feat: 实现 RBAC 权限系统和数据权限控制 (004-rbac-data-permission)

主要功能: - 实现完整的 RBAC 权限系统（账号、角色、权限的多对多关联） - 基于 owner_id + shop_id 的自动数据权限过滤 - 使用 PostgreSQL WITH RECURSIVE 查询下级账号 - Redis 缓存优化下级账号查询性能（30分钟过期） - 支持多租户数据隔离和层级权限管理技术实现: - 新增 Account、Role、Permission 模型及关联关系表 - 实现 GORM Scopes 自动应用数据权限过滤 - 添加数据库迁移脚本（000002_rbac_data_permission、000003_add_owner_id_shop_id） - 完善错误码定义（1010-1027 为 RBAC 相关错误） - 重构 main.go 采用函数拆分提高可读性测试覆盖: - 添加 Account、Role、Permission 的集成测试 - 添加数据权限过滤的单元测试和集成测试 - 添加下级账号查询和缓存的单元测试 - 添加 API 回归测试确保向后兼容文档更新: - 更新 README.md 添加 RBAC 功能说明 - 更新 CLAUDE.md 添加技术栈和开发原则 - 添加 docs/004-rbac-data-permission/ 功能总结和使用指南 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-18 16:44:06 +08:00
parent e8eb5766cb
commit eaa70ac255
86 changed files with 15395 additions and 245 deletions
--- a/internal/model/account.go
+++ b/internal/model/account.go
@@ -0,0 +1,29 @@
+package model
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// Account 账号模型
+type Account struct {
+	ID        uint           `gorm:"primarykey" json:"id"`
+	Username  string         `gorm:"uniqueIndex:idx_account_username,where:deleted_at IS NULL;not null;size:50" json:"username"`
+	Phone     string         `gorm:"uniqueIndex:idx_account_phone,where:deleted_at IS NULL;not null;size:20" json:"phone"`
+	Password  string         `gorm:"not null;size:255" json:"-"`      // 不返回给客户端
+	UserType  int            `gorm:"not null;index" json:"user_type"` // 1=root, 2=平台, 3=代理, 4=企业
+	ShopID    *uint          `gorm:"index" json:"shop_id,omitempty"`
+	ParentID  *uint          `gorm:"index" json:"parent_id,omitempty"`
+	Status    int            `gorm:"not null;default:1" json:"status"` // 0=禁用, 1=启用
+	Creator   uint           `gorm:"not null" json:"creator"`
+	Updater   uint           `gorm:"not null" json:"updater"`
+	CreatedAt time.Time      `gorm:"not null" json:"created_at"`
+	UpdatedAt time.Time      `gorm:"not null" json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
+}
+
+// TableName 指定表名
+func (Account) TableName() string {
+	return "tb_account"
+}
--- a/internal/model/account_dto.go
+++ b/internal/model/account_dto.go
@@ -0,0 +1,49 @@
+package model
+
+// CreateAccountRequest 创建账号请求
+type CreateAccountRequest struct {
+	Username string `json:"username" validate:"required,min=3,max=50"`
+	Phone    string `json:"phone" validate:"required,len=11"`
+	Password string `json:"password" validate:"required,min=8,max=32"`
+	UserType int    `json:"user_type" validate:"required,min=1,max=4"`
+	ShopID   *uint  `json:"shop_id"`
+	ParentID *uint  `json:"parent_id"`
+}
+
+// UpdateAccountRequest 更新账号请求
+type UpdateAccountRequest struct {
+	Username *string `json:"username" validate:"omitempty,min=3,max=50"`
+	Phone    *string `json:"phone" validate:"omitempty,len=11"`
+	Password *string `json:"password" validate:"omitempty,min=8,max=32"`
+	Status   *int    `json:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// AccountListRequest 账号列表查询请求
+type AccountListRequest struct {
+	Page     int    `json:"page" query:"page" validate:"omitempty,min=1"`
+	PageSize int    `json:"page_size" query:"page_size" validate:"omitempty,min=1,max=100"`
+	Username string `json:"username" query:"username" validate:"omitempty,max=50"`
+	Phone    string `json:"phone" query:"phone" validate:"omitempty,max=20"`
+	UserType *int   `json:"user_type" query:"user_type" validate:"omitempty,min=1,max=4"`
