hailin
/
it0
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
it0/it0-web-admin
History
hailin 0ab7261129 feat(auth): introduce platform_admin role with proper access separation 
新增 platform_admin 角色,将平台超管与租户管理员的权限彻底分离。

## 后端变更

### auth-service — role-type.vo.ts
- 新增 RoleType.PLATFORM_ADMIN = 'platform_admin'
- DEFAULT_ROLE_PERMISSIONS 中为 PLATFORM_ADMIN 添加空权限集(平台层操作,不参与租户内权限体系)

### auth-service — tenant.controller.ts
- 移除类级别 @Roles('admin'),改为方法级别精细控制:
  - 租户 CRUD(列表/创建/GET/:id/PATCH/:id/PUT/:id/DELETE/:id)→ @Roles('platform_admin')
  - 成员管理(listMembers/updateMember/removeMember)→ @Roles('admin')
  - 邀请管理(listInvites/createInvite/revokeInvite)→ @Roles('admin')
  - 租户管理员可继续管理自己团队的成员和邀请,但无法访问跨租户的租户 CRUD

### auth-service — user.controller.ts
- /api/v1/auth/users(跨租户用户列表/CRUD)→ @Roles('platform_admin')
- 原来任意 admin 均可查看所有用户,现仅平台超管可访问

### version-service — guards/platform-admin.guard.ts(新文件)
- 新增 PlatformAdminGuard:从 Authorization: Bearer <JWT> 中 base64 解码 payload,
  检查 roles 包含 'platform_admin'(无需重复验签,Kong 已完成签名校验)
- 不依赖 @nestjs/passport,轻量、无额外依赖

### version-service — version.controller.ts
- 整个 /api/v1/versions 控制器挂载 @UseGuards(PlatformAdminGuard)
- App 版本管理(上传/发布/删除 APK/IPA)仅平台超管可操作

## 前端变更

### it0-web-admin — sidebar.tsx
- 登录时从 localStorage.user.roles 检测是否为 platform_admin
- 平台超管侧边栏:仪表盘 / 租户管理 / 用户(跨租户)/ App版本 / 账单(套餐+概览+账单记录)/ 设置
- 租户用户侧边栏:仪表盘 / Agent配置 / Runbooks / 常驻指令 / 服务器 / 监控 / 终端 / 安全 / 审计 / 通信 / 账单(概览+账单记录,无套餐管理)/ 设置

## 创建第一个平台超管账号
直接更新数据库:
  UPDATE it0_t_default.users SET roles = '{platform_admin}' WHERE email = 'xxx@xxx.com';
或通过已有 platform_admin 账号调用 POST /api/v1/auth/users 并指定 role: 'platform_admin'

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 		2026-03-07 00:57:40 -08:00
..
public/icons feat: rename app from IT0 to iAgent (我智能体) 2026-02-22 06:39:40 -08:00
src feat(auth): introduce platform_admin role with proper access separation 2026-03-07 00:57:40 -08:00
.dockerignore fix: add Dockerfiles and fix docker-compose build configuration 2026-02-19 04:31:23 -08:00
Dockerfile fix: copy public/ directory in web-admin Dockerfile for static assets 2026-02-22 06:28:45 -08:00
deploy.sh feat: add deployment scripts with SSL support for production 2026-02-09 17:44:27 -08:00
next-env.d.ts feat: add dual tenant registration (self-service + invitation) 2026-02-22 03:10:18 -08:00
next.config.js fix: add Dockerfiles and fix docker-compose build configuration 2026-02-19 04:31:23 -08:00
package-lock.json feat: add multi-language (i18n) support to web admin with Chinese and English 2026-02-22 04:56:04 -08:00
package.json feat: add multi-language (i18n) support to web admin with Chinese and English 2026-02-22 04:56:04 -08:00
postcss.config.js Initial commit: IT0 AI-powered server cluster operations platform 2026-02-08 22:54:37 -08:00
tailwind.config.ts feat: redesign sidebar with icons, collapse toggle, and improved theme 2026-02-22 02:09:28 -08:00
tsconfig.json Initial commit: IT0 AI-powered server cluster operations platform 2026-02-08 22:54:37 -08:00