feat(role&permission): migrate the roles and permissions from freeleaps to authentication

2025-09-16 16:28:15 +08:00 · 2025-09-16 16:28:15 +08:00 · a3f8d7b8cf
commit a3f8d7b8cf
parent 4f09a5e4df
3 changed files with 70 additions and 14 deletions
--- a/apps/authentication/backend/models/permission/constants.py
+++ b/apps/authentication/backend/models/permission/constants.py
@ -12,7 +12,10 @@ class DefaultRole:

 # Default roles, which all tenants will have, cannot be modified.
 class DefaultRoleEnum(Enum):
-    ADMIN = DefaultRole("Administrator", "admin", "Have all permissions", 0)
+    ADMIN = DefaultRole("Admin", "admin", "Have all permissions", 1)
+    OPERATOR = DefaultRole("Operator", "operator", "System operator with deployment and management permissions", 10)
+    DEVELOPER = DefaultRole("Developer", "developer", "Developer with git and issue management access", 100)
+    QA = DefaultRole("QA", "qa", "Quality assurance with bug and testing permissions", 1000)


@dataclass(frozen=True)  # frozen=True
@ -24,9 +27,15 @@ class DefaultPermission:

 # Default permissions, which all tenants will have, cannot be modified.
 class DefaultPermissionEnum(Enum):
-    CHANGE_ROLES = DefaultPermission("change:roles", "Change roles", "Add/Update/Delete roles")
-    CHANGE_PERMISSIONS = DefaultPermission("change:permissions", "Change permissions", "Add/Update/Remove permissions")
-    ASSIGN_ROLES = DefaultPermission("assign:roles", "Assign roles", "Assign roles to user")
+    INVITE_COLLABORATOR = DefaultPermission("invite:collaborator", "Add/Remove participants", "Add/Remove participants")
+    PUBLISH_PRODUCTION = DefaultPermission("publish:production", "Deploy to production", "Deploy to production")
+    EDIT_PRODUCT = DefaultPermission("edit:product", "View product management UX", "View product management UX")
+    ACCESS_GIT_REPOSITORIES = DefaultPermission("access:git_repositories", "Access to git repositories", "Access to git repositories")
+    ACCESS_ISSUE_MANAGEMENT = DefaultPermission("access:issue_management", "Access to issue management", "Access to issue management")
+    PUBLISH_ALPHA = DefaultPermission("publish:alpha", "Access to alpha deployment", "Access to alpha deployment")
+    OPEN_BUGS = DefaultPermission("open:bugs", "Open/Close/Re-open bugs", "Open/Close/Re-open bugs")
+    QA_FAILED_PASSED = DefaultPermission("qa:failed_passed", "Update QA status - QA failed/passed", "Update QA status - QA failed/passed")
+    QA_TEST_REPORTS = DefaultPermission("qa:test_reports", "Update QA status - Test reports", "Update QA status - Test reports (Test coverage)")


 class AdministrativeRole(IntEnum):
--- a/apps/authentication/backend/models/permission/models.py
+++ b/apps/authentication/backend/models/permission/models.py
@ -26,6 +26,7 @@ class RoleDoc(Document):
    role_description: Optional[str] = None
    permission_ids: list[str]
    role_level: int
+    revision_id: Optional[str] = None  # Revision ID for version control
    created_at: datetime = datetime.now()  # Creation timestamp, auto-generated
    updated_at: datetime = datetime.now()  # Last update timestamp, auto-updated
    is_default: bool = False
--- a/apps/authentication/webapi/providers/permission_initialize.py
+++ b/apps/authentication/webapi/providers/permission_initialize.py
@ -10,12 +10,9 @@ def register(app):

