调整一些接口的权限

2021-05-08 16:51:54 +08:00 · 2021-05-08 16:51:54 +08:00 · 2972da7a3b
commit 2972da7a3b
parent 374fa5eb70
3 changed files with 27 additions and 4 deletions
--- a/src/admin/controllers/coupon.controller.ts
+++ b/src/admin/controllers/coupon.controller.ts
@ -4,12 +4,18 @@ import { ZError } from '../../common/ZError'
 import { Coupon } from '../../models/shop/Coupon'

 class CouponController extends BaseController{
-  @permission('coupon:read')
+  @permission(['coupon:read', 'activity:edit'])
  @router('post /coupons')
  async list(req, res) {
    let { start, limit, page } = req.params
    limit = +limit || 10
    start = +start || (+page - 1) * limit|| 0
+    const admin = req.params
+    if (admin.level > 1 && req.params.shop) {
+      if (admin.department !== req.params.shop) {
+        throw new ZError(11, 'no permission to query')
+      }
+    }
    let { opt, sort } = Coupon.parseQueryParam(req.params)
    let articles = await Coupon.find(opt)
      .sort(sort)
@ -39,7 +45,7 @@ class CouponController extends BaseController{
    return record.toJson()
  }

-  @permission('coupon:read')
+  @permission('coupon:edit')
  @router('post /coupon/save')
  async save(req: any) {
    let { _id } = req.params
@ -55,7 +61,7 @@ class CouponController extends BaseController{
    await record.save()
    return record.toJson()
  }
-  @permission('coupon:read')
+  @permission('coupon:delete')
  @router('post /coupon/:id/delete')
  async delete(req: any) {
    let { id } = req.params
--- a/src/admin/controllers/game.controller.ts
+++ b/src/admin/controllers/game.controller.ts
@ -4,7 +4,7 @@ import { ZError } from '../../common/ZError'
 import { Game } from '../../models/content/Game'

 class GameController extends BaseController{
-  @permission('game:read')
+  @permission(['game:read', 'shop:game_setting'])
  @router('post /games')
  async list(req, res) {
    let { start, limit, page } = req.params
--- a/src/admin/controllers/shop.controller.ts
+++ b/src/admin/controllers/shop.controller.ts
@ -42,6 +42,23 @@ class ShopController extends BaseController {
    return record.toJson()
  }

+  @permission('self:read')
+  @router('get /myshop')
+  async detailSelf(req: any) {
+    let admin = req.user
+    if (admin.level === 1) {
+      throw new ZError(12, 'this api not for you')
+    }
+    if (!admin.department) {
+      throw new ZError(13, 'you account has no shop bind')
+    }
+    const record = await Shop.findById(admin.department)
+    if (!record) {
+      throw new ZError(11, 'shop not found')
+    }
+    return record.toJson()
+  }
+
  @permission('shop:edit')
  @router('post /shop/save')
  async save(req: any) {