调整管理员相关接口的权限
This commit is contained in:
parent
c98c73d787
commit
374fa5eb70
@ -33,7 +33,7 @@ class AccountController extends BaseController {
|
||||
async logout(req, res) {
|
||||
return {}
|
||||
}
|
||||
@permission('admin:save')
|
||||
@permission(['admin:edit', 'shopadmin:edit'])
|
||||
@router('post /admin/save')
|
||||
async save(req) {
|
||||
const { id, username, password, roles, showname, sex, locked, department, level, avatar } = req.params
|
||||
@ -49,6 +49,7 @@ class AccountController extends BaseController {
|
||||
throw new ZError(10, 'account already exists')
|
||||
}
|
||||
account = new Admin()
|
||||
account.level = 9
|
||||
}
|
||||
if (username) {
|
||||
if (ADMINS.indexOf(username) >= 0) {
|
||||
@ -56,6 +57,10 @@ class AccountController extends BaseController {
|
||||
}
|
||||
account.username = username
|
||||
}
|
||||
let admin = req.user
|
||||
if (admin.level > account.level) {
|
||||
throw new ZError(13, 'operate no permission')
|
||||
}
|
||||
account.roles = roles
|
||||
if (password) {
|
||||
account.updatePassword(password)
|
||||
@ -64,11 +69,16 @@ class AccountController extends BaseController {
|
||||
account.sex = sex || '0'
|
||||
// 管理员不需要设置部门属性
|
||||
if (ADMINS.indexOf(username) < 0) {
|
||||
account.department = department
|
||||
if (admin.level > 1) {
|
||||
account.department = admin.department
|
||||
} else {
|
||||
account.department = department
|
||||
}
|
||||
}
|
||||
if (level) {
|
||||
account.level = level
|
||||
account.level = Math.max(level, admin.level)
|
||||
}
|
||||
|
||||
if (avatar) {
|
||||
account.avatar = avatar
|
||||
}
|
||||
@ -87,14 +97,18 @@ class AccountController extends BaseController {
|
||||
return account.toJson()
|
||||
}
|
||||
|
||||
@permission('admin:read')
|
||||
@permission(['admin:read', 'shopadmin:read'])
|
||||
@router('get /admins')
|
||||
async users(req) {
|
||||
const user = req.user
|
||||
let { dept } = req.params
|
||||
let queryData: any = {deleted: false}
|
||||
if (!user.isSysAdmin()) {
|
||||
queryData.show = true
|
||||
}
|
||||
if (dept) {
|
||||
queryData.department = dept
|
||||
}
|
||||
let users = await Admin.find(queryData)
|
||||
return users.map(o => o.toJson())
|
||||
}
|
||||
@ -128,7 +142,7 @@ class AccountController extends BaseController {
|
||||
return result
|
||||
}
|
||||
|
||||
@permission('self:save')
|
||||
@permission('self:edit')
|
||||
@router('post /admin/:uid/passwd')
|
||||
async changePass(req) {
|
||||
let { uid, passwordOld, passwordNew } = req.params
|
||||
@ -144,7 +158,7 @@ class AccountController extends BaseController {
|
||||
return account.toJson()
|
||||
}
|
||||
|
||||
@permission('admin:save')
|
||||
@permission(['admin:lock', 'shopadmin:lock'])
|
||||
@router('post /admin/:uid/locker')
|
||||
async changeLocked(req) {
|
||||
let { uid, lock } = req.params
|
||||
@ -152,7 +166,17 @@ class AccountController extends BaseController {
|
||||
if (!account) {
|
||||
throw new ZError(10, 'account not found')
|
||||
}
|
||||
let admin = req.user
|
||||
const locker = isTrue(lock)
|
||||
if (admin.id === account.id && locker) {
|
||||
throw new ZError(14, 'can not lock self')
|
||||
}
|
||||
if (admin.level > 1) {
|
||||
if (admin.department !== account.department || account.level < admin.level ) {
|
||||
throw new ZError(13, 'operate no permission')
|
||||
}
|
||||
}
|
||||
|
||||
account.locked = isTrue(locker)
|
||||
if (locker) {
|
||||
account.lockTime = new Date()
|
||||
@ -161,7 +185,7 @@ class AccountController extends BaseController {
|
||||
return account.toJson()
|
||||
}
|
||||
|
||||
@permission('admin:delete')
|
||||
@permission(['admin:delete', 'shopadmin:delete'])
|
||||
@router('post /admin/:uid/delete')
|
||||
async deleteAdmin(req: any) {
|
||||
let { uid } = req.params
|
||||
@ -175,6 +199,15 @@ class AccountController extends BaseController {
|
||||
if (ADMINS.indexOf(account.username) >= 0) {
|
||||
throw new ZError(12, 'can`t delete admin')
|
||||
}
|
||||
let admin = req.user
|
||||
if (admin.id === account.id ) {
|
||||
throw new ZError(14, 'can not delete self')
|
||||
}
|
||||
if (admin.level > 1) {
|
||||
if (admin.department !== account.department || account.level < admin.level) {
|
||||
throw new ZError(13, 'operate no permission')
|
||||
}
|
||||
}
|
||||
account.deleted = true
|
||||
account.deleteTime = new Date()
|
||||
await account.save()
|
||||
|
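Review bot: The ownership check added to `save` in hunk `@ -56,6 +57,10 @@` compares only levels, `if (admin.level > account.level)`, whereas the checks added to `changeLocked` and `deleteAdmin` also reject operators with `admin.level > 1` whose `department` differs from the target's, so a shop admin can still edit, re-role and reset the password of an equal-or-lower-level account in another department. Aligning `save` would mean extending the condition to `admin.level > account.level || (admin.level > 1 && !isNewAccount && admin.department !== account.department)`, with `isNewAccount` set where `account = new Admin()` runs so accounts created in this request (which receive the operator's department a few lines later) are not rejected. The same gap is in `users` (hunk `@ -87,14 +97,18 @@`), where a `user.level > 1` caller can omit or choose `dept` freely; forcing `queryData.department = user.department` for those callers would match the department rule used elsewhere. Two smaller things to confirm: `account.roles = roles` still takes the request value verbatim with no check that the roles are within the operator's reach, and if `department` is stored as an ObjectId rather than a string, the `!==` comparisons in `changeLocked` and `deleteAdmin` compare references rather than values. `save` starts in the first hunk and its body continues outside the hunks shown.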
@ -16,7 +16,7 @@ class RoleController extends BaseController {
|
||||
return role.toJson()
|
||||
}
|
||||
|
||||
@permission('role:read')
|
||||
@permission(['role:read', 'shopadmin:read'])
|
||||
// @role('sysadmin')
|
||||
@router('get /roles')
|
||||
async roles(req) {
|
||||
@ -25,6 +25,10 @@ class RoleController extends BaseController {
|
||||
if (!user.isSysAdmin()) {
|
||||
queryData.show = true
|
||||
}
|
||||
const { level } = req.params
|
||||
if (level != undefined) {
|
||||
queryData.level = {$gte: level}
|
||||
}
|
||||
const records = await AdminRole.find(queryData)
|
||||
return records.map(o => o.toJson())
|
||||
}
|
||||
|
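Review bot: The `level` filter added to `roles` in hunk `@ -25,6 +25,10 @@` is taken from `req.params`, so it narrows the listing only when the client chooses to send it; a `shopadmin:read` caller who omits it still receives every role, which makes the filter a convenience rather than an access control. If the intent is that non-sysadmin users only see roles at or below their own level, the bound should come from the authenticated user, e.g. `if (!user.isSysAdmin()) { queryData.level = {$gte: user.level} }`, with the request parameter at most tightening it further. Also note that a value read from `req.params` is likely a string, and assuming the `$gte` query goes to MongoDB, a comparison between a string and a numeric field does not match, so the filter would silently return nothing unless `level` is converted with `Number(level)` first — worth confirming against how `level` is stored. `roles` begins in the previous hunk and its start is not part of this one.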