feat: 增加分类权限控制

- 新增角色分类授权模型与超级管理员配置接口

- 接入助手、插件、工作流、知识库、素材的分类可见性过滤

- 增加角色页分类权限树与插件多分类可见性支持

easyflow-modules/easyflow-module-system/src/main/java/tech/easyflow/system/service/CategoryPermissionService.java

@@ -0,0 +1,19 @@
+package tech.easyflow.system.service;
+
+import tech.easyflow.system.entity.vo.RoleCategoryAccessSnapshot;
+
+import java.math.BigInteger;
+import java.util.Set;
+
+public interface CategoryPermissionService {
+
+    boolean isCurrentSuperAdmin();
+
+    RoleCategoryAccessSnapshot getCurrentAccess(String resourceType);
+
+    Set<BigInteger> getCurrentVisibleCategoryIds(String resourceType);
+
+    boolean canAccessCategory(String resourceType, BigInteger createdBy, BigInteger categoryId);
+
+    void assertCategoryResourceVisible(String resourceType, BigInteger createdBy, BigInteger categoryId, String message);
+}

easyflow-modules/easyflow-module-system/src/main/java/tech/easyflow/system/service/SysRoleCategoryScopeService.java

@@ -0,0 +1,16 @@
+package tech.easyflow.system.service;
+
+import com.mybatisflex.core.service.IService;
+import tech.easyflow.system.entity.SysRoleCategoryScope;
+import tech.easyflow.system.entity.vo.SysRoleCategoryScopeDetailVo;
+import tech.easyflow.system.entity.vo.SysRoleCategoryScopeItemVo;
+
+import java.math.BigInteger;
+import java.util.List;
+
+public interface SysRoleCategoryScopeService extends IService<SysRoleCategoryScope> {
+
+    SysRoleCategoryScopeDetailVo getRoleScopeDetail(BigInteger roleId);
+
+    void saveRoleScopes(BigInteger roleId, List<SysRoleCategoryScopeItemVo> scopes, BigInteger operatorId);
+}

easyflow-modules/easyflow-module-system/src/main/java/tech/easyflow/system/service/impl/CategoryPermissionServiceImpl.java

