fix: 修复套餐系列/套餐分配权限过滤问题
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 7m19s
All checks were successful
构建并部署到测试环境(无 SSH) / build-and-deploy (push) Successful in 7m19s
代理用户只能看到自己分配出去的记录,而不是被分配的记录。 - 新增 ApplyAllocatorShopFilter 过滤函数 - ShopSeriesAllocationStore: List 和 GetByID 改用 ApplyAllocatorShopFilter - ShopPackageAllocationStore: List 和 GetByID 改用 ApplyAllocatorShopFilter - 平台用户和超管不受限制 - 代理用户只能看到 allocator_shop_id = 自己店铺ID 的记录 Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
This commit is contained in:
@@ -24,8 +24,8 @@ func (s *ShopPackageAllocationStore) Create(ctx context.Context, allocation *mod
|
||||
func (s *ShopPackageAllocationStore) GetByID(ctx context.Context, id uint) (*model.ShopPackageAllocation, error) {
|
||||
var allocation model.ShopPackageAllocation
|
||||
query := s.db.WithContext(ctx).Where("id = ?", id)
|
||||
// 应用数据权限过滤
|
||||
query = middleware.ApplyShopFilter(ctx, query)
|
||||
// 应用数据权限过滤:代理只能访问自己分配出去的记录
|
||||
query = middleware.ApplyAllocatorShopFilter(ctx, query)
|
||||
if err := query.First(&allocation).Error; err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -56,8 +56,8 @@ func (s *ShopPackageAllocationStore) List(ctx context.Context, opts *store.Query
|
||||
var total int64
|
||||
|
||||
query := s.db.WithContext(ctx).Model(&model.ShopPackageAllocation{})
|
||||
// 应用数据权限过滤
|
||||
query = middleware.ApplyShopFilter(ctx, query)
|
||||
// 应用数据权限过滤:代理只能看到自己分配出去的记录
|
||||
query = middleware.ApplyAllocatorShopFilter(ctx, query)
|
||||
|
||||
if shopID, ok := filters["shop_id"].(uint); ok && shopID > 0 {
|
||||
query = query.Where("shop_id = ?", shopID)
|
||||
|
||||
@@ -24,8 +24,8 @@ func (s *ShopSeriesAllocationStore) Create(ctx context.Context, allocation *mode
|
||||
func (s *ShopSeriesAllocationStore) GetByID(ctx context.Context, id uint) (*model.ShopSeriesAllocation, error) {
|
||||
var allocation model.ShopSeriesAllocation
|
||||
query := s.db.WithContext(ctx).Where("id = ?", id)
|
||||
// 应用数据权限过滤
|
||||
query = middleware.ApplyShopFilter(ctx, query)
|
||||
// 应用数据权限过滤:代理只能访问自己分配出去的记录
|
||||
query = middleware.ApplyAllocatorShopFilter(ctx, query)
|
||||
if err := query.First(&allocation).Error; err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -57,8 +57,8 @@ func (s *ShopSeriesAllocationStore) List(ctx context.Context, opts *store.QueryO
|
||||
var total int64
|
||||
|
||||
query := s.db.WithContext(ctx).Model(&model.ShopSeriesAllocation{})
|
||||
// 应用数据权限过滤
|
||||
query = middleware.ApplyShopFilter(ctx, query)
|
||||
// 应用数据权限过滤:代理只能看到自己分配出去的记录
|
||||
query = middleware.ApplyAllocatorShopFilter(ctx, query)
|
||||
|
||||
if shopID, ok := filters["shop_id"].(uint); ok && shopID > 0 {
|
||||
query = query.Where("shop_id = ?", shopID)
|
||||
|
||||
@@ -101,3 +101,23 @@ func ApplyShopIDFilter(ctx context.Context, query *gorm.DB) *gorm.DB {
|
||||
}
|
||||
return query.Where("id IN ?", shopIDs)
|
||||
}
|
||||
|
||||
// ApplyAllocatorShopFilter 应用分配者店铺数据权限过滤
|
||||
// 用于 ShopSeriesAllocation、ShopPackageAllocation 等使用 allocator_shop_id 字段的表
|
||||
// 代理用户只能看到自己作为分配者的记录
|
||||
// 平台用户/超管:不添加条件(allocator_shop_id=0 表示平台分配)
|
||||
// 代理用户:WHERE allocator_shop_id = 当前用户店铺ID
|
||||
func ApplyAllocatorShopFilter(ctx context.Context, query *gorm.DB) *gorm.DB {
|
||||
userType := GetUserTypeFromContext(ctx)
|
||||
// 平台用户和超管不限制
|
||||
if userType == constants.UserTypeSuperAdmin || userType == constants.UserTypePlatform {
|
||||
return query
|
||||
}
|
||||
// 代理用户只能看到自己分配出去的记录
|
||||
shopID := GetShopIDFromContext(ctx)
|
||||
if shopID == 0 {
|
||||
// 代理用户但无店铺ID,返回空结果
|
||||
return query.Where("1 = 0")
|
||||
}
|
||||
return query.Where("allocator_shop_id = ?", shopID)
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user