285 lines
9.9 KiB
MySQL
285 lines
9.9 KiB
MySQL
|
|
create table if not exists sys_user_data_scope_user (
|
|||
|
|
id bigserial primary key,
|
|||
|
|
tenant_id bigint not null,
|
|||
|
|
viewer_user_id bigint not null,
|
|||
|
|
owner_user_id bigint not null,
|
|||
|
|
resource_type varchar(50) not null default 'ALL',
|
|||
|
|
enabled boolean not null default true,
|
|||
|
|
expire_at timestamptz,
|
|||
|
|
remark varchar(500),
|
|||
|
|
created_by bigint,
|
|||
|
|
created_at timestamptz not null default now(),
|
|||
|
|
updated_at timestamptz not null default now(),
|
|||
|
|
is_deleted integer not null default 0
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
create unique index if not exists uk_user_data_scope_user
|
|||
|
|
on sys_user_data_scope_user (tenant_id, viewer_user_id, owner_user_id, resource_type)
|
|||
|
|
where is_deleted = 0;
|
|||
|
|
|
|||
|
|
create index if not exists idx_user_data_scope_viewer
|
|||
|
|
on sys_user_data_scope_user (tenant_id, viewer_user_id, resource_type, enabled);
|
|||
|
|
|
|||
|
|
create index if not exists idx_user_data_scope_owner
|
|||
|
|
on sys_user_data_scope_user (tenant_id, owner_user_id);
|
|||
|
|
|
|||
|
|
comment on table sys_user_data_scope_user is '用户到用户的数据可见范围授权';
|
|||
|
|
comment on column sys_user_data_scope_user.viewer_user_id is '被授权查看数据的用户ID';
|
|||
|
|
comment on column sys_user_data_scope_user.owner_user_id is '数据归属用户ID';
|
|||
|
|
comment on column sys_user_data_scope_user.resource_type is '授权资源类型:OPPORTUNITY/EXPANSION/DAILY_REPORT/CHECKIN等';
|
|||
|
|
|
|||
|
|
do $$
|
|||
|
|
declare
|
|||
|
|
v_system_parent_id bigint;
|
|||
|
|
v_menu_perm_id bigint;
|
|||
|
|
v_view_perm_id bigint;
|
|||
|
|
v_update_perm_id bigint;
|
|||
|
|
v_has_role_permission_tenant boolean;
|
|||
|
|
begin
|
|||
|
|
perform setval('sys_permission_perm_id_seq', coalesce((select max(perm_id) from sys_permission), 0) + 1, false);
|
|||
|
|
perform setval('sys_role_permission_id_seq', coalesce((select max(id) from sys_role_permission), 0) + 1, false);
|
|||
|
|
|
|||
|
|
select exists (
|
|||
|
|
select 1
|
|||
|
|
from information_schema.columns
|
|||
|
|
where table_schema = current_schema()
|
|||
|
|
and table_name = 'sys_role_permission'
|
|||
|
|
and column_name = 'tenant_id'
|
|||
|
|
) into v_has_role_permission_tenant;
|
|||
|
|
|
|||
|
|
select perm_id
|
|||
|
|
into v_system_parent_id
|
|||
|
|
from sys_permission
|
|||
|
|
where code = 'system'
|
|||
|
|
and coalesce(is_deleted, 0) = 0
|
|||
|
|
order by perm_id
|
|||
|
|
limit 1;
|
|||
|
|
|
|||
|
|
if v_system_parent_id is null then
|
|||
|
|
insert into sys_permission (
|
|||
|
|
parent_id, name, code, perm_type, level, path, component, icon,
|
|||
|
|
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
|
|||
|
|
) values (
|
|||
|
|
null, '系统管理', 'system', 'directory', 1, null, null, 'SettingOutlined',
|
|||
|
|
110, 1, 1, '系统管理目录', '{}'::jsonb, 0, now(), now()
|
|||
|
|
)
|
|||
|
|
returning perm_id into v_system_parent_id;
|
|||
|
|
end if;
|
|||
|
|
|
|||
|
|
select perm_id
|
|||
|
|
into v_menu_perm_id
|
|||
|
|
from sys_permission
|
|||
|
|
where code = 'menu:data-scope-users'
|
|||
|
|
order by perm_id
|
|||
|
|
limit 1;
|
|||
|
|
|
|||
|
|
if v_menu_perm_id is null then
|
|||
|
|
insert into sys_permission (
|
|||
|
|
parent_id, name, code, perm_type, level, path, component, icon,
|
|||
|
|
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
|
|||
|
|
) values (
|
|||
|
|
v_system_parent_id, '数据授权管理', 'menu:data-scope-users', 'menu', 2,
|
|||
|
|
'/data-scope-users', null, 'TeamOutlined', 8, 1, 1,
|
|||
|
|