+	Status   *int   `json:"status" query:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// AccountResponse 账号响应
+type AccountResponse struct {
+	ID        uint   `json:"id"`
+	Username  string `json:"username"`
+	Phone     string `json:"phone"`
+	UserType  int    `json:"user_type"`
+	ShopID    *uint  `json:"shop_id,omitempty"`
+	ParentID  *uint  `json:"parent_id,omitempty"`
+	Status    int    `json:"status"`
+	Creator   uint   `json:"creator"`
+	Updater   uint   `json:"updater"`
+	CreatedAt string `json:"created_at"`
+	UpdatedAt string `json:"updated_at"`
+}
+
+// AssignRolesRequest 分配角色请求
+type AssignRolesRequest struct {
+	RoleIDs []uint `json:"role_ids" validate:"required,min=1"`
+}
--- a/internal/model/account_role.go
+++ b/internal/model/account_role.go
@@ -0,0 +1,25 @@
+package model
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// AccountRole 账号-角色关联模型
+type AccountRole struct {
+	ID        uint           `gorm:"primarykey" json:"id"`
+	AccountID uint           `gorm:"not null;index;uniqueIndex:idx_account_role_unique,where:deleted_at IS NULL" json:"account_id"`
+	RoleID    uint           `gorm:"not null;index;uniqueIndex:idx_account_role_unique,where:deleted_at IS NULL" json:"role_id"`
+	Status    int            `gorm:"not null;default:1" json:"status"`
+	Creator   uint           `gorm:"not null" json:"creator"`
+	Updater   uint           `gorm:"not null" json:"updater"`
+	CreatedAt time.Time      `gorm:"not null" json:"created_at"`
+	UpdatedAt time.Time      `gorm:"not null" json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
+}
+
+// TableName 指定表名
+func (AccountRole) TableName() string {
+	return "tb_account_role"
+}
--- a/internal/model/account_role_dto.go
+++ b/internal/model/account_role_dto.go
@@ -0,0 +1,16 @@
+package model
+
+// AccountRoleResponse 账号-角色关联响应
+type AccountRoleResponse struct {
+	ID        uint   `json:"id"`
+	AccountID uint   `json:"account_id"`
+	RoleID    uint   `json:"role_id"`
+	Status    int    `json:"status"`
+	CreatedAt string `json:"created_at"`
+}
+
+// AccountRolesResponse 账号的角色列表响应
+type AccountRolesResponse struct {
+	AccountID uint            `json:"account_id"`
+	Roles     []*RoleResponse `json:"roles"`
+}
--- a/internal/model/permission.go
+++ b/internal/model/permission.go
@@ -0,0 +1,29 @@
+package model
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// Permission 权限模型
+type Permission struct {
+	ID        uint           `gorm:"primarykey" json:"id"`
+	PermName  string         `gorm:"not null;size:50" json:"perm_name"`
+	PermCode  string         `gorm:"uniqueIndex:idx_permission_code,where:deleted_at IS NULL;not null;size:100" json:"perm_code"`
+	PermType  int            `gorm:"not null;index" json:"perm_type"` // 1=菜单, 2=按钮
+	URL       string         `gorm:"size:255" json:"url,omitempty"`
+	ParentID  *uint          `gorm:"index" json:"parent_id,omitempty"`
+	Sort      int            `gorm:"not null;default:0" json:"sort"`
+	Status    int            `gorm:"not null;default:1" json:"status"`
+	Creator   uint           `gorm:"not null" json:"creator"`
+	Updater   uint           `gorm:"not null" json:"updater"`
+	CreatedAt time.Time      `gorm:"not null" json:"created_at"`
+	UpdatedAt time.Time      `gorm:"not null" json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
+}
+
+// TableName 指定表名
+func (Permission) TableName() string {
