ishenwei/nexus
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

登录模块审核

Browse Source
This commit is contained in:
Shen Wei
2026-04-30 18:40:55 +08:00
parent 4030a91100
commit 57600598ac
34 changed files with 2544 additions and 2431 deletions
Download Patch File Download Diff File Expand all files Collapse all files

154
Project/fonrey/DATA_MODEL/DATA_MODEL_PERMISSION.md
View File

@@ -877,25 +877,25 @@ _本文档版本 v1.1 | 作者: Backend Architect | 更新时间 2026-04-24_
```sql
-- permission_defs
CREATE TABLE permission_defs (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
code VARCHAR(150) NOT NULL UNIQUE,
module VARCHAR(50) NOT NULL,
sub_module VARCHAR(50) NOT NULL DEFAULT '',
group_name VARCHAR(100) NOT NULL,
name VARCHAR(200) NOT NULL,
description TEXT NOT NULL DEFAULT '',
value_type VARCHAR(20) NOT NULL CHECK (value_type IN ('BOOLEAN','SCOPE','INTEGER')),
scope_choices JSONB NOT NULL DEFAULT '[]'::jsonb,
integer_min INTEGER,
integer_max INTEGER,
default_value JSONB NOT NULL DEFAULT '{"v":false}'::jsonb,
max_allowed_categories VARCHAR(50)[] NOT NULL DEFAULT ARRAY[]::VARCHAR[],
sort_order INTEGER NOT NULL DEFAULT 0,
is_active BOOLEAN NOT NULL DEFAULT TRUE,
is_deprecated BOOLEAN NOT NULL DEFAULT FALSE,
version INTEGER NOT NULL DEFAULT 1,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
code VARCHAR(150) NOT NULL UNIQUE, -- 权限码,格式 {module}.{sub_module}.{action}[.{qualifier}],全局唯一,创建后不可修改
module VARCHAR(50) NOT NULL, -- 一级模块标识,如 property / client / org
sub_module VARCHAR(50) NOT NULL DEFAULT '', -- 二级子模块标识;无子模块时为空字符串
group_name VARCHAR(100) NOT NULL, -- 权限分组显示名称(管理界面分组展示用)
name VARCHAR(200) NOT NULL, -- 权限项中文名称(管理界面展示)
description TEXT NOT NULL DEFAULT '', -- 权限项说明(管理界面 tooltip 文案)
value_type VARCHAR(20) NOT NULL CHECK (value_type IN ('BOOLEAN','SCOPE','INTEGER')), -- 权限值类型BOOLEAN=开关 / SCOPE=数据范围 / INTEGER=数量上限
scope_choices JSONB NOT NULL DEFAULT '[]'::jsonb, -- SCOPE 类型可选范围列表JSON 数组);非 SCOPE 类型为空数组
integer_min INTEGER, -- INTEGER 类型最小允许值;其他类型为 NULL
integer_max INTEGER, -- INTEGER 类型最大允许值;其他类型为 NULL
default_value JSONB NOT NULL DEFAULT '{"v":false}'::jsonb, -- 权限默认值,格式 {"v": false/scope_str/int}
max_allowed_categories VARCHAR(50)[] NOT NULL DEFAULT ARRAY[]::VARCHAR[], -- 可配置此权限的角色分类白名单;空数组=无限制
sort_order INTEGER NOT NULL DEFAULT 0, -- 同分组内排序权重(数值越小越靠前)
is_active BOOLEAN NOT NULL DEFAULT TRUE, -- 是否启用FALSE=已下线,前端配置页隐藏
is_deprecated BOOLEAN NOT NULL DEFAULT FALSE, -- 是否已废弃;废弃后不可被新角色引用
version INTEGER NOT NULL DEFAULT 1, -- 乐观锁版本号(每次更新+1
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录创建时间(系统自动)
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录最后更新时间(系统自动)
CONSTRAINT chk_code_format CHECK (code ~ '^[a-z_]+\.[a-z_]+(\.[a-z_]+){1,2}$')
);
CREATE INDEX idx_permission_defs_module ON permission_defs(module, sub_module, sort_order) WHERE is_active = TRUE;
