feat: scaffold Django multi-tenant project with 5 of 9 apps

Phase 1 scaffolding: config/, core/, base models, AES-256-GCM phone encryption, enums mirror apps.tenant: Tenant + Domain (django-tenants) apps.org: 11 models (OrgUnit hierarchy, Staff, audit logs) apps.account: 4 models (UserAccount as AUTH_USER_MODEL, login/password tracking) apps.permission: 7 models (RBAC + overrides + datascope + append-only changelog) apps.region: 5 models (District, BusinessArea, MetroLine, MetroStation, School) All migrations generated, manage.py check passes
2026-04-29 17:01:55 +08:00
parent 61535a53c2
commit 9a7d06b34e
116 changed files with 3411 additions and 0 deletions
--- a/apps/permission/models/role.py
+++ b/apps/permission/models/role.py
@@ -0,0 +1,91 @@
+from django.db import models
+
+from core.enums import PermissionRoleCategory
+from core.models.base import SoftDeleteModel, TimeStampedModel
+
+
+class Role(SoftDeleteModel):
+    name = models.CharField(max_length=100)
+    category = models.CharField(max_length=30, choices=PermissionRoleCategory.choices)
+    description = models.TextField(blank=True, default="")
+    template_role = models.ForeignKey(
+        "fonrey_permission.Role",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="derived_roles",
+    )
+    is_system_builtin = models.BooleanField(default=False)
+    is_active = models.BooleanField(default=True)
+    created_by = models.ForeignKey(
+        "org.Staff",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="permission_roles_created",
+    )
+    updated_by = models.ForeignKey(
+        "org.Staff",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="permission_roles_updated",
+    )
+
+    class Meta:
+        db_table = "roles"
+        constraints = [
+            models.UniqueConstraint(
+                fields=["name"],
+                name="uq_roles_name_active",
+                condition=models.Q(deleted_at__isnull=True),
+            ),
+        ]
+        indexes = [
+            models.Index(
+                fields=["category"],
+                name="idx_roles_category",
+                condition=models.Q(deleted_at__isnull=True),
+            ),
+            models.Index(fields=["template_role"], name="idx_roles_template"),
+        ]
+
+    def __str__(self) -> str:
+        return f"{self.name} ({self.category})"
+
+
+class RolePermission(TimeStampedModel):
+    role = models.ForeignKey(
+        "fonrey_permission.Role",
+        on_delete=models.CASCADE,
+        related_name="permissions",
+    )
+    permission_def = models.ForeignKey(
+        "fonrey_permission.PermissionDef",
+        on_delete=models.PROTECT,
+        related_name="role_assignments",
+    )
+    value = models.JSONField()
+    updated_by = models.ForeignKey(
+        "org.Staff",
+        null=True,
+        blank=True,
+        on_delete=models.SET_NULL,
+        related_name="role_permissions_updated",
+    )
+
+    class Meta:
+        db_table = "role_permissions"
+        constraints = [
+            models.UniqueConstraint(
+                fields=["role", "permission_def"],
+                name="uq_role_permissions",
+            ),
+        ]
+        indexes = [
+            models.Index(fields=["role"], name="idx_role_permissions_role"),
+            models.Index(fields=["permission_def"], name="idx_role_permissions_def"),
+        ]
+
+    def __str__(self) -> str:
+        return f"{self.role.name} → {self.permission_def.code}"