+	return "tb_permission"
+}
--- a/internal/model/permission_dto.go
+++ b/internal/model/permission_dto.go
@@ -0,0 +1,59 @@
+package model
+
+// CreatePermissionRequest 创建权限请求
+type CreatePermissionRequest struct {
+	PermName string `json:"perm_name" validate:"required,min=1,max=50"`
+	PermCode string `json:"perm_code" validate:"required,min=1,max=100"`
+	PermType int    `json:"perm_type" validate:"required,min=1,max=2"`
+	URL      string `json:"url" validate:"omitempty,max=255"`
+	ParentID *uint  `json:"parent_id"`
+	Sort     int    `json:"sort" validate:"omitempty,min=0"`
+}
+
+// UpdatePermissionRequest 更新权限请求
+type UpdatePermissionRequest struct {
+	PermName *string `json:"perm_name" validate:"omitempty,min=1,max=50"`
+	PermCode *string `json:"perm_code" validate:"omitempty,min=1,max=100"`
+	URL      *string `json:"url" validate:"omitempty,max=255"`
+	ParentID *uint   `json:"parent_id"`
+	Sort     *int    `json:"sort" validate:"omitempty,min=0"`
+	Status   *int    `json:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// PermissionListRequest 权限列表查询请求
+type PermissionListRequest struct {
+	Page     int    `json:"page" query:"page" validate:"omitempty,min=1"`
+	PageSize int    `json:"page_size" query:"page_size" validate:"omitempty,min=1,max=100"`
+	PermName string `json:"perm_name" query:"perm_name" validate:"omitempty,max=50"`
+	PermCode string `json:"perm_code" query:"perm_code" validate:"omitempty,max=100"`
+	PermType *int   `json:"perm_type" query:"perm_type" validate:"omitempty,min=1,max=2"`
+	ParentID *uint  `json:"parent_id" query:"parent_id"`
+	Status   *int   `json:"status" query:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// PermissionResponse 权限响应
+type PermissionResponse struct {
+	ID        uint   `json:"id"`
+	PermName  string `json:"perm_name"`
+	PermCode  string `json:"perm_code"`
+	PermType  int    `json:"perm_type"`
+	URL       string `json:"url,omitempty"`
+	ParentID  *uint  `json:"parent_id,omitempty"`
+	Sort      int    `json:"sort"`
+	Status    int    `json:"status"`
+	Creator   uint   `json:"creator"`
+	Updater   uint   `json:"updater"`
+	CreatedAt string `json:"created_at"`
+	UpdatedAt string `json:"updated_at"`
+}
+
+// PermissionTreeNode 权限树节点（用于层级展示）
+type PermissionTreeNode struct {
+	ID       uint                  `json:"id"`
+	PermName string                `json:"perm_name"`
+	PermCode string                `json:"perm_code"`
+	PermType int                   `json:"perm_type"`
+	URL      string                `json:"url,omitempty"`
+	Sort     int                   `json:"sort"`
+	Children []*PermissionTreeNode `json:"children,omitempty"`
+}
--- a/internal/model/role.go
+++ b/internal/model/role.go
@@ -0,0 +1,26 @@
+package model
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// Role 角色模型
+type Role struct {
+	ID        uint           `gorm:"primarykey" json:"id"`
+	RoleName  string         `gorm:"not null;size:50" json:"role_name"`
+	RoleDesc  string         `gorm:"size:255" json:"role_desc"`
+	RoleType  int            `gorm:"not null;index" json:"role_type"` // 1=超级, 2=代理, 3=企业
+	Status    int            `gorm:"not null;default:1" json:"status"`
+	Creator   uint           `gorm:"not null" json:"creator"`
+	Updater   uint           `gorm:"not null" json:"updater"`
+	CreatedAt time.Time      `gorm:"not null" json:"created_at"`
