fix(sql): fix sql script

src/services/auth.rs

@@ -1,4 +1,5 @@
 use crate::models::{CreateUserRequest, LoginRequest, LoginResponse, User};
+use crate::utils::authz::filter_permissions_by_enabled_apps;
 use crate::utils::{hash_password, sign, verify_password};
 use common_telemetry::AppError;
 use rand::RngCore;
@@ -143,8 +144,29 @@ impl AuthService {
         .fetch_all(&self.pool)
         .await?;
 
+        let (enabled_apps, apps_version) = sqlx::query_as::<_, (Vec<String>, i32)>(
+            r#"
+            SELECT enabled_apps, version
+            FROM tenant_entitlements
+            WHERE tenant_id = $1
+            "#,
+        )
+        .bind(user.tenant_id)
+        .fetch_optional(&self.pool)
+        .await?
+        .unwrap_or_else(|| (vec![], 0));
+
+        let permissions = filter_permissions_by_enabled_apps(permissions, &enabled_apps);
+
         // 3. 签发 Access Token
-        let access_token = sign(user.id, user.tenant_id, roles, permissions)?;
+        let access_token = sign(
+            user.id,
+            user.tenant_id,
+            roles,
+            permissions,
+            enabled_apps,
+            apps_version,
+        )?;
 
         // 4. 生成 Refresh Token
         let mut refresh_bytes = [0u8; 32];
@@ -197,11 +219,14 @@ impl AuthService {
         sqlx::query(
             r#"
                 INSERT INTO role_permissions (role_id, permission_id)
-                SELECT $1, p.id FROM permissions p
+                SELECT $1, p.id
+                FROM permissions p
+                WHERE ($2::uuid = '00000000-0000-0000-0000-000000000001' OR p.code NOT LIKE 'iam:%')
                 ON CONFLICT DO NOTHING
             "#,
         )
         .bind(role_id)
+        .bind(tenant_id)
         .execute(&mut **tx)
         .await?;