refactor: 数据权限过滤从 GORM Callback 改为 Store 层显式调用

- 移除 RegisterDataPermissionCallback 和 SkipDataPermission 机制
- 在 Auth 中间件预计算 SubordinateShopIDs 并注入 Context
- 新增 ApplyShopFilter/ApplyEnterpriseFilter/ApplyOwnerShopFilter 等 Helper 函数
- 所有 Store 层查询方法显式调用数据权限过滤函数
- 权限检查函数 CanManageShop/CanManageEnterprise 改为从 Context 获取数据

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-26 16:38:52 +08:00
parent 4ba1f5b99d
commit 03a0960c4d
46 changed files with 1573 additions and 705 deletions


@@ -17,13 +17,18 @@ import (
"gorm.io/gorm"
)
// ShopStoreInterface 店铺存储接口(仅用于获取店铺信息)
type ShopStoreInterface interface {
GetByIDs(ctx context.Context, ids []uint) ([]*model.Shop, error)
}
// Service 账号业务服务
type Service struct {
accountStore *postgres.AccountStore
roleStore *postgres.RoleStore
accountRoleStore *postgres.AccountRoleStore
shopRoleStore *postgres.ShopRoleStore
shopStore middleware.ShopStoreInterface
shopStore ShopStoreInterface
enterpriseStore middleware.EnterpriseStoreInterface
auditService AuditServiceInterface
}
@@ -38,7 +43,7 @@ func New(
roleStore *postgres.RoleStore,
accountRoleStore *postgres.AccountRoleStore,
shopRoleStore *postgres.ShopRoleStore,
shopStore middleware.ShopStoreInterface,
shopStore ShopStoreInterface,
enterpriseStore middleware.EnterpriseStoreInterface,
auditService AuditServiceInterface,
) *Service {
@@ -79,13 +84,13 @@ func (s *Service) Create(ctx context.Context, req *dto.CreateAccountRequest) (*m
}
if req.UserType == constants.UserTypeAgent && req.ShopID != nil {
if err := middleware.CanManageShop(ctx, *req.ShopID, s.shopStore); err != nil {
if err := middleware.CanManageShop(ctx, *req.ShopID); err != nil {
return nil, err
}
}
if req.UserType == constants.UserTypeEnterprise && req.EnterpriseID != nil {
if err := middleware.CanManageEnterprise(ctx, *req.EnterpriseID, s.enterpriseStore, s.shopStore); err != nil {
if err := middleware.CanManageEnterprise(ctx, *req.EnterpriseID, s.enterpriseStore); err != nil {
return nil, err
}
}
@@ -190,7 +195,7 @@ func (s *Service) Update(ctx context.Context, id uint, req *dto.UpdateAccountReq
if account.ShopID == nil {
return nil, errors.New(errors.CodeForbidden, "无权限操作该账号")
}
if err := middleware.CanManageShop(ctx, *account.ShopID, s.shopStore); err != nil {
if err := middleware.CanManageShop(ctx, *account.ShopID); err != nil {
return nil, errors.New(errors.CodeForbidden, "无权限操作该资源或资源不存在")
}
}
@@ -291,7 +296,7 @@ func (s *Service) Delete(ctx context.Context, id uint) error {
if account.ShopID == nil {
return errors.New(errors.CodeForbidden, "无权限操作该账号")
}
if err := middleware.CanManageShop(ctx, *account.ShopID, s.shopStore); err != nil {
if err := middleware.CanManageShop(ctx, *account.ShopID); err != nil {
return errors.New(errors.CodeForbidden, "无权限操作该资源或资源不存在")
}
}
@@ -407,7 +412,7 @@ func (s *Service) AssignRoles(ctx context.Context, accountID uint, roleIDs []uin
if account.ShopID == nil {
return nil, errors.New(errors.CodeForbidden, "无权限操作该账号")
}
if err := middleware.CanManageShop(ctx, *account.ShopID, s.shopStore); err != nil {
if err := middleware.CanManageShop(ctx, *account.ShopID); err != nil {
return nil, errors.New(errors.CodeForbidden, "无权限操作该资源或资源不存在")
}
}
@@ -558,7 +563,7 @@ func (s *Service) RemoveRole(ctx context.Context, accountID, roleID uint) error
if account.ShopID == nil {
return errors.New(errors.CodeForbidden, "无权限操作该账号")
}
if err := middleware.CanManageShop(ctx, *account.ShopID, s.shopStore); err != nil {
if err := middleware.CanManageShop(ctx, *account.ShopID); err != nil {
return errors.New(errors.CodeForbidden, "无权限操作该资源或资源不存在")
}
}
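Review bot: With the store argument dropped from `middleware.CanManageShop(ctx, *req.ShopID)` in the Create hunk (and likewise in the Update, Delete, AssignRoles and RemoveRole hunks), the check now depends entirely on the SubordinateShopIDs the Auth middleware is said to inject into ctx, so any call path that reaches Service without that middleware (internal jobs, tests, admin tooling) presents a context without the list, and the hunk does not show whether CanManageShop denies or allows in that case — it needs to fail closed, and that contract deserves a comment at the first call site, e.g. `// CanManageShop reads the caller's SubordinateShopIDs from ctx; a ctx without them must be rejected`. A smaller point of consistency: Create returns CanManageShop's error unchanged, while the other four sites map it to the generic `无权限操作该资源或资源不存在`, so the Create response can differ in what it reveals about the target shop; aligning it with the others, `return nil, errors.New(errors.CodeForbidden, "无权限操作该资源或资源不存在")`, keeps the responses uniform. The enclosing methods start and end outside these hunks.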