unis_crm/sql/20260701_user_data_scope_us...

285 lines
9.9 KiB
SQL
Raw Blame History

This file contains ambiguous Unicode characters!

This file contains ambiguous Unicode characters that may be confused with others in your current locale. If your use case is intentional and legitimate, you can safely ignore this warning. Use the Escape button to highlight these characters.

create table if not exists sys_user_data_scope_user (
id bigserial primary key,
tenant_id bigint not null,
viewer_user_id bigint not null,
owner_user_id bigint not null,
resource_type varchar(50) not null default 'ALL',
enabled boolean not null default true,
expire_at timestamptz,
remark varchar(500),
created_by bigint,
created_at timestamptz not null default now(),
updated_at timestamptz not null default now(),
is_deleted integer not null default 0
);
create unique index if not exists uk_user_data_scope_user
on sys_user_data_scope_user (tenant_id, viewer_user_id, owner_user_id, resource_type)
where is_deleted = 0;
create index if not exists idx_user_data_scope_viewer
on sys_user_data_scope_user (tenant_id, viewer_user_id, resource_type, enabled);
create index if not exists idx_user_data_scope_owner
on sys_user_data_scope_user (tenant_id, owner_user_id);
comment on table sys_user_data_scope_user is '用户到用户的数据可见范围授权';
comment on column sys_user_data_scope_user.viewer_user_id is '被授权查看数据的用户ID';
comment on column sys_user_data_scope_user.owner_user_id is '数据归属用户ID';
comment on column sys_user_data_scope_user.resource_type is '授权资源类型OPPORTUNITY/EXPANSION/DAILY_REPORT/CHECKIN等';
do $$
declare
v_system_parent_id bigint;
v_menu_perm_id bigint;
v_view_perm_id bigint;
v_update_perm_id bigint;
v_has_role_permission_tenant boolean;
begin
perform setval('sys_permission_perm_id_seq', coalesce((select max(perm_id) from sys_permission), 0) + 1, false);
perform setval('sys_role_permission_id_seq', coalesce((select max(id) from sys_role_permission), 0) + 1, false);
select exists (
select 1
from information_schema.columns
where table_schema = current_schema()
and table_name = 'sys_role_permission'
and column_name = 'tenant_id'
) into v_has_role_permission_tenant;
select perm_id
into v_system_parent_id
from sys_permission
where code = 'system'
and coalesce(is_deleted, 0) = 0
order by perm_id
limit 1;
if v_system_parent_id is null then
insert into sys_permission (
parent_id, name, code, perm_type, level, path, component, icon,
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
) values (
null, '系统管理', 'system', 'directory', 1, null, null, 'SettingOutlined',
110, 1, 1, '系统管理目录', '{}'::jsonb, 0, now(), now()
)
returning perm_id into v_system_parent_id;
end if;
select perm_id
into v_menu_perm_id
from sys_permission
where code = 'menu:data-scope-users'
order by perm_id
limit 1;
if v_menu_perm_id is null then
insert into sys_permission (
parent_id, name, code, perm_type, level, path, component, icon,
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
) values (
v_system_parent_id, '数据授权管理', 'menu:data-scope-users', 'menu', 2,
'/data-scope-users', null, 'TeamOutlined', 8, 1, 1,
'配置用户可额外查看哪些人员名下的数据', jsonb_build_object('tenantScoped', true), 0, now(), now()
)
returning perm_id into v_menu_perm_id;
else
update sys_permission
set parent_id = v_system_parent_id,
name = '数据授权管理',
perm_type = 'menu',
level = 2,
path = '/data-scope-users',
component = null,
icon = 'TeamOutlined',
sort_order = 8,
is_visible = 1,
status = 1,
description = '配置用户可额外查看哪些人员名下的数据',
meta = jsonb_build_object('tenantScoped', true),
is_deleted = 0,
updated_at = now()
where perm_id = v_menu_perm_id;
end if;
select perm_id
into v_view_perm_id
from sys_permission
where code = 'user_data_scope:view'
order by perm_id
limit 1;
if v_view_perm_id is null then
insert into sys_permission (
parent_id, name, code, perm_type, level, path, component, icon,
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
) values (
v_menu_perm_id, '查看数据授权', 'user_data_scope:view', 'button', 3,
null, null, null, 1, 1, 1, '查看用户数据授权配置', '{}'::jsonb, 0, now(), now()
)
returning perm_id into v_view_perm_id;
else
update sys_permission
set parent_id = v_menu_perm_id,
name = '查看数据授权',
perm_type = 'button',
level = 3,
sort_order = 1,
