Implement RBAC permission metadata types and examples per specification by Copilot · Pull Request #16 · objectstack-ai/objectql

Copilot · 2026-01-12T02:06:25Z

Permission Metadata Implementation

Original prompt

按照文档规范，帮我实现权限元数据

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

hotlong · 2026-01-12T02:22:54Z

参考主流低代码平台的实现方案，我需要区分 profile permission-set吗? 还有role在哪里定义

hotlong · 2026-01-12T02:24:07Z

参考主流低代码平台的实现方案，我需要区分 profile permission-set吗? 还有role在哪里定义

@copilot

Copilot · 2026-01-12T02:25:53Z

参考主流低代码平台的实现方案，我需要区分 profile permission-set吗? 还有role在哪里定义

@copilot

好问题！我的实现参考了 Salesforce 的行业标准做法：

1. Profile vs Permission Set 的区分是必要的：

Profile（配置文件）：每个用户的基础权限模板（1对1关系）
- 定义用户的默认访问级别
- 每个用户必须有且只有一个 profile
- 例如：Standard User、System Admin、Read Only
Permission Set（权限集）：在 profile 之上的附加权限（1对多关系）
- 授予额外功能而无需更改 profile
- 可分配给多个用户
- 例如：Finance Data Access、API Access

使用场景：

用户张三:
  Profile: standard_user (基础权限)
  Permission Sets: [finance_access, api_access] (附加权限)
  
最终权限 = standard_user + finance_access + api_access

这种设计的优势是灵活性 - 可以通过组合而非修改来扩展权限。

2. Role 的定义位置：

目前实现支持两个层级：

系统级（推荐）：在 *.app.yml 中定义

# main.app.yml
permissions:
  roles: [admin, manager, developer, user, viewer]

对象级（当前示例）：在 *.permission.yml 中引用

# projects.permission.yml
roles:  # 这里是引用系统级定义的 roles
  - admin
  - manager

建议在 ApplicationConfig 中集中定义 roles，permission 文件中只引用它们，这样可以保证一致性。我会更新文档说明这一点。

…ction - Add system-wide role definition in demo.app.yml - Update PERMISSIONS_GUIDE.md with comprehensive explanation of: - Role definition strategy (central vs per-object) - Profile vs Permission Set distinction (following Salesforce model) - When to use each pattern - Add documentation comments to permission.ts explaining roles field - Update permission examples to clarify roles are references - Add usage examples showing effective permission calculation Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

hotlong · 2026-01-12T02:28:52Z

参考主流低代码平台的实现方案，我需要区分 profile permission-set吗? 还有role在哪里定义

@copilot

好问题！我的实现参考了 Salesforce 的行业标准做法：

1. Profile vs Permission Set 的区分是必要的：

Profile（配置文件）：每个用户的基础权限模板（1对1关系）

定义用户的默认访问级别

每个用户必须有且只有一个 profile

例如：Standard User、System Admin、Read Only

Permission Set（权限集）：在 profile 之上的附加权限（1对多关系）

授予额外功能而无需更改 profile

可分配给多个用户

例如：Finance Data Access、API Access

使用场景：
用户张三:
  Profile: standard_user (基础权限)
  Permission Sets: [finance_access, api_access] (附加权限)
  
最终权限 = standard_user + finance_access + api_access
这种设计的优势是灵活性 - 可以通过组合而非修改来扩展权限。

2. Role 的定义位置：

目前实现支持两个层级：

系统级（推荐）：在 *.app.yml 中定义
# main.app.yml
permissions:
  roles: [admin, manager, developer, user, viewer]
对象级（当前示例）：在 *.permission.yml 中引用
# projects.permission.yml
roles:  # 这里是引用系统级定义的 roles
  - admin
  - manager
建议在 ApplicationConfig 中集中定义 roles，permission 文件中只引用它们，这样可以保证一致性。我会更新文档说明这一点。

salesforce中 permission set 相当于 role，而且没有必要要分拆profile @copilot

Copilot · 2026-01-12T02:31:46Z

参考主流低代码平台的实现方案，我需要区分 profile permission-set吗? 还有role在哪里定义
...

