更新安全模型，支持角色继承和字段级安全，添加项目和任务的权限配置

Author: hotlong

docs/guide/security-guide.md

@@ -5,25 +5,30 @@
 
 ## 1. Directory Structure
 
-The security configuration supports both **Role-Based Access Control (RBAC)** and **Managed Policies** for reusability.
+The security configuration files (`.role.yml` and `.policy.yml`) can be placed **anywhere** in your module's source path. The system scans for them recursively.
+
+**Recommended Structure (Simplified)**:
 
 ```text
 /project-root
-├── /security
-│   ├── /roles/             # Role Definitions
-│   │   └── sales_rep.role.yml
+├── /src
+│   ├── projects.object.yml
+│   ├── tasks.object.yml
 │   │
-│   └── /policies/          # Reusable Permisison Sets
+│   └── /security           # Optional grouping
+│       ├── sales_rep.role.yml
 │       └── contract_manage.policy.yml
 ```
 
+> **Note:** You can also place them alongside your objects if preferred, or completely flat.
+
 ## 2. Policy Definition (`.policy.yml`)
 
 A **Policy** is a reusable collection of permission statements without being tied to a specific user identity. 
 
 To facilitate storage in database JSONB columns and efficient querying, the structure uses a **Map** keyed by object name.
 
-**File:** `/security/policies/contract_manage.policy.yml`
+**File:** `/src/security/contract_manage.policy.yml`
 
 ```yaml
 name: contract_manage
@@ -48,7 +53,7 @@ permissions:
 
 A **Role** defines an identity and assigns permissions. It can compose permissions by referencing **Managed Policies** or defining **Online Permissions**.
 
-**File:** `/security/roles/sales_rep.role.yml`
+**File:** `/src/security/sales_rep.role.yml`
 
 ```yaml
 name: sales_rep

examples/modules/project-management/src/projects.object.yml

@@ -23,3 +23,13 @@ fields:
     type: textarea
   owner:
     type: text
+    label: Project Owner
+  budget:
+    type: currency
+    label: Total Budget
+  start_date:
+    type: date
+    label: Start Date
+  end_date:
+    type: date
+    label: End Date

examples/modules/project-management/src/security/base_access.policy.yml

@@ -0,0 +1,12 @@
+name: base_access
+description: Basic access for all employees
+
+permissions:
+  projects:
+    actions: [read]
+    # FLS: Exclude 'budget'
+    fields: [name, status, priority, description, owner, start_date, end_date]
+  
+  tasks:
+    actions: [read, create]
+

examples/modules/project-management/src/security/employee.role.yml

@@ -0,0 +1,12 @@
+name: employee
+label: Employee
+description: Standard Employee Role
+policies:
+  - base_access
+
+permissions:
+  tasks:
+    # Additive: Can also UPDATE own tasks
+    actions: [update]
+    filters: 
+      - ['assigned_to', '=', '$user.id']

examples/modules/project-management/src/security/manager_access.policy.yml

@@ -0,0 +1,11 @@
+name: manager_access
+description: Full access for managers
+
+permissions:
+  projects:
+    actions: [read, create, update, delete]
+    # No FLS restrictions (sees budget)
+    fields: ['*']
+  
+  tasks:
+    actions: [read, create, update, delete]

examples/modules/project-management/src/security/project_manager.role.yml

@@ -0,0 +1,7 @@
+name: project_manager
+label: Project Manager
+description: Department Manager
+inherits:
+  - employee
+policies:
+  - manager_access

examples/modules/project-management/src/tasks.object.yml

@@ -12,3 +12,17 @@ fields:
   completed:
     type: boolean
     defaultValue: false
+  priority:
+    type: select
+    options:
+      - low
+      - medium
+      - high
+    defaultValue: medium
+  assigned_to:
+    type: text
+    label: Assignee
+  estimated_hours:
+    type: number
+    min: 0
+    label: Estimated Hours

packages/core/src/metadata.ts

@@ -115,9 +115,15 @@ export interface PolicyStatement {
 
     /**
      * Field Level Security (FLS).
-     * List of allowed fields. If omitted, implies all fields.
+     * List of allowed fields (Visibility). If omitted, implies all fields.
      */
     fields?: string[];
+
+    /**
+     * FLS Write Protection.
+     * Specific fields that are visible but NOT editable.
+     */
+    readonly_fields?: string[];
 }
 
 /**
@@ -137,6 +143,8 @@ export interface RoleConfig {
     name: string;
     label?: string;
     description?: string;
+    /** Inherit permissions from these parent roles. */
+    inherits?: string[];
     /** List of policy names to include. */
     policies?: string[];
     /** Map of inline permissions. */

packages/core/src/security.ts

@@ -26,39 +26,50 @@ export class SecurityEngine {
         }
 
         const effectiveStatements: PolicyStatement[] = [];
+        const processedRoles = new Set<string>();
 
