From 499c969233a5800d5a676ac97ea2e141f3048383 Mon Sep 17 00:00:00 2001 From: long <452591453@qq.com> Date: Thu, 21 May 2026 10:13:33 +0800 Subject: [PATCH] fix: distinguish disabled users from invalid tokens - disabled users see public resources as guest, only truly invalid tokens trigger re-login --- .../controller/asset/AssetAppController.php | 35 +++++++++++++------ 1 file changed, 25 insertions(+), 10 deletions(-) diff --git a/server/app/api/controller/asset/AssetAppController.php b/server/app/api/controller/asset/AssetAppController.php index 2d254bae..46ef4d00 100644 --- a/server/app/api/controller/asset/AssetAppController.php +++ b/server/app/api/controller/asset/AssetAppController.php @@ -16,20 +16,19 @@ class AssetAppController extends BaseApiController const TOKEN_EXPIRE = 86400 * 7; /** - * @notes 通过 token 获取当前用户(DB 优先,file cache 兜底) + * @notes 通过 token 获取当前用户(不检查 status,仅查 token 有效性) */ - private function getAssetUser(): ?AssetUser + private function getAssetUserRaw(): ?AssetUser { $token = $this->request->header('token'); if (empty($token)) { return null; } - // 方式1: 从数据库 token 字段查找(需要已执行 asset_user_token.sql) + // 方式1: 从数据库 token 字段查找 try { $user = AssetUser::where('token', $token) ->where('token_expire_time', '>', time()) - ->where('status', 1) ->find(); if ($