feat(admin): Add user management and upgrade to module permission system
Features - User Management (Phase 4.1): - Database: Add user_modules table for fine-grained module permissions - Database: Add 4 user permissions (view/create/edit/delete) to role_permissions - Backend: UserService (780 lines) - CRUD with tenant isolation - Backend: UserController + UserRoutes (648 lines) - 13 API endpoints - Backend: Batch import users from Excel - Frontend: UserListPage (412 lines) - list/filter/search/pagination - Frontend: UserFormPage (341 lines) - create/edit with module config - Frontend: UserDetailPage (393 lines) - details/tenant/module management - Frontend: 3 modal components (592 lines) - import/assign/configure - API: GET/POST/PUT/DELETE /api/admin/users/* endpoints Architecture Upgrade - Module Permission System: - Backend: Add getUserModules() method in auth.service - Backend: Login API returns modules array in user object - Frontend: AuthContext adds hasModule() method - Frontend: Navigation filters modules based on user.modules - Frontend: RouteGuard checks requiredModule instead of requiredVersion - Frontend: Remove deprecated version-based permission system - UX: Only show accessible modules in navigation (clean UI) - UX: Smart redirect after login (avoid 403 for regular users) Fixes: - Fix UTF-8 encoding corruption in ~100 docs files - Fix pageSize type conversion in userService (String to Number) - Fix authUser undefined error in TopNavigation - Fix login redirect logic with role-based access check - Update Git commit guidelines v1.2 with UTF-8 safety rules Database Changes: - CREATE TABLE user_modules (user_id, tenant_id, module_code, is_enabled) - ADD UNIQUE CONSTRAINT (user_id, tenant_id, module_code) - INSERT 4 permissions + role assignments - UPDATE PUBLIC tenant with 8 module subscriptions Technical: - Backend: 5 new files (~2400 lines) - Frontend: 10 new files (~2500 lines) - Docs: 1 development record + 2 status updates + 1 guideline update - Total: ~4900 lines of code Status: User management 100% complete, module permission system operational
This commit is contained in:
@@ -1,23 +1,28 @@
|
||||
# **集成部署补充指南:填补最后的缝隙**
|
||||
|
||||
文档版本: v1.0
|
||||
<EFBFBD>格<EFBFBD>: 閫<><E996AB> 5 銝芰𡠺蝡𧢲芋<F0A7A2B2>烾<EFBFBD><E783BE>鞉𧒄<E99E89><F0A79284><EFBFBD>蝏𡏭<E89D8F><F0A18FAD>𡁏<EFBFBD>扼<EFBFBD><E689BC><EFBFBD>撣<EFBFBD><E692A3><EFBFBD><EFBFBD><EFBFBD><EFBFBD>鞉𧋦<E99E89>桅<EFBFBD><E6A185>?
|
||||
## **<2A><> <20>喲睸<E596B2>桅<EFBFBD> 1嚗锭AE <20><><EFBFBD>蝵𤏸挪<F0A48FB8>?(靚<>鍂 DeepSeek/OpenAI)**
|
||||
目标: 解决 5 个独立模块集成时的网络连通性、发布效率和成本问题。
|
||||
|
||||
<EFBFBD>啁𠶖嚗𡁻<EFBFBD>蝵脣銁 VPC <20><><EFBFBD> SAE 暺䁅恕<E48185>䭾<EFBFBD>霈輸䔮<E8BCB8>祉<EFBFBD><E7A589>?
|
||||
<EFBFBD>擧<EFBFBD>嚗𡁜<EFBFBD>蝡航<EFBFBD><EFBFBD>?DeepSeek <20>亙藁隡朞<E99AA1><E69C9E>塚<EFBFBD>Python <20>滚𦛚<E6BB9A>䭾<EFBFBD>銝贝蝸<E8B49D>祉<EFBFBD> PDF<44>?
