-- Notes:
-- - Depends on user_rbac_schema_patch.sql.
-- - Depends on the contract-template frontend routes already existing in
--   sys_routes: the permission upsert joins on them, so a seed row whose
--   route is missing (or soft-deleted) is skipped rather than inserted.
-- - Idempotent script; safe to re-run.
-- - Runs as a single transaction (BEGIN ... COMMIT), so a failure in any
--   step leaves the RBAC tables unchanged.
-- ============================================================================
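-- Step 1: upsert the contract-template permissions.
--
-- route_map resolves each seed row's frontend route to its sys_routes.id.
-- The INNER JOIN below means a seed row whose route is missing or
-- soft-deleted is silently dropped (no permission row, and therefore no
-- role grant in step 2); on a fresh run the affected row count should be 6.
WITH route_map AS (
    SELECT id, route_path
    FROM sys_routes
    WHERE deleted_at IS NULL
      AND route_path IN ('/contract-template/list', '/contract-template/search')
),
-- The six permissions, one per backend endpoint. sort_order 310-315 keeps
-- them grouped in menus; api_path / api_method describe the protected route.
seed(
    permission_key,
    module,
    resource,
    action,
    description,
    display_name,
    route_path,
    sort_order,
    api_path,
    api_method
) AS (
    VALUES
        ('contract_template:list:read', 'contract_template', 'list', 'read', '查看合同模板列表', '查看合同模板列表', '/contract-template/list', 310, '/api/v3/contract-templates', 'GET'),
        ('contract_template:search:read', 'contract_template', 'search', 'read', '搜索合同模板', '搜索合同模板', '/contract-template/search', 311, '/api/v3/contract-templates/search', 'GET'),
        ('contract_template:detail:read', 'contract_template', 'detail', 'read', '查看合同模板详情', '查看合同模板详情', '/contract-template/list', 312, '/api/v3/contract-templates/{id}', 'GET'),
        ('contract_template:create:write', 'contract_template', 'create', 'write', '上传合同模板', '上传合同模板', '/contract-template/list', 313, '/api/v3/contract-templates', 'POST'),
        ('contract_template:update:write', 'contract_template', 'update', 'write', '更新合同模板', '更新合同模板', '/contract-template/list', 314, '/api/v3/contract-templates/{id}', 'PUT'),
        ('contract_template:delete:delete', 'contract_template', 'delete', 'delete', '删除合同模板', '删除合同模板', '/contract-template/list', 315, '/api/v3/contract-templates/{id}', 'DELETE')
)
INSERT INTO permissions (
    permission_key,
    module,
    resource,
    action,
    description,
    display_name,
    permission_type,
    is_system,
    metadata,
    created_at,
    updated_at,
    created_by,
    updated_by,
    parent_id,
    sort_order,
    route_id,
    api_path,
    api_method,
    related_routes
)
SELECT
    seed.permission_key,
    seed.module,
    seed.resource,
    seed.action,
    seed.description,
    seed.display_name,
    'API',              -- all rows are API-level permissions
    TRUE,               -- is_system: seeded rows, not user-created
    NULL::jsonb,        -- metadata: none for these permissions
    NOW(),
    NOW(),
    NULL::bigint,       -- created_by: system seed, no operator
    NULL::bigint,       -- updated_by
    NULL::bigint,       -- parent_id: flat, no permission hierarchy
    seed.sort_order,
    route_map.id,
    seed.api_path,
    seed.api_method,
    NULL::bigint[]      -- related_routes: none
FROM seed
INNER JOIN route_map ON route_map.route_path = seed.route_path
ON CONFLICT (permission_key) DO UPDATE SET
    module = EXCLUDED.module,
    resource = EXCLUDED.resource,
    action = EXCLUDED.action,
    description = EXCLUDED.description,
    display_name = EXCLUDED.display_name,
    permission_type = EXCLUDED.permission_type,
    is_system = EXCLUDED.is_system,
    route_id = EXCLUDED.route_id,
    api_path = EXCLUDED.api_path,
    api_method = EXCLUDED.api_method,
    sort_order = EXCLUDED.sort_order,
    updated_at = NOW()
-- Only rewrite the row (and bump updated_at) when a seeded value actually
-- differs, so re-running with unchanged seed data is a true no-op and
-- updated_at keeps reflecting real changes to the permission catalogue.
WHERE (
    permissions.module,
    permissions.resource,
    permissions.action,
    permissions.description,
    permissions.display_name,
    permissions.permission_type,
    permissions.is_system,
    permissions.route_id,
    permissions.api_path,
    permissions.api_method,
    permissions.sort_order
) IS DISTINCT FROM (
    EXCLUDED.module,
    EXCLUDED.resource,
    EXCLUDED.action,
    EXCLUDED.description,
    EXCLUDED.display_name,
    EXCLUDED.permission_type,
    EXCLUDED.is_system,
    EXCLUDED.route_id,
    EXCLUDED.api_path,
    EXCLUDED.api_method,
    EXCLUDED.sort_order
);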
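-- Step 2: grant the permissions per role.
--
-- Read permissions go to all three admin tiers; create / update / delete are
-- granted only to the regional 'admin' role, and only within its department
-- (data_scope DEPT). super_admin / provincial_admin get ALL scope on reads.
-- A seed row whose role or permission does not exist (e.g. a permission
-- skipped in step 1 because its route was missing) is silently dropped by
-- the INNER JOINs below; on a fresh run the affected row count should be 12.
WITH seed(role_key, permission_key, grant_type, data_scope) AS (
    VALUES
        ('super_admin', 'contract_template:list:read', 'GRANT', 'ALL'),
        ('super_admin', 'contract_template:search:read', 'GRANT', 'ALL'),
        ('super_admin', 'contract_template:detail:read', 'GRANT', 'ALL'),
        ('provincial_admin', 'contract_template:list:read', 'GRANT', 'ALL'),
        ('provincial_admin', 'contract_template:search:read', 'GRANT', 'ALL'),
        ('provincial_admin', 'contract_template:detail:read', 'GRANT', 'ALL'),
        ('admin', 'contract_template:list:read', 'GRANT', 'DEPT'),
        ('admin', 'contract_template:search:read', 'GRANT', 'DEPT'),
        ('admin', 'contract_template:detail:read', 'GRANT', 'DEPT'),
        ('admin', 'contract_template:create:write', 'GRANT', 'DEPT'),
        ('admin', 'contract_template:update:write', 'GRANT', 'DEPT'),
        ('admin', 'contract_template:delete:delete', 'GRANT', 'DEPT')
),
-- NOTE(review): neither lookup filters on a soft-delete column, unlike the
-- sys_routes lookup in step 1 — confirm roles / permissions have none.
role_map AS (
    SELECT id, role_key
    FROM roles
    WHERE role_key IN (SELECT DISTINCT role_key FROM seed)
),
-- Exact-key lookup driven by the seed rows (the previous LIKE prefix filter
-- treated '_' as a wildcard and was only a pre-filter for the join anyway).
perm_map AS (
    SELECT id, permission_key
    FROM permissions
    WHERE permission_key IN (SELECT DISTINCT permission_key FROM seed)
)
INSERT INTO role_permissions (
    role_id,
    permission_id,
    grant_type,
    data_scope,
    created_at,
    updated_at
)
SELECT
    role_map.id,
    perm_map.id,
    seed.grant_type,
    seed.data_scope,
    NOW(),
    NOW()
FROM seed
INNER JOIN role_map ON role_map.role_key = seed.role_key
INNER JOIN perm_map ON perm_map.permission_key = seed.permission_key
ON CONFLICT (role_id, permission_id) DO UPDATE SET
    grant_type = EXCLUDED.grant_type,
    data_scope = EXCLUDED.data_scope,
    updated_at = NOW()
-- Only rewrite (and bump updated_at) when the grant actually changes, so a
-- re-run is a true no-op and updated_at still records real scope changes.
WHERE (role_permissions.grant_type, role_permissions.data_scope)
      IS DISTINCT FROM (EXCLUDED.grant_type, EXCLUDED.data_scope);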
-- Step 3: least-privilege cleanup.
--
-- The upsert above never grants the create / update / delete permissions to
-- super_admin or provincial_admin, so any such rows can only come from an
-- earlier revision of this seed or from a grant made outside it; revoke them
-- so repeated runs converge on the intended role matrix.
-- NOTE(review): other roles holding these keys (if any) are left untouched —
-- confirm that matches the "admin only" intent stated in the header.
DELETE FROM role_permissions AS rp
WHERE EXISTS (
        SELECT 1
        FROM roles AS r
        WHERE r.id = rp.role_id
          AND r.role_key IN ('super_admin', 'provincial_admin')
    )
  AND EXISTS (
        SELECT 1
        FROM permissions AS p
        WHERE p.id = rp.permission_id
          AND p.permission_key IN (
              'contract_template:create:write',
              'contract_template:update:write',
              'contract_template:delete:delete'
          )
    );
-- All three steps land atomically; nothing is visible to readers before this.
COMMIT;