is_visible = 1,
status = 1,
description = '查看用户数据授权配置',
meta = '{}'::jsonb,
is_deleted = 0,
updated_at = now()
where perm_id = v_view_perm_id;
end if;
select perm_id
into v_update_perm_id
from sys_permission
where code = 'user_data_scope:update'
order by perm_id
limit 1;
if v_update_perm_id is null then
insert into sys_permission (
parent_id, name, code, perm_type, level, path, component, icon,
sort_order, is_visible, status, description, meta, is_deleted, created_at, updated_at
) values (
v_menu_perm_id, '修改数据授权', 'user_data_scope:update', 'button', 3,
null, null, null, 2, 1, 1, '保存用户数据授权配置', '{}'::jsonb, 0, now(), now()
)
returning perm_id into v_update_perm_id;
else
update sys_permission
set parent_id = v_menu_perm_id,
name = '修改数据授权',
perm_type = 'button',
level = 3,
sort_order = 2,
is_visible = 1,
status = 1,
description = '保存用户数据授权配置',
meta = '{}'::jsonb,
is_deleted = 0,
updated_at = now()
where perm_id = v_update_perm_id;
end if;
if v_has_role_permission_tenant then
insert into sys_role_permission (role_id, perm_id, tenant_id, is_deleted, created_at, updated_at)
select role_source.role_id, perm_source.perm_id, role_source.tenant_id, 0, now(), now()
from (
select distinct role_id, tenant_id
from (
select r.role_id, r.tenant_id
from sys_role r
where coalesce(r.is_deleted, 0) = 0
and (
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
or r.role_name ilike '%管理员%'
or r.role_name ilike '%admin%'
)
union
select r.role_id, r.tenant_id
from sys_user u
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
join sys_role r on r.role_id = ur.role_id and coalesce(r.is_deleted, 0) = 0
where coalesce(u.is_deleted, 0) = 0
and u.username = 'admin'
) granted_roles
) role_source
cross join (
select unnest(array[v_menu_perm_id, v_view_perm_id, v_update_perm_id]) as perm_id
) perm_source
where perm_source.perm_id is not null
and not exists (
select 1
from sys_role_permission rp
where rp.role_id = role_source.role_id
and rp.perm_id = perm_source.perm_id
);
update sys_role_permission rp
set tenant_id = coalesce(rp.tenant_id, r.tenant_id),
is_deleted = 0,
updated_at = now()
from sys_role r,
sys_permission p
where rp.role_id = r.role_id
and p.perm_id = rp.perm_id
and coalesce(r.is_deleted, 0) = 0
and p.code in ('menu:data-scope-users', 'user_data_scope:view', 'user_data_scope:update')
and (
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
or r.role_name ilike '%管理员%'
or r.role_name ilike '%admin%'
or exists (
select 1
from sys_user u
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
where coalesce(u.is_deleted, 0) = 0
and u.username = 'admin'
and ur.role_id = r.role_id
)
);
else
insert into sys_role_permission (role_id, perm_id, is_deleted, created_at, updated_at)
select role_source.role_id, perm_source.perm_id, 0, now(), now()
from (
select distinct role_id
from (
select r.role_id
from sys_role r
where coalesce(r.is_deleted, 0) = 0
and (
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
or r.role_name ilike '%管理员%'
or r.role_name ilike '%admin%'
)
union
select r.role_id
from sys_user u
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
join sys_role r on r.role_id = ur.role_id and coalesce(r.is_deleted, 0) = 0
where coalesce(u.is_deleted, 0) = 0
and u.username = 'admin'
) granted_roles
) role_source
cross join (
select unnest(array[v_menu_perm_id, v_view_perm_id, v_update_perm_id]) as perm_id
) perm_source
where perm_source.perm_id is not null
and not exists (
select 1
from sys_role_permission rp
where rp.role_id = role_source.role_id
and rp.perm_id = perm_source.perm_id
);
update sys_role_permission rp
set is_deleted = 0,
updated_at = now()
from sys_role r,
sys_permission p
where rp.role_id = r.role_id
and p.perm_id = rp.perm_id
and coalesce(r.is_deleted, 0) = 0
and p.code in ('menu:data-scope-users', 'user_data_scope:view', 'user_data_scope:update')
and (
r.role_code in ('TENANT_ADMIN', 'ADMIN', 'SYS_ADMIN', 'PLATFORM_ADMIN', 'SUPER_ADMIN')
or r.role_name ilike '%管理员%'
or r.role_name ilike '%admin%'
or exists (
select 1
from sys_user u
join sys_user_role ur on ur.user_id = u.user_id and coalesce(ur.is_deleted, 0) = 0
where coalesce(u.is_deleted, 0) = 0
and u.username = 'admin'
and ur.role_id = r.role_id
)
);
end if;
end
$$;