feat(auth,plugin): Q3 行级数据权限 — user_departments 表 + JWT 注入 department_ids + data_scope 接线

- 新增 user_departments 关联表（migration + entity） - JWT 中间件查询用户部门并注入 TenantContext.department_ids - role_permission entity 添加 data_scope 字段 - data_handler 接线行级数据权限过滤（list/count/aggregate） - DataScopeParams + build_scope_sql + merge_scope_condition 实现全链路
2026-04-17 21:42:40 +08:00
parent 9d18b7e079
commit 62eea3d20d
11 changed files with 326 additions and 17 deletions
--- a/crates/erp-auth/src/entity/mod.rs
+++ b/crates/erp-auth/src/entity/mod.rs
@@ -6,5 +6,6 @@ pub mod role;
 pub mod role_permission;
 pub mod user;
 pub mod user_credential;
+pub mod user_department;
 pub mod user_role;
 pub mod user_token;
--- a/crates/erp-auth/src/entity/role_permission.rs
+++ b/crates/erp-auth/src/entity/role_permission.rs
@@ -9,6 +9,8 @@ pub struct Model {
    #[sea_orm(primary_key, auto_increment = false)]
    pub permission_id: Uuid,
    pub tenant_id: Uuid,
+    /// 行级数据权限范围: all, self, department, department_tree
+    pub data_scope: String,
    pub created_at: DateTimeUtc,
    pub updated_at: DateTimeUtc,
    pub created_by: Uuid,
--- a/crates/erp-auth/src/entity/user_department.rs
+++ b/crates/erp-auth/src/entity/user_department.rs
@@ -0,0 +1,54 @@
+use sea_orm::entity::prelude::*;
+use serde::{Deserialize, Serialize};
+
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Serialize, Deserialize)]
+#[sea_orm(table_name = "user_departments")]
+pub struct Model {
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub user_id: Uuid,
+    #[sea_orm(primary_key, auto_increment = false)]
+    pub department_id: Uuid,
+    pub tenant_id: Uuid,
+    pub is_primary: bool,
+    pub created_at: DateTimeUtc,
+    pub updated_at: DateTimeUtc,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub created_by: Option<Uuid>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub updated_by: Option<Uuid>,
+    #[serde(skip_serializing_if = "Option::is_none")]
+    pub deleted_at: Option<DateTimeUtc>,
+    pub version: i32,
+}
+
+#[derive(Copy, Clone, Debug, EnumIter, DeriveRelation)]
+pub enum Relation {
+    #[sea_orm(
+        belongs_to = "super::user::Entity",
+        from = "Column::UserId",
+        to = "super::user::Column::Id",
+        on_delete = "Cascade"
+    )]
+    User,
+    #[sea_orm(
+        belongs_to = "super::department::Entity",
+        from = "Column::DepartmentId",
+        to = "super::department::Column::Id",
+        on_delete = "Cascade"
+    )]
+    Department,
+}
+
+impl Related<super::user::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::User.def()
+    }
+}
+
+impl Related<super::department::Entity> for Entity {
+    fn to() -> RelationDef {
+        Relation::Department.def()
+    }
+}
+
+impl ActiveModelBehavior for ActiveModel {}