@@ -903,18 +903,18 @@ CREATE INDEX idx_permission_defs_active ON permission_defs(is_active) WHERE is_a
-- roles
CREATE TABLE roles (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
name VARCHAR(100) NOT NULL,
category VARCHAR(30) NOT NULL CHECK (category IN ('agent','store_manager','director','operator','custom')),
description TEXT NOT NULL DEFAULT '',
template_role_id UUID REFERENCES roles(id) ON DELETE SET NULL,
is_system_builtin BOOLEAN NOT NULL DEFAULT FALSE,
is_active BOOLEAN NOT NULL DEFAULT TRUE,
created_by UUID REFERENCES staff(id) ON DELETE SET NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_by UUID REFERENCES staff(id) ON DELETE SET NULL,
deleted_at TIMESTAMPTZ
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
name VARCHAR(100) NOT NULL, -- 角色显示名称(同租户内唯一,软删除后不参与唯一性校验)
category VARCHAR(30) NOT NULL CHECK (category IN ('agent','store_manager','director','operator','custom')), -- 角色分类agent=经纪人 / store_manager=门店管理 / director=区域管理 / operator=运营职能 / custom=自定义
description TEXT NOT NULL DEFAULT '', -- 角色说明文案
template_role_id UUID REFERENCES roles(id) ON DELETE SET NULL, -- 模板来源自引用从某内置角色克隆时记录NULL=无模板
is_system_builtin BOOLEAN NOT NULL DEFAULT FALSE, -- 是否系统内置角色TRUE=不可删除、不可改名
is_active BOOLEAN NOT NULL DEFAULT TRUE, -- 是否启用FALSE=角色已停用,员工不可再分配此角色
created_by UUID REFERENCES staff(id) ON DELETE SET NULL, -- 创建人(关联 staff 表);系统内置角色为 NULL
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录创建时间(系统自动)
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录最后更新时间(系统自动)
updated_by UUID REFERENCES staff(id) ON DELETE SET NULL, -- 最后修改人(关联 staff 表)
deleted_at TIMESTAMPTZ -- 软删除时间戳NULL=未删除非NULL=已软删除
);
CREATE UNIQUE INDEX idx_roles_name_active ON roles(name) WHERE deleted_at IS NULL;
CREATE INDEX idx_roles_category ON roles(category) WHERE deleted_at IS NULL;
@@ -922,13 +922,13 @@ CREATE INDEX idx_roles_template ON roles(template_role_id);
-- role_permissions
CREATE TABLE role_permissions (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE,
permission_def_id UUID NOT NULL REFERENCES permission_defs(id) ON DELETE RESTRICT,
value JSONB NOT NULL,
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
updated_by UUID REFERENCES staff(id) ON DELETE SET NULL
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
role_id UUID NOT NULL REFERENCES roles(id) ON DELETE CASCADE, -- 关联角色(角色删除则权限配置同步级联清除)
permission_def_id UUID NOT NULL REFERENCES permission_defs(id) ON DELETE RESTRICT, -- 关联权限定义(有角色引用时权限项不可删除)
value JSONB NOT NULL, -- 权限配置值,格式 {"v": false/scope_str/int},与 permission_defs.value_type 对应
created_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录创建时间(系统自动)
updated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 记录最后更新时间(系统自动)
updated_by UUID REFERENCES staff(id) ON DELETE SET NULL -- 最后修改人(关联 staff 表)
);
CREATE UNIQUE INDEX idx_role_permissions_uniq ON role_permissions(role_id, permission_def_id);
