允许代理看
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 10m11s

This commit is contained in:
2026-05-09 11:03:32 +08:00
parent 0b86720534
commit 6a6672d0e4
3 changed files with 41 additions and 4 deletions

View File

@@ -12,11 +12,13 @@ import (
)
// registerRefundRoutes 注册退款管理路由
// 平台用户(超级管理员和平台用户)可访问
// 平台和代理账号可访问,企业账号禁止访问
func registerRefundRoutes(router fiber.Router, handler *admin.RefundHandler, doc *openapi.Generator, basePath string) {
refund := router.Group("/refunds", func(c *fiber.Ctx) error {
userType := middleware.GetUserTypeFromContext(c.UserContext())
if userType != constants.UserTypeSuperAdmin && userType != constants.UserTypePlatform {
if userType != constants.UserTypeSuperAdmin &&
userType != constants.UserTypePlatform &&
userType != constants.UserTypeAgent {
return errors.New(errors.CodeForbidden, "无权限访问退款管理功能")
}
return c.Next()

View File

@@ -193,6 +193,9 @@ func (s *Service) Approve(ctx context.Context, id uint, req *dto.ApproveRefundRe
if userID == 0 {
return errors.New(errors.CodeUnauthorized, "未授权访问")
}
if err := ensureRefundProcessor(ctx); err != nil {
return err
}
refund, err := s.refundStore.GetByID(ctx, id)
if err != nil {
@@ -267,6 +270,9 @@ func (s *Service) Reject(ctx context.Context, id uint, req *dto.RejectRefundRequ
if userID == 0 {
return errors.New(errors.CodeUnauthorized, "未授权访问")
}
if err := ensureRefundProcessor(ctx); err != nil {
return err
}
now := time.Now()
result := s.db.WithContext(ctx).
@@ -296,6 +302,9 @@ func (s *Service) Return(ctx context.Context, id uint, req *dto.ReturnRefundRequ
if userID == 0 {
return errors.New(errors.CodeUnauthorized, "未授权访问")
}
if err := ensureRefundProcessor(ctx); err != nil {
return err
}
now := time.Now()
result := s.db.WithContext(ctx).
@@ -318,6 +327,15 @@ func (s *Service) Return(ctx context.Context, id uint, req *dto.ReturnRefundRequ
return nil
}
// ensureRefundProcessor 确保只有平台侧账号可以处理审批类动作。
func ensureRefundProcessor(ctx context.Context) error {
userType := middleware.GetUserTypeFromContext(ctx)
if userType == constants.UserTypeSuperAdmin || userType == constants.UserTypePlatform {
return nil
}
return errors.New(errors.CodeForbidden, "无权限处理退款申请")
}
// Resubmit 重新提交退款申请
// 条件更新 WHERE status=4已退回修改部分字段后重新进入待审批状态
func (s *Service) Resubmit(ctx context.Context, id uint, req *dto.ResubmitRefundRequest) error {

View File

@@ -40,7 +40,7 @@ func (s *RefundStore) GetByID(ctx context.Context, id uint) (*model.RefundReques
Select("tb_refund_request.*, tb_shop.shop_name AS shop_name").
Joins("LEFT JOIN tb_shop ON tb_shop.id = tb_refund_request.shop_id AND tb_shop.deleted_at IS NULL").
Where("tb_refund_request.id = ?", id)
query = middleware.ApplyShopFilter(ctx, query)
query = applyRefundScope(ctx, query)
if err := query.First(&req).Error; err != nil {
return nil, err
}
@@ -69,7 +69,7 @@ func (s *RefundStore) List(ctx context.Context, opts *store.QueryOptions, filter
Model(&model.RefundRequest{}).
Select("tb_refund_request.*, tb_shop.shop_name AS shop_name").
Joins("LEFT JOIN tb_shop ON tb_shop.id = tb_refund_request.shop_id AND tb_shop.deleted_at IS NULL")
query = middleware.ApplyShopFilter(ctx, query)
query = applyRefundScope(ctx, query)
if filters != nil {
if filters.Status != nil {
@@ -109,6 +109,23 @@ func (s *RefundStore) List(ctx context.Context, opts *store.QueryOptions, filter
return requests, total, nil
}
// applyRefundScope 应用退款单专属数据权限。
// 退款申请对代理按创建人隔离,避免上级代理通过店铺层级看到下级申请。
func applyRefundScope(ctx context.Context, query *gorm.DB) *gorm.DB {
switch middleware.GetUserTypeFromContext(ctx) {
case constants.UserTypeSuperAdmin, constants.UserTypePlatform:
return query
case constants.UserTypeAgent:
userID := middleware.GetUserIDFromContext(ctx)
if userID == 0 {
return query.Where("1 = 0")
}
return query.Where("tb_refund_request.creator = ?", userID)
default:
return query.Where("1 = 0")
}
}
// FindActiveByOrderID 查找订单关联的活跃退款申请(状态为待审批、已通过)
func (s *RefundStore) FindActiveByOrderID(ctx context.Context, orderID uint) (*model.RefundRequest, error) {
var req model.RefundRequest