feat(auth): data_scope 行级数据权限 — DataScope 枚举 + 中间件加载

- TenantContext 新增 permission_data_scopes: HashMap<String, DataScope> - DataScope 枚举: All/SelfOnly/Department/DepartmentTree - JWT 中间件查询 role_permissions.data_scope 填充到上下文 - rbac::get_data_scope() 供 service 层按权限获取数据范围 - 默认 All，完全向后兼容现有行为
2026-04-27 19:31:19 +08:00
parent d5c9654370
commit 633bf8c62d
3 changed files with 103 additions and 2 deletions
--- a/crates/erp-core/src/rbac.rs
+++ b/crates/erp-core/src/rbac.rs
@@ -1,5 +1,5 @@
 use crate::error::AppError;
-use crate::types::TenantContext;
+use crate::types::{DataScope, TenantContext};

 /// Check whether the `TenantContext` includes the specified permission code.
 ///
@@ -38,6 +38,16 @@ pub fn require_role(ctx: &TenantContext, role: &str) -> Result<(), AppError> {
    }
 }

+/// 获取指定权限的数据范围。默认 All（向后兼容）。
+///
+/// Service 层根据返回值追加对应的查询过滤条件。
+pub fn get_data_scope(ctx: &TenantContext, permission: &str) -> DataScope {
+    ctx.permission_data_scopes
+        .get(permission)
+        .cloned()
+        .unwrap_or(DataScope::All)
+}
+
 #[cfg(test)]
 mod tests {
    use super::*;
@@ -50,6 +60,7 @@ mod tests {
            roles: roles.into_iter().map(String::from).collect(),
            permissions: permissions.into_iter().map(String::from).collect(),
            department_ids: vec![],
+            permission_data_scopes: std::collections::HashMap::new(),
        }
    }