@@ -0,0 +1,115 @@
+package tech.easyflow.system.service.impl;
+
+import cn.dev33.satoken.stp.StpUtil;
+import cn.hutool.core.collection.CollectionUtil;
+import com.mybatisflex.core.query.QueryWrapper;
+import org.springframework.stereotype.Service;
+import tech.easyflow.common.constant.Constants;
+import tech.easyflow.common.entity.LoginAccount;
+import tech.easyflow.common.satoken.util.SaTokenUtil;
+import tech.easyflow.common.web.exceptions.BusinessException;
+import tech.easyflow.system.entity.SysRole;
+import tech.easyflow.system.entity.SysRoleCategoryScope;
+import tech.easyflow.system.entity.SysRoleCategoryScopeItem;
+import tech.easyflow.system.entity.vo.RoleCategoryAccessSnapshot;
+import tech.easyflow.system.enums.CategoryScopeMode;
+import tech.easyflow.system.mapper.SysRoleCategoryScopeItemMapper;
+import tech.easyflow.system.mapper.SysRoleCategoryScopeMapper;
+import tech.easyflow.system.service.CategoryPermissionService;
+import tech.easyflow.system.service.SysRoleService;
+
+import javax.annotation.Resource;
+import java.math.BigInteger;
+import java.util.Collections;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+@Service
+public class CategoryPermissionServiceImpl implements CategoryPermissionService {
+
+    @Resource
+    private SysRoleService sysRoleService;
+
+    @Resource
+    private SysRoleCategoryScopeMapper sysRoleCategoryScopeMapper;
+
+    @Resource
+    private SysRoleCategoryScopeItemMapper sysRoleCategoryScopeItemMapper;
+
+    @Override
+    public boolean isCurrentSuperAdmin() {
+        if (!StpUtil.isLogin()) {
+            return false;
+        }
+        LoginAccount loginAccount = SaTokenUtil.getLoginAccount();
+        return loginAccount != null && isSuperAdmin(loginAccount.getId());
+    }
+
+    @Override
+    public RoleCategoryAccessSnapshot getCurrentAccess(String resourceType) {
+        if (!StpUtil.isLogin()) {
+            return new RoleCategoryAccessSnapshot(resourceType, null, false, true, Collections.emptySet());
+        }
+        LoginAccount loginAccount = SaTokenUtil.getLoginAccount();
+        if (loginAccount == null) {
+            return new RoleCategoryAccessSnapshot(resourceType, null, false, true, Collections.emptySet());
+        }
+        BigInteger accountId = loginAccount.getId();
+        if (isSuperAdmin(accountId)) {
+            return new RoleCategoryAccessSnapshot(resourceType, accountId, true, true, Collections.emptySet());
+        }
+        List<SysRole> roles = sysRoleService.getRolesByAccountId(accountId);
+        if (CollectionUtil.isEmpty(roles)) {
+            return new RoleCategoryAccessSnapshot(resourceType, accountId, false, false, Collections.emptySet());
+        }
+        List<BigInteger> roleIds = roles.stream().map(SysRole::getId).collect(Collectors.toList());
+        QueryWrapper scopeWrapper = QueryWrapper.create()
+                .in(SysRoleCategoryScope::getRoleId, roleIds)
+                .eq(SysRoleCategoryScope::getResourceType, resourceType);
+        List<SysRoleCategoryScope> scopes = sysRoleCategoryScopeMapper.selectListByQuery(scopeWrapper);
+        if (CollectionUtil.isEmpty(scopes)) {
+            return new RoleCategoryAccessSnapshot(resourceType, accountId, false, false, Collections.emptySet());
+        }
+        boolean allAccess = scopes.stream()
+                .anyMatch(item -> CategoryScopeMode.ALL.getCode().equalsIgnoreCase(item.getScopeMode()));
+        if (allAccess) {
+            return new RoleCategoryAccessSnapshot(resourceType, accountId, false, true, Collections.emptySet());
+        }
+        List<BigInteger> scopeIds = scopes.stream().map(SysRoleCategoryScope::getId).collect(Collectors.toList());
+        if (CollectionUtil.isEmpty(scopeIds)) {
+            return new RoleCategoryAccessSnapshot(resourceType, accountId, false, false, Collections.emptySet());
+        }
+        QueryWrapper itemWrapper = QueryWrapper.create().in(SysRoleCategoryScopeItem::getScopeId, scopeIds);
+        List<SysRoleCategoryScopeItem> items = sysRoleCategoryScopeItemMapper.selectListByQuery(itemWrapper);
+        Set<BigInteger> categoryIds = items.stream()
+                .map(SysRoleCategoryScopeItem::getCategoryId)
+                .collect(Collectors.toCollection(LinkedHashSet::new));
+        return new RoleCategoryAccessSnapshot(resourceType, accountId, false, false, categoryIds);
+    }
+
+    @Override
+    public Set<BigInteger> getCurrentVisibleCategoryIds(String resourceType) {
+        return getCurrentAccess(resourceType).getCategoryIds();
+    }
+
+    @Override
+    public boolean canAccessCategory(String resourceType, BigInteger createdBy, BigInteger categoryId) {
+        RoleCategoryAccessSnapshot snapshot = getCurrentAccess(resourceType);
+        return snapshot.canAccess(createdBy, categoryId);
+    }
+
+    @Override
+    public void assertCategoryResourceVisible(String resourceType, BigInteger createdBy, BigInteger categoryId, String message) {
+        if (!canAccessCategory(resourceType, createdBy, categoryId)) {
+            throw new BusinessException(message == null ? "无权限访问该资源" : message);
+        }
+    }
+
+    private boolean isSuperAdmin(BigInteger accountId) {
+        List<SysRole> roles = sysRoleService.getRolesByAccountId(accountId);
+        return CollectionUtil.isNotEmpty(roles)
+                && roles.stream().anyMatch(item -> Constants.SUPER_ADMIN_ROLE_CODE.equals(item.getRoleKey()));
+    }
+}

easyflow-modules/easyflow-module-system/src/main/java/tech/easyflow/system/service/impl/SysRoleCategoryScopeServiceImpl.java

