fix(sql): fix sql script

2026-01-31 11:11:55 +08:00
parent ce12b997f4
commit d071e1a27d
32 changed files with 1687 additions and 133 deletions
--- a/src/services/authorization.rs
+++ b/src/services/authorization.rs
@@ -1,3 +1,4 @@
+use crate::utils::authz::filter_permissions_by_enabled_apps;
 use common_telemetry::AppError;
 use sqlx::PgPool;
 use tracing::instrument;
@@ -34,6 +35,13 @@ impl AuthorizationService {
        tenant_id: Uuid,
        user_id: Uuid,
    ) -> Result<Vec<String>, AppError> {
+        let enabled_apps: Vec<String> =
+            sqlx::query_scalar("SELECT enabled_apps FROM tenant_entitlements WHERE tenant_id = $1")
+                .bind(tenant_id)
+                .fetch_optional(&self.pool)
+                .await?
+                .unwrap_or_default();
+
        let query = r#"
            SELECT DISTINCT p.code
            FROM permissions p
@@ -47,7 +55,7 @@ impl AuthorizationService {
            .bind(user_id)
            .fetch_all(&self.pool)
            .await?;
-        Ok(rows)
+        Ok(filter_permissions_by_enabled_apps(rows, &enabled_apps))
    }

    #[instrument(skip(self))]
@@ -76,4 +84,38 @@ impl AuthorizationService {
            Err(AppError::PermissionDenied(permission_code.to_string()))
        }
    }
+
+    #[instrument(skip(self))]
+    pub async fn list_platform_permissions_for_user(
+        &self,
+        user_id: Uuid,
+    ) -> Result<Vec<String>, AppError> {
+        let query = r#"
+            SELECT DISTINCT p.code
+            FROM permissions p
+            JOIN role_permissions rp ON rp.permission_id = p.id
+            JOIN user_roles ur ON ur.role_id = rp.role_id
+            JOIN roles r ON r.id = ur.role_id
+            WHERE ur.user_id = $1 AND r.is_system = TRUE
+        "#;
+        let rows = sqlx::query_scalar::<_, String>(query)
+            .bind(user_id)
+            .fetch_all(&self.pool)
+            .await?;
+        Ok(rows)
+    }
+
+    #[instrument(skip(self))]
+    pub async fn require_platform_permission(
+        &self,
+        user_id: Uuid,
+        permission_code: &str,
+    ) -> Result<(), AppError> {
+        let permissions = self.list_platform_permissions_for_user(user_id).await?;
+        if permissions.iter().any(|p| p == permission_code) {
+            Ok(())
+        } else {
+            Err(AppError::PermissionDenied(permission_code.to_string()))
+        }
+    }
 }