feat: 实现 RBAC 权限系统和数据权限控制 (004-rbac-data-permission)

主要功能: - 实现完整的 RBAC 权限系统（账号、角色、权限的多对多关联） - 基于 owner_id + shop_id 的自动数据权限过滤 - 使用 PostgreSQL WITH RECURSIVE 查询下级账号 - Redis 缓存优化下级账号查询性能（30分钟过期） - 支持多租户数据隔离和层级权限管理技术实现: - 新增 Account、Role、Permission 模型及关联关系表 - 实现 GORM Scopes 自动应用数据权限过滤 - 添加数据库迁移脚本（000002_rbac_data_permission、000003_add_owner_id_shop_id） - 完善错误码定义（1010-1027 为 RBAC 相关错误） - 重构 main.go 采用函数拆分提高可读性测试覆盖: - 添加 Account、Role、Permission 的集成测试 - 添加数据权限过滤的单元测试和集成测试 - 添加下级账号查询和缓存的单元测试 - 添加 API 回归测试确保向后兼容文档更新: - 更新 README.md 添加 RBAC 功能说明 - 更新 CLAUDE.md 添加技术栈和开发原则 - 添加 docs/004-rbac-data-permission/ 功能总结和使用指南 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-18 16:44:06 +08:00
parent e8eb5766cb
commit eaa70ac255
86 changed files with 15395 additions and 245 deletions
--- a/tests/integration/error_handler_test.go
+++ b/tests/integration/error_handler_test.go
@@ -85,7 +85,7 @@ func TestErrorHandler_ValidationError_Returns400(t *testing.T) {

 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 400, resp.StatusCode, "参数验证失败应返回 400 状态码")
@@ -129,7 +129,7 @@ func TestErrorHandler_ResourceNotFound_Returns404(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/users/99999", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 404, resp.StatusCode, "资源未找到应返回 404 状态码")
@@ -172,7 +172,7 @@ func TestErrorHandler_AuthenticationFailed_Returns401(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/protected", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 401, resp.StatusCode, "认证失败应返回 401 状态码")
@@ -293,7 +293,7 @@ func TestErrorHandler_ResponseFormatConsistency(t *testing.T) {

 			resp, err := app.Test(req, -1)
 			require.NoError(t, err)
-			defer resp.Body.Close()
+			defer func() { _ = resp.Body.Close() }()

 			// 验证 HTTP 状态码
 			assert.Equal(t, tc.expectedHTTP, resp.StatusCode,
@@ -354,7 +354,7 @@ func TestPanic_BasicPanicRecovery(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/panic", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 panic 被捕获并转换为 500 错误
 	assert.Equal(t, 500, resp.StatusCode, "panic 应返回 500 状态码")
@@ -401,14 +401,14 @@ func TestPanic_ServiceContinuesAfterRecovery(t *testing.T) {
 	panicReq := httptest.NewRequest("GET", "/api/test/panic-endpoint", nil)
 	panicResp, err := app.Test(panicReq, -1)
 	require.NoError(t, err)
-	panicResp.Body.Close()
+	_ = panicResp.Body.Close()
 	assert.Equal(t, 500, panicResp.StatusCode, "panic 应返回 500")

 	// 第二次请求：验证服务仍然正常运行
 	normalReq := httptest.NewRequest("GET", "/api/test/normal-endpoint", nil)
 	normalResp, err := app.Test(normalReq, -1)
 	require.NoError(t, err)
-	defer normalResp.Body.Close()
+	defer func() { _ = normalResp.Body.Close() }()

 	// 验证正常请求仍然成功
 	assert.Equal(t, 200, normalResp.StatusCode, "panic 后正常请求应成功")
@@ -452,7 +452,7 @@ func TestPanic_ConcurrentPanicHandling(t *testing.T) {
 				results <- 0
 				return
 			}
-			defer resp.Body.Close()
+			defer func() { _ = resp.Body.Close() }()
 			results <- resp.StatusCode
 		}(i)
 	}
@@ -490,7 +490,7 @@ func TestPanic_StackTraceLogging(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/panic-with-stack", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 panic 被捕获
 	assert.Equal(t, 500, resp.StatusCode, "panic 应返回 500 状态码")
@@ -536,7 +536,7 @@ func TestPanic_NilPointerDereference(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/nil-pointer", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	assert.Equal(t, 500, resp.StatusCode, "空指针 panic 应返回 500")

@@ -556,7 +556,7 @@ func TestPanic_ArrayOutOfBounds(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/out-of-bounds", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	assert.Equal(t, 500, resp.StatusCode, "数组越界 panic 应返回 500")

@@ -580,7 +580,7 @@ func TestErrorClassification_ValidationError_WarnLevel(t *testing.T) {

 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 400, resp.StatusCode, "参数验证失败应返回 400")
@@ -614,7 +614,7 @@ func TestErrorClassification_PermissionDenied_WarnLevel(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/permission-warn", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 403, resp.StatusCode, "权限不足应返回 403")
@@ -650,7 +650,7 @@ func TestErrorClassification_DatabaseError_ErrorLevel(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/database-error", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 500, resp.StatusCode, "数据库错误应返回 500")
@@ -735,7 +735,7 @@ func TestErrorClassification_SensitiveInfoHidden(t *testing.T) {
 			req := httptest.NewRequest("GET", tc.path, nil)
 			resp, err := app.Test(req, -1)
 			require.NoError(t, err)
-			defer resp.Body.Close()
+			defer func() { _ = resp.Body.Close() }()

 			assert.Equal(t, tc.expectedStatus, resp.StatusCode, "HTTP 状态码应正确")

@@ -777,7 +777,7 @@ func TestErrorClassification_RateLimitExceeded_Returns429(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/rate-limit", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 429, resp.StatusCode, "限流应返回 429 状态码")
@@ -834,7 +834,7 @@ func TestErrorClassification_ServiceUnavailable_Returns503(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/service-unavailable", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 HTTP 状态码
 	assert.Equal(t, 503, resp.StatusCode, "服务不可用应返回 503 状态码")
@@ -878,7 +878,7 @@ func TestErrorTracking_LogCompleteness_IncludesRequestID(t *testing.T) {

 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证响应包含 Request ID
 	responseRequestID := resp.Header.Get("X-Request-ID")
@@ -922,7 +922,7 @@ func TestErrorTracking_RequestContext_AllFields(t *testing.T) {

 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证响应
 	assert.Equal(t, 400, resp.StatusCode, "应返回 400 错误")
@@ -953,7 +953,7 @@ func TestErrorTracking_PanicStackTrace_IncludesLocation(t *testing.T) {
 	req := httptest.NewRequest("GET", "/api/test/panic-stack-trace", nil)
 	resp, err := app.Test(req, -1)
 	require.NoError(t, err)
-	defer resp.Body.Close()
+	defer func() { _ = resp.Body.Close() }()

 	// 验证 panic 被捕获
 	assert.Equal(t, 500, resp.StatusCode, "panic 应返回 500 状态码")
@@ -1052,7 +1052,7 @@ func TestErrorTracking_RequestIDTracing_EndToEnd(t *testing.T) {

 			resp, err := app.Test(req, -1)
 			require.NoError(t, err)
-			defer resp.Body.Close()
+			defer func() { _ = resp.Body.Close() }()

 			// 验证 HTTP 状态码
 			assert.Equal(t, tc.expectedStatus, resp.StatusCode,