From 6ecc0b5adb9255d0115865148697931b92d866ff Mon Sep 17 00:00:00 2001
From: huang
Date: Thu, 26 Feb 2026 17:10:20 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E5=A5=97=E9=A4=90?= =?UTF-8?q?=E7=B3=BB=E5=88=97/=E5=A5=97=E9=A4=90=E5=88=86=E9=85=8D?= =?UTF-8?q?=E6=9D=83=E9=99=90=E8=BF=87=E6=BB=A4=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

代理用户只能看到自己分配出去的记录,而不是被分配的记录。
- 新增 ApplyAllocatorShopFilter 过滤函数
- ShopSeriesAllocationStore: List 和 GetByID 改用 ApplyAllocatorShopFilter
- ShopPackageAllocationStore: List 和 GetByID 改用 ApplyAllocatorShopFilter
- 平台用户和超管不受限制
- 代理用户只能看到 allocator_shop_id = 自己店铺ID 的记录
Co-Authored-By: Claude Sonnet 4.5
---
 .../postgres/shop_package_allocation_store.go | 8 ++++----
 .../postgres/shop_series_allocation_store.go | 8 ++++----
 pkg/middleware/data_scope.go | 20 +++++++++++++++++++
 3 files changed, 28 insertions(+), 8 deletions(-)

diff --git a/internal/store/postgres/shop_package_allocation_store.go b/internal/store/postgres/shop_package_allocation_store.go
index 682f541..01f4f63 100644
--- a/internal/store/postgres/shop_package_allocation_store.go
+++ b/internal/store/postgres/shop_package_allocation_store.go
@@ -24,8 +24,8 @@ func (s *ShopPackageAllocationStore) Create(ctx context.Context, allocation *mod
 func (s *ShopPackageAllocationStore) GetByID(ctx context.Context, id uint) (*model.ShopPackageAllocation, error) {
 	var allocation model.ShopPackageAllocation
 	query := s.db.WithContext(ctx).Where("id = ?", id)
-	// 应用数据权限过滤
-	query = middleware.ApplyShopFilter(ctx, query)
+	// 应用数据权限过滤:代理只能访问自己分配出去的记录
+	query = middleware.ApplyAllocatorShopFilter(ctx, query)
 	if err := query.First(&allocation).Error; err != nil {
 		return nil, err
 	}
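Review bot: After this change an agent can no longer load through GetByID a record that was allocated *to* its own shop (shop_id = its shop, allocator_shop_id = the allocating party), because the new filter keys on allocator_shop_id only; any caller that resolves an allocation by ID on behalf of the receiving shop now sees the store's not-found error instead of an authorization error, so the recipient path — if one exists — silently breaks rather than failing loudly. I cannot see the callers from here; please confirm none of them query these stores for the receiving shop, or give that path its own recipient-scoped lookup. The same applies to the List hunk in this file and to both hunks in shop_series_allocation_store.go, where the later `filters["shop_id"]` clause can only narrow the allocator-scoped set, never widen it back to records received. The comment should also record the decision so the next reader does not re-add the old filter, e.g. `// 应用数据权限过滤:代理只能访问自己分配出去的记录;被分配的记录不经此查询返回`. GetByID's body continues past the end of this hunk.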
@@ -56,8 +56,8 @@ func (s *ShopPackageAllocationStore) List(ctx context.Context, opts *store.Query
 
 	var total int64
 	query := s.db.WithContext(ctx).Model(&model.ShopPackageAllocation{})
-	// 应用数据权限过滤
-	query = middleware.ApplyShopFilter(ctx, query)
+	// 应用数据权限过滤:代理只能看到自己分配出去的记录
+	query = middleware.ApplyAllocatorShopFilter(ctx, query)
 
 	if shopID, ok := filters["shop_id"].(uint); ok && shopID > 0 {
 		query = query.Where("shop_id = ?", shopID)
diff --git a/internal/store/postgres/shop_series_allocation_store.go b/internal/store/postgres/shop_series_allocation_store.go
index 491a255..f933ba4 100644
--- a/internal/store/postgres/shop_series_allocation_store.go
+++ b/internal/store/postgres/shop_series_allocation_store.go
@@ -24,8 +24,8 @@ func (s *ShopSeriesAllocationStore) Create(ctx context.Context, allocation *mode
 func (s *ShopSeriesAllocationStore) GetByID(ctx context.Context, id uint) (*model.ShopSeriesAllocation, error) {
 	var allocation model.ShopSeriesAllocation
 	query := s.db.WithContext(ctx).Where("id = ?", id)
-	// 应用数据权限过滤
-	query = middleware.ApplyShopFilter(ctx, query)
+	// 应用数据权限过滤:代理只能访问自己分配出去的记录
+	query = middleware.ApplyAllocatorShopFilter(ctx, query)
 	if err := query.First(&allocation).Error; err != nil {
 		return nil, err
 	}
@@ -57,8 +57,8 @@ func (s *ShopSeriesAllocationStore) List(ctx context.Context, opts *store.QueryO
 
 	var total int64
 	query := s.db.WithContext(ctx).Model(&model.ShopSeriesAllocation{})
-	// 应用数据权限过滤
-	query = middleware.ApplyShopFilter(ctx, query)
+	// 应用数据权限过滤:代理只能看到自己分配出去的记录
+	query = middleware.ApplyAllocatorShopFilter(ctx, query)
 
 	if shopID, ok := filters["shop_id"].(uint); ok && shopID > 0 {
 		query = query.Where("shop_id = ?", shopID)
diff --git a/pkg/middleware/data_scope.go b/pkg/middleware/data_scope.go
index c79ed9a..ca0a840 100644
--- a/pkg/middleware/data_scope.go
+++ b/pkg/middleware/data_scope.go
@@ -101,3 +101,23 @@ func ApplyShopIDFilter(ctx context.Context, query *gorm.DB) *gorm.DB {
 	}
 	return query.Where("id IN ?", shopIDs)
 }
+
+// ApplyAllocatorShopFilter 应用分配者店铺数据权限过滤
+// 用于 ShopSeriesAllocation、ShopPackageAllocation 等使用 allocator_shop_id 字段的表
+// 代理用户只能看到自己作为分配者的记录
+// 平台用户/超管:不添加条件(allocator_shop_id=0 表示平台分配)
+// 代理用户:WHERE allocator_shop_id = 当前用户店铺ID
+func ApplyAllocatorShopFilter(ctx context.Context, query *gorm.DB) *gorm.DB {
+	userType := GetUserTypeFromContext(ctx)
+	// 平台用户和超管不限制
+	if userType == constants.UserTypeSuperAdmin || userType == constants.UserTypePlatform {
+		return query
+	}
+	// 代理用户只能看到自己分配出去的记录
+	shopID := GetShopIDFromContext(ctx)
+	if shopID == 0 {
+		// 代理用户但无店铺ID,返回空结果
+		return query.Where("1 = 0")
+	}
+	return query.Where("allocator_shop_id = ?", shopID)
+}
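Review bot: The doc comment line `// 平台用户/超管:不添加条件(allocator_shop_id=0 表示平台分配)` reads as if platform users are scoped to allocator_shop_id = 0, while the code returns the query with no condition at all, so a reader may later "tighten" it; reword to say that platform users and super-admins see every record, and that allocator_shop_id = 0 is merely how platform-originated allocations are stored. The privileged-type check `userType == constants.UserTypeSuperAdmin || userType == constants.UserTypePlatform` is correctly an allow-list (an unknown or missing user type falls through to the scoped branch), but it presumably repeats the same test used by ApplyShopFilter and ApplyShopIDFilter above this hunk, so a new privileged role would have to be added in each place; if that is the case, a small shared predicate such as `if isPlatformScoped(userType) {` would keep the scope filters from drifting apart. Note in the comment that a context with no user (background jobs, internal calls) also ends in `query.Where("1 = 0")`: that is the safe default, but callers should know an empty result can mean "no scope" rather than "no data". A table-driven test covering the three branches (privileged, agent with shop, agent without shop) would pin this behaviour; the patch adds none.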