用户操作权限增加角色权限过滤，优化角色/部门关系树生成，修复验证码空参数不验证问题

2025-08-28 05:12:32 +08:00 · 2023-08-02 17:38:40 +08:00
parent e941e52d3e
commit 3df5236623
28 changed files with 1097 additions and 887 deletions
--- a/server/internal/logic/admin/dept.go
+++ b/server/internal/logic/admin/dept.go
@@ -106,14 +106,6 @@ func (s *sAdminDept) Edit(ctx context.Context, in *adminin.DeptEditInp) (err err

 	// 修改
 	if in.Id > 0 {
-		// 获取父级tree
-		var pTree gdb.Value
-		pTree, err = dao.AdminDept.Ctx(ctx).WherePri(in.Pid).Fields("tree").Value()
-		if err != nil {
-			return
-		}
-		in.Tree = tree.GenLabel(pTree.String(), in.Id)
-
 		err = dao.AdminDept.Transaction(ctx, func(ctx context.Context, tx gdb.TX) error {
 			// 更新数据
 			_, err = dao.AdminDept.Ctx(ctx).Fields(adminin.DeptUpdateFields{}).WherePri(in.Id).Data(in).Update()
@@ -139,7 +131,7 @@ func updateChildrenTree(ctx context.Context, _id int64, _level int, _tree string
 	}
 	for _, child := range list {
 		child.Level = _level + 1
-		child.Tree = tree.GenLabel(_tree, child.Id)
+		child.Tree = tree.GenLabel(_tree, child.Pid)

 		if _, err = dao.AdminDept.Ctx(ctx).Where("id", child.Id).Data("level", child.Level, "tree", child.Tree).Update(); err != nil {
 			return
--- a/server/internal/logic/admin/member.go
+++ b/server/internal/logic/admin/member.go
@@ -799,11 +799,31 @@ func (s *sAdminMember) ClusterSyncSuperAdmin(ctx context.Context, message *gredi
 	s.LoadSuperAdmin(ctx)
 }

-// FilterAuthModel 过滤查询权限，如果不是超管则排除掉自己
+// FilterAuthModel 过滤用户操作权限
+// 非超管用户只能操作自己的下级角色用户，并且需要满足自身角色的数据权限设置
 func (s *sAdminMember) FilterAuthModel(ctx context.Context, memberId int64) *gdb.Model {
 	m := dao.AdminMember.Ctx(ctx)
-	if !s.VerifySuperId(ctx, memberId) {
-		m = m.Where("id <> ?", memberId)
+	if s.VerifySuperId(ctx, memberId) {
+		return m
 	}
-	return m.Handler(handler.FilterAuthWithField("id"))
+
+	var roleId int64
+	if contexts.GetUserId(ctx) == memberId {
+		// 当前登录用户直接从上下文中取角色ID
+		roleId = contexts.GetRoleId(ctx)
+	} else {
+		ro, err := dao.AdminMember.Ctx(ctx).Fields("role_id").Where("id", memberId).Value()
+		if err != nil {
+			g.Log().Panicf(ctx, "failed to get role information, err:%+v", err)
+			return nil
+		}
+		roleId = ro.Int64()
+	}
+
+	roleIds, err := service.AdminRole().GetSubRoleIds(ctx, roleId, false)
+	if err != nil {
+		g.Log().Panicf(ctx, "get the subordinate role permission exception, err:%+v", err)
+		return nil
+	}
+	return m.Where("id <> ?", memberId).WhereIn("role_id", roleIds).Handler(handler.FilterAuthWithField("id"))
 }
--- a/server/internal/logic/admin/role.go
+++ b/server/internal/logic/admin/role.go
@@ -174,14 +174,6 @@ func (s *sAdminRole) Edit(ctx context.Context, in *adminin.RoleEditInp) (err err

 	// 修改
 	if in.Id > 0 {
-		// 获取父级tree
-		var pTree gdb.Value
-		pTree, err = dao.AdminRole.Ctx(ctx).Where("id", in.Pid).Fields("tree").Value()
-		if err != nil {
-			return
-		}
-		in.Tree = tree.GenLabel(pTree.String(), in.Id)
-
 		err = dao.AdminRole.Transaction(ctx, func(ctx context.Context, tx gdb.TX) error {
 			// 更新数据
 			_, err = dao.AdminRole.Ctx(ctx).Fields(adminin.RoleUpdateFields{}).WherePri(in.Id).Data(in).Update()
@@ -211,7 +203,7 @@ func updateRoleChildrenTree(ctx context.Context, _id int64, _level int, _tree st
 	}
 	for _, child := range list {
 		child.Level = _level + 1
-		child.Tree = tree.GenLabel(_tree, child.Id)
+		child.Tree = tree.GenLabel(_tree, child.Pid)

 		if _, err = dao.AdminRole.Ctx(ctx).Where("id", child.Id).Data("level", child.Level, "tree", child.Tree).Update(); err != nil {
 			return
@@ -313,32 +305,37 @@ func (s *sAdminRole) treeList(pid int64, nodes []*entity.AdminRole) (list []*adm

 // VerifyRoleId 验证角色ID
 func (s *sAdminRole) VerifyRoleId(ctx context.Context, id int64) (err error) {
-	var (
-		pid int64 = 0
-		mb        = contexts.GetUser(ctx)
-		mod       = dao.AdminRole.Ctx(ctx).Fields(dao.AdminRole.Columns().Id)
-	)
-
+	mb := contexts.GetUser(ctx)
 	if mb == nil {
 		err = gerror.New("用户信息获取失败！")
 		return
 	}

-	// 非超管只获取下级
-	if !service.AdminMember().VerifySuperId(ctx, mb.Id) {
-		pid = mb.RoleId
-		mod = mod.WhereNot(dao.AdminRole.Columns().Id, pid).WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(pid)+"%")
-	}
-
-	columns, err := mod.Array()
+	ids, err := s.GetSubRoleIds(ctx, mb.RoleId, service.AdminMember().VerifySuperId(ctx, mb.Id))
 	if err != nil {
-		return err
+		err = gerror.New("验证角色信息失败！")
+		return
 	}

-	ids := g.NewVar(columns).Int64s()
 	if !validate.InSlice(ids, id) {
 		err = gerror.New("角色ID是无效的")
 		return
 	}
 	return
 }
+
+// GetSubRoleIds 获取所有下级角色ID
+func (s *sAdminRole) GetSubRoleIds(ctx context.Context, roleId int64, isSuper bool) (ids []int64, err error) {
+	mod := dao.AdminRole.Ctx(ctx).Fields(dao.AdminRole.Columns().Id)
+	if !isSuper {
+		mod = mod.WhereNot(dao.AdminRole.Columns().Id, roleId).WhereLike(dao.AdminRole.Columns().Tree, "%"+tree.GetIdLabel(roleId)+"%")
+	}
+
+	columns, err := mod.Array()
+	if err != nil {
+		return nil, err
+	}
+
+	ids = g.NewVar(columns).Int64s()
+	return
+}