feat(admin): add user-level direct permission system and enhance activity tracking

Features: - Add user_permissions table for direct user-to-permission grants (ops:user-ops) - Merge role_permissions + user_permissions in auth chain (login, middleware, getCurrentUser) - Add getUserQueryScope support for USER role with ops:user-ops (cross-tenant access) - Unify cross-tenant operation checks via getUserQueryScope (remove hardcoded SUPER_ADMIN checks) - Add 3 new API endpoints: GET/PUT /:id/permissions, GET /options/permissions - Support ops:user-ops as alternative permission on all user/tenant management routes - Frontend: add user-ops permission toggle on UserFormPage and UserDetailPage - Enhance DC module activity tracking (StreamAIController, SessionController, QuickActionController) - Fix DC AIController user ID extraction and feature name consistency - Add verify-activity-tracking.ts validation script - Update deployment checklist and admin module documentation DB Migration: 20260309_add_user_permissions_table Made-with: Cursor
2026-03-10 09:02:35 +08:00
parent 971e903acf
commit 097e7920ab
19 changed files with 693 additions and 87 deletions
--- a/backend/prisma/schema.prisma
+++ b/backend/prisma/schema.prisma
@@ -47,6 +47,7 @@ model User {
  updatedAt           DateTime         @updatedAt @map("updated_at")
  tenant_members      tenant_members[]
  user_modules        user_modules[]
+  user_permissions    user_permissions[]
  iitUserMappings     IitUserMapping[]
  departments         departments?     @relation(fields: [department_id], references: [id])
  tenants             tenants          @relation(fields: [tenant_id], references: [id])
@@ -1775,6 +1776,7 @@ model permissions {
  module           String?
  created_at       DateTime           @default(now())
  role_permissions role_permissions[]
+  user_permissions user_permissions[]

  @@schema("platform_schema")
 }
@@ -1790,6 +1792,20 @@ model role_permissions {
  @@schema("platform_schema")
 }

+/// 用户直授权限表（不依赖角色，单独给用户授予权限）
+model user_permissions {
+  id            Int         @id @default(autoincrement())
+  user_id       String
+  permission_id Int
+  created_at    DateTime    @default(now())
+  user          User        @relation(fields: [user_id], references: [id], onDelete: Cascade)
+  permissions   permissions @relation(fields: [permission_id], references: [id], onDelete: Cascade)
+
+  @@unique([user_id, permission_id])
+  @@index([user_id])
+  @@schema("platform_schema")
+}
+
 model tenant_members {
  id        String   @id
  tenant_id String