npm - openxiangda - Versions diffs - 1.0.40 → 1.0.42 - Mend

openxiangda 1.0.40 → 1.0.42

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/README.md +12 -0
package/lib/cli.js +9 -1
package/openxiangda-skills/references/openxiangda-api.md +7 -0
package/openxiangda-skills/references/permissions-settings.md +27 -4
package/openxiangda-skills/skills/openxiangda-permission-settings/SKILL.md +5 -0
package/package.json +1 -1
package/packages/sdk/dist/runtime/index.cjs +2 -1
package/packages/sdk/dist/runtime/index.cjs.map +1 -1
package/packages/sdk/dist/runtime/index.d.mts +17 -1
package/packages/sdk/dist/runtime/index.d.ts +17 -1
package/packages/sdk/dist/runtime/index.mjs +2 -1
package/packages/sdk/dist/runtime/index.mjs.map +1 -1

package/README.md CHANGED Viewed

@@ -108,6 +108,18 @@ openxiangda workspace bind --profile dev --app-type APP_XXXX
 表单页、流程表单页和自定义代码页都应在 `sy-lowcode-app-workspace` 中实现，由 `openxiangda workspace publish --profile <name>` 统一构建、上传 OSS 并注册到平台。`openxiangda form create`、`form publish`、`page publish` 只作为底层修复/诊断命令，不作为 AI 生成页面的主入口。
+运行时页面读取当前用户信息时，优先使用 `sdk.user.getCurrent<PageUserRecord>()`。用户对象会返回常规组织成员关系 `departments`，也会返回系统维护的所属单位字段 `affiliatedDepartmentId` / `affiliatedDepartment`。`departments` 表示用户真实所在的部门、班级、专业等成员关系；`affiliatedDepartment` 表示业务上用于统计、筛选和展示的归属单位，通常是学院、单位或在源单位缺失时可用的具体部门节点，不用于替代权限部门成员关系。
+```ts
+import type { PageUserRecord } from "openxiangda/runtime"
+const currentUser = await sdk.user.getCurrent<PageUserRecord>()
+const user = currentUser.result
+const affiliatedDepartmentName = user?.affiliatedDepartment?.name
+const affiliatedDepartmentExternalId = user?.affiliatedDepartment?.externalId
+```
 工程化资源放在工作区 `src/resources/` 下，由 `openxiangda resource validate|plan|publish|pull` 管理。`workspace publish` 会先构建并注册 workspace 表单/页面，再执行非破坏性资源 upsert，这样菜单、权限组、流程和表单设置可以解析最新的 profile-local ID。需要删除平台中 manifest 未声明的资源时，显式传 `--prune`。连接器页面运行时通过 `sdk.connector.invoke()` / `sdk.connector.call("connector.api")` 调用平台运行时接口，第三方密钥只保存在后端连接器配置中。
 多表只读查询和固定口径统计优先声明 `src/resources/data-views/*.json` 数据视图，而不是在页面里手写多次单表查询再拼数据。默认数据视图是行级联表视图，适合工单+客户、订单+商品、项目+成员、报表列表、跨页面复用查询等读多写少场景；`viewType: "aggregate"` 是统计聚合视图，适合按客户、状态、月份等维度预聚合 count/sum/avg/min/max。发布时 CLI 会把 `formCode` 解析为当前 profile 的 `formUuid`，平台创建 PostgreSQL materialized view；页面通过 `sdk.dataView.query(code, params)` 查询行级视图，通过 `sdk.dataView.stats(code, params)` 查询聚合视图，也可以用 `sdk.dataSource.run()` 路由 `dataView.query` / `dataView.stats`。发布前应为常用筛选、排序、统计维度和时间桶声明 `indexes`，并确认用户能接受的刷新延迟；默认不要设置低于 5 分钟的定时刷新。数据视图只读，刷新后才反映源表变化，不适合单表 CRUD、写回源表、强实时状态、临时 BI 查询或简单 linkedForm 下拉。