    @app.on_event("startup")
    async def init_admin_permission():
-        # Initialize permissions if not exist
-        default_permission_ids = []
-        for default_permission in \
-                [DefaultPermissionEnum.CHANGE_PERMISSIONS,
-                 DefaultPermissionEnum.CHANGE_ROLES,
-                 DefaultPermissionEnum.ASSIGN_ROLES]:
+        # Initialize all permissions if not exist
+        permission_id_map = {}
+        for default_permission in DefaultPermissionEnum:
            if not await PermissionDoc.find_one(
                    {str(PermissionDoc.permission_key): default_permission.value.permission_key}):
                doc = await PermissionDoc(
@ -24,17 +21,66 @@ def register(app):
                    description=default_permission.value.permission_description,
                    is_default=True,
                ).insert()
-                default_permission_ids.append(str(doc.id))
-        logging.info(f"default permissions initialized {default_permission_ids}")
+                permission_id_map[default_permission.value.permission_key] = str(doc.id)
+            else:
+                # Get existing permission ID
+                existing_doc = await PermissionDoc.find_one(
+                    {str(PermissionDoc.permission_key): default_permission.value.permission_key})
+                permission_id_map[default_permission.value.permission_key] = str(existing_doc.id)
+        
+        logging.info(f"default permissions initialized {list(permission_id_map.keys())}")
+        
+        # Define role permission mappings based on the provided data
+        role_permission_mappings = {
+            DefaultRoleEnum.ADMIN: [
+                DefaultPermissionEnum.PUBLISH_ALPHA,
+                DefaultPermissionEnum.PUBLISH_PRODUCTION,
+                DefaultPermissionEnum.INVITE_COLLABORATOR,
+                DefaultPermissionEnum.EDIT_PRODUCT,
+                DefaultPermissionEnum.ACCESS_GIT_REPOSITORIES,
+                DefaultPermissionEnum.ACCESS_ISSUE_MANAGEMENT,
+                DefaultPermissionEnum.OPEN_BUGS,
+                DefaultPermissionEnum.QA_FAILED_PASSED,
+                DefaultPermissionEnum.QA_TEST_REPORTS
+            ],
+            DefaultRoleEnum.OPERATOR: [
+                DefaultPermissionEnum.PUBLISH_ALPHA,
+                DefaultPermissionEnum.PUBLISH_PRODUCTION,
+                DefaultPermissionEnum.EDIT_PRODUCT,
+                DefaultPermissionEnum.ACCESS_GIT_REPOSITORIES,
+                DefaultPermissionEnum.ACCESS_ISSUE_MANAGEMENT,
+                DefaultPermissionEnum.OPEN_BUGS,
+                DefaultPermissionEnum.QA_FAILED_PASSED,
+                DefaultPermissionEnum.QA_TEST_REPORTS,
+            ],
+            DefaultRoleEnum.DEVELOPER: [
+                DefaultPermissionEnum.ACCESS_GIT_REPOSITORIES,
+                DefaultPermissionEnum.ACCESS_ISSUE_MANAGEMENT,
+                DefaultPermissionEnum.PUBLISH_ALPHA,
+            ],
+            DefaultRoleEnum.QA: [
+                DefaultPermissionEnum.OPEN_BUGS,
+                DefaultPermissionEnum.QA_FAILED_PASSED,
+                DefaultPermissionEnum.QA_TEST_REPORTS,
+            ],
+        }
+        
        # Initialize roles if not exist
        default_role_ids = []
-        for default_role in [DefaultRoleEnum.ADMIN]:
+        for default_role in DefaultRoleEnum:
            if not await RoleDoc.find_one({str(RoleDoc.role_key): default_role.value.role_key}):
+                # Get permission IDs for this role
+                role_permission_ids = []
+                if default_role in role_permission_mappings:
+                    for permission in role_permission_mappings[default_role]:
+                        if permission.value.permission_key in permission_id_map:
+                            role_permission_ids.append(permission_id_map[permission.value.permission_key])
+                
                doc = await RoleDoc(
                    role_key=default_role.value.role_key,
                    role_name=default_role.value.role_name,
                    role_description=default_role.value.role_description,
-                    permission_ids=default_permission_ids,
+                    permission_ids=role_permission_ids,
                    role_level=default_role.value.role_level,
                    is_default=True,
                ).insert()