@@ -0,0 +1,172 @@
+package tech.easyflow.system.service.impl;
+
+import cn.hutool.core.collection.CollectionUtil;
+import com.mybatisflex.core.query.QueryWrapper;
+import com.mybatisflex.spring.service.impl.ServiceImpl;
+import org.springframework.stereotype.Service;
+import org.springframework.transaction.annotation.Transactional;
+import tech.easyflow.system.entity.SysRoleCategoryScope;
+import tech.easyflow.system.entity.SysRoleCategoryScopeItem;
+import tech.easyflow.system.entity.vo.SysRoleCategoryScopeDetailVo;
+import tech.easyflow.system.entity.vo.SysRoleCategoryScopeItemVo;
+import tech.easyflow.system.enums.CategoryResourceType;
+import tech.easyflow.system.enums.CategoryScopeMode;
+import tech.easyflow.system.mapper.SysRoleCategoryScopeItemMapper;
+import tech.easyflow.system.mapper.SysRoleCategoryScopeMapper;
+import tech.easyflow.system.service.SysRoleCategoryScopeService;
+
+import javax.annotation.Resource;
+import java.math.BigInteger;
+import java.util.ArrayList;
+import java.util.Date;
+import java.util.LinkedHashMap;
+import java.util.LinkedHashSet;
+import java.util.List;
+import java.util.Map;
+import java.util.Set;
+import java.util.stream.Collectors;
+
+@Service
+public class SysRoleCategoryScopeServiceImpl extends ServiceImpl<SysRoleCategoryScopeMapper, SysRoleCategoryScope>
+        implements SysRoleCategoryScopeService {
+
+    @Resource
+    private SysRoleCategoryScopeMapper sysRoleCategoryScopeMapper;
+
+    @Resource
+    private SysRoleCategoryScopeItemMapper sysRoleCategoryScopeItemMapper;
+
+    @Override
+    public SysRoleCategoryScopeDetailVo getRoleScopeDetail(BigInteger roleId) {
+        SysRoleCategoryScopeDetailVo detailVo = new SysRoleCategoryScopeDetailVo();
+        detailVo.setRoleId(roleId);
+        if (roleId == null) {
+            detailVo.setScopes(defaultScopes());
+            return detailVo;
+        }
+
+        QueryWrapper scopeWrapper = QueryWrapper.create().eq(SysRoleCategoryScope::getRoleId, roleId);
+        List<SysRoleCategoryScope> scopes = list(scopeWrapper);
+        if (CollectionUtil.isEmpty(scopes)) {
+            detailVo.setScopes(defaultScopes());
+            return detailVo;
+        }
+
+        List<BigInteger> scopeIds = scopes.stream().map(SysRoleCategoryScope::getId).collect(Collectors.toList());
+        Map<BigInteger, List<BigInteger>> scopeItemMap = new LinkedHashMap<>();
+        if (CollectionUtil.isNotEmpty(scopeIds)) {
+            QueryWrapper itemWrapper = QueryWrapper.create().in(SysRoleCategoryScopeItem::getScopeId, scopeIds);
+            List<SysRoleCategoryScopeItem> items = sysRoleCategoryScopeItemMapper.selectListByQuery(itemWrapper);
+            scopeItemMap = items.stream().collect(Collectors.groupingBy(
+                    SysRoleCategoryScopeItem::getScopeId,
+                    LinkedHashMap::new,
+                    Collectors.mapping(SysRoleCategoryScopeItem::getCategoryId, Collectors.toList())
+            ));
+        }
+
+        Map<String, SysRoleCategoryScope> scopeMap = scopes.stream().collect(Collectors.toMap(
+                SysRoleCategoryScope::getResourceType,
+                item -> item,
+                (left, right) -> left,
+                LinkedHashMap::new
+        ));
+
+        List<SysRoleCategoryScopeItemVo> result = new ArrayList<>();
+        for (String resourceType : CategoryResourceType.allCodes()) {
+            SysRoleCategoryScope existing = scopeMap.get(resourceType);
+            SysRoleCategoryScopeItemVo itemVo = new SysRoleCategoryScopeItemVo();
+            itemVo.setResourceType(resourceType);
+            if (existing == null) {
+                itemVo.setScopeMode(CategoryScopeMode.CUSTOM.getCode());
+                itemVo.setCategoryIds(new ArrayList<>());
+            } else {
+                itemVo.setScopeMode(CategoryScopeMode.from(existing.getScopeMode()).getCode());
+                itemVo.setCategoryIds(new ArrayList<>(scopeItemMap.getOrDefault(existing.getId(), new ArrayList<>())));
+            }
+            result.add(itemVo);
+        }
+        detailVo.setScopes(result);
+        return detailVo;