'配置用户可额外查看哪些人员名下的数据', jsonb_build_object('tenantScoped', true), 0, now(), now()
|
|||
|
|
)
|
|||
|
|
returning perm_id into v_menu_perm_id;
|
|||
|
|
else
|
|||
|
|
update sys_permission
|
|||
|
|
set parent_id = v_system_parent_id,
|
|||
|
|
name = '数据授权管理',
|
|||
|
|
perm_type = 'menu',
|
|||
|
|
level = 2,
|
|||
|
|
path = '/data-scope-users',
|
|||
|
|
component = null,
|
|||
|
|
icon = 'TeamOutlined',
|
|||
|
|
sort_order = 8,
|
|||
|
|
is_visible = 1,
|
|||
|
|
status = 1,
|
|||
|
|
description = '配置用户可额外查看哪些人员名下的数据',
|
|||
|
|
meta = jsonb_build_object('tenantScoped', true),
|
|||
|
|
is_deleted = 0,
|
|||
|
|
updated_at = now()
|
|||
|
|
where perm_id = v_menu_perm_id;
|
|||
|
|
end if;
|
|||
|
|
|
|||
|
|
select perm_id
|
|||
|
|
into v_view_perm_id
|
|||
|
|
from sys_permission
|
|||
|
|
where code = 'user_data_scope:view'
|
|||
|
|
order by perm_id
|
|||
|
|
limit 1;
|
|||
|
|
|
|||
|
|
if v_view_perm_id is null then
|
|||
|
|
insert into sys_permission (
|
|||
|
|
parent_id, name, code, perm_type, level, path, component, icon,
|
|||
|
|
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
|
|||
|
|
) values (
|
|||
|
|
v_menu_perm_id, '查看数据授权', 'user_data_scope:view', 'button', 3,
|
|||
|
|
null, null, null, 1, 1, 1, '查看用户数据授权配置', '{}'::jsonb, 0, now(), now()
|
|||
|
|
)
|
|||
|
|
returning perm_id into v_view_perm_id;
|
|||
|
|
else
|
|||
|
|
update sys_permission
|
|||
|
|
set parent_id = v_menu_perm_id,
|
|||
|
|
name = '查看数据授权',
|
|||
|
|
perm_type = 'button',
|
|||
|
|
level = 3,
|
|||
|
|
sort_order = 1,
|
|||
|
|
is_visible = 1,
|
|||
|
|
status = 1,
|
|||
|
|
description = '查看用户数据授权配置',
|
|||
|
|
meta = '{}'::jsonb,
|
|||
|
|
is_deleted = 0,
|
|||
|
|
updated_at = now()
|
|||
|
|
where perm_id = v_view_perm_id;
|
|||
|
|
end if;
|
|||
|
|
|
|||
|
|
select perm_id
|
|||
|
|
into v_update_perm_id
|
|||
|
|
from sys_permission
|
|||
|
|
where code = 'user_data_scope:update'
|
|||
|
|
order by perm_id
|
|||
|
|
limit 1;
|
|||
|
|
|
|||
|
|
if v_update_perm_id is null then
|
|||
|
|
insert into sys_permission (
|
|||
|
|
parent_id, name, code, perm_type, level, path, component, icon,
|
|||
|
|
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
|
|||
|
|
) values (
|
|||
|
|
v_menu_perm_id, '修改数据授权', 'user_data_scope:update', 'button', 3,
|
|||
|
|
null, null, null, 2, 1, 1, '保存用户数据授权配置', '{}'::jsonb, 0, now(), now()
|
|||
|
|
)
|
|||
|
|
returning perm_id into v_update_perm_id;
|
|||
|
|
else
|
|||
|
|
update sys_permission
|
|||
|
|
set parent_id = v_menu_perm_id,
|
|||
|
|
name = '修改数据授权',
|
|||
|
|
perm_type = 'button',
|
|||
|
|
level = 3,
|
|||
|
|
sort_order = 2,
|
|||
|
|
is_visible = 1,
|
|||
|
|
status = 1,
|
|||
|
|
description = '保存用户数据授权配置',
|
|||
|
|
meta = '{}'::jsonb,
|
|||
|
|
is_deleted = 0,
|
|||
|
|
updated_at = now()
|
|||
|
|
where perm_id = v_update_perm_id;
|
|||
|
|
end if;
|
|||
|
|
|
|||
|
|
if v_has_role_permission_tenant then
|
|||
|
|
insert into sys_role_permission (role_id, perm_id, tenant_id, is_deleted, created_at, updated_at)
|
|||
|
|
select role_source.role_id, perm_source.perm_id, role_source.tenant_id, 0, now(), now()
|
|||
|
|
from (
|
|||
|
|
select distinct role_id, tenant_id
|
|||
|
|
from (
|
|||
|
|
select r.role_id, r.tenant_id
|
|||
|
|
from sys_role r
|
|||
|
|
where coalesce(r.is_deleted, 0) = 0
|
|||
|
|
and (
|
|||
|
|
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
|
|||
|
|
or r.role_name ilike '%管理员%'
|
|||
|
|
or r.role_name ilike '%admin%'
|
|||
|
|
)
|
|||
|
|
union
|
|||
|
|
select r.role_id, r.tenant_id
|
|||
|
|
from sys_user u
|
|||
|
|
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
