hms/crates/erp-server/migration/src/m20260417_000034_seed_plugin_permissions.rs

use sea_orm_migration::prelude::*;

/// 为已存在的租户补充 plugin 模块权限，并分配给 admin 角色。
/// seed_tenant_auth 只在租户创建时执行，已存在的租户缺少 plugin 相关权限。
#[derive(DeriveMigrationName)]
pub struct Migration;

#[async_trait::async_trait]
impl MigrationTrait for Migration {
    async fn up(&self, manager: &SchemaManager) -> Result<(), DbErr> {
        let db = manager.get_connection();

        // 插入 plugin 权限（如果不存在）
        db.execute(sea_orm::Statement::from_string(
            sea_orm::DatabaseBackend::Postgres,
            r#"
            INSERT INTO permissions (id, tenant_id, code, name, resource, action, description, created_at, updated_at, created_by, updated_by, deleted_at, version)
            SELECT gen_random_uuid(), t.id, 'plugin.admin', '插件管理', 'plugin', 'admin', '管理插件全生命周期', NOW(), NOW(), '00000000-0000-0000-0000-000000000000', '00000000-0000-0000-0000-000000000000', NULL, 1
            FROM tenant t
            WHERE NOT EXISTS (
                SELECT 1 FROM permissions p WHERE p.code = 'plugin.admin' AND p.tenant_id = t.id AND p.deleted_at IS NULL
            )
            "#.to_string(),
        )).await.map_err(|e| DbErr::Custom(e.to_string()))?;

        db.execute(sea_orm::Statement::from_string(
            sea_orm::DatabaseBackend::Postgres,
            r#"
            INSERT INTO permissions (id, tenant_id, code, name, resource, action, description, created_at, updated_at, created_by, updated_by, deleted_at, version)
            SELECT gen_random_uuid(), t.id, 'plugin.list', '查看插件', 'plugin', 'list', '查看插件列表', NOW(), NOW(), '00000000-0000-0000-0000-000000000000', '00000000-0000-0000-0000-000000000000', NULL, 1
            FROM tenant t
            WHERE NOT EXISTS (
                SELECT 1 FROM permissions p WHERE p.code = 'plugin.list' AND p.tenant_id = t.id AND p.deleted_at IS NULL
            )
            "#.to_string(),
        )).await.map_err(|e| DbErr::Custom(e.to_string()))?;

        // 将 plugin 权限分配给 admin 角色（如果尚未分配）
        db.execute(sea_orm::Statement::from_string(
            sea_orm::DatabaseBackend::Postgres,
            r#"
            INSERT INTO role_permissions (role_id, permission_id, tenant_id, created_at, updated_at, created_by, updated_by, deleted_at, version)
            SELECT r.id, p.id, r.tenant_id, NOW(), NOW(), '00000000-0000-0000-0000-000000000000', '00000000-0000-0000-0000-000000000000', NULL, 1
            FROM roles r
            JOIN permissions p ON p.tenant_id = r.tenant_id AND p.code IN ('plugin.admin', 'plugin.list') AND p.deleted_at IS NULL
            WHERE r.code = 'admin' AND r.deleted_at IS NULL
              AND NOT EXISTS (
                SELECT 1 FROM role_permissions rp
                WHERE rp.role_id = r.id AND rp.permission_id = p.id AND rp.deleted_at IS NULL
              )
            "#.to_string(),
        )).await.map_err(|e| DbErr::Custom(e.to_string()))?;

        Ok(())
    }

    async fn down(&self, manager: &SchemaManager) -> Result<(), DbErr> {
        let db = manager.get_connection();

        // 删除 plugin 权限的角色关联
        db.execute(sea_orm::Statement::from_string(
            sea_orm::DatabaseBackend::Postgres,
            r#"
            DELETE FROM role_permissions
            WHERE permission_id IN (
                SELECT id FROM permissions WHERE code IN ('plugin.admin', 'plugin.list')
            )
            "#
            .to_string(),
        ))
        .await
        .map_err(|e| DbErr::Custom(e.to_string()))?;

        // 删除 plugin 权限
        db.execute(sea_orm::Statement::from_string(
            sea_orm::DatabaseBackend::Postgres,
            "DELETE FROM permissions WHERE code IN ('plugin.admin', 'plugin.list')".to_string(),
        ))
        .await
        .map_err(|e| DbErr::Custom(e.to_string()))?;

        Ok(())
    }
}