|
||||
### **<2A>寞<EFBFBD> A嚗鐭AT 蝵穃<E89DB5> (<28><><EFBFBD><EFBFBD>煺漣<E785BA>寞<EFBFBD>嚗峕綫<E5B395>?**
|
||||
## **🛑 关键问题 1:SAE 的外网访问 (调用 DeepSeek/OpenAI)**
|
||||
|
||||
现状:部署在 VPC 内的 SAE 默认无法访问公网。
|
||||
后果:后端调用 DeepSeek 接口会超时;Python 服务无法下载公网 PDF。
|
||||
|
||||
### **方案 A:NAT 网关 (标准生产方案,推荐)**
|
||||
|
||||
* **操作**:在 VPC 控制台创建一个 **公网 NAT 网关**,并绑定一个 **EIP**。配置 SNAT 条目,允许交换机内的实例访问公网。
|
||||
* **成本**:NAT 网关租赁费 \+ EIP 流量费/带宽费。
|
||||
* **优点**:稳定,无需修改应用配置。
|
||||
|
||||
* **<2A>滢<EFBFBD>**嚗𡁜銁 VPC <20>批<EFBFBD><E689B9>啣<EFBFBD>撱箔<E692B1>銝?**<2A>祉<EFBFBD> NAT 蝵穃<E89DB5>**嚗<>僎蝏穃<E89D8F>銝<EFBFBD>銝?**EIP**<2A><><EFBFBD>蝵?SNAT <20>∠𤌍嚗<F0A48C8D><E59A97>霈訾漱<E8A8BE>X㦤<EFBCB8><E3A6A4><EFBFBD>摰硺<E691B0>霈輸䔮<E8BCB8>祉<EFBFBD><E7A589>?
|
||||
* **<2A>鞉𧋦**嚗鐭AT 蝵穃<E89DB5>蝘蠘<E89D98>韐?\+ EIP 瘚<><E7989A>韐?撣血捐韐嫘<E99F90>?
|
||||
* **隡条<E99AA1>**嚗𡁶迅摰𡄯<E691B0><F0A184AF>𣳇<EFBFBD>靽格㺿摨𠉛鍂<F0A0899B>滨蔭<E6BBA8>?
|
||||
### **方案 B:SAE 绑定公网 IP (省钱方案)**
|
||||
|
||||
* **<EFBFBD>滢<EFBFBD>**嚗𡁜銁 SAE 摨𠉛鍂<F0A0899B>滨蔭 \-\> 蝵𤑳<E89DB5><F0A491B3>滨蔭 銝哨<E98A9D><E593A8>亦<EFBFBD><E4BAA6>臬炏<E887AC>舀<EFBFBD>撘<EFBFBD><E69298>?**<2A>祉<EFBFBD>霈輸䔮** <20>𣇉<EFBFBD>摰?EIP<EFBFBD>?
|
||||
* **瘜冽<EFBFBD>**嚗锭AE <20>𣂷<EFBFBD><F0A382B7>抒<EFBFBD><E68A92>祆<EFBFBD><E7A586>孵<EFBFBD><E5ADB5>啣<EFBFBD><E595A3>航<EFBFBD>銝齿𣈲<E9BDBF><F0A388B2>凒<EFBFBD>亦<EFBFBD>摰?EIP<49><50><EFBFBD><EFBFBD>靝<EFBFBD><E99D9D>舀<EFBFBD>嚗<EFBFBD><E59A97>憿餌鍂<E9A48C>寞<EFBFBD> A<>?
|
||||
## **<2A><>儭?<3F>喲睸<E596B2>桅<EFBFBD> 2嚗朞歲<E69C9E>踵㦤<E8B8B5>滨蔭 (憒<><E68692><EFBFBD>渲<EFBFBD> RDS)**
|
||||
* **操作**:在 SAE 应用配置 \-\> 网络配置 中,查看是否支持开启 **公网访问** 或绑定 EIP。
|
||||
* **注意**:SAE 某些旧版本或特定地域可能不支持直接绑定 EIP。如果不支持,必须用方案 A。
|
||||
|
||||
## **🛠️ 关键问题 2:跳板机配置 (如何直连 RDS)**
|
||||
|
||||
为了方便开发人员使用 Navicat/DBeaver 管理 RDS 数据,利用 **Dify ECS** 作为跳板机。
|
||||
|
||||
銝箔<EFBFBD><EFBFBD>嫣噶撘<EFBFBD><EFBFBD>睲犖<EFBFBD>䀝蝙<EFBFBD>?Navicat/DBeaver 蝞∠<E89D9E> RDS <20>唳旿嚗<E697BF>⏚<EFBFBD>?**Dify ECS** 雿靝蛹頝單踎<E596AE>箝<EFBFBD>?
|
||||
### **操作步骤**
|
||||
|
||||
1. **本地终端执行** (建立 SSH 隧道):
|
||||
@@ -27,16 +32,17 @@
|
||||
2. **Navicat 连接配置**:
|
||||
* 主机: localhost
|
||||
* 端口: 5433
|
||||
* <EFBFBD>冽<EFBFBD>/撖<><E69296>: RDS <20><>揭<EFBFBD>瑕<EFBFBD><E79195>?
