用户操作权限增加角色权限过滤，优化角色/部门关系树生成，修复验证码空参数不验证问题

server/internal/logic/admin/dept.go

@@ -106,14 +106,6 @@ func (s *sAdminDept) Edit(ctx context.Context, in *adminin.DeptEditInp) (err err
 
 	// 修改
 	if in.Id > 0 {
-		// 获取父级tree
-		var pTree gdb.Value
-		pTree, err = dao.AdminDept.Ctx(ctx).WherePri(in.Pid).Fields("tree").Value()
-		if err != nil {
-			return
-		}
-		in.Tree = tree.GenLabel(pTree.String(), in.Id)
-
 		err = dao.AdminDept.Transaction(ctx, func(ctx context.Context, tx gdb.TX) error {
 			// 更新数据
 			_, err = dao.AdminDept.Ctx(ctx).Fields(adminin.DeptUpdateFields{}).WherePri(in.Id).Data(in).Update()
@@ -139,7 +131,7 @@ func updateChildrenTree(ctx context.Context, _id int64, _level int, _tree string
 	}
 	for _, child := range list {
 		child.Level = _level + 1
-		child.Tree = tree.GenLabel(_tree, child.Id)
+		child.Tree = tree.GenLabel(_tree, child.Pid)
 
 		if _, err = dao.AdminDept.Ctx(ctx).Where("id", child.Id).Data("level", child.Level, "tree", child.Tree).Update(); err != nil {
 			return

server/internal/logic/admin/member.go

@@ -799,11 +799,31 @@ func (s *sAdminMember) ClusterSyncSuperAdmin(ctx context.Context, message *gredi
 	s.LoadSuperAdmin(ctx)
 }
 
-// FilterAuthModel 过滤查询权限，如果不是超管则排除掉自己
+// FilterAuthModel 过滤用户操作权限
+// 非超管用户只能操作自己的下级角色用户，并且需要满足自身角色的数据权限设置
 func (s *sAdminMember) FilterAuthModel(ctx context.Context, memberId int64) *gdb.Model {
 	m := dao.AdminMember.Ctx(ctx)
-	if !s.VerifySuperId(ctx, memberId) {
-		m = m.Where("id <> ?", memberId)
+	if s.VerifySuperId(ctx, memberId) {
+		return m
 	}
-	return m.Handler(handler.FilterAuthWithField("id"))
+
+	var roleId int64
+	if contexts.GetUserId(ctx) == memberId {
+		// 当前登录用户直接从上下文中取角色ID
+		roleId = contexts.GetRoleId(ctx)
+	} else {
+		ro, err := dao.AdminMember.Ctx(ctx).Fields("role_id").Where("id", memberId).Value()
+		if err != nil {
+			g.Log().Panicf(ctx, "failed to get role information, err:%+v", err)
+			return nil
+		}
+		roleId = ro.Int64()
+	}
+
+	roleIds, err := service.AdminRole().GetSubRoleIds(ctx, roleId, false)
+	if err != nil {
+		g.Log().Panicf(ctx, "get the subordinate role permission exception, err:%+v", err)
+		return nil
+	}
+	return m.Where("id <> ?", memberId).WhereIn("role_id", roleIds).Handler(handler.FilterAuthWithField("id"))
 }

server/internal/logic/admin/role.go

@@ -174,14 +174,6 @@ func (s *sAdminRole) Edit(ctx context.Context, in *adminin.RoleEditInp) (err err
 
 	// 修改
 	if in.Id > 0 {
-		// 获取父级tree
-		var pTree gdb.Value
-		pTree, err = dao.AdminRole.Ctx(ctx).Where("id", in.Pid).Fields("tree").Value()
-		if err != nil {
-			return
-		}
-		in.Tree = tree.GenLabel(pTree.String(), in.Id)
-
 		err = dao.AdminRole.Transaction(ctx, func(ctx context.Context, tx gdb.TX) error {
 			// 更新数据
 			_, err = dao.AdminRole.Ctx(ctx).Fields(adminin.RoleUpdateFields{}).WherePri(in.Id).Data(in).Update()
@@ -211,7 +203,7 @@ func updateRoleChildrenTree(ctx context.Context, _id int64, _level int, _tree st
 	}
 	for _, child := range list {
 		child.Level = _level + 1
-		child.Tree = tree.GenLabel(_tree, child.Id)
+		child.Tree = tree.GenLabel(_tree, child.Pid)
 
 		if _, err = dao.AdminRole.Ctx(ctx).Where("id", child.Id).Data("level", child.Level, "tree", child.Tree).Update(); err != nil {
 			return
@@ -313,32 +305,37 @@ func (s *sAdminRole) treeList(pid int64, nodes []*entity.AdminRole) (list []*adm
 
