porsche/hr-portal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
360533393f6c449a50cbf9ce59712d5867cfce42
hr-portal/backend/app/schemas/permission.py
Porsche Chen 360533393f feat: HR Portal - Complete Multi-Tenant System with Redis Session Storage 
Major Features:
-  Multi-tenant architecture (tenant isolation)
-  Employee CRUD with lifecycle management (onboarding/offboarding)
-  Department tree structure with email domain management
-  Company info management (single-record editing)
-  System functions CRUD (permission management)
-  Email account management (multi-account per employee)
-  Keycloak SSO integration (auth.lab.taipei)
-  Redis session storage (10.1.0.254:6379)
  - Solves Cookie 4KB limitation
  - Cross-system session sharing
  - Sliding expiration (8 hours)
  - Automatic token refresh

Technical Stack:
Backend:
- FastAPI + SQLAlchemy
- PostgreSQL 16 (10.1.0.20:5433)
- Keycloak Admin API integration
- Docker Mailserver integration (SSH)
- Alembic migrations

Frontend:
- Next.js 14 (App Router)
- NextAuth 4 with Keycloak Provider
- Redis session storage (ioredis)
- Tailwind CSS

Infrastructure:
- Redis 7 (10.1.0.254:6379) - Session + Cache
- Keycloak 26.1.0 (auth.lab.taipei)
- Docker Mailserver (10.1.0.254)

Architecture Highlights:
- Session管理由 Keycloak + Redis 統一控制
- 支援多系統 (HR/WebMail/Calendar/Drive/Office) 共享 session
- Token 自動刷新,異質服務整合
- 未來可無縫遷移到雲端

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-02-23 20:12:43 +08:00

168 lines
5.1 KiB
Python
Raw Blame History

"""
權限 Schemas
"""
from datetime import datetime
from typing import Optional
from pydantic import BaseModel, Field, ConfigDict, field_validator
from app.schemas.base import BaseSchema, TimestampSchema
# 系統名稱常數
VALID_SYSTEMS = ["gitea", "portainer", "traefik", "keycloak"]
# 存取層級常數
VALID_ACCESS_LEVELS = ["admin", "user", "readonly"]
class PermissionBase(BaseSchema):
"""權限基礎 Schema"""
system_name: str = Field(..., description="系統名稱: gitea, portainer, traefik, keycloak")
access_level: str = Field("user", description="存取層級: admin, user, readonly")
@field_validator('system_name')
@classmethod
def validate_system_name(cls, v):
"""驗證系統名稱"""
if v.lower() not in VALID_SYSTEMS:
raise ValueError(f"system_name 必須是以下之一: {', '.join(VALID_SYSTEMS)}")
return v.lower()
@field_validator('access_level')
@classmethod
def validate_access_level(cls, v):
"""驗證存取層級"""
if v.lower() not in VALID_ACCESS_LEVELS:
raise ValueError(f"access_level 必須是以下之一: {', '.join(VALID_ACCESS_LEVELS)}")
return v.lower()
class PermissionCreate(PermissionBase):
"""創建權限 Schema"""
employee_id: int = Field(..., description="員工 ID")
granted_by: Optional[int] = Field(None, description="授予人 ID")
model_config = ConfigDict(
json_schema_extra={
"example": {
"employee_id": 1,
"system_name": "gitea",
"access_level": "user",
"granted_by": 2
}
}
)
class PermissionUpdate(BaseSchema):
"""更新權限 Schema"""
access_level: str = Field(..., description="存取層級: admin, user, readonly")
granted_by: Optional[int] = Field(None, description="授予人 ID")
@field_validator('access_level')
@classmethod
def validate_access_level(cls, v):
"""驗證存取層級"""
if v.lower() not in VALID_ACCESS_LEVELS:
raise ValueError(f"access_level 必須是以下之一: {', '.join(VALID_ACCESS_LEVELS)}")
return v.lower()
class PermissionInDB(PermissionBase):
"""資料庫中的權限 Schema"""
id: int
tenant_id: int
employee_id: int
granted_at: datetime
granted_by: Optional[int] = None
model_config = ConfigDict(from_attributes=True)
class PermissionResponse(PermissionInDB):
"""權限響應 Schema (包含關聯資料)"""
employee_name: Optional[str] = Field(None, description="員工姓名")
employee_number: Optional[str] = Field(None, description="員工編號")
granted_by_name: Optional[str] = Field(None, description="授予人姓名")
model_config = ConfigDict(
json_schema_extra={
"example": {
"id": 1,
"tenant_id": 1,
"employee_id": 1,
"system_name": "gitea",
"access_level": "admin",
"granted_at": "2020-01-01T00:00:00",
"granted_by": 2,
"employee_name": "陳保時",
"employee_number": "EMP001",
"granted_by_name": "管理員"
}
}
)
class PermissionListItem(BaseSchema):
"""權限列表項 Schema (簡化版)"""
id: int
employee_id: int
system_name: str
access_level: str
granted_at: datetime
employee_name: Optional[str] = None
employee_number: Optional[str] = None
model_config = ConfigDict(from_attributes=True)
class PermissionBatchCreate(BaseSchema):
"""批量創建權限 Schema"""
employee_id: int = Field(..., description="員工 ID")
permissions: list[PermissionBase] = Field(..., description="權限列表")
granted_by: Optional[int] = Field(None, description="授予人 ID")
model_config = ConfigDict(
json_schema_extra={
"example": {
"employee_id": 1,
"permissions": [
{"system_name": "gitea", "access_level": "user"},
{"system_name": "portainer", "access_level": "readonly"}
],
"granted_by": 2
}
}
)
class PermissionFilter(BaseSchema):
"""權限篩選 Schema"""
employee_id: Optional[int] = Field(None, description="員工 ID")
system_name: Optional[str] = Field(None, description="系統名稱")
access_level: Optional[str] = Field(None, description="存取層級")
@field_validator('system_name')
@classmethod
def validate_system_name(cls, v):
"""驗證系統名稱"""
if v and v.lower() not in VALID_SYSTEMS:
raise ValueError(f"system_name 必須是以下之一: {', '.join(VALID_SYSTEMS)}")
return v.lower() if v else None
@field_validator('access_level')
@classmethod
def validate_access_level(cls, v):
"""驗證存取層級"""
if v and v.lower() not in VALID_ACCESS_LEVELS:
raise ValueError(f"access_level 必須是以下之一: {', '.join(VALID_ACCESS_LEVELS)}")
return v.lower() if v else None
Reference in New Issue View Git Blame Copy Permalink