package/lib/cli.js CHANGED Viewed

@@ -2310,7 +2310,7 @@ async function permission(args) {
     const target = getWorkspaceTarget(config, profileName, flags);
     const formUuid = flags['form-uuid'] || resolveOptionalFormUuid(target.bound, flags['form-code']);
     if (!groupCode || !name || !formUuid) {
-      fail('用法: openxiangda permission form-group-create <groupCode> --form-code <formCode>|--form-uuid <FORM_XXX> --name <text> --type <submit|view>');
+      fail('用法: openxiangda permission form-group-create <groupCode> --form-code <formCode>|--form-uuid <FORM_XXX> --name <text> --type <submit|view> [--field-access-policy-json <file|json>]');
     }
     const data = await requestWithAuth(
       config,
@@ -2334,6 +2334,14 @@ async function permission(args) {
                 ),
               }
             : {}),
+          ...(flags['field-access-policy-json']
+            ? {
+                fieldAccessPolicy: readJsonArg(
+                  flags['field-access-policy-json'],
+                  'field-access-policy-json'
+                ),
+              }
+            : {}),
           ...(flags['data-permission-json']
             ? {
                 dataPermission: readJsonArg(

package/openxiangda-skills/references/openxiangda-api.md CHANGED Viewed

@@ -458,10 +458,17 @@ Body:
   "dataScope": [{ "type": "self" }],
   "operations": ["view"],
   "fieldPermissions": [],
+  "fieldAccessPolicy": {
+    "defaultAccess": "edit",
+    "fields": [{ "fieldId": "internalRemark", "access": "readonly" }]
+  },
   "dataPermission": null
 }
 ```
+`fieldPermissions` is only the frontend display-default state. Use
+`fieldAccessPolicy` for backend-enforced field access.
 ### GET `/apps/:appType/forms/:formUuid/permission-groups/:groupId`
 Requires Bearer token. Returns form permission group detail.

package/openxiangda-skills/references/permissions-settings.md CHANGED Viewed

@@ -86,20 +86,43 @@ View group:
   "fieldPermissions": [
     {
       "componentName": "Text",
-      "fieldName": "客户名称",
-      "label": "customerName",
+      "fieldName": "customerName",
+      "label": "客户名称",
       "value": "FORM_FILED_VIEW"
     }
-  ]
+  ],
+  "fieldAccessPolicy": {
+    "defaultAccess": "edit",
+    "fields": [
+      { "fieldId": "internalRemark", "access": "readonly" },
+      { "fieldId": "marginAmount", "access": "hidden" }
+    ]
+  }
 }
 ```
-Field permission values:
+`fieldPermissions` remains a frontend display-default setting. Do not treat it as real data
+read/write permission. Real backend field access is controlled by `fieldAccessPolicy`.
+Frontend display-default field permission values:
 - `FORM_FILED_EDIT`
 - `FORM_FILED_VIEW`
 - `FORM_FILED_HIDDEN`
+Real field access policy:
+- `defaultAccess`: one of `edit`, `readonly`, `hidden`; omitted/null policies are equivalent
+  to `{ "defaultAccess": "edit", "fields": [] }`.
+- `fields`: exception list keyed by schema field ID, such as `textField_xxx`; only store
+  fields whose access differs from `defaultAccess`.
+- `edit` means visible and editable.
+- `readonly` means visible but not editable.
+- `hidden` means not visible and not editable.
+- If multiple matched view groups apply to the same user, field access merges by
+  `edit > readonly > hidden`.
+- App administrators bypass `fieldAccessPolicy`.
 Common data scopes:
 - `all`

package/openxiangda-skills/skills/openxiangda-permission-settings/SKILL.md CHANGED Viewed

@@ -82,10 +82,15 @@ openxiangda permission form-group-create sales_limited \
   --roles sales \
   --data-scope-json data-scope.json \
   --field-permissions-json fields.json \
+  --field-access-policy-json field-access-policy.json \
   --data-permission-json data-permission.json \
   --profile dev
 ```
+`fieldPermissions` is the frontend display-default state. Use `fieldAccessPolicy`
+for real backend read/write field access (`edit`, `readonly`, `hidden`) with
+`defaultAccess` plus field-ID exceptions.
 ## Inspection
 ```bash

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "openxiangda",
-  "version": "1.0.40",
+  "version": "1.0.42",
   "description": "OpenXiangda CLI, workspace build tools, runtime SDK, and form components.",
   "private": false,
   "bin": {

package/packages/sdk/dist/runtime/index.cjs CHANGED Viewed

@@ -2276,7 +2276,8 @@ var useCurrentUser = () => {
       isGuest,
       isInternalUser: !isGuest,
       displayName: user.name || user.username || user.id,
-      primaryDepartment: user.departments?.[0] || null
+      primaryDepartment: user.departments?.[0] || null,
+      affiliatedDepartment: user.affiliatedDepartment || null
     };
   }, [user]);
 };