Neo-ZQYY/db/zqyy_app/migrations/2026-03-27__fix_role_permissions.sql
Neo 6f8f12314f feat: 累积功能变更 — 聊天集成、租户管理、小程序更新、ETL 增强、迁移脚本
包含多个会话的累积代码变更:
- backend: AI 聊天服务、触发器调度、认证增强、WebSocket、调度器最小间隔
- admin-web: ETL 状态页、任务管理、调度配置、登录优化
- miniprogram: 看板页面、聊天集成、UI 组件、导航更新
- etl: DWS 新任务(finance_area_daily/board_cache)、连接器增强
- tenant-admin: 项目初始化
- db: 19 个迁移脚本(etl_feiqiu 11 + zqyy_app 8)
- packages/shared: 枚举和工具函数更新
- tools: 数据库工具、报表生成、健康检查
- docs: PRD/架构/部署/合约文档更新

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-04-06 00:03:48 +08:00

-- AI_CHANGELOG
-- | 日期 | Prompt | 变更 |
-- |------|--------|------|
-- | 2026-03-27 | 权限改造 W3 | 修正角色-权限码映射:coach 仅 view_tasks;staff 仅 view_board+customer+coach;head_coach/manager 全权限 |
-- 迁移:修正角色-权限码映射
-- 原因:前后端权限不一致导致"页面能进但数据全空(403)"
-- 目标映射:
-- coach: view_tasks
-- staff: view_board, view_board_customer, view_board_coach
-- head_coach: view_tasks, view_board, view_board_finance, view_board_customer, view_board_coach
-- manager: view_tasks, view_board, view_board_finance, view_board_customer, view_board_coach
-- 回滚:见文件末尾
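-- Rebuilds the role -> permission mapping for the four application roles.
-- Target mapping:
--   coach      : view_tasks
--   staff      : view_board, view_board_customer, view_board_coach
--   head_coach : view_tasks, view_board, view_board_finance,
--                view_board_customer, view_board_coach
--   manager    : same five codes as head_coach
-- Everything runs in one transaction, so the roles are never left with a
-- half-rebuilt mapping if a statement fails.
BEGIN;

-- 1. Drop every existing grant held by the four roles; rebuilding from empty
--    avoids stale rows surviving from the previous mapping.
DELETE FROM auth.role_permissions
WHERE role_id IN (
    SELECT id
    FROM auth.roles
    WHERE code IN ('coach', 'staff', 'head_coach', 'manager')
);

-- 2. coach -> view_tasks
INSERT INTO auth.role_permissions (role_id, permission_id)
SELECT
    r.id,
    p.id
FROM auth.roles AS r
CROSS JOIN auth.permissions AS p
WHERE r.code = 'coach'
    AND p.code IN ('view_tasks')
ON CONFLICT DO NOTHING;

-- 3. staff -> view_board, view_board_customer, view_board_coach
INSERT INTO auth.role_permissions (role_id, permission_id)
SELECT
    r.id,
    p.id
FROM auth.roles AS r
CROSS JOIN auth.permissions AS p
WHERE r.code = 'staff'
    AND p.code IN ('view_board', 'view_board_customer', 'view_board_coach')
ON CONFLICT DO NOTHING;

-- 4. head_coach -> the five view_* permissions, listed explicitly.
--    Without a p.code filter this statement grants every row that exists in
--    auth.permissions at run time, so any code beyond the intended five would
--    be handed to the role as well. The allow-list keeps the grant equal to
--    the documented target mapping.
INSERT INTO auth.role_permissions (role_id, permission_id)
SELECT
    r.id,
    p.id
FROM auth.roles AS r
CROSS JOIN auth.permissions AS p
WHERE r.code = 'head_coach'
    AND p.code IN (
        'view_tasks',
        'view_board',
        'view_board_finance',
        'view_board_customer',
        'view_board_coach'
    )
ON CONFLICT DO NOTHING;

-- 5. manager -> the same five permissions, again as an explicit allow-list
--    rather than "whatever auth.permissions currently contains".
INSERT INTO auth.role_permissions (role_id, permission_id)
SELECT
    r.id,
    p.id
FROM auth.roles AS r
CROSS JOIN auth.permissions AS p
WHERE r.code = 'manager'
    AND p.code IN (
        'view_tasks',
        'view_board',
        'view_board_finance',
        'view_board_customer',
        'view_board_coach'
    )
ON CONFLICT DO NOTHING;

-- NOTE(review): a role or permission code that is missing from auth.roles /
-- auth.permissions makes the matching INSERT add zero rows without an error;
-- run the verification query at the end of this file after applying.
COMMIT;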
-- ═══════════════════════════════════════════════════════════
-- 回滚(恢复到改造前状态)
-- ═══════════════════════════════════════════════════════════
-- BEGIN;
-- DELETE FROM auth.role_permissions WHERE role_id IN (SELECT id FROM auth.roles WHERE code IN ('coach', 'staff', 'head_coach', 'manager'));
-- -- coach: view_tasks, view_board_coach
-- INSERT INTO auth.role_permissions (role_id, permission_id) SELECT r.id, p.id FROM auth.roles r, auth.permissions p WHERE r.code = 'coach' AND p.code IN ('view_tasks', 'view_board_coach') ON CONFLICT DO NOTHING;
-- -- staff: view_board, view_tasks
-- INSERT INTO auth.role_permissions (role_id, permission_id) SELECT r.id, p.id FROM auth.roles r, auth.permissions p WHERE r.code = 'staff' AND p.code IN ('view_board', 'view_tasks') ON CONFLICT DO NOTHING;
-- -- head_coach: view_board, view_tasks
-- INSERT INTO auth.role_permissions (role_id, permission_id) SELECT r.id, p.id FROM auth.roles r, auth.permissions p WHERE r.code = 'head_coach' AND p.code IN ('view_board', 'view_tasks') ON CONFLICT DO NOTHING;
-- -- manager: 全部 5 个(注意:下面的语句未按 p.code 过滤,实际会授予 auth.permissions 中的所有权限)
-- INSERT INTO auth.role_permissions (role_id, permission_id) SELECT r.id, p.id FROM auth.roles r, auth.permissions p WHERE r.code = 'manager' ON CONFLICT DO NOTHING;
-- COMMIT;
-- ═══════════════════════════════════════════════════════════
-- 验证
-- ═══════════════════════════════════════════════════════════
-- SELECT r.code, array_agg(p.code ORDER BY p.code)
-- FROM auth.role_permissions rp
-- JOIN auth.roles r ON r.id = rp.role_id
-- JOIN auth.permissions p ON p.id = rp.permission_id
-- GROUP BY r.code ORDER BY r.code;
-- 期望:
-- coach = {view_tasks}
-- head_coach = {view_board,view_board_coach,view_board_customer,view_board_finance,view_tasks}
-- manager = {view_board,view_board_coach,view_board_customer,view_board_finance,view_tasks}
-- staff = {view_board,view_board_coach,view_board_customer}