你说得对！我重新理解了：

在 ObjectQL 中，我们应该采用更简单的 RBAC 模型：

当前实现已经支持基于 Role 的权限：

# projects.permission.yml
roles: [admin, manager, user]

object_permissions:
  create: [admin, manager]  # 直接用 role 控制权限
  read: [admin, manager, user]

Profile 和 Permission Set 应该是可选的高级特性，不是核心概念。

大多数场景下，只需要：

Roles: 定义用户角色（admin, manager, user）
Object/Field Permissions: 基于角色分配权限
Record Rules: 基于条件的动态权限

Profile/PermissionSet 只在需要复杂权限组合时才用。

你建议我简化文档和示例，去掉 Profile/PermissionSet 的强调，把它们作为可选功能吗？还是保持现状但在文档中澄清 Role 是主要方式？

hotlong · 2026-01-12T02:36:29Z

按照 rbac 帮我优化所有文档和代码，作废 profile， permission set @copilot

hotlong · 2026-01-12T02:40:44Z

按照 rbac 帮我优化所有文档和代码，作废 profile， permission set @copilot

@copilot

…onSet Remove Profile and PermissionSet concepts to simplify the permission model: - Remove PermissionProfile and PermissionSet interfaces from permission.ts - Remove profiles and permission_sets fields from PermissionConfig - Remove profiles and permission_sets from tasks.permission.yml example - Update PERMISSIONS_GUIDE.md to focus on RBAC with roles - Remove Profile/PermissionSet sections from documentation - Update best practices to emphasize role-based design The system now follows pure Role-Based Access Control (RBAC): - Roles define user groups (admin, manager, user, etc.) - Permissions assigned directly to roles - No intermediate profile/permission set complexity - Simpler, more straightforward permission model Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Copilot · 2026-01-12T02:44:27Z

按照 rbac 帮我优化所有文档和代码，作废 profile， permission set @copilot

@copilot

已完成 RBAC 简化，提交 8f34798：

移除的内容：

✅ 删除 PermissionProfile 和 PermissionSet 接口
✅ 从 PermissionConfig 中移除 profiles 和 permission_sets 字段
✅ 清理 tasks.permission.yml 示例中的相关配置
✅ 重写 PERMISSIONS_GUIDE.md，聚焦于纯 RBAC 模型

保留的核心功能：

✅ 基于角色的权限控制（Roles）
✅ 对象级权限（object_permissions）
✅ 字段级安全（field_permissions）
✅ 记录级规则（record_rules）
✅ 共享规则（sharing_rules）
✅ 行级安全（row_level_security）
✅ 字段掩码（field_masking）
✅ 审计追踪（audit）

现在的权限模型更简单直接：通过角色定义权限，无需 Profile/PermissionSet 的额外复杂度。

hotlong · 2026-01-12T02:49:51Z

更新规范文档 @copilot

Update docs/spec/permission.md to align with RBAC model: - Update overview to emphasize Role-Based Access Control (RBAC) - Remove section 7 "Profile-Based Permissions" - Remove section 8 "Permission Sets" - Renumber remaining sections (9->7, 10->8, 11->9, etc.) - Update best practices: replace "Role Hierarchy" with "Define Clear Roles" - Maintain all other sections: object/field permissions, record rules, sharing, actions, views, security features The specification now accurately documents the simplified RBAC permission model without Profile/PermissionSet concepts. Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Copilot · 2026-01-12T02:53:36Z

更新规范文档 @copilot

已更新规范文档，提交 4c894f2：

更新内容（docs/spec/permission.md）：

✅ 更新概述，强调 RBAC 模型
✅ 删除第 7 节 "Profile-Based Permissions"
✅ 删除第 8 节 "Permission Sets"
✅ 重新编号后续章节（9→7, 10→8, 11→9...）
✅ 更新最佳实践：将 "Role Hierarchy" 改为 "Define Clear Roles"
✅ 保留所有核心功能章节

规范文档现在完全对齐 RBAC 模型，移除了 61 行 Profile/PermissionSet 相关内容。

Copilot

Pull request overview

This pull request implements comprehensive RBAC (Role-Based Access Control) permission metadata types and examples for ObjectQL. The implementation provides TypeScript type definitions for a complete permission system including object-level permissions, field-level security, record-level rules, sharing rules, action permissions, view permissions, and advanced security features.

