feat(auth,plugin): Q3 行级数据权限 — user_departments 表 + JWT 注入 department_ids + data_scope 接线

- 新增 user_departments 关联表（migration + entity） - JWT 中间件查询用户部门并注入 TenantContext.department_ids - role_permission entity 添加 data_scope 字段 - data_handler 接线行级数据权限过滤（list/count/aggregate） - DataScopeParams + build_scope_sql + merge_scope_condition 实现全链路
2026-04-17 21:42:40 +08:00
parent 9d18b7e079
commit 62eea3d20d
11 changed files with 326 additions and 17 deletions
--- a/crates/erp-auth/src/middleware/jwt_auth.rs
+++ b/crates/erp-auth/src/middleware/jwt_auth.rs
@@ -17,6 +17,10 @@ use crate::service::token_service::TokenService;
 /// middleware construction time, avoiding any circular dependency between
 /// erp-auth and erp-server.
 ///
+/// When `db` is provided, the middleware queries `user_departments` to populate
+/// `department_ids` in the `TenantContext`. If `db` is `None` or the query fails,
+/// `department_ids` defaults to an empty list (equivalent to "all" data scope).
+///
 /// # Errors
 ///
 /// Returns `AppError::Unauthorized` if:
@@ -26,6 +30,7 @@ use crate::service::token_service::TokenService;
 /// - The token type is not "access"
 pub async fn jwt_auth_middleware_fn(
    jwt_secret: String,
+    db: Option<sea_orm::DatabaseConnection>,
    req: Request<Body>,
    next: Next,
 ) -> Result<Response, AppError> {
@@ -47,14 +52,18 @@ pub async fn jwt_auth_middleware_fn(
        return Err(AppError::Unauthorized);
    }

-    // TODO: 待 user_positions 关联表建立后，从数据库查询用户所属部门 ID 列表
-    // 当前阶段 department_ids 为空列表，行级数据权限默认为 all
+    // 查询用户所属部门 ID 列表
+    let department_ids = match &db {
+        Some(conn) => fetch_user_department_ids(claims.sub, claims.tid, conn).await,
+        None => vec![],
+    };
+
    let ctx = TenantContext {
        tenant_id: claims.tid,
        user_id: claims.sub,
        roles: claims.roles,
        permissions: claims.permissions,
-        department_ids: vec![],
+        department_ids,
    };

    // Reconstruct the request with the TenantContext injected into extensions.
@@ -65,3 +74,25 @@ pub async fn jwt_auth_middleware_fn(

    Ok(next.run(req).await)
 }
+
+/// 查询用户所属的所有部门 ID（通过 user_departments 关联表）
+async fn fetch_user_department_ids(
+    user_id: uuid::Uuid,
+    tenant_id: uuid::Uuid,
+    db: &sea_orm::DatabaseConnection,
+) -> Vec<uuid::Uuid> {
+    use crate::entity::user_department;
+    use sea_orm::{ColumnTrait, EntityTrait, QueryFilter};
+
+    user_department::Entity::find()
+        .filter(user_department::Column::UserId.eq(user_id))
+        .filter(user_department::Column::TenantId.eq(tenant_id))
+        .filter(user_department::Column::DeletedAt.is_null())
+        .all(db)
+        .await
+        .map(|rows| rows.into_iter().map(|r| r.department_id).collect())
+        .unwrap_or_else(|e| {
+            tracing::warn!(error = %e, "查询用户部门列表失败，默认为空");
+            vec![]
+        })
+}