From 5fb38aa579e870b4b35f84d300691d0e352ccd86 Mon Sep 17 00:00:00 2001
From: walkor
Date: Wed, 21 Dec 2022 19:07:50 +0800
Subject: [PATCH] save
---
 src/plugin/admin/app/common/Auth.php | 35 ++++++++---------
 .../admin/app/controller/AdminController.php | 33 ++++++++++++++++
 src/plugin/admin/app/controller/Crud.php | 39 +++++++++++++++++--
 src/plugin/admin/app/view/admin/index.html | 2 +
 4 files changed, 87 insertions(+), 22 deletions(-)
diff --git a/src/plugin/admin/app/common/Auth.php b/src/plugin/admin/app/common/Auth.php
index 4363356..bb1dcfb 100644
--- a/src/plugin/admin/app/common/Auth.php
+++ b/src/plugin/admin/app/common/Auth.php
@@ -9,40 +9,38 @@ use plugin\admin\app\model\Role; class Auth { /** - * 获取管理员及子管理员id数组 + * 获取子管理员角色id数组 + * @param bool $with_self * @param array $admin_ids * @return array */ - public static function getDescendantRoleIds(array $admin_ids = []): array + public static function getDescendantRoleIds(bool $with_self = false): array { - if (!$admin_ids) { - $admin = admin(); - if (!$admin) { - return []; - } - $role_ids = $admin['roles']; - $rules = Role::whereIn('id', $role_ids)->pluck('rules')->toArray(); - if ($rules && in_array('*', $rules)) { - return Admin::pluck('id')->toArray(); - } - } else { - $role_ids = AdminRole::whereIn('admin_id', $admin_ids)->pluck('role_id'); + if (!$admin = admin()) { + return []; + } + $role_ids = $admin['roles']; + $rules = Role::whereIn('id', $role_ids)->pluck('rules')->toArray(); + if ($rules && in_array('*', $rules)) { + return Role::pluck('id')->toArray(); } $roles = Role::get(); $tree = new Tree($roles); - $descendants = $tree->getDescendant($role_ids, true); + $descendants = $tree->getDescendant($role_ids, $with_self); return array_column($descendants, 'id'); } /** * 获取管理员及子管理员id数组 + * @param bool $with_self * @param array $admin_ids * @return array */ - public static function getDescendantAdminIds(array $admin_ids = []): array + public static function getDescendantAdminIds(bool $with_self = false, array $admin_ids = []): array { - return AdminRole::whereIn('role_id', static::getDescendantRoleIds())->pluck('admin_id')->toArray(); + $role_ids = static::getDescendantRoleIds($with_self); + return AdminRole::whereIn('role_id', $role_ids)->pluck('admin_id')->toArray(); } /** @@ -53,8 +51,7 @@ class Auth public static function isSupperAdmin(int $admin_id = 0): bool { if (!$admin_id) { - $roles = admin('roles'); - if (!$roles) { + if (!$roles = admin('roles')) { return false; } } else { diff --git a/src/plugin/admin/app/controller/AdminController.php b/src/plugin/admin/app/controller/AdminController.php index 7a39be8..4f58d7a 100644 
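Review bot: The docblock of `getDescendantRoleIds` still lists `@param array $admin_ids` although that parameter was removed from the signature, and `getDescendantAdminIds` keeps `array $admin_ids = []` but never reads it, so a caller passing admin ids silently gets the result for the logged-in admin. Drop the stale `@param` line and either implement the parameter or document it as `@deprecated unused; kept for signature compatibility` until callers are cleaned up. `$with_self` now defaults to `false`, which changes the old unconditional `getDescendant($role_ids, true)`; a one-line comment stating that the manager's own roles are excluded by default would make the choice visible to the next reader.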
--- a/src/plugin/admin/app/controller/AdminController.php +++ b/src/plugin/admin/app/controller/AdminController.php @@ -2,6 +2,7 @@ namespace plugin\admin\app\controller; +use plugin\admin\app\common\Auth; use plugin\admin\app\model\Admin; use plugin\admin\app\model\AdminRole; use support\exception\BusinessException; @@ -19,6 +20,18 @@ class AdminController extends Crud */ protected $model = null; + /** + * 开启auth数据限制 + * @var string + */ + protected $dataLimit = 'auth'; + + /** + * 以id为数据限制字段 + * @var string + */ + protected $dataLimitField = 'id'; + /** * 构造函数 * @return void @@ -47,6 +60,9 @@ class AdminController extends Crud { [$where, $format, $limit, $field, $order] = $this->selectInput($request); $query = $this->doSelect($where, $field, $order); + if ($format === 'select') { + return $this->formatSelect($query->get()); + } $paginator = $query->paginate($limit); $items = $paginator->items(); $admin_ids = array_column($items, 'id'); @@ -55,9 +71,11 @@ class AdminController extends Crud foreach ($roles as $role) { $roles_map[$role['admin_id']][] = $role['role_id']; } + $login_admin_id = admin_id(); foreach ($items as $index => $item) { $admin_id = $item['id']; $items[$index]['roles'] = isset($roles_map[$admin_id]) ? implode(',', $roles_map[$admin_id]) : ''; + $items[$index]['show_toolbar'] = $admin_id != $login_admin_id; } return json(['code' => 0, 'msg' => 'ok', 'count' => $paginator->total(), 'data' => $items]); } @@ -75,6 +93,9 @@ class AdminController extends Crud $admin_id = $this->doInsert($data); $role_ids = $request->post('roles'); $role_ids = $role_ids ? explode(',', $role_ids) : []; + if (!Auth::isSupperAdmin() && array_diff($role_ids, Auth::getDescendantRoleIds())) { + return $this->json(1, '角色超出权限范围'); + } AdminRole::where('admin_id', $admin_id)->delete(); foreach ($role_ids as $id) { $admin_role = new AdminRole; 
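Review bot: The role-scope check added after `$role_ids = $role_ids ? explode(',', $role_ids) : [];` runs only after `$admin_id = $this->doInsert($data);`, so a rejected request still leaves the new admin row in the table, merely without roles. Read and validate the roles before writing: move the two `$role_ids` lines and the `if (!Auth::isSupperAdmin() && array_diff($role_ids, Auth::getDescendantRoleIds())) { return $this->json(1, '角色超出权限范围'); }` block above the `doInsert` call, or wrap both writes in a transaction. `array_diff` compares as strings, so the exploded string ids match the integer ids from `getDescendantRoleIds()` as long as they carry no whitespace; a stray space fails closed, which is acceptable. The enclosing method starts and ends outside the hunk.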
@@ -102,7 +123,16 @@ class AdminController extends Crud return $this->json(1, '缺少参数'); } $role_ids = $role_ids ? explode(',', $role_ids) : []; + $is_supper_admin = Auth::isSupperAdmin(); $exist_role_ids = AdminRole::where('admin_id', $admin_id)->pluck('role_id')->toArray(); + $descendant_role_ids = Auth::getDescendantRoleIds(); + if (!$is_supper_admin && !array_intersect($exist_role_ids, $descendant_role_ids)) { + return $this->json(1, '无权限更改该记录'); + } + if (!$is_supper_admin && array_diff($role_ids, $descendant_role_ids)) { + return $this->json(1, '角色超出权限范围'); + } + // 删除 $delete_ids = array_diff($exist_role_ids, $role_ids); AdminRole::whereIn('role_id', $delete_ids)->where('admin_id', $admin_id)->delete(); @@ -135,6 +165,9 @@ class AdminController extends Crud if (in_array(admin_id(), $ids)) { return $this->json(1, '不能删除自己'); } + if (!Auth::isSupperAdmin() && array_diff($ids, Auth::getDescendantAdminIds())) { + return $this->json(1, '无数据权限'); + } $this->model->whereIn($primary_key, $ids)->delete(); AdminRole::whereIn('admin_id', $ids)->delete(); return $this->json(0); diff --git a/src/plugin/admin/app/controller/Crud.php b/src/plugin/admin/app/controller/Crud.php index dff8fc2..7b77841 100644 --- a/src/plugin/admin/app/controller/Crud.php +++ b/src/plugin/admin/app/controller/Crud.php @@ -63,6 +63,7 @@ class Crud extends Base * 删除 * @param Request $request * @return Response + * @throws BusinessException */ public function delete(Request $request): Response { @@ -82,7 +83,8 @@ class Crud extends Base $field = $request->get('field'); $order = $request->get('order', 'asc'); $format = $request->get('format', 'normal'); - $limit = $request->get('limit', $format === 'tree' ? 1000 : 10); + $limit = (int)$request->get('limit', $format === 'tree' ? 1000 : 10); + $limit = $limit <= 0 ? 10 : $limit; $order = $order === 'asc' ? 'asc' : 'desc'; $where = $request->get(); $page = (int)$request->get('page'); 
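Review bot: The new gate `!array_intersect($exist_role_ids, $descendant_role_ids)` only requires that the target admin holds at least one role inside the caller's scope; a target that also holds a role outside that scope passes, and the following `$delete_ids = array_diff($exist_role_ids, $role_ids)` then lets a non-super admin remove a role it does not manage. If the intent is that a non-super admin may only edit admins entirely within its scope, use a subset test: `if (!$is_supper_admin && ($exist_role_ids === [] || array_diff($exist_role_ids, $descendant_role_ids)))`. A target with no roles at all is rejected by both forms, which may be intended but deserves a comment. The update method starts and ends outside the hunk.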
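Review bot: `Auth::getDescendantAdminIds()` is called here with the default `$with_self = false`, whereas the Crud data-limit checks in this commit call `getDescendantAdminIds(true)`; the effect is that a non-super admin cannot delete admins holding its own roles even where the generic layer would allow it. If that is intentional, a comment such as `// peers (admins holding the caller's own roles) may not be deleted` above the check would stop the next reader from treating it as an inconsistency. The delete method starts and ends outside the hunk.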
@@ -107,7 +109,10 @@ class Crud extends Base if ($this->dataLimit === 'personal') { $where[$this->dataLimitField] = admin_id(); } elseif ($this->dataLimit === 'auth') { - $where[$this->dataLimitField] = ['in', Auth::getAdminIds()]; + $primary_key = $this->model->getKeyName(); + if (!Auth::isSupperAdmin() && (!isset($where[$primary_key]) || $this->dataLimitField != $primary_key)) { + $where[$this->dataLimitField] = ['in', Auth::getDescendantAdminIds(true)]; + } } return [$where, $format, $limit, $field, $order, $page]; } @@ -175,6 +180,17 @@ class Crud extends Base if (isset($data[$password_filed])) { $data[$password_filed] = Util::passwordHash($data[$password_filed]); } + + if (!Auth::isSupperAdmin() && $this->dataLimit) { + if (empty($data[$this->dataLimitField])) { + $data[$this->dataLimitField] = admin_id();; + } else { + $admin_id = $data[$this->dataLimitField]; + if (!in_array($admin_id, Auth::getDescendantAdminIds(true))) { + throw new BusinessException('无数据权限'); + } + } + } return $data; } @@ -206,6 +222,12 @@ class Crud extends Base $primary_key = $this->model->getKeyName(); $id = $request->post($primary_key); $data = $this->inputFilter($request->post()); + if (!Auth::isSupperAdmin() && $this->dataLimit && !empty($data[$this->dataLimitField])) { + $admin_id = $data[$this->dataLimitField]; + if (!in_array($admin_id, Auth::getDescendantAdminIds(true))) { + throw new BusinessException('无数据权限'); + } + } $password_filed = 'password'; if (isset($data[$password_filed])) { // 密码为空,则不更新密码 
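Review bot: The data limit is skipped whenever the request already carries a filter on the primary key and `dataLimitField` equals that key (the new condition in the `elseif ($this->dataLimit === 'auth')` branch), so for a controller such as AdminController, which sets `dataLimitField = 'id'` in this commit, a non-super admin's own `id` filter replaces the scope restriction instead of being narrowed by it. The caller's key filter should be intersected with `Auth::getDescendantAdminIds(true)` rather than trusted; the value format of `$where[$primary_key]` is not visible here, so the cast below assumes a scalar id or a plain list of ids. selectInput starts and ends outside the hunk.
```php
        } elseif ($this->dataLimit === 'auth') {
            if (!Auth::isSupperAdmin()) {
                $allowed_ids = Auth::getDescendantAdminIds(true);
                $primary_key = $this->model->getKeyName();
                if ($this->dataLimitField == $primary_key && isset($where[$primary_key])) {
                    // Narrow the caller's key filter to the allowed set instead of dropping the limit.
                    // TODO confirm the filter value format; assumes a scalar id or a plain list of ids.
                    $allowed_ids = array_values(array_intersect((array)$where[$primary_key], $allowed_ids));
                }
                $where[$this->dataLimitField] = ['in', $allowed_ids];
            }
        }
        // … unchanged: return [$where, $format, $limit, $field, $order, $page]; …
```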
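Review bot: `$data[$this->dataLimitField] = admin_id();;` carries a stray empty statement, and the surrounding `empty()` test also treats a submitted `'0'` as absent; `if (!isset($data[$this->dataLimitField]) || $data[$this->dataLimitField] === '')` is the safer form if 0 is never a valid owner. More importantly, this filter stamps the caller's admin id into `dataLimitField` whenever it is missing, which for a controller whose `dataLimitField` is the primary key (AdminController sets `'id'` in this commit) would give a new row the caller's own id; unless that controller bypasses this filter, which is not visible here, the default should be skipped when `$this->dataLimitField == $this->model->getKeyName()`. The enclosing method starts outside the hunk.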
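Review bot: The new update check only inspects the submitted `$data[$this->dataLimitField]` and is skipped entirely when that field is absent, so a non-super admin who omits the owner field can update a row identified by `$id` regardless of who owns it (unless a later check outside the hunk covers this, which is not visible here). The stored owner of the row being updated should be verified against `Auth::getDescendantAdminIds(true)`, the way the new `deleteInput` verifies rows before deletion, and the submitted value checked in addition. `$id` comes from `$request->post($primary_key)`; its handling when missing is outside the hunk, and the rewrite below rejects a row that cannot be found. The enclosing method starts and ends outside the hunk.
```php
        $data = $this->inputFilter($request->post());
        if (!Auth::isSupperAdmin() && $this->dataLimit) {
            $allowed_ids = Auth::getDescendantAdminIds(true);
            // Check the stored owner of the row being updated, not only the submitted value.
            $owner_id = $this->model->where($primary_key, $id)->value($this->dataLimitField);
            if ($owner_id === null || !in_array($owner_id, $allowed_ids)) {
                throw new BusinessException('无数据权限');
            }
            if (!empty($data[$this->dataLimitField]) && !in_array($data[$this->dataLimitField], $allowed_ids)) {
                throw new BusinessException('无数据权限');
            }
        }
        // … unchanged: password handling …
```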
@@ -278,11 +300,22 @@ class Crud extends Base * 删除前置方法 * @param Request $request * @return array + * @throws BusinessException */ protected function deleteInput(Request $request): array { $primary_key = $this->model->getKeyName(); - return (array)$request->post($primary_key, []); + if (!$primary_key) { + throw new BusinessException('该表无主键,不支持删除'); + } + $ids = (array)$request->post($primary_key, []); + if (!Auth::isSupperAdmin() && $this->dataLimit) { + $admin_ids = $this->model->where($primary_key, $ids)->pluck($this->dataLimitField)->toArray(); + if (array_diff($admin_ids, Auth::getDescendantAdminIds(true))) { + throw new BusinessException('无数据权限'); + } + } + return $ids; } /** diff --git a/src/plugin/admin/app/view/admin/index.html b/src/plugin/admin/app/view/admin/index.html index e1b7f36..7acafb3 100644 --- a/src/plugin/admin/app/view/admin/index.html +++ b/src/plugin/admin/app/view/admin/index.html @@ -89,8 +89,10 @@
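Review bot: `$this->model->where($primary_key, $ids)` passes the whole id array as a single `=` value; with the illuminate query builder this does not express an IN constraint and, depending on the version, binds only the first id, so the owner check in `deleteInput` covers at most one of the rows about to be deleted. Use `$admin_ids = $this->model->whereIn($primary_key, $ids)->pluck($this->dataLimitField)->toArray();`. With an empty `$ids` the check passes vacuously, which is harmless because the subsequent delete matches nothing, but a comment saying so would help; a `null` owner value fails closed because `array_diff` treats it as `''`.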