调整管理员相关接口的权限

This commit is contained in:
zhl 2021-05-08 15:21:59 +08:00
parent c98c73d787
commit 374fa5eb70
2 changed files with 45 additions and 8 deletions


@ -33,7 +33,7 @@ class AccountController extends BaseController {
async logout(req, res) { async logout(req, res) {
return {} return {}
} }
@permission('admin:save') @permission(['admin:edit', 'shopadmin:edit'])
@router('post /admin/save') @router('post /admin/save')
async save(req) { async save(req) {
const { id, username, password, roles, showname, sex, locked, department, level, avatar } = req.params const { id, username, password, roles, showname, sex, locked, department, level, avatar } = req.params
@ -49,6 +49,7 @@ class AccountController extends BaseController {
throw new ZError(10, 'account already exists') throw new ZError(10, 'account already exists')
} }
account = new Admin() account = new Admin()
account.level = 9
} }
if (username) { if (username) {
if (ADMINS.indexOf(username) >= 0) { if (ADMINS.indexOf(username) >= 0) {
@ -56,6 +57,10 @@ class AccountController extends BaseController {
} }
account.username = username account.username = username
} }
let admin = req.user
if (admin.level > account.level) {
throw new ZError(13, 'operate no permission')
}
account.roles = roles account.roles = roles
if (password) { if (password) {
account.updatePassword(password) account.updatePassword(password)
@ -64,11 +69,16 @@ class AccountController extends BaseController {
account.sex = sex || '0' account.sex = sex || '0'
// 管理员不需要设置部门属性 // 管理员不需要设置部门属性
if (ADMINS.indexOf(username) < 0) { if (ADMINS.indexOf(username) < 0) {
if (admin.level > 1) {
account.department = admin.department
} else {
account.department = department account.department = department
} }
if (level) {
account.level = level
} }
if (level) {
account.level = Math.max(level, admin.level)
}
if (avatar) { if (avatar) {
account.avatar = avatar account.avatar = avatar
} }
@ -87,14 +97,18 @@ class AccountController extends BaseController {
return account.toJson() return account.toJson()
} }
@permission('admin:read') @permission(['admin:read', 'shopadmin:read'])
@router('get /admins') @router('get /admins')
async users(req) { async users(req) {
const user = req.user const user = req.user
let { dept } = req.params
let queryData: any = {deleted: false} let queryData: any = {deleted: false}
if (!user.isSysAdmin()) { if (!user.isSysAdmin()) {
queryData.show = true queryData.show = true
} }
if (dept) {
queryData.department = dept
}
let users = await Admin.find(queryData) let users = await Admin.find(queryData)
return users.map(o => o.toJson()) return users.map(o => o.toJson())
} }
@ -128,7 +142,7 @@ class AccountController extends BaseController {
return result return result
} }
@permission('self:save') @permission('self:edit')
@router('post /admin/:uid/passwd') @router('post /admin/:uid/passwd')
async changePass(req) { async changePass(req) {
let { uid, passwordOld, passwordNew } = req.params let { uid, passwordOld, passwordNew } = req.params
@ -144,7 +158,7 @@ class AccountController extends BaseController {
return account.toJson() return account.toJson()
} }
@permission('admin:save') @permission(['admin:lock', 'shopadmin:lock'])
@router('post /admin/:uid/locker') @router('post /admin/:uid/locker')
async changeLocked(req) { async changeLocked(req) {
let { uid, lock } = req.params let { uid, lock } = req.params
@ -152,7 +166,17 @@ class AccountController extends BaseController {
if (!account) { if (!account) {
throw new ZError(10, 'account not found') throw new ZError(10, 'account not found')
} }
let admin = req.user
const locker = isTrue(lock) const locker = isTrue(lock)
if (admin.id === account.id && locker) {
throw new ZError(14, 'can not lock self')
}
if (admin.level > 1) {
if (admin.department !== account.department || account.level < admin.level ) {
throw new ZError(13, 'operate no permission')
}
}
account.locked = isTrue(locker) account.locked = isTrue(locker)
if (locker) { if (locker) {
account.lockTime = new Date() account.lockTime = new Date()
@ -161,7 +185,7 @@ class AccountController extends BaseController {
return account.toJson() return account.toJson()
} }
@permission('admin:delete') @permission(['admin:delete', 'shopadmin:delete'])
@router('post /admin/:uid/delete') @router('post /admin/:uid/delete')
async deleteAdmin(req: any) { async deleteAdmin(req: any) {
let { uid } = req.params let { uid } = req.params
@ -175,6 +199,15 @@ class AccountController extends BaseController {
if (ADMINS.indexOf(account.username) >= 0) { if (ADMINS.indexOf(account.username) >= 0) {
throw new ZError(12, 'can`t delete admin') throw new ZError(12, 'can`t delete admin')
} }
let admin = req.user
if (admin.id === account.id ) {
throw new ZError(14, 'can not delete self')
}
if (admin.level > 1) {
if (admin.department !== account.department || account.level < admin.level) {
throw new ZError(13, 'operate no permission')
}
}
account.deleted = true account.deleted = true
account.deleteTime = new Date() account.deleteTime = new Date()
await account.save() await account.save()
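Review bot: The new level gate in save() (`if (admin.level > account.level)` in the `@ -56,6 +57,10` hunk) does not scope a department admin to their own department the way the new checks in changeLocked() and deleteAdmin() do (`admin.department !== account.department`), so an admin with level > 1 can still edit any existing account in another department whose level number is at least their own. A guard consistent with the other two methods, placed after the level check and limited to existing accounts so a freshly created Admin (whose department is assigned later in the same method) is not rejected, would be `if (id && admin.level > 1 && admin.department !== account.department) { throw new ZError(13, 'operate no permission') }`. Note also that `account.roles = roles` is still assigned straight from the request, so the cap `Math.max(level, admin.level)` on `account.level` does not by itself stop a lower-ranked admin from granting roles it does not hold — if roles carry their own privileges, the same check against the caller's roles is needed. `Math.max(level, admin.level)` yields NaN when `level` arrives as a non-numeric string in req.params, and `if (level)` skips a legitimate 0; save() starts at `async save(req)` in the first hunk and its body is split across several hunks here.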


@ -16,7 +16,7 @@ class RoleController extends BaseController {
return role.toJson() return role.toJson()
} }
@permission('role:read') @permission(['role:read', 'shopadmin:read'])
// @role('sysadmin') // @role('sysadmin')
@router('get /roles') @router('get /roles')
async roles(req) { async roles(req) {
@ -25,6 +25,10 @@ class RoleController extends BaseController {
if (!user.isSysAdmin()) { if (!user.isSysAdmin()) {
queryData.show = true queryData.show = true
} }
const { level } = req.params
if (level != undefined) {
queryData.level = {$gte: level}
}
const records = await AdminRole.find(queryData) const records = await AdminRole.find(queryData)
return records.map(o => o.toJson()) return records.map(o => o.toJson())
} }
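Review bot: The new level filter in roles() takes its lower bound from the client (`const { level } = req.params`) instead of from the caller, so a user who reaches this route through the newly added 'shopadmin:read' permission can simply omit `level` or send `level=0` and list every role regardless of rank; `queryData.show = true` is the only server-side restriction that remains. If the intent is to hide roles more privileged than the caller, derive the bound from the caller's own level (req.user carries a `level` in AccountController's new checks, presumably the same object here): `const bound = level != undefined ? Math.max(Number(level), user.level) : user.level` and `queryData.level = {$gte: bound}`. Separately, if `level` arrives as a string from the query string, `{$gte: '2'}` will not match numeric `level` fields under MongoDB's type ordering, so cast with `Number(level)` and reject NaN before building the query. roles() begins in the preceding hunk.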