CREATE INDEX idx_role_permissions_role ON role_permissions(role_id);
@@ -936,14 +936,14 @@ CREATE INDEX idx_role_permissions_def ON role_permissions(permission_def_id);
-- staff_roles
CREATE TABLE staff_roles (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE,
role_id UUID NOT NULL REFERENCES roles(id) ON DELETE RESTRICT,
is_primary BOOLEAN NOT NULL DEFAULT FALSE,
assigned_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
assigned_by UUID REFERENCES staff(id) ON DELETE SET NULL,
valid_from DATE,
valid_until DATE
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE, -- 员工 ID员工删除则角色分配同步级联删除
role_id UUID NOT NULL REFERENCES roles(id) ON DELETE RESTRICT, -- 角色 ID有员工使用的角色不可删除
is_primary BOOLEAN NOT NULL DEFAULT FALSE, -- 是否主角色;每员工同时仅可有 1 个主角色(唯一索引保障)
assigned_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 角色分配时间(系统自动)
assigned_by UUID REFERENCES staff(id) ON DELETE SET NULL, -- 分配操作人(关联 staff 表NULL=系统自动分配
valid_from DATE, -- 角色有效期开始日期NULL=立即生效
valid_until DATE -- 角色有效期结束日期NULL=永久有效
);
CREATE UNIQUE INDEX idx_staff_roles_uniq ON staff_roles(staff_id, role_id);
CREATE UNIQUE INDEX idx_staff_roles_primary ON staff_roles(staff_id) WHERE is_primary = TRUE;
@@ -951,32 +951,32 @@ CREATE INDEX idx_staff_roles_role ON staff_roles(role_id);
-- staff_permission_overrides
CREATE TABLE staff_permission_overrides (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE,
permission_def_id UUID NOT NULL REFERENCES permission_defs(id) ON DELETE RESTRICT,
value JSONB NOT NULL,
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE, -- 员工 ID员工删除则个人覆盖配置同步级联删除
permission_def_id UUID NOT NULL REFERENCES permission_defs(id) ON DELETE RESTRICT, -- 关联权限定义
value JSONB NOT NULL, -- 覆盖配置值,格式与 role_permissions.value 一致
override_mode VARCHAR(10) NOT NULL DEFAULT 'REPLACE'
CHECK (override_mode IN ('REPLACE','RESTRICT','GRANT')),
reason TEXT NOT NULL DEFAULT '',
modified_by UUID REFERENCES staff(id) ON DELETE SET NULL,
modified_at TIMESTAMPTZ NOT NULL DEFAULT NOW()
CHECK (override_mode IN ('REPLACE','RESTRICT','GRANT')), -- 覆盖模式REPLACE=完全替换角色权限 / RESTRICT=向下收紧 / GRANT=向上提升
reason TEXT NOT NULL DEFAULT '', -- 覆盖理由(操作审计留存)
modified_by UUID REFERENCES staff(id) ON DELETE SET NULL, -- 修改操作人(关联 staff 表)
modified_at TIMESTAMPTZ NOT NULL DEFAULT NOW() -- 修改时间(系统自动)
);
CREATE UNIQUE INDEX idx_staff_overrides_uniq ON staff_permission_overrides(staff_id, permission_def_id);
CREATE INDEX idx_staff_overrides_staff ON staff_permission_overrides(staff_id);
-- staff_data_scopes
CREATE TABLE staff_data_scopes (
id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE,
scope_type VARCHAR(20) NOT NULL
id UUID PRIMARY KEY DEFAULT gen_random_uuid(), -- 主键(系统生成,业务无关)
staff_id UUID NOT NULL REFERENCES staff(id) ON DELETE CASCADE, -- 员工 ID
