# sdk-collection-permissions Specification

## Purpose
定义面向 `ManagePlatform` 用户的 SDK 直连权限配置能力，使角色绑定与 collection CRUD 授权能够通过 hooks 页面完成并映射到 PocketBase rules。
## Requirements
### Requirement: Role-based SDK direct access SHALL be configurable from hooks pages

The system SHALL provide a hooks-mounted management page that allows `ManagePlatform` users to assign roles to auth users and configure PocketBase SDK direct-access CRUD permissions by role and collection.

#### Scenario: Role is assigned to an auth user

- **WHEN** a management user selects a role for an auth user and saves the assignment
- **THEN** the system SHALL persist the role mapping used by the SDK direct-access permission model

#### Scenario: Collection operation is granted by role

- **WHEN** a management user authorizes a role for a collection operation such as list, view, create, update, or delete
- **THEN** the corresponding PocketBase collection access rule SHALL be updated for that role

### Requirement: Role identity SHALL be name-based in the management UI

The hooks permission page SHALL hide internal role IDs from the UI and present role assignments and selectors by role name only.

#### Scenario: Current role display hides role ID

- **WHEN** a management user views the role assignment page
- **THEN** current role labels and selectors SHALL show the role name without exposing the internal role ID

### Requirement: Permission editing SHALL be immediate and constrained by rule type

The permission page SHALL save authorization changes immediately after a checkbox toggle, SHALL render CRUD labels in Chinese, and SHALL prevent editing for operations already governed by public or custom rules.

#### Scenario: Authorization change auto-saves

- **WHEN** a management user toggles an editable permission checkbox
- **THEN** the change SHALL be persisted immediately without requiring a separate save button

#### Scenario: Public operation is read-only

- **WHEN** a collection operation is already publicly accessible
- **THEN** the page SHALL show a brief `可公开访问` notice and SHALL NOT render an editable authorization checkbox for that operation

#### Scenario: Custom operation is read-only

- **WHEN** a collection operation is governed by a custom rule
- **THEN** the page SHALL show `当前操作使用 custom 规则，禁止修改` and SHALL NOT render an editable authorization checkbox for that operation

### Requirement: Collection-level bulk selection SHALL respect editable operations only

The permission page SHALL provide a collection-level select-all control that applies only to editable operations, and the control SHALL be disabled when the collection has no editable operations.

#### Scenario: Collection select-all grants editable operations

- **WHEN** a management user enables the collection-level select-all control
- **THEN** all editable CRUD operations for the current role on that collection SHALL be granted and auto-saved

#### Scenario: Collection select-all is disabled when nothing is editable

- **WHEN** every operation in a collection is either public, custom, or otherwise not editable
- **THEN** the collection-level select-all control SHALL be disabled