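//
// Copyright (C) 2024 veypi
// 2025-03-04 16:08:06
// Distributed under terms of the MIT license.
//

package middleware

import (
	"fmt"

	"github.com/veypi/vbase/cfg"
	"github.com/veypi/vbase/models"
)

// InitOrgPolicies seeds the default policies and the default roles for the
// organisation identified by orgID.
//
// Policies are looked up by Code alone (the seeded rows carry no OrgID), roles
// by (Code, OrgID). Rows that already exist are left untouched, so the call is
// idempotent but does not reconcile drift: editing getDefaultPolicies or
// getDefaultRoles later will not update rows that were seeded earlier.
//
// The existence check and the insert are two separate statements, so two
// concurrent calls for the same orgID can both pass the check and insert
// twice. A unique index on policies.code and on roles (code, org_id) turns
// that into a hard error instead of a silent duplicate -- TODO(review):
// confirm the schema declares those indexes.
//
// Returns the first database error encountered, wrapped with the policy or
// role code it concerns (errors.Is/As still reach the driver error).
func InitOrgPolicies(orgID string) error {
	for _, policy := range getDefaultPolicies() {
		if err := ensurePolicy(policy); err != nil {
			return err
		}
	}
	for _, role := range getDefaultRoles() {
		role.OrgID = orgID
		if err := ensureRole(role); err != nil {
			return err
		}
	}
	return nil
}

// ensurePolicy inserts policy unless a row with the same Code already exists.
//
// A failed existence query is reported instead of being treated as "no row":
// silently falling through to Create would mask a broken database connection.
func ensurePolicy(policy models.Policy) error {
	var count int64
	err := cfg.DB().Model(&models.Policy{}).Where("code = ?", policy.Code).Count(&count).Error
	if err != nil {
		return fmt.Errorf("checking policy %q: %w", policy.Code, err)
	}
	if count > 0 {
		return nil
	}
	if err := cfg.DB().Create(&policy).Error; err != nil {
		return fmt.Errorf("creating policy %q: %w", policy.Code, err)
	}
	return nil
}

// ensureRole inserts role unless a row with the same Code and OrgID already
// exists. role.OrgID must be set by the caller.
func ensureRole(role models.Role) error {
	var count int64
	err := cfg.DB().Model(&models.Role{}).Where("code = ? AND org_id = ?", role.Code, role.OrgID).Count(&count).Error
	if err != nil {
		return fmt.Errorf("checking role %q for org %q: %w", role.Code, role.OrgID, err)
	}
	if count > 0 {
		return nil
	}
	if err := cfg.DB().Create(&role).Error; err != nil {
		return fmt.Errorf("creating role %q for org %q: %w", role.Code, role.OrgID, err)
	}
	return nil
}

// getDefaultPolicies returns the built-in policy set. A fresh slice is built
// on every call, so callers may modify the returned elements freely.
//
// Every entry is an Allow rule with Scope PolicyScopeOrg; access is narrowed
// only through Condition ("owner" / "admin"), and entries with no Condition
// apply to every member. There are no Deny rules here, so anything not listed
// is left to the evaluator's default.
func getDefaultPolicies() []models.Policy {
	return []models.Policy{
		{
			Code:     "user:read",
			Name:     "读取用户信息",
			Resource: "user",
			Action:   "read",
			Effect:   models.PolicyEffectAllow,
			Scope:    models.PolicyScopeOrg,
		},
		{
			Code:      "user:update",
			Name:      "更新用户信息",
			Resource:  "user",
			Action:    "update",
			Effect:    models.PolicyEffectAllow,
			Condition: "owner",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:      "role:manage",
			Name:      "管理角色",
			Resource:  "role",
			Action:    "*",
			Effect:    models.PolicyEffectAllow,
			Condition: "admin",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:      "policy:manage",
			Name:      "管理策略",
			Resource:  "policy",
			Action:    "*",
			Effect:    models.PolicyEffectAllow,
			Condition: "admin",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:     "org:read",
			Name:     "读取组织信息",
			Resource: "org",
			Action:   "read",
			Effect:   models.PolicyEffectAllow,
			Scope:    models.PolicyScopeOrg,
		},
		{
			Code:      "org:update",
			Name:      "更新组织信息",
			Resource:  "org",
			Action:    "update",
			Effect:    models.PolicyEffectAllow,
			Condition: "admin",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:      "org:delete",
			Name:      "删除组织",
			Resource:  "org",
			Action:    "delete",
			Effect:    models.PolicyEffectAllow,
			Condition: "owner",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:      "member:manage",
			Name:      "管理成员",
			Resource:  "org_member",
			Action:    "*",
			Effect:    models.PolicyEffectAllow,
			Condition: "admin",
			Scope:     models.PolicyScopeOrg,
		},
		{
			Code:     "resource:read",
			Name:     "读取资源",
			Resource: "resource",
			Action:   "read",
			Effect:   models.PolicyEffectAllow,
			Scope:    models.PolicyScopeOrg,
		},
		{
			// Action is a comma-separated list here while every other entry
			// uses a single verb or "*". NOTE(review): confirm the policy
			// evaluator splits on "," -- a literal match would never grant
			// "create", "update" or "delete" individually.
			Code:      "resource:write",
			Name:      "写入资源",
			Resource:  "resource",
			Action:    "create,update,delete",
			Effect:    models.PolicyEffectAllow,
			Condition: "owner",
			Scope:     models.PolicyScopeOrg,
		},
	}
}

// getDefaultRoles returns the built-in roles seeded for every organisation.
// OrgID is left empty; InitOrgPolicies fills it in per organisation. All
// three are flagged IsSystem, which callers elsewhere presumably use to block
// deletion or renaming -- TODO(review): confirm that check exists.
func getDefaultRoles() []models.Role {
	return []models.Role{
		{
			Name:        "管理员",
			Code:        models.RoleCodeAdmin,
			Description: "组织管理员,可以管理成员、角色和策略",
			Scope:       models.PolicyScopeOrg,
			IsSystem:    true,
		},
		{
			Name:        "开发者",
			Code:        models.RoleCodeDeveloper,
			Description: "开发者,可以创建和管理资源",
			Scope:       models.PolicyScopeOrg,
			IsSystem:    true,
		},
		{
			Name:        "只读用户",
			Code:        models.RoleCodeViewer,
			Description: "只读访问权限",
			Scope:       models.PolicyScopeOrg,
			IsSystem:    true,
		},
	}
}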