From 374fa5eb702316c3c731d2abc8dccfa3813c642f Mon Sep 17 00:00:00 2001
From: zhl
Date: Sat, 8 May 2021 15:21:59 +0800
Subject: [PATCH] =?UTF-8?q?=E8=B0=83=E6=95=B4=E7=AE=A1=E7=90=86=E5=91=98?=
 =?UTF-8?q?=E7=9B=B8=E5=85=B3=E6=8E=A5=E5=8F=A3=E7=9A=84=E6=9D=83=E9=99=90?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 src/admin/controllers/account.controller.ts | 47 ++++++++++++++++++---
 src/admin/controllers/role.controller.ts | 6 ++-
 2 files changed, 45 insertions(+), 8 deletions(-)
diff --git a/src/admin/controllers/account.controller.ts b/src/admin/controllers/account.controller.ts
index 65e925f..c87c3f4 100644
--- a/src/admin/controllers/account.controller.ts
+++ b/src/admin/controllers/account.controller.ts
@@ -33,7 +33,7 @@ class AccountController extends BaseController {
 async logout(req, res) {
 return {}
 }
- @permission('admin:save')
+ @permission(['admin:edit', 'shopadmin:edit'])
 @router('post /admin/save')
 async save(req) {
 const { id, username, password, roles, showname, sex, locked, department, level, avatar } = req.params
@@ -49,6 +49,7 @@ class AccountController extends BaseController {
 throw new ZError(10, 'account already exists')
 }
 account = new Admin()
+ account.level = 9
 }
 if (username) {
 if (ADMINS.indexOf(username) >= 0) {
@@ -56,6 +57,10 @@ class AccountController extends BaseController {
 }
 account.username = username
 }
+ let admin = req.user
+ if (admin.level > account.level) {
+ throw new ZError(13, 'operate no permission')
+ }
 account.roles = roles
 if (password) {
 account.updatePassword(password)
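Review bot: `@permission(['admin:edit', 'shopadmin:edit'])` switches the decorator from a single permission to a list, and nothing in the hunk records whether the list is satisfied by any one entry or only by all of them; the `shopadmin:*` alternatives suggest any-of, but a reader of the controller cannot tell. If any-of is indeed the semantics, a comment on the decorator line, `// any one of the listed permissions grants access`, or the equivalent sentence in the decorator's own TSDoc, would settle it. The same applies to the list-form decorators on `/admins`, `/admin/:uid/locker`, `/admin/:uid/delete` and `/roles` in this patch. The save method continues past the end of the hunk.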
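Review bot: `account.level = 9` gives a newly created account a bare magic number; the guards elsewhere in this patch treat larger numbers as less privileged (`admin.level > 1` means non-sysadmin, `admin.level > account.level` denies the edit), so 9 presumably means the lowest tier, but that has to be inferred. A module-level constant such as `const LOWEST_ADMIN_LEVEL = 9` with `account.level = LOWEST_ADMIN_LEVEL` would make the default self-describing and keep it in step with wherever the level scale is defined. The enclosing save method starts and ends outside this hunk.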
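Review bot: The new guard `if (admin.level > account.level)` denies editing a more privileged account, but unlike the guards this patch adds to changeLocked and deleteAdmin it never compares departments, so a non-sysadmin (`admin.level > 1`) can edit an existing account that belongs to another department and, through the later `account.department = admin.department` branch, pull it into their own. On the existing-account path (a freshly constructed Admin has no department yet) the check should mirror the other two: `if (admin.level > 1 && (admin.department !== account.department || account.level < admin.level)) {` followed by the same `throw new ZError(13, 'operate no permission')`. The guard also does nothing for `account.roles = roles` on the next line, which stores whatever roles the caller supplied; since the role.controller hunk filters AdminRole by `level`, each assigned role's level could be checked against `admin.level` as well. The save method starts and continues outside this hunk.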
@@ -64,11 +69,16 @@ class AccountController extends BaseController {
 account.sex = sex || '0'
 // 管理员不需要设置部门属性
 if (ADMINS.indexOf(username) < 0) {
- account.department = department
+ if (admin.level > 1) {
+ account.department = admin.department
+ } else {
+ account.department = department
+ }
 }
 if (level) {
- account.level = level
+ account.level = Math.max(level, admin.level)
 }
+
 if (avatar) {
 account.avatar = avatar
 }
@@ -87,14 +97,18 @@ class AccountController extends BaseController {
 return account.toJson()
 }
- @permission('admin:read')
+ @permission(['admin:read', 'shopadmin:read'])
 @router('get /admins')
 async users(req) {
 const user = req.user
+ let { dept } = req.params
 let queryData: any = {deleted: false}
 if (!user.isSysAdmin()) {
 queryData.show = true
 }
+ if (dept) {
+ queryData.department = dept
+ }
 let users = await Admin.find(queryData)
 return users.map(o => o.toJson())
 }
@@ -128,7 +142,7 @@ class AccountController extends BaseController {
 return result
 }
- @permission('self:save')
+ @permission('self:edit')
 @router('post /admin/:uid/passwd')
 async changePass(req) {
 let { uid, passwordOld, passwordNew } = req.params
@@ -144,7 +158,7 @@ class AccountController extends BaseController {
 return account.toJson()
 }
- @permission('admin:save')
+ @permission(['admin:lock', 'shopadmin:lock'])
 @router('post /admin/:uid/locker')
 async changeLocked(req) {
 let { uid, lock } = req.params
@@ -152,7 +166,17 @@ class AccountController extends BaseController {
 if (!account) {
 throw new ZError(10, 'account not found')
 }
+ let admin = req.user
 const locker = isTrue(lock)
+ if (admin.id === account.id && locker) {
+ throw new ZError(14, 'can not lock self')
+ }
+ if (admin.level > 1) {
+ if (admin.department !== account.department || account.level < admin.level ) {
+ throw new ZError(13, 'operate no permission')
+ }
+ }
+
 account.locked = isTrue(locker)
 if (locker) {
 account.lockTime = new Date()
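Review bot: `account.level = Math.max(level, admin.level)` stores whatever `level` arrived in req.params after JavaScript's numeric coercion, so a non-numeric value becomes NaN, and once NaN is stored the level comparisons added elsewhere in this patch (`admin.level > account.level`, `account.level < admin.level`) are always false and stop guarding that account. Validate before comparing: `const lvl = Number(level)` / `if (!Number.isInteger(lvl)) throw new ZError(ERR_CODE_TBD, 'invalid level')` / `account.level = Math.max(lvl, admin.level)`, where ERR_CODE_TBD stands for whichever ZError code the project uses for malformed input. Note that `if (level)` also skips a supplied level of 0, which is only correct if the scale starts at 1. `admin` is declared in an earlier hunk and the save method continues past this one.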
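Review bot: `queryData.department = dept` lets the caller choose the department filter, so for a non-sysadmin the listing is not confined to their own department the way save, changeLocked and deleteAdmin are in this patch — an admin with `user.level > 1` still lists every department's accounts by omitting `dept` or naming another one. Pin the filter to the caller for that case: `if (user.level > 1) queryData.department = user.department` / `else if (dept) queryData.department = dept`. Separately, the value goes straight into `Admin.find`; if req.params can carry non-string values (a JSON body, for instance), an object there would be read by the driver as a query operator rather than a department name, so guard with `typeof dept === 'string'` before using it. The users method is complete within the hunk; the class continues outside it.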
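Review bot: The department/level guard added to changeLocked is repeated line for line in deleteAdmin later in this patch, and two hand-copied copies of an authorization check tend to drift; move it into one module-level helper that both methods call (sketched below — a plain function rather than a method avoids depending on how the router binds `this`). Inside the guard, `admin.department !== account.department` is a strict comparison; if `department` is stored as an ObjectId rather than a string, two equal ids are distinct objects, the check rejects legitimate same-department operations, and it should compare `String(admin.department) !== String(account.department)` instead — the field's type is not visible in this patch, so confirm before relying on `!==`. The changeLocked method continues past the end of the hunk.
```typescript
// Authorization shared by changeLocked and deleteAdmin: a non-sysadmin
// (level > 1) may only act on accounts in their own department whose
// level is not more privileged (numerically lower) than their own.
function assertCanOperate(admin, account) {
  if (admin.level > 1) {
    if (admin.department !== account.department || account.level < admin.level) {
      throw new ZError(13, 'operate no permission')
    }
  }
}

// … unchanged: changeLocked up to the account lookup …
    let admin = req.user
    const locker = isTrue(lock)
    if (admin.id === account.id && locker) {
      throw new ZError(14, 'can not lock self')
    }
    assertCanOperate(admin, account)
// … unchanged: locked/lockTime assignment and save …
```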
@@ -161,7 +185,7 @@ class AccountController extends BaseController {
 return account.toJson()
 }
- @permission('admin:delete')
+ @permission(['admin:delete', 'shopadmin:delete'])
 @router('post /admin/:uid/delete')
 async deleteAdmin(req: any) {
 let { uid } = req.params
@@ -175,6 +199,15 @@ class AccountController extends BaseController {
 if (ADMINS.indexOf(account.username) >= 0) {
 throw new ZError(12, 'can`t delete admin')
 }
+ let admin = req.user
+ if (admin.id === account.id ) {
+ throw new ZError(14, 'can not delete self')
+ }
+ if (admin.level > 1) {
+ if (admin.department !== account.department || account.level < admin.level) {
+ throw new ZError(13, 'operate no permission')
+ }
+ }
 account.deleted = true
 account.deleteTime = new Date()
 await account.save()
diff --git a/src/admin/controllers/role.controller.ts b/src/admin/controllers/role.controller.ts
index 9c433e5..7f0e8b7 100644
--- a/src/admin/controllers/role.controller.ts
+++ b/src/admin/controllers/role.controller.ts
@@ -16,7 +16,7 @@ class RoleController extends BaseController {
 return role.toJson()
 }
- @permission('role:read')
+ @permission(['role:read', 'shopadmin:read'])
 // @role('sysadmin')
 @router('get /roles')
 async roles(req) {
@@ -25,6 +25,10 @@ class RoleController extends BaseController {
 if (!user.isSysAdmin()) {
 queryData.show = true
 }
+ const { level } = req.params
+ if (level != undefined) {
+ queryData.level = {$gte: level}
+ }
 const records = await AdminRole.find(queryData)
 return records.map(o => o.toJson())
 }
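Review bot: `queryData.level = {$gte: level}` bounds the role listing by a value the caller supplies rather than by the caller's own level, so for a non-sysadmin the new filter restricts nothing — omitting `level` or sending `1` still returns every role, including ones above the caller's tier. If the purpose of opening `/roles` to `shopadmin:read` is that a shop admin only sees roles they may assign, derive the bound from `user.level`: `queryData.level = {$gte: user.isSysAdmin() ? lvl : Math.max(lvl, user.level)}`, with `lvl` being `Number(level)` checked by `Number.isInteger` and defaulting to `user.level` for non-sysadmins when `level` is absent. The coercion matters on its own too: a value from the query string is a string, and a string `$gte` bound does not match numeric fields under MongoDB's type ordering, so the filter as written would silently return no roles — this assumes `level` is stored as a number, which the numeric comparisons in account.controller suggest. The roles method starts outside this hunk.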