feat(auth,plugin): Q3 行级数据权限 — user_departments 表 + JWT 注入 department_ids + data_scope 接线

- 新增 user_departments 关联表（migration + entity）
- JWT 中间件查询用户部门并注入 TenantContext.department_ids
- role_permission entity 添加 data_scope 字段
- data_handler 接线行级数据权限过滤（list/count/aggregate）
- DataScopeParams + build_scope_sql + merge_scope_condition 实现全链路

crates/erp-auth/src/entity/mod.rs

@@ -6,5 +6,6 @@ pub mod role;
 pub mod role_permission;
 pub mod user;
 pub mod user_credential;
+pub mod user_department;
 pub mod user_role;
 pub mod user_token;

crates/erp-auth/src/entity/role_permission.rs

@@ -9,6 +9,8 @@ pub struct Model {
     #[sea_orm(primary_key, auto_increment = false)]
     pub permission_id: Uuid,
     pub tenant_id: Uuid,
+    /// 行级数据权限范围: all, self, department, department_tree
+    pub data_scope: String,
     pub created_at: DateTimeUtc,
     pub updated_at: DateTimeUtc,
     pub created_by: Uuid,

crates/erp-auth/src/entity/user_department.rs

@@ -0,0 +1,54 @@
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Serialize, Deserialize)]
+#[sea_orm(table_name = "user_departments")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub user_id: Uuid,
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub department_id: Uuid,
+    pub tenant_id: Uuid,
+    pub is_primary: bool,
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub created_by: Option<Uuid>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub updated_by: Option<Uuid>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub deleted_at: Option<DateTimeUtc>,
+    pub version: i32,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::UserId",
+        to = "super::user::Column::Id",
+        on_delete = "Cascade"
+    )]
+    User,
+    #[sea_orm(
+        belongs_to = "super::department::Entity",
+        from = "Column::DepartmentId",
+        to = "super::department::Column::Id",
+        on_delete = "Cascade"
+    )]
+    Department,
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::User.def()
+    }
+}
+
+impl Related<super::department::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Department.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}

crates/erp-auth/src/middleware/jwt_auth.rs

@@ -17,6 +17,10 @@ use crate::service::token_service::TokenService;
 /// middleware construction time, avoiding any circular dependency between
 /// erp-auth and erp-server.
 ///
+/// When `db` is provided, the middleware queries `user_departments` to populate
+/// `department_ids` in the `TenantContext`. If `db` is `None` or the query fails,
+/// `department_ids` defaults to an empty list (equivalent to "all" data scope).
+///
 /// # Errors
 ///
 /// Returns `AppError::Unauthorized` if:
@@ -26,6 +30,7 @@ use crate::service::token_service::TokenService;
 /// - The token type is not "access"
 pub async fn jwt_auth_middleware_fn(
     jwt_secret: String,
+    db: Option<sea_orm::DatabaseConnection>,
     req: Request<Body>,
     next: Next,
 ) -> Result<Response, AppError> {
@@ -47,14 +52,18 @@ pub async fn jwt_auth_middleware_fn(
         return Err(AppError::Unauthorized);
     }
 
-    // TODO: 待 user_positions 关联表建立后，从数据库查询用户所属部门 ID 列表
-    // 当前阶段 department_ids 为空列表，行级数据权限默认为 all
+    // 查询用户所属部门 ID 列表
+    let department_ids = match &db {
+        Some(conn) => fetch_user_department_ids(claims.sub, claims.tid, conn).await,
+        None => vec![],
+    };
+
     let ctx = TenantContext {
         tenant_id: claims.tid,
         user_id: claims.sub,
         roles: claims.roles,
         permissions: claims.permissions,
-        department_ids: vec![],
+        department_ids,
     };
 
     // Reconstruct the request with the TenantContext injected into extensions.
@@ -65,3 +74,25 @@ pub async fn jwt_auth_middleware_fn(
 
     Ok(next.run(req).await)
 }
+
+/// 查询用户所属的所有部门 ID（通过 user_departments 关联表）
+async fn fetch_user_department_ids(
+    user_id: uuid::Uuid,
+    tenant_id: uuid::Uuid,
+    db: &sea_orm::DatabaseConnection,
+) -> Vec<uuid::Uuid> {
+    use crate::entity::user_department;
+    use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
+
+    user_department::Entity::find()
+        .filter(user_department::Column::UserId.eq(user_id))
+        .filter(user_department::Column::TenantId.eq(tenant_id))
+        .filter(user_department::Column::DeletedAt.is_null())
+        .all(db)
+        .await
+        .map(|rows| rows.into_iter().map(|r| r.department_id).collect())
+        .unwrap_or_else(|e| {
+            tracing::warn!(error = %e, "查询用户部门列表失败，默认为空");
+            vec![]
+        })
+}

crates/erp-auth/src/service/role_service.rs

@@ -311,6 +311,7 @@ impl RoleService {
                 role_id: Set(role_id),
                 permission_id: Set(*perm_id),
                 tenant_id: Set(tenant_id),
+                data_scope: Set("all".to_string()),
                 created_at: Set(now),
                 updated_at: Set(now),
                 created_by: Set(operator_id),

crates/erp-auth/src/service/seed.rs

@@ -410,6 +410,7 @@ pub async fn seed_tenant_auth(
             role_id: Set(admin_role_id),
             permission_id: Set(*perm_id),
             tenant_id: Set(tenant_id),
+            data_scope: Set("all".to_string()),
             created_at: Set(now),
             updated_at: Set(now),
             created_by: Set(system_user_id),
@@ -450,6 +451,7 @@ pub async fn seed_tenant_auth(
                 role_id: Set(viewer_role_id),
                 permission_id: Set(perm_ids[*idx]),
                 tenant_id: Set(tenant_id),
+                data_scope: Set("all".to_string()),
                 created_at: Set(now),
                 updated_at: Set(now),
                 created_by: Set(system_user_id),