scope_type VARCHAR(20) NOT NULL -- 数据范围类型self=本人 / group=小组 / store=门店 / area=大区 / region=区域 / company=全公司 / custom_unit=自定义单元
CHECK (scope_type IN ('self','group','store','area','region','company','custom_unit')),
org_unit_id UUID REFERENCES org_units(id) ON DELETE RESTRICT,
is_readable BOOLEAN NOT NULL DEFAULT TRUE,
is_writable BOOLEAN NOT NULL DEFAULT FALSE,
granted_by UUID REFERENCES staff(id) ON DELETE SET NULL,
granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(),
expires_at TIMESTAMPTZ,
reason TEXT NOT NULL DEFAULT '',
org_unit_id UUID REFERENCES org_units(id) ON DELETE RESTRICT, -- 自定义组织单元scope_type=custom_unit 时必填,其他为 NULL
is_readable BOOLEAN NOT NULL DEFAULT TRUE, -- 是否有读权限
is_writable BOOLEAN NOT NULL DEFAULT FALSE, -- 是否有写权限
granted_by UUID REFERENCES staff(id) ON DELETE SET NULL, -- 授权操作人(关联 staff 表)
granted_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 授权时间(系统自动)
expires_at TIMESTAMPTZ, -- 到期时间NULL=永久有效
reason TEXT NOT NULL DEFAULT '', -- 数据范围授权理由(操作审计留存)
CONSTRAINT chk_custom_unit_has_org CHECK (
(scope_type = 'custom_unit' AND org_unit_id IS NOT NULL) OR
(scope_type <> 'custom_unit')
@@ -988,22 +988,22 @@ CREATE INDEX idx_data_scopes_expires ON staff_data_scopes(expires_at) WHERE expi
-- permission_change_logs (append-only, no deleted_at)
CREATE TABLE permission_change_logs (
id UUID NOT NULL DEFAULT gen_random_uuid(),
id UUID NOT NULL DEFAULT gen_random_uuid(), -- 主键(与 operated_at 组成复合主键,分区表要求)
operated_at TIMESTAMPTZ NOT NULL DEFAULT NOW(), -- 分区键(原 operated_at 前置)
target_type VARCHAR(30) NOT NULL
target_type VARCHAR(30) NOT NULL -- 操作对象类型role / role_permission / staff_role / staff_override / staff_scope
CHECK (target_type IN ('role','role_permission','staff_role','staff_override','staff_scope')),
target_id UUID NOT NULL,
staff_id UUID REFERENCES staff(id) ON DELETE SET NULL,
role_id UUID REFERENCES roles(id) ON DELETE SET NULL,
permission_code VARCHAR(150),
action VARCHAR(20) NOT NULL
target_id UUID NOT NULL, -- 操作对象 ID
staff_id UUID REFERENCES staff(id) ON DELETE SET NULL, -- 被操作员工 ID如分配/撤销角色时的目标员工)
role_id UUID REFERENCES roles(id) ON DELETE SET NULL, -- 被操作角色 ID
permission_code VARCHAR(150), -- 操作涉及的权限码(冗余存储,避免关联查询)
action VARCHAR(20) NOT NULL -- 操作类型create=新建 / update=修改 / delete=删除 / assign=分配 / revoke=撤销
CHECK (action IN ('create','update','delete','assign','revoke')),
old_value JSONB,
new_value JSONB,
operator_id UUID NOT NULL REFERENCES staff(id) ON DELETE RESTRICT,
operator_ip INET,
user_agent TEXT,
reason TEXT NOT NULL DEFAULT '',
old_value JSONB, -- 变更前值create 时为 NULL
new_value JSONB, -- 变更后值delete 时为 NULL
operator_id UUID NOT NULL REFERENCES staff(id) ON DELETE RESTRICT, -- 操作人员工 IDRESTRICT操作记录保留操作人不可删除
operator_ip INET, -- 操作人来源 IP
user_agent TEXT, -- 操作人客户端 UA
reason TEXT NOT NULL DEFAULT '', -- 操作理由(可选,审计留存)
PRIMARY KEY (id, operated_at) -- 分区表主键必须包含分区键
) PARTITION BY RANGE (operated_at);