Changes:

Added TypeScript type definitions for permission metadata in packages/types/src/permission.ts
Exported permission types from the main types package
Created comprehensive example permission files demonstrating various RBAC scenarios
Added system-wide role definitions to the demo application configuration
Created detailed documentation guide explaining the permission system
Updated the permission specification to emphasize the pure RBAC model

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
packages/types/src/permission.ts	Comprehensive TypeScript type definitions for RBAC permission system (477 lines) including interfaces for object/field/record permissions, sharing rules, actions, views, and security features
packages/types/src/index.ts	Export statement added for permission types
examples/starters/basic-script/src/tasks.permission.yml	Advanced permission rules example demonstrating complex scenarios including lookup conditions, sharing rules, RLS, and audit configuration
examples/starters/basic-script/src/projects.permission.yml	Enhanced example with comprehensive permission features for projects object
examples/starters/basic-script/src/demo.app.yml	Added central role definitions (admin, manager, developer, user, viewer)
examples/starters/basic-script/PERMISSIONS_GUIDE.md	345-line comprehensive guide explaining RBAC concepts, examples, and best practices
docs/spec/permission.md	Updated specification emphasizing RBAC model, removed Profile/PermissionSet concepts, renumbered sections correctly

Copilot · 2026-01-12T03:03:14Z

+  - project_manager
+  - team_lead


Role mismatch detected: The tasks.permission.yml file references roles "project_manager" and "team_lead" which are not defined in demo.app.yml. The demo.app.yml only defines the following roles: admin, manager, developer, user, viewer.

Either update demo.app.yml to include these roles, or update tasks.permission.yml to use the existing roles defined in demo.app.yml (e.g., use "manager" instead of "project_manager").

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Initial plan

e22bbd8

Copilot AI assigned Copilot and hotlong Jan 12, 2026

Copilot started work on behalf of hotlong January 12, 2026 02:06 View session

Copilot AI and others added 3 commits January 12, 2026 02:11

Add permission metadata type definitions and examples

31fb0ef

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Complete permission metadata implementation with docs and validation

781b7dc

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Address code review feedback on permission types

4827515

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Copilot AI changed the title ~~[WIP] Add implementation of permission metadata according to documentation~~ Implement permission metadata types and examples per specification Jan 12, 2026

Copilot AI requested a review from hotlong January 12, 2026 02:20

Copilot finished work on behalf of hotlong January 12, 2026 02:20

Copilot started work on behalf of hotlong January 12, 2026 02:24 View session

Copilot finished work on behalf of hotlong January 12, 2026 02:30

Copilot started work on behalf of hotlong January 12, 2026 02:30 View session

Copilot finished work on behalf of hotlong January 12, 2026 02:32

Copilot started work on behalf of hotlong January 12, 2026 02:41 View session

Copilot AI changed the title ~~Implement permission metadata types and examples per specification~~ Implement RBAC permission metadata types and examples per specification Jan 12, 2026

Copilot finished work on behalf of hotlong January 12, 2026 02:46

Copilot started work on behalf of hotlong January 12, 2026 02:50 View session

Copilot finished work on behalf of hotlong January 12, 2026 02:54

hotlong approved these changes Jan 12, 2026

View reviewed changes

hotlong requested a review from Copilot January 12, 2026 02:57

Copilot started reviewing on behalf of hotlong January 12, 2026 02:58 View session

Copilot AI reviewed Jan 12, 2026

View reviewed changes

更新 PERMISSIONS_GUIDE.md

e68e20c

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

hotlong marked this pull request as ready for review January 12, 2026 03:52

Merge branch 'main' into copilot/add-permission-metadata-implementation

d9f0be2

hotlong merged commit dd1d2b5 into main Jan 12, 2026
0 of 2 checks passed

Conversation

Copilot AI commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Permission Metadata Implementation

Uh oh!

hotlong commented Jan 12, 2026

Uh oh!

hotlong commented Jan 12, 2026

Uh oh!

Copilot AI commented Jan 12, 2026

Uh oh!

hotlong commented Jan 12, 2026

Uh oh!

Copilot AI commented Jan 12, 2026

Uh oh!

hotlong commented Jan 12, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

hotlong commented Jan 12, 2026

Uh oh!

Copilot AI commented Jan 12, 2026

Uh oh!

hotlong commented Jan 12, 2026

Uh oh!

Copilot AI commented Jan 12, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Copilot AI Jan 12, 2026

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Copilot AI commented Jan 12, 2026 •

edited

Loading

hotlong commented Jan 12, 2026 •

edited

Loading