|
|||
|
|
join sys_role r on r.role_id = ur.role_id and coalesce(r.is_deleted, 0) = 0
|
|||
|
|
where coalesce(u.is_deleted, 0) = 0
|
|||
|
|
and u.username = 'admin'
|
|||
|
|
) granted_roles
|
|||
|
|
) role_source
|
|||
|
|
cross join (
|
|||
|
|
select unnest(array[v_menu_perm_id, v_view_perm_id, v_update_perm_id]) as perm_id
|
|||
|
|
) perm_source
|
|||
|
|
where perm_source.perm_id is not null
|
|||
|
|
and not exists (
|
|||
|
|
select 1
|
|||
|
|
from sys_role_permission rp
|
|||
|
|
where rp.role_id = role_source.role_id
|
|||
|
|
and rp.perm_id = perm_source.perm_id
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
update sys_role_permission rp
|
|||
|
|
set tenant_id = coalesce(rp.tenant_id, r.tenant_id),
|
|||
|
|
is_deleted = 0,
|
|||
|
|
updated_at = now()
|
|||
|
|
from sys_role r,
|
|||
|
|
sys_permission p
|
|||
|
|
where rp.role_id = r.role_id
|
|||
|
|
and p.perm_id = rp.perm_id
|
|||
|
|
and coalesce(r.is_deleted, 0) = 0
|
|||
|
|
and p.code in ('menu:data-scope-users', 'user_data_scope:view', 'user_data_scope:update')
|
|||
|
|
and (
|
|||
|
|
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
|
|||
|
|
or r.role_name ilike '%管理员%'
|
|||
|
|
or r.role_name ilike '%admin%'
|
|||
|
|
or exists (
|
|||
|
|
select 1
|
|||
|
|
from sys_user u
|
|||
|
|
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
|
|||
|
|
where coalesce(u.is_deleted, 0) = 0
|
|||
|
|
and u.username = 'admin'
|
|||
|
|
and ur.role_id = r.role_id
|
|||
|
|
)
|
|||
|
|
);
|
|||
|
|
else
|
|||
|
|
insert into sys_role_permission (role_id, perm_id, is_deleted, created_at, updated_at)
|
|||
|
|
select role_source.role_id, perm_source.perm_id, 0, now(), now()
|
|||
|
|
from (
|
|||
|
|
select distinct role_id
|
|||
|
|
from (
|
|||
|
|
select r.role_id
|
|||
|
|
from sys_role r
|
|||
|
|
where coalesce(r.is_deleted, 0) = 0
|
|||
|
|
and (
|
|||
|
|
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
|
|||
|
|
or r.role_name ilike '%管理员%'
|
|||
|
|
or r.role_name ilike '%admin%'
|
|||
|
|
)
|
|||
|
|
union
|
|||
|
|
select r.role_id
|
|||
|
|
from sys_user u
|
|||
|
|
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
|
|||
|
|
join sys_role r on r.role_id = ur.role_id and coalesce(r.is_deleted, 0) = 0
|
|||
|
|
where coalesce(u.is_deleted, 0) = 0
|
|||
|
|
and u.username = 'admin'
|
|||
|
|
) granted_roles
|
|||
|
|
) role_source
|
|||
|
|
cross join (
|
|||
|
|
select unnest(array[v_menu_perm_id, v_view_perm_id, v_update_perm_id]) as perm_id
|
|||
|
|
) perm_source
|
|||
|
|
where perm_source.perm_id is not null
|
|||
|
|
and not exists (
|
|||
|
|
select 1
|
|||
|
|
from sys_role_permission rp
|
|||
|
|
where rp.role_id = role_source.role_id
|
|||
|
|
and rp.perm_id = perm_source.perm_id
|
|||
|
|
);
|
|||
|
|
|
|||
|
|
update sys_role_permission rp
|
|||
|
|
set is_deleted = 0,
|
|||
|
|
updated_at = now()
|
|||
|
|
from sys_role r,
|
|||
|
|
sys_permission p
|
|||
|
|
where rp.role_id = r.role_id
|
|||
|
|
and p.perm_id = rp.perm_id
|
|||
|
|
and coalesce(r.is_deleted, 0) = 0
|
|||
|
|
and p.code in ('menu:data-scope-users', 'user_data_scope:view', 'user_data_scope:update')
|
|||
|
|
and (
|
|||
|
|
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
|
|||
|
|
or r.role_name ilike '%管理员%'
|
|||
|
|
or r.role_name ilike '%admin%'
|
|||
|
|
or exists (
|
|||
|
|
select 1
|
|||
|
|
from sys_user u
|
|||
|
|
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
|
|||
|
|
where coalesce(u.is_deleted, 0) = 0
|
|||
|
|
and u.username = 'admin'
|
|||
|
|
and ur.role_id = r.role_id
|
|||
|
|
)
|
|||
|
|
);
|
|||
|
|
end if;
|
|||
|
|
end
|
|||
|
|
$$;
|