feat(permission): add business write permission (BWP) for system administrators (#813) #613
…migration
- User model (biz + storage): add BusinessWritePermission bool field, GORM tag: column=business_write_permission, default=true, not null
- Add migrateProjectDirectorToSystemAdmin migration function, which migrates users holding Project Director (700001) to System Administrator (700017); idempotent and re-entrant
- Call the migration function from AutoMigrate so the DML runs automatically after the schema change
- Remove the Project Director (700001) entry from the initOpPermission seed data
- Add the new field to the convertBizUser/convertModelUser two-way mapping
- Add BusinessWritePermission *bool to CreateUserArgs; newUser defaults to true
- initUsers built-in users explicitly set BusinessWritePermission=true
data-upgrade: B-20260508_project_director_to_system_admin
Fixes #813
…ation
Covers the 4 scenarios of the design.md 5.1.4 test matrix:
- only_700001: holds only Project Director -> migrated to System Administrator
- both_700001_700017: holds both -> only System Administrator is kept
- repeat_migration: repeated execution -> no change, no error
- migrated_user_bwp: after migration, BWP defaults to true
The tests depend on the MySQL test environment provided by test_util.go
Fixes #813
…unctions
- Add BusinessWritePermission *bool to UpdateUser and AddUser request structs
- Add BusinessWritePermission bool to GetUser, ListUser, GetUserOpPermission response structs
- Add isBusinessWrite bool param to CanOpGlobal, CanOpProject, IsUserProjectAdmin, GetCanOpDBUsers
- When isBusinessWrite=true and user BWP=false, admin/sys admin identity does not grant access
- Add userRepo to OpPermissionVerifyUsecase for querying user BWP in permission checks
- Implement role switch reset: non-system-admin users always have BWP=true
- Service layer passes BWP between API and biz layers
- All existing callers pass isBusinessWrite=false to preserve current behavior
Refs: dms-ee#813
…udbeaver
- cloudbeaver.go: CanOpGlobal call changed to isBusinessWrite=true (SQL workbench entry is a business-write operation)
- op_permission_verify_test.go: 22 test cases covering CanOpGlobal, IsUserProjectAdmin, and GetCanOpDBUsers with BWP combinations from the design.md 5.1.1 test matrix
- user_test.go: 5 test cases covering UpdateUser BWP field handling from the design.md 5.1.5 test matrix (set false/true, role switch reset, non-admin ignored, global management user)
…i18n messages
Filter out system administrators with BusinessWritePermission=false in the DMS NotifyMessage service entry point. This covers notifications sent by SQLE via the DMS API (dmsobject.Notify), so the SQLE side needs no modification. Also add an i18n message for the BWP audit record.
Add a new function GetUserOpPermissionWithBWP that returns BusinessWritePermission alongside OpPermissionList and IsAdmin. This allows SQLE to check BWP status when verifying user permissions, enabling server-side enforcement of BWP policy. Issue: #813
…sers When admin/sys has BusinessWritePermission=false, the GetUser API no longer hardcodes IsManager=true for all projects. Instead it checks actual project-level authorization from user_op_permissions, so the frontend useBusinessWritePermission hook can correctly detect that admin is NOT a project manager and properly disable business write buttons. Fixes #813
…ission (#813) The sys user (700201) is used exclusively for internal DMS-to-SQLE communication (e.g., SQL audit during data export workflow creation). It must never be restricted by BWP settings, so always report business_write_permission=true for the sys user regardless of the database value. This fixes the 4011 error when creating data export workflows.
…orInternal (#813) ListMembersForInternal previously passed isBusinessWrite=false to IsUserProjectAdmin, causing built-in admin/sys users to always be marked as project admins regardless of their BWP status. This led to admin appearing in workflow approval candidate sets even when BWP was off and no datasource permissions were assigned. Change isBusinessWrite to true so that admin/sys users with BWP=off must have explicit project-level admin permissions to be included as project admins in the internal member listing.
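The commit messages above describe the BWP decision rules in prose; the following is an added illustration, not dms-ee's own code, that models them in one place: system admin identity grants a global op unless the op is a business write and BWP is off, the built-in sys user (700201) always reports BWP=true, non-system-admins are reset to BWP=true, and notification recipients with BWP off are dropped. User, IsSystemAdmin, NormalizeBWP and FilterNotifyRecipients are constructed names; the real CanOpGlobal also checks the user's individual op permissions, which is omitted here.

```go
package main

import "fmt"

// Constructed example, not dms-ee code: a minimal model of the BWP rules this PR
// describes. The uids are the ones quoted in the commit messages.
const (
	OpSystemAdmin = "700017" // System Administrator op permission
	SysUserUID    = "700201" // built-in sys user for internal DMS-to-SQLE calls
)

type User struct {
	UID                     string
	OpPermissions           []string // global op permission uids the user holds
	BusinessWritePermission bool
}

func IsSystemAdmin(u User) bool {
	for _, p := range u.OpPermissions {
		if p == OpSystemAdmin {
			return true
		}
	}
	return false
}

// EffectiveBWP: the sys user always reports BWP=true whatever value is stored.
func EffectiveBWP(u User) bool { return u.UID == SysUserUID || u.BusinessWritePermission }

// CanOpGlobal: simplified stand-in for the verifier; system admin identity grants
// the op unless it is a business write and BWP is off (individual op permissions omitted).
func CanOpGlobal(u User, isBusinessWrite bool) bool {
	return IsSystemAdmin(u) && (!isBusinessWrite || EffectiveBWP(u))
}

// NormalizeBWP is the role-switch reset: non-system-admins always have BWP=true.
func NormalizeBWP(u User) User {
	if !IsSystemAdmin(u) {
		u.BusinessWritePermission = true
	}
	return u
}

// FilterNotifyRecipients drops system admins with BWP off (NotifyMessage filter).
func FilterNotifyRecipients(users []User) (out []User) {
	for _, u := range users {
		if !IsSystemAdmin(u) || EffectiveBWP(u) {
			out = append(out, u)
		}
	}
	return out
}

func main() {
	admin := User{UID: "constructed-admin", OpPermissions: []string{OpSystemAdmin}}
	fmt.Println(CanOpGlobal(admin, false), CanOpGlobal(admin, true)) // true false
}
```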
PR Reviewer Guide (review updated until commit 91cb204)
PR Code Suggestions (latest suggestions up to commit 406fafa)
User description
Add BusinessWritePermission field to User model, allowing system administrators to have their business write capabilities toggled independently of resource management.
Key changes:
Fixes actiontech/dms-ee#813
Description
- Add the BusinessWritePermission field to the User model to control system administrators' business write permission
- Modify OpPermission and the related permission verification functions, adding the isBusinessWrite parameter
- Update the API, Swagger definitions and database model to support the new field
- Add unit tests covering business write permission and permission decision logic; update i18n messages
Diagram Walkthrough
File Walkthrough
20 files
- Add BusinessWritePermission field for users and update interfaces
- Modify opPermissionVerifyUsecase calls to add the isBusinessWrite parameter
- Update CanOpProject calls to pass the business write flag
- Adjust CanOpGlobal permission calls to pass the business write flag
- Remove redundant permission entries and adjust the system administrator permission decision logic
- Extend the permission verification interface with the isBusinessWrite parameter and helper functions
- Adjust the permission check in project update to pass the business write parameter
- Update the global permission check call logic in role operations
- Add BusinessWritePermission field to the user struct and update related logic
- Modify the global permission check calls in user group operations with the updated parameter
- Update the parameters of the permission check calls in the business tag interface
- Pass the userRepo parameter to support BusinessWritePermission verification
- Update global permission calls in the configuration service, adding the business write parameter
- Adjust the project member service's IsUserProjectAdmin call to pass the business write flag
- Update how opPermissionVerifyUsecase is created during service initialization
- Modify the add-user and update-user interfaces to pass the BusinessWritePermission field
- Update data conversion logic to include the BusinessWritePermission field
- Update the database model with the BusinessWritePermission field definition
- Adjust the global permission call parameters in SQL Workbench
- Add the GetUserOpPermissionWithBWP interface to support the business write permission field
2 files
- Add unit tests covering business write permission logic
- Add unit test cases for user business write permission logic
6 files
- Add i18n message for modifying business write permission
- Add BusinessWritePermission field to the user API definition
- Update the Swagger JSON definition to include the business write permission field
- Update the Swagger YAML file, adding the BusinessWritePermission property
- Update the English i18n file with the business write permission message
- Update the Chinese i18n file with the business write permission message
1 file