template-monorepo/internal/model/permission/domain/entity/permission.go

package entity

import (
	"gateway/internal/model/permission/domain/enum"

	"go.mongodb.org/mongo-driver/v2/bson"
)

// Permission is the platform-wide permission catalog node. Tenants may not
// create permissions; they pick from the catalog when assigning to roles.
//
// Tree model: Parent holds the parent ObjectID hex (or empty for root).
// Category nodes (no HTTPPath) are UI-only and never written to Casbin
// policy.
type Permission struct {
	ID          bson.ObjectID       `bson:"_id,omitempty"`
	Parent      string              `bson:"parent,omitempty"`       // parent ObjectID hex; empty = root
	Name        string              `bson:"name"`                   // dot-notation, unique platform-wide
	HTTPMethods string              `bson:"http_methods,omitempty"` // "GET" or "GET|POST|PATCH"
	HTTPPath    string              `bson:"http_path,omitempty"`    // keyMatch2 pattern, e.g. /api/v1/members/*
	Status      enum.Status         `bson:"status"`
	Type        enum.PermissionType `bson:"type"`
	CreateAt    int64               `bson:"create_at"`
	UpdateAt    int64               `bson:"update_at"`
}

// CollectionName returns the MongoDB collection for permissions.
func (Permission) CollectionName() string {
	return "permissions"
}

// IsLeaf reports whether the permission is a Casbin-enforceable leaf
// (i.e. has both http_path and http_methods set). Category nodes return
// false and are never written to policy rules.
func (p *Permission) IsLeaf() bool {
	return p != nil && p.HTTPPath != "" && p.HTTPMethods != ""
}
feat(permission): add RBAC module with Casbin enforcement and policy reload - Multi-tenant RBAC: permission catalog, roles, role-permission mapping, user-role assignment, and external IdP role mapping (zitadel/ldap/scim). - Casbin enforcer with Redis-backed adapter and Pub/Sub reload for multi-instance policy sync; HTTP middleware enforces (tenant, role, path, method) with platform admin bypass. - /api/v1/permissions routes: catalog, me, policy/reload, roles CRUD, role permissions, user roles, role mappings. - New error scope (31) for Permission and biz code descriptions. - Wire Permission module into ServiceContext, config, mongo-index, and add cmd/permission-seed CLI plus etc/rbac.conf model. - Redis client gains lazy PubSubClient helper (go-zero wrapper lacks Subscribe). - Rewrite internal/model/member/README to cover Tenant/Member/Identity. Co-authored-by: Cursor <cursoragent@cursor.com> 2026-05-21 08:47:35 +00:00			`package entity`

			`import (`
			`"gateway/internal/model/permission/domain/enum"`

			`"go.mongodb.org/mongo-driver/v2/bson"`
			`)`

			`// Permission is the platform-wide permission catalog node. Tenants may not`
			`// create permissions; they pick from the catalog when assigning to roles.`
			`//`
			`// Tree model: Parent holds the parent ObjectID hex (or empty for root).`
			`// Category nodes (no HTTPPath) are UI-only and never written to Casbin`
			`// policy.`
			`type Permission struct {`
			ID bson.ObjectID `bson:"_id,omitempty"`
			Parent string `bson:"parent,omitempty"` // parent ObjectID hex; empty = root
			Name string `bson:"name"` // dot-notation, unique platform-wide
			HTTPMethods string `bson:"http_methods,omitempty"` // "GET" or "GET\|POST\|PATCH"
			HTTPPath string `bson:"http_path,omitempty"` // keyMatch2 pattern, e.g. /api/v1/members/*
			Status enum.Status `bson:"status"`
			Type enum.PermissionType `bson:"type"`
			CreateAt int64 `bson:"create_at"`
			UpdateAt int64 `bson:"update_at"`
			`}`

			`// CollectionName returns the MongoDB collection for permissions.`
			`func (Permission) CollectionName() string {`
			`return "permissions"`
			`}`

			`// IsLeaf reports whether the permission is a Casbin-enforceable leaf`
			`// (i.e. has both http_path and http_methods set). Category nodes return`
			`// false and are never written to policy rules.`
			`func (p *Permission) IsLeaf() bool {`
			`return p != nil && p.HTTPPath != "" && p.HTTPMethods != ""`
			`}`