|
||||
* *<EFBFBD>毺<EFBFBD>嚗𡁏<EFBFBD><EFBFBD>誯<EFBFBD>朞<EFBFBD> ECS 頧砍<E9A0A7><E7A08D>啣<EFBFBD>蝵?RDS<EFBFBD>?
|
||||
* 用户/密码: RDS 的账号密码
|
||||
* *原理:流量通过 ECS 转发到内网 RDS。*
|
||||
|
||||
## **<EFBFBD><EFBFBD> <20>喲睸<E596B2>桅<EFBFBD> 3嚗帋<E59A97><E5B88B>桀<EFBFBD>撣<EFBFBD><E692A3><EFBFBD>?(NoOps 蟡𧼮膥)**
|
||||
## **🚀 关键问题 3:一键发布脚本 (NoOps 神器)**
|
||||
|
||||
为 1-2 人团队定制的极简发布脚本。保存为 deploy.sh。
|
||||
|
||||
銝?1-2 鈭箏𣪧<E7AE8F>笔<EFBFBD><E7AC94>嗥<EFBFBD><E597A5><EFBFBD><EFBFBD><EFBFBD>穃<EFBFBD><E7A983>𡁏𧋦<F0A1818F><F0A78BA6><EFBFBD>摮䀝蛹 deploy.sh<73>?
|
||||
\#\!/bin/bash
|
||||
set \-e
|
||||
|
||||
\# \================= <EFBFBD>滨蔭<EFBFBD>?\=================
|
||||
\# \================= 配置区 \=================
|
||||
ACR\_REGISTRY="registry.cn-hangzhou.aliyuncs.com"
|
||||
NAMESPACE="clinical-research"
|
||||
TIMESTAMP=$(date \+%Y%m%d%H%M)
|
||||
@@ -49,7 +55,7 @@ function build\_and\_push() {
|
||||
SERVICE\_NAME=$1
|
||||
DIR\_NAME=$2
|
||||
|
||||
echo \-e "${GREEN}\>\>\> 撘<EFBFBD>憪𧢲<EFBFBD>撱?$SERVICE\_NAME ...${NC}"
|
||||
echo \-e "${GREEN}\>\>\> 开始构建 $SERVICE\_NAME ...${NC}"
|
||||
|
||||
\# 进入目录
|
||||
cd $DIR\_NAME
|
||||
@@ -58,26 +64,26 @@ function build\_and\_push() {
|
||||
IMAGE\_URL="$ACR\_REGISTRY/$NAMESPACE/$SERVICE\_NAME:$TIMESTAMP"
|
||||
docker build \-t $IMAGE\_URL .
|
||||
|
||||
\# 2\. <EFBFBD>券<EFBFBD><EFBFBD><EFBFBD><EFBFBD>?
|
||||
\# 2\. 推送镜像
|
||||
echo \-e "${GREEN}\>\>\> 推送镜像到 ACR ...${NC}"
|
||||
docker push $IMAGE\_URL
|
||||
|
||||
\# 3\. 颲枏枂<EFBFBD>湔鰵<EFBFBD><EFBFBD><EFBFBD> (憒<><E68692>摰㕑<E691B0>鈭?aliyun-cli <20>臭誑<E887AD>芸𢆡<E88AB8>湔鰵嚗<E9B0B5>炏<EFBFBD>蹱<EFBFBD><E8B9B1>?
|
||||
echo \-e "${GREEN}\>\>\> <EFBFBD>?$SERVICE\_NAME <EFBFBD>𨅯<EFBFBD>撌脣停蝏?${NC}"
|
||||
\# 3\. 输出更新指引 (如果安装了 aliyun-cli 可以自动更新,否则手动)
|
||||
echo \-e "${GREEN}\>\>\> ✅ $SERVICE\_NAME 镜像已就绪:${NC}"
|
||||
echo $IMAGE\_URL
|
||||
echo "请在 SAE 控制台将 \[$SERVICE\_NAME\] 的镜像版本更新为: $TIMESTAMP"
|
||||
|
||||
\# <EFBFBD>𧼮<EFBFBD><EFBFBD>寧𤌍敶?
|
||||
\# 回到根目录
|
||||
cd ..
|
||||
echo "----------------------------------------"
|
||||
}
|
||||
|
||||
\# \================= 銝餅<EFBFBD>蝔?\=================
|
||||
\# \================= 主流程 \=================
|
||||
|
||||
\# 1\. <EFBFBD>函蔡 Python 敺格<EFBFBD><EFBFBD>?