+    }
+
+    @Override
+    @Transactional(rollbackFor = Exception.class)
+    public void saveRoleScopes(BigInteger roleId, List<SysRoleCategoryScopeItemVo> scopes, BigInteger operatorId) {
+        QueryWrapper scopeWrapper = QueryWrapper.create().eq(SysRoleCategoryScope::getRoleId, roleId);
+        List<SysRoleCategoryScope> existingScopes = sysRoleCategoryScopeMapper.selectListByQuery(scopeWrapper);
+        if (CollectionUtil.isNotEmpty(existingScopes)) {
+            List<BigInteger> existingScopeIds = existingScopes.stream()
+                    .map(SysRoleCategoryScope::getId)
+                    .collect(Collectors.toList());
+            if (CollectionUtil.isNotEmpty(existingScopeIds)) {
+                QueryWrapper itemDeleteWrapper = QueryWrapper.create().in(SysRoleCategoryScopeItem::getScopeId, existingScopeIds);
+                sysRoleCategoryScopeItemMapper.deleteByQuery(itemDeleteWrapper);
+            }
+            sysRoleCategoryScopeMapper.deleteByQuery(scopeWrapper);
+        }
+
+        Date now = new Date();
+        for (SysRoleCategoryScopeItemVo itemVo : normalizeScopes(scopes)) {
+            SysRoleCategoryScope scope = new SysRoleCategoryScope();
+            scope.setRoleId(roleId);
+            scope.setResourceType(itemVo.getResourceType());
+            scope.setScopeMode(itemVo.getScopeMode());
+            scope.setCreated(now);
+            scope.setCreatedBy(operatorId);
+            scope.setModified(now);
+            scope.setModifiedBy(operatorId);
+            sysRoleCategoryScopeMapper.insert(scope);
+
+            if (!CategoryScopeMode.CUSTOM.getCode().equals(itemVo.getScopeMode())
+                    || CollectionUtil.isEmpty(itemVo.getCategoryIds())) {
+                continue;
+            }
+            for (BigInteger categoryId : itemVo.getCategoryIds()) {
+                SysRoleCategoryScopeItem scopeItem = new SysRoleCategoryScopeItem();
+                scopeItem.setScopeId(scope.getId());
+                scopeItem.setCategoryId(categoryId);
+                sysRoleCategoryScopeItemMapper.insert(scopeItem);
+            }
+        }
+    }
+
+    private List<SysRoleCategoryScopeItemVo> defaultScopes() {
+        return normalizeScopes(null);
+    }
+
+    private List<SysRoleCategoryScopeItemVo> normalizeScopes(List<SysRoleCategoryScopeItemVo> scopes) {
+        Map<String, SysRoleCategoryScopeItemVo> scopeMap = new LinkedHashMap<>();
+        if (CollectionUtil.isNotEmpty(scopes)) {
+            for (SysRoleCategoryScopeItemVo itemVo : scopes) {
+                if (itemVo == null) {
+                    continue;
+                }
+                String resourceType = CategoryResourceType.from(itemVo.getResourceType()).getCode();
+                CategoryScopeMode scopeMode = CategoryScopeMode.from(itemVo.getScopeMode());
+                SysRoleCategoryScopeItemVo normalized = new SysRoleCategoryScopeItemVo();
+                normalized.setResourceType(resourceType);
+                normalized.setScopeMode(scopeMode.getCode());
+                Set<BigInteger> categoryIds = itemVo.getCategoryIds() == null
+                        ? new LinkedHashSet<>()
+                        : itemVo.getCategoryIds().stream()
+                        .filter(item -> item != null)
+                        .collect(Collectors.toCollection(LinkedHashSet::new));
+                normalized.setCategoryIds(new ArrayList<>(categoryIds));
+                scopeMap.put(resourceType, normalized);
+            }
+        }
+
+        List<SysRoleCategoryScopeItemVo> result = new ArrayList<>();
+        for (String resourceType : CategoryResourceType.allCodes()) {
+            SysRoleCategoryScopeItemVo itemVo = scopeMap.get(resourceType);
+            if (itemVo == null) {
+                itemVo = new SysRoleCategoryScopeItemVo();
+                itemVo.setResourceType(resourceType);
+                itemVo.setScopeMode(CategoryScopeMode.CUSTOM.getCode());
+                itemVo.setCategoryIds(new ArrayList<>());
+            }
+            result.add(itemVo);
+        }
+        return result;
+    }
+}