+	UpdatedAt time.Time      `gorm:"not null" json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
+}
+
+// TableName 指定表名
+func (Role) TableName() string {
+	return "tb_role"
+}
--- a/internal/model/role_dto.go
+++ b/internal/model/role_dto.go
@@ -0,0 +1,42 @@
+package model
+
+// CreateRoleRequest 创建角色请求
+type CreateRoleRequest struct {
+	RoleName string `json:"role_name" validate:"required,min=1,max=50"`
+	RoleDesc string `json:"role_desc" validate:"omitempty,max=255"`
+	RoleType int    `json:"role_type" validate:"required,min=1,max=3"`
+}
+
+// UpdateRoleRequest 更新角色请求
+type UpdateRoleRequest struct {
+	RoleName *string `json:"role_name" validate:"omitempty,min=1,max=50"`
+	RoleDesc *string `json:"role_desc" validate:"omitempty,max=255"`
+	Status   *int    `json:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// RoleListRequest 角色列表查询请求
+type RoleListRequest struct {
+	Page     int    `json:"page" query:"page" validate:"omitempty,min=1"`
+	PageSize int    `json:"page_size" query:"page_size" validate:"omitempty,min=1,max=100"`
+	RoleName string `json:"role_name" query:"role_name" validate:"omitempty,max=50"`
+	RoleType *int   `json:"role_type" query:"role_type" validate:"omitempty,min=1,max=3"`
+	Status   *int   `json:"status" query:"status" validate:"omitempty,min=0,max=1"`
+}
+
+// RoleResponse 角色响应
+type RoleResponse struct {
+	ID        uint   `json:"id"`
+	RoleName  string `json:"role_name"`
+	RoleDesc  string `json:"role_desc"`
+	RoleType  int    `json:"role_type"`
+	Status    int    `json:"status"`
+	Creator   uint   `json:"creator"`
+	Updater   uint   `json:"updater"`
+	CreatedAt string `json:"created_at"`
+	UpdatedAt string `json:"updated_at"`
+}
+
+// AssignPermissionsRequest 分配权限请求
+type AssignPermissionsRequest struct {
+	PermIDs []uint `json:"perm_ids" validate:"required,min=1"`
+}
--- a/internal/model/role_permission.go
+++ b/internal/model/role_permission.go
@@ -0,0 +1,25 @@
+package model
+
+import (
+	"time"
+
+	"gorm.io/gorm"
+)
+
+// RolePermission 角色-权限关联模型
+type RolePermission struct {
+	ID        uint           `gorm:"primarykey" json:"id"`
+	RoleID    uint           `gorm:"not null;index;uniqueIndex:idx_role_permission_unique,where:deleted_at IS NULL" json:"role_id"`
+	PermID    uint           `gorm:"not null;index;uniqueIndex:idx_role_permission_unique,where:deleted_at IS NULL" json:"perm_id"`
+	Status    int            `gorm:"not null;default:1" json:"status"`
+	Creator   uint           `gorm:"not null" json:"creator"`
+	Updater   uint           `gorm:"not null" json:"updater"`
+	CreatedAt time.Time      `gorm:"not null" json:"created_at"`
+	UpdatedAt time.Time      `gorm:"not null" json:"updated_at"`
+	DeletedAt gorm.DeletedAt `gorm:"index" json:"deleted_at,omitempty"`
+}
+
+// TableName 指定表名
+func (RolePermission) TableName() string {
+	return "tb_role_permission"
+}
--- a/internal/model/role_permission_dto.go
+++ b/internal/model/role_permission_dto.go
@@ -0,0 +1,16 @@
+package model
+
+// RolePermissionResponse 角色-权限关联响应
+type RolePermissionResponse struct {
+	ID        uint   `json:"id"`
+	RoleID    uint   `json:"role_id"`
+	PermID    uint   `json:"perm_id"`
+	Status    int    `json:"status"`
+	CreatedAt string `json:"created_at"`
+}
+
+// RolePermissionsResponse 角色的权限列表响应
+type RolePermissionsResponse struct {
+	RoleID      uint                  `json:"role_id"`
+	Permissions []*PermissionResponse `json:"permissions"`
+}