feat: restrict permission roles
+20
-12
@@ -31,11 +31,11 @@ func toUserDTO(user models.User) models.UserDTO {
|
||||
}
|
||||
|
||||
func hasBackendAccess(role string) bool {
|
||||
return role == "admin" || role == "technician"
|
||||
return models.HasBackendAccess(role)
|
||||
}
|
||||
|
||||
func isValidEmployeeRole(role string) bool {
|
||||
return role == "admin" || role == "technician" || role == "employee"
|
||||
func isValidManagedRole(role string) bool {
|
||||
return models.IsWorkOrderRole(role)
|
||||
}
|
||||
|
||||
// Create 创建用户
|
||||
@@ -62,11 +62,11 @@ func (s *UsersService) Create(dto models.CreateUserDTO) (*models.UserDTO, error)
|
||||
if position == "" {
|
||||
return nil, errors.New("岗位不能为空")
|
||||
}
|
||||
if !isValidEmployeeRole(role) {
|
||||
return nil, errors.New("角色不正确")
|
||||
if !isValidManagedRole(role) {
|
||||
return nil, errors.New("权限管理只能创建软件工程师、硬件工程师、商务经理、项目经理")
|
||||
}
|
||||
if hasBackendAccess(role) && len(dto.Password) < 6 {
|
||||
return nil, errors.New("管理员和技术员必须设置至少 6 位初始密码")
|
||||
return nil, errors.New("工单处理账号必须设置至少 6 位初始密码")
|
||||
}
|
||||
|
||||
var existing models.User
|
||||
@@ -133,7 +133,12 @@ func (s *UsersService) FindAll(page int, limit int, role string, search string)
|
||||
|
||||
db := database.DB.Model(&models.User{}).Preload("EmployeeSerials")
|
||||
if role != "" {
|
||||
if !models.IsAssignableWorkOrderRole(role) {
|
||||
return []models.UserDTO{}, 0, 0, nil
|
||||
}
|
||||
db = db.Where("role = ?", role)
|
||||
} else {
|
||||
db = db.Where("role IN ?", models.AssignableWorkOrderRoles)
|
||||
}
|
||||
if search != "" {
|
||||
pattern := "%" + search + "%"
|
||||
@@ -159,11 +164,11 @@ func (s *UsersService) FindAll(page int, limit int, role string, search string)
|
||||
return result, int(total), totalPages, nil
|
||||
}
|
||||
|
||||
// FindAssignable 获取可分配的用户(admin + technician),用于售后工单分配
|
||||
// FindAssignable 获取可分配的工单处理人员,用于工单分配
|
||||
func (s *UsersService) FindAssignable() ([]models.UserDTO, error) {
|
||||
var users []models.User
|
||||
if err := database.DB.Where("role IN ?", []string{"admin", "technician"}).
|
||||
Order("role DESC, created_at ASC").Find(&users).Error; err != nil {
|
||||
if err := database.DB.Where("role IN ?", models.AssignableWorkOrderRoles).
|
||||
Order("created_at ASC").Find(&users).Error; err != nil {
|
||||
return nil, fmt.Errorf("查询可分配用户失败: %w", err)
|
||||
}
|
||||
result := make([]models.UserDTO, 0, len(users))
|
||||
@@ -206,8 +211,11 @@ func (s *UsersService) Update(userId uint, dto models.UpdateUserDTO, currentUser
|
||||
user.Position = strings.TrimSpace(dto.Position)
|
||||
}
|
||||
if dto.Role != "" {
|
||||
if !isValidEmployeeRole(dto.Role) {
|
||||
return nil, errors.New("角色不正确")
|
||||
if !isValidManagedRole(dto.Role) {
|
||||
return nil, errors.New("权限管理只能设置软件工程师、硬件工程师、商务经理、项目经理")
|
||||
}
|
||||
if user.Role == "admin" {
|
||||
return nil, errors.New("不能通过权限管理修改管理员角色")
|
||||
}
|
||||
// 防止管理员把自己降级
|
||||
if user.ID == currentUserId && user.Role == "admin" && dto.Role != "admin" {
|
||||
@@ -231,7 +239,7 @@ func (s *UsersService) ResetPassword(userId uint, newPassword string) error {
|
||||
return errors.New("用户不存在")
|
||||
}
|
||||
if !hasBackendAccess(user.Role) {
|
||||
return errors.New("员工无后台登录权限,不能设置密码")
|
||||
return errors.New("该账号无后台登录权限,不能设置密码")
|
||||
}
|
||||
|
||||
hashed, err := bcrypt.GenerateFromPassword([]byte(newPassword), bcrypt.DefaultCost)
|
||||
|
||||
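Review bot: Create and Update validate the role through `isValidManagedRole`, which delegates to `models.IsWorkOrderRole`, while FindAll and FindAssignable filter with `models.IsAssignableWorkOrderRole` and `models.AssignableWorkOrderRoles`; if those two sets are not identical, an account can pass creation validation yet never appear in the management listing or the assignment list, leaving a live backend account that the UI cannot see or edit. Unless the models package guarantees the sets match, `isValidManagedRole` should use the same predicate as the listing, `return models.IsAssignableWorkOrderRole(role)`, so validation and listing share one definition. The error strings in Create and Update enumerate the four allowed roles by hand and will silently drift from whatever the models list contains; consider deriving the message from that list. In Update, the self-demotion guard `if user.ID == currentUserId && user.Role == "admin" && dto.Role != "admin"` appears unreachable now that the preceding `user.Role == "admin"` check already returns, so it should be removed or annotated. The bodies of Create, FindAll, Update and ResetPassword continue outside their hunks.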