diff --git a/src/plugin/admin/app/common/Auth.php b/src/plugin/admin/app/common/Auth.php
index 4363356..bb1dcfb 100644
--- a/src/plugin/admin/app/common/Auth.php
+++ b/src/plugin/admin/app/common/Auth.php
@@ -9,40 +9,38 @@ use plugin\admin\app\model\Role;
class Auth
{
/**
- * 获取管理员及子管理员id数组
+ * 获取子管理员角色id数组
+ * @param bool $with_self
* @param array $admin_ids
* @return array
*/
- public static function getDescendantRoleIds(array $admin_ids = []): array
+ public static function getDescendantRoleIds(bool $with_self = false): array
{
- if (!$admin_ids) {
- $admin = admin();
- if (!$admin) {
- return [];
- }
- $role_ids = $admin['roles'];
- $rules = Role::whereIn('id', $role_ids)->pluck('rules')->toArray();
- if ($rules && in_array('*', $rules)) {
- return Admin::pluck('id')->toArray();
- }
- } else {
- $role_ids = AdminRole::whereIn('admin_id', $admin_ids)->pluck('role_id');
+ if (!$admin = admin()) {
+ return [];
+ }
+ $role_ids = $admin['roles'];
+ $rules = Role::whereIn('id', $role_ids)->pluck('rules')->toArray();
+ if ($rules && in_array('*', $rules)) {
+ return Role::pluck('id')->toArray();
}
$roles = Role::get();
$tree = new Tree($roles);
- $descendants = $tree->getDescendant($role_ids, true);
+ $descendants = $tree->getDescendant($role_ids, $with_self);
return array_column($descendants, 'id');
}
/**
* 获取管理员及子管理员id数组
+ * @param bool $with_self
* @param array $admin_ids
* @return array
*/
- public static function getDescendantAdminIds(array $admin_ids = []): array
+ public static function getDescendantAdminIds(bool $with_self = false, array $admin_ids = []): array
{
- return AdminRole::whereIn('role_id', static::getDescendantRoleIds())->pluck('admin_id')->toArray();
+ $role_ids = static::getDescendantRoleIds($with_self);
+ return AdminRole::whereIn('role_id', $role_ids)->pluck('admin_id')->toArray();
}
/**
@@ -53,8 +51,7 @@ class Auth
public static function isSupperAdmin(int $admin_id = 0): bool
{
if (!$admin_id) {
- $roles = admin('roles');
- if (!$roles) {
+ if (!$roles = admin('roles')) {
return false;
}
} else {
diff --git a/src/plugin/admin/app/controller/AdminController.php b/src/plugin/admin/app/controller/AdminController.php
index 7a39be8..4f58d7a 100644
--- a/src/plugin/admin/app/controller/AdminController.php
+++ b/src/plugin/admin/app/controller/AdminController.php
@@ -2,6 +2,7 @@
namespace plugin\admin\app\controller;
+use plugin\admin\app\common\Auth;
use plugin\admin\app\model\Admin;
use plugin\admin\app\model\AdminRole;
use support\exception\BusinessException;
@@ -19,6 +20,18 @@ class AdminController extends Crud
*/
protected $model = null;
+ /**
+ * 开启auth数据限制
+ * @var string
+ */
+ protected $dataLimit = 'auth';
+
+ /**
+ * 以id为数据限制字段
+ * @var string
+ */
+ protected $dataLimitField = 'id';
+
/**
* 构造函数
* @return void
@@ -47,6 +60,9 @@ class AdminController extends Crud
{
[$where, $format, $limit, $field, $order] = $this->selectInput($request);
$query = $this->doSelect($where, $field, $order);
+ if ($format === 'select') {
+ return $this->formatSelect($query->get());
+ }
$paginator = $query->paginate($limit);
$items = $paginator->items();
$admin_ids = array_column($items, 'id');
@@ -55,9 +71,11 @@ class AdminController extends Crud
foreach ($roles as $role) {
$roles_map[$role['admin_id']][] = $role['role_id'];
}
+ $login_admin_id = admin_id();
foreach ($items as $index => $item) {
$admin_id = $item['id'];
$items[$index]['roles'] = isset($roles_map[$admin_id]) ? implode(',', $roles_map[$admin_id]) : '';
+ $items[$index]['show_toolbar'] = $admin_id != $login_admin_id;
}
return json(['code' => 0, 'msg' => 'ok', 'count' => $paginator->total(), 'data' => $items]);
}
@@ -75,6 +93,9 @@ class AdminController extends Crud
$admin_id = $this->doInsert($data);
$role_ids = $request->post('roles');
$role_ids = $role_ids ? explode(',', $role_ids) : [];
+ if (!Auth::isSupperAdmin() && array_diff($role_ids, Auth::getDescendantRoleIds())) {
+ return $this->json(1, '角色超出权限范围');
+ }
AdminRole::where('admin_id', $admin_id)->delete();
foreach ($role_ids as $id) {
$admin_role = new AdminRole;
@@ -102,7 +123,16 @@ class AdminController extends Crud
return $this->json(1, '缺少参数');
}
$role_ids = $role_ids ? explode(',', $role_ids) : [];