|
||||
\# 1\. 部署 Python 微服务
|
||||
\# build\_and\_push "extraction-service" "extraction\_service"
|
||||
|
||||
\# 2\. <EFBFBD>函蔡 Node.js <EFBFBD>𡒊垢 (霈啣<E99C88><E595A3><EFBFBD><EFBFBD>甇?Prisma)
|
||||
\# 2\. 部署 Node.js 后端 (记得先同步 Prisma)
|
||||
\# cp \-r prisma backend/prisma
|
||||
build\_and\_push "backend-service" "backend"
|
||||
\# rm \-rf backend/prisma
|
||||
@@ -87,21 +93,22 @@ build\_and\_push "backend-service" "backend"
|
||||
|
||||
echo \-e "${GREEN}🎉 所有构建任务完成!${NC}"
|
||||
|
||||
## **<EFBFBD><EFBFBD> <20>喲睸<E596B2>桅<EFBFBD> 4嚗鐾SS <20><><EFBFBD>銝舘楝敺<E6A59D><E695BA><EFBFBD>?*
|
||||
## **🔐 关键问题 4:OSS 权限与路径规划**
|
||||
|
||||
为了防止文件混乱,建议在 Bucket 内划分明确的目录结构,并通过 IAM Policy 限制权限(可选)。
|
||||
|
||||
銝箔<EFBFBD><EFBFBD>脫迫<EFBFBD><EFBFBD>辣瘛瑚僚嚗<EFBFBD>遣霈桀銁 Bucket <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>蝖桃<E89D96><E6A183>桀<EFBFBD>蝏𤘪<E89D8F>嚗<EFBFBD>僎<EFBFBD>朞<EFBFBD> IAM Policy <20>𣂼<EFBFBD><F0A382BC><EFBFBD><EFBFBD>嚗<EFBFBD>虾<EFBFBD>㚁<EFBFBD><E39A81>?
|
||||
**推荐目录结构**:
|
||||
|
||||
clinical-research-files/
|
||||
<EFBFBD>鎿<EFBFBD><EFBFBD><EFBFBD> pkb/ \# 銝芯犖<EFBFBD>亥<EFBFBD>摨𤘪<EFBFBD>隞?
|
||||
<EFBFBD>? <20>婙<EFBFBD><E5A999><EFBFBD> {userId}/ \# <EFBFBD>厩鍂<EFBFBD>琿<EFBFBD>蝳?
|
||||
<EFBFBD>鎿<EFBFBD><EFBFBD><EFBFBD> asl/ \# <EFBFBD><EFBFBD>讃蝑偦<EFBFBD>㗇<EFBFBD>隞?
|
||||
<EFBFBD>? <20>婙<EFBFBD><E5A999><EFBFBD> {projectId}/ \# <EFBFBD>厰★<EFBFBD>桅<EFBFBD>蝳?
|
||||
├── pkb/ \# 个人知识库文件
|
||||
│ └── {userId}/ \# 按用户隔离
|
||||
├── asl/ \# 文献筛选文件
|
||||
│ └── {projectId}/ \# 按项目隔离
|
||||
├── dc/ \# 数据清洗文件
|
||||
<EFBFBD>? <20>婙<EFBFBD><E5A999><EFBFBD> {tempId}/ \# 銝湔𧒄銝𠹺<EFBFBD>
|
||||
│ └── {tempId}/ \# 临时上传
|
||||
└── system/ \# 系统资源
|
||||
|
||||
**应用代码逻辑**:
|
||||
|
||||
* **蝘<EFBFBD><EFBFBD>霂餃<EFBFBD>**: Bucket <EFBFBD><EFBFBD><EFBFBD>霈曆蛹 **Private**<EFBFBD>?
|
||||
* **<EFBFBD>滨垢霈輸䔮**: <EFBFBD>𡒊垢雿輻鍂 ossClient.signatureUrl() <EFBFBD><EFBFBD><EFBFBD>撣行<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>?URL (憒?1 撠𤩺𧒄) 餈𥪜<E9A488>蝏坔<E89D8F>蝡胯<E89DA1>?*銝亦<E98A9D><E4BAA6>滨垢<E6BBA8>湔𦻖<E6B994>朞<EFBFBD><E69C9E>祉<EFBFBD> URL 霈輸䔮<E8BCB8>?*
|
||||
* **私有读写**: Bucket 权限设为 **Private**。
|
||||
* **前端访问**: 后端使用 ossClient.signatureUrl() 生成带有效期的 URL (如 1 小时) 返回给前端。**严禁前端直接通过公网 URL 访问。**
|
||||
Reference in New Issue
Block a user