 // VerifyRoleId 验证角色ID
 func (s *sAdminRole) VerifyRoleId(ctx context.Context, id int64) (err error) {
-	var (
-		pid int64 = 0
-		mb        = contexts.GetUser(ctx)
-		mod       = dao.AdminRole.Ctx(ctx).Fields(dao.AdminRole.Columns().Id)
-	)
-
+	mb := contexts.GetUser(ctx)
 	if mb == nil {
 		err = gerror.New("用户信息获取失败！")
 		return
 	}
 
-	// 非超管只获取下级
-	if !service.AdminMember().VerifySuperId(ctx, mb.Id) {
-		pid = mb.RoleId
-		mod = mod.WhereNot(dao.AdminRole.Columns().Id, pid).WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
-	}
-
-	columns, err := mod.Array()
+	ids, err := s.GetSubRoleIds(ctx, mb.RoleId, service.AdminMember().VerifySuperId(ctx, mb.Id))
 	if err != nil {
-		return err
+		err = gerror.New("验证角色信息失败！")
+		return
 	}
 
-	ids := g.NewVar(columns).Int64s()
 	if !validate.InSlice(ids, id) {
 		err = gerror.New("角色ID是无效的")
 		return
 	}
 	return
 }
+
+// GetSubRoleIds 获取所有下级角色ID
+func (s *sAdminRole) GetSubRoleIds(ctx context.Context, roleId int64, isSuper bool) (ids []int64, err error) {
+	mod := dao.AdminRole.Ctx(ctx).Fields(dao.AdminRole.Columns().Id)
+	if !isSuper {
+		mod = mod.WhereNot(dao.AdminRole.Columns().Id, roleId).WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(roleId)+"%")
+	}
+
+	columns, err := mod.Array()
+	if err != nil {
+		return nil, err
+	}
+
+	ids = g.NewVar(columns).Int64s()
+	return
+}

server/internal/logic/middleware/init.go

@@ -17,7 +17,6 @@ import (
 	"github.com/gogf/gf/v2/text/gstr"
 	"go.opentelemetry.io/otel/attribute"
 	"hotgo/internal/consts"
-	"hotgo/internal/global"
 	"hotgo/internal/library/addons"
 	"hotgo/internal/library/contexts"
 	"hotgo/internal/library/response"
@@ -27,12 +26,14 @@ import (
 	"hotgo/utility/validate"
 	"net/http"
 	"strings"
+	"sync"
 )
 
 type sMiddleware struct {
 	LoginUrl      string                      // 登录路由地址
 	DemoWhiteList g.Map                       // 演示模式放行的路由白名单
 	FilterRoutes  map[string]ghttp.RouterItem // 支持预处理的web路由
+	routeMutex    sync.Mutex
 }
 
 func init() {
@@ -52,7 +53,7 @@ func NewMiddleware() *sMiddleware {
 
 // Ctx 初始化请求上下文
 func (s *sMiddleware) Ctx(r *ghttp.Request) {
-	if global.JaegerSwitch {
+	if g.Cfg().MustGet(r.Context(), "jaeger.switch").Bool() {
 		ctx, span := gtrace.NewSpan(r.Context(), "middleware.ctx")
 		span.SetAttributes(attribute.KeyValue{
 			Key:   "traceID",

server/internal/logic/middleware/pre_filter.go

@@ -13,6 +13,13 @@ import (
 func (s *sMiddleware) GetFilterRoutes(r *ghttp.Request) map[string]ghttp.RouterItem {
 	// 首次访问时加载
 	if s.FilterRoutes == nil {
+		s.routeMutex.Lock()
+		defer s.routeMutex.Unlock()
+
+		if s.FilterRoutes != nil {
+			return s.FilterRoutes
+		}
+
 		s.FilterRoutes = make(map[string]ghttp.RouterItem)
 		for _, v := range r.Server.GetRoutes() {
 			// 非规范路由不加载