+ $is_supper_admin = Auth::isSupperAdmin();
$exist_role_ids = AdminRole::where('admin_id', $admin_id)->pluck('role_id')->toArray();
+ $descendant_role_ids = Auth::getDescendantRoleIds();
+ if (!$is_supper_admin && !array_intersect($exist_role_ids, $descendant_role_ids)) {
+ return $this->json(1, '无权限更改该记录');
+ }
+ if (!$is_supper_admin && array_diff($role_ids, $descendant_role_ids)) {
+ return $this->json(1, '角色超出权限范围');
+ }
+
// 删除
$delete_ids = array_diff($exist_role_ids, $role_ids);
AdminRole::whereIn('role_id', $delete_ids)->where('admin_id', $admin_id)->delete();
@@ -135,6 +165,9 @@ class AdminController extends Crud
if (in_array(admin_id(), $ids)) {
return $this->json(1, '不能删除自己');
}
+ if (!Auth::isSupperAdmin() && array_diff($ids, Auth::getDescendantAdminIds())) {
+ return $this->json(1, '无数据权限');
+ }
$this->model->whereIn($primary_key, $ids)->delete();
AdminRole::whereIn('admin_id', $ids)->delete();
return $this->json(0);
diff --git a/src/plugin/admin/app/controller/Crud.php b/src/plugin/admin/app/controller/Crud.php
index dff8fc2..7b77841 100644
--- a/src/plugin/admin/app/controller/Crud.php
+++ b/src/plugin/admin/app/controller/Crud.php
@@ -63,6 +63,7 @@ class Crud extends Base
* 删除
* @param Request $request
* @return Response
+ * @throws BusinessException
*/
public function delete(Request $request): Response
{
@@ -82,7 +83,8 @@ class Crud extends Base
$field = $request->get('field');
$order = $request->get('order', 'asc');
$format = $request->get('format', 'normal');
- $limit = $request->get('limit', $format === 'tree' ? 1000 : 10);
+ $limit = (int)$request->get('limit', $format === 'tree' ? 1000 : 10);
+ $limit = $limit <= 0 ? 10 : $limit;
$order = $order === 'asc' ? 'asc' : 'desc';
$where = $request->get();
$page = (int)$request->get('page');
@@ -107,7 +109,10 @@ class Crud extends Base
if ($this->dataLimit === 'personal') {
$where[$this->dataLimitField] = admin_id();
} elseif ($this->dataLimit === 'auth') {
- $where[$this->dataLimitField] = ['in', Auth::getAdminIds()];
+ $primary_key = $this->model->getKeyName();
+ if (!Auth::isSupperAdmin() && (!isset($where[$primary_key]) || $this->dataLimitField != $primary_key)) {
+ $where[$this->dataLimitField] = ['in', Auth::getDescendantAdminIds(true)];
+ }
}
return [$where, $format, $limit, $field, $order, $page];
}
@@ -175,6 +180,17 @@ class Crud extends Base
if (isset($data[$password_filed])) {
$data[$password_filed] = Util::passwordHash($data[$password_filed]);
}
+
+ if (!Auth::isSupperAdmin() && $this->dataLimit) {
+ if (empty($data[$this->dataLimitField])) {
+ $data[$this->dataLimitField] = admin_id();;
+ } else {
+ $admin_id = $data[$this->dataLimitField];
+ if (!in_array($admin_id, Auth::getDescendantAdminIds(true))) {
+ throw new BusinessException('无数据权限');
+ }
+ }
+ }
return $data;
}
@@ -206,6 +222,12 @@ class Crud extends Base
$primary_key = $this->model->getKeyName();
$id = $request->post($primary_key);
$data = $this->inputFilter($request->post());
+ if (!Auth::isSupperAdmin() && $this->dataLimit && !empty($data[$this->dataLimitField])) {
+ $admin_id = $data[$this->dataLimitField];
+ if (!in_array($admin_id, Auth::getDescendantAdminIds(true))) {
+ throw new BusinessException('无数据权限');
+ }
+ }
$password_filed = 'password';
if (isset($data[$password_filed])) {
// 密码为空,则不更新密码
@@ -278,11 +300,22 @@ class Crud extends Base
* 删除前置方法
* @param Request $request
* @return array
+ * @throws BusinessException
*/
protected function deleteInput(Request $request): array
{
$primary_key = $this->model->getKeyName();
- return (array)$request->post($primary_key, []);
+ if (!$primary_key) {
+ throw new BusinessException('该表无主键,不支持删除');
+ }
+ $ids = (array)$request->post($primary_key, []);
+ if (!Auth::isSupperAdmin() && $this->dataLimit) {
+ $admin_ids = $this->model->where($primary_key, $ids)->pluck($this->dataLimitField)->toArray();
+ if (array_diff($admin_ids, Auth::getDescendantAdminIds(true))) {
+ throw new BusinessException('无数据权限');
+ }
+ }
+ return $ids;
}
/**
diff --git a/src/plugin/admin/app/view/admin/index.html b/src/plugin/admin/app/view/admin/index.html
index e1b7f36..7acafb3 100644
--- a/src/plugin/admin/app/view/admin/index.html
+++ b/src/plugin/admin/app/view/admin/index.html
@@ -89,8 +89,10 @@