fix: 权限固定为全局

src/Application/TakeoutSaaS.Application/Identity/Contracts/PermissionDto.cs

@@ -15,7 +15,7 @@ public sealed class PermissionDto
     public long Id { get; init; }
 
     /// <summary>
-    /// 租户 ID。
+    /// 租户 ID（固定权限时为基准租户）。
     /// </summary>
     [JsonConverter(typeof(SnowflakeIdJsonConverter))]
     public long TenantId { get; init; }
@@ -42,7 +42,7 @@ public sealed class PermissionDto
     public string Name { get; init; } = string.Empty;
 
     /// <summary>
-    /// 权限编码（租户内唯一）。
+    /// 权限编码（全局唯一）。
     /// </summary>
     public string Code { get; init; } = string.Empty;
 

src/Application/TakeoutSaaS.Application/Identity/Handlers/CreatePermissionCommandHandler.cs

@@ -3,6 +3,8 @@ using TakeoutSaaS.Application.Identity.Commands;
 using TakeoutSaaS.Application.Identity.Contracts;
 using TakeoutSaaS.Domain.Identity.Entities;
 using TakeoutSaaS.Domain.Identity.Repositories;
+using TakeoutSaaS.Shared.Abstractions.Constants;
+using TakeoutSaaS.Shared.Abstractions.Exceptions;
 using TakeoutSaaS.Shared.Abstractions.Tenancy;
 
 namespace TakeoutSaaS.Application.Identity.Handlers;
@@ -23,10 +25,16 @@ public sealed class CreatePermissionCommandHandler(
     /// <returns>创建后的权限 DTO。</returns>
     public async Task<PermissionDto> Handle(CreatePermissionCommand request, CancellationToken cancellationToken)
     {
-        // 1. 获取租户上下文
+        // 1. 权限固定时禁止新增
+        if (!PermissionPolicy.CanMaintainPermissions)
+        {
+            throw new BusinessException(ErrorCodes.Forbidden, "权限已固定，禁止新增");
+        }
+
+        // 2. 获取租户上下文
         var tenantId = tenantProvider.GetCurrentTenantId();
 
-        // 2. 构建权限实体
+        // 3. 构建权限实体
         var normalizedType = string.IsNullOrWhiteSpace(request.Type)
             ? "leaf"
             : request.Type.Trim().ToLowerInvariant();
@@ -44,11 +52,11 @@ public sealed class CreatePermissionCommandHandler(
             Description = request.Description
         };
 
-        // 3. 持久化
+        // 4. 持久化
         await permissionRepository.AddAsync(permission, cancellationToken);
         await permissionRepository.SaveChangesAsync(cancellationToken);
 
-        // 4. 返回 DTO
+        // 5. 返回 DTO
         return new PermissionDto
         {
             Id = permission.Id,

src/Application/TakeoutSaaS.Application/Identity/Handlers/DeletePermissionCommandHandler.cs

@@ -1,6 +1,8 @@
 using MediatR;
 using TakeoutSaaS.Application.Identity.Commands;
 using TakeoutSaaS.Domain.Identity.Repositories;
+using TakeoutSaaS.Shared.Abstractions.Constants;
+using TakeoutSaaS.Shared.Abstractions.Exceptions;
 using TakeoutSaaS.Shared.Abstractions.Tenancy;
 
 namespace TakeoutSaaS.Application.Identity.Handlers;
@@ -21,14 +23,20 @@ public sealed class DeletePermissionCommandHandler(
     /// <returns>执行结果。</returns>
     public async Task<bool> Handle(DeletePermissionCommand request, CancellationToken cancellationToken)
     {
-        // 1. 获取租户上下文
+        // 1. 权限固定时禁止删除
+        if (!PermissionPolicy.CanMaintainPermissions)
+        {
+            throw new BusinessException(ErrorCodes.Forbidden, "权限已固定，禁止删除");
+        }
+
+        // 2. 获取租户上下文
         var tenantId = tenantProvider.GetCurrentTenantId();
 
-        // 2. 删除权限
+        // 3. 删除权限
         await permissionRepository.DeleteAsync(request.PermissionId, tenantId, cancellationToken);
         await permissionRepository.SaveChangesAsync(cancellationToken);
 
-        // 3. 返回执行结果
+        // 4. 返回执行结果
         return true;
     }
 }

src/Application/TakeoutSaaS.Application/Identity/Handlers/UpdatePermissionCommandHandler.cs

@@ -2,6 +2,8 @@ using MediatR;
 using TakeoutSaaS.Application.Identity.Commands;
 using TakeoutSaaS.Application.Identity.Contracts;
 using TakeoutSaaS.Domain.Identity.Repositories;
+using TakeoutSaaS.Shared.Abstractions.Constants;
+using TakeoutSaaS.Shared.Abstractions.Exceptions;
 using TakeoutSaaS.Shared.Abstractions.Tenancy;
 
 namespace TakeoutSaaS.Application.Identity.Handlers;
@@ -22,7 +24,13 @@ public sealed class UpdatePermissionCommandHandler(
     /// <returns>更新后的权限 DTO 或 null。</returns>
     public async Task<PermissionDto?> Handle(UpdatePermissionCommand request, CancellationToken cancellationToken)
     {
-        // 1. 获取租户上下文并查询权限
+        // 1. 权限固定时禁止修改
+        if (!PermissionPolicy.CanMaintainPermissions)
+        {
+            throw new BusinessException(ErrorCodes.Forbidden, "权限已固定，禁止修改");
+        }
+
+        // 2. 获取租户上下文并查询权限
         var tenantId = tenantProvider.GetCurrentTenantId();
         var permission = await permissionRepository.FindByIdAsync(request.PermissionId, tenantId, cancellationToken);
         if (permission == null)
@@ -30,7 +38,7 @@ public sealed class UpdatePermissionCommandHandler(
             return null;
         }
 
-        // 2. 更新字段
+        // 3. 更新字段
         var normalizedType = string.IsNullOrWhiteSpace(request.Type)
             ? "leaf"
             : request.Type.Trim().ToLowerInvariant();
@@ -45,11 +53,11 @@ public sealed class UpdatePermissionCommandHandler(
         permission.Name = request.Name;
         permission.Description = request.Description;
 
-        // 3. 持久化
+        // 4. 持久化
         await permissionRepository.UpdateAsync(permission, cancellationToken);
         await permissionRepository.SaveChangesAsync(cancellationToken);
 
-        // 4. 返回 DTO
+        // 5. 返回 DTO
         return new PermissionDto
         {
             Id = permission.Id,

src/Application/TakeoutSaaS.Application/Identity/PermissionPolicy.cs

@@ -0,0 +1,12 @@
+namespace TakeoutSaaS.Application.Identity;
+
+/// <summary>
+/// 权限管理策略。
+/// </summary>
+public static class PermissionPolicy
+{
+    /// <summary>
+    /// 是否允许维护权限定义（固定权限时为 false）。
+    /// </summary>
+    public static bool CanMaintainPermissions => false;
+}