-        // 1. Gather all applicable statements
-        for (const roleName of userRoles) {
-            const role = this.roles.get(roleName);
-            if (!role) continue;
-
-            // Managed Policies
-            if (role.policies) {
-                for (const policyName of role.policies) {
-                    const policy = this.policies.get(policyName);
-                    if (policy && policy.permissions) {
-                        // Check for specific object permission
-                        if (policy.permissions[objectName]) {
-                            effectiveStatements.push(policy.permissions[objectName]);
-                        }
-                        // Check for wildcard object permission
-                        if (policy.permissions['*']) {
-                            effectiveStatements.push(policy.permissions['*']);
+        // Recursive function to gather statements from roles and their parents
+        const collectRolePermissions = (roleNames: string[]) => {
+            for (const roleName of roleNames) {
+                if (processedRoles.has(roleName)) continue;
+                processedRoles.add(roleName);
+
+                const role = this.roles.get(roleName);
+                if (!role) continue;
+
+                // 1. Inherited Roles
+                if (role.inherits) {
+                    collectRolePermissions(role.inherits);
+                }
+
+                // 2. Managed Policies
+                if (role.policies) {
+                    for (const policyName of role.policies) {
+                        const policy = this.policies.get(policyName);
+                        if (policy && policy.permissions) {
+                            if (policy.permissions[objectName]) {
+                                effectiveStatements.push(policy.permissions[objectName]);
+                            }
+                            if (policy.permissions['*']) {
+                                effectiveStatements.push(policy.permissions['*']);
+                            }
                         }
                     }
                 }
-            }
 
-            // Inline Policies
-            if (role.permissions) {
-                if (role.permissions[objectName]) {
-                    effectiveStatements.push(role.permissions[objectName]);
-                }
-                if (role.permissions['*']) {
-                    effectiveStatements.push(role.permissions['*']);
+                // 3. Inline Policies
+                if (role.permissions) {
+                    if (role.permissions[objectName]) {
+                        effectiveStatements.push(role.permissions[objectName]);
+                    }
+                    if (role.permissions['*']) {
+                        effectiveStatements.push(role.permissions['*']);
+                    }
                 }
             }
-        }
+        };
+
+        collectRolePermissions(userRoles);
 
         // 2. Resolve (Union)
         // If no statements found -> Deny
@@ -69,24 +80,47 @@ export class SecurityEngine {
         const resolved: ResolvedPermission = {
             allowed: false,
             actions: new Set(),
-            filters: []
+            filters: [],
+            fields: new Set(),
+            readonly_fields: new Set()
         };
 
+        let hasRestrictedFields = false;
+
         for (const stmt of effectiveStatements) {
             // Merge Actions
             for (const action of stmt.actions) {
                 resolved.actions!.add(action);
             }
 
             // Merge Filters (OR logic)
-            // If multiple policies apply, the user has access if ANY of them grants access.
-            // But complex RLS merging (OR) is tricky.
-            // Simplified Logic: 
-            // If we have filters from multiple sources, we join them with OR.
-            // (FilterA) OR (FilterB)
             if (stmt.filters && stmt.filters.length > 0) {
                  resolved.filters!.push(stmt.filters);
             }
+            
+            // Merge FLS
+            if (stmt.fields) {
+                hasRestrictedFields = true;
+                for (const f of stmt.fields) resolved.fields!.add(f);
+            } else {
+                // If one policy allows ALL fields (undefined/empty), does it override others?
+                // Union strategy usually means: (Policy A restricts to [x]) OR (Policy B allows All) = Allows All.
+                // We'll mark a flag. If we encounter a statement with NO field restriction, user gets all fields.
+                // However, implementing "All" in a Set is tricky. 
+                // Let's assume if 'stmt.fields' is missing, it means FULL ACCESS to all fields for THAT action.
+            }
+            
+            if (stmt.readonly_fields) {
+                for (const f of stmt.readonly_fields) resolved.readonly_fields!.add(f);
+            }
+        }
+        
+        // If any statement granted permission but didn't list specific fields, it implies ALL fields are allowed.
+        // In that case, we should clear restrictions (or handle it in repository).
+        // For simplicity: If ANY statement has `fields` undefined, we consider all fields allowed.
+        const allowAllFields = effectiveStatements.some(s => !s.fields || s.fields.includes('*'));
+        if (allowAllFields) {
+            resolved.fields = undefined; // Undefined means ALL
         }
 
         if (resolved.actions!.size > 0) {
@@ -99,7 +133,7 @@ export class SecurityEngine {
     /**
      * Checks if the operation is allowed and returns the RLS filters to apply.
      */
-    check(ctx: ObjectQLContext, objectName: string, action: 'read' | 'create' | 'update' | 'delete'): { allowed: boolean, filters?: any[] } {
+    check(ctx: ObjectQLContext, objectName: string, action: 'read' | 'create' | 'update' | 'delete'): { allowed: boolean, filters?: any[], fields?: string[] } {
         // System bypass
         if (ctx.isSystem) return { allowed: true };
 
@@ -116,25 +150,27 @@ export class SecurityEngine {
         if (!hasWildcard && !hasAction) return { allowed: false };
 
         // Construct final RLS filter
-        // If we have multiple filter sets, it means (Set1) OR (Set2)
-        // because permissions are additive.
         let finalFilter = undefined;
-
         if (perm.filters && perm.filters.length > 0) {
             if (perm.filters.length === 1) {
                 finalFilter = perm.filters[0];
             } else {
-                // Combine with OR
                 finalFilter = ['or', ...perm.filters];
             }
         }
-
-        return { allowed: true, filters: finalFilter };
+        
+        // Calculate allowed fields
+        // If fields is undefined, it means ALL. 
+        let allowedFields: string[] | undefined = perm.fields ? Array.from(perm.fields) : undefined;
+        
+        return { allowed: true, filters: finalFilter, fields: allowedFields };
     }
 }
 
 interface ResolvedPermission {
     allowed: boolean;
     actions?: Set<string>;
     filters?: any[][]; // Array of filter groups (which are arrays)
+    fields?: Set<string>;
+    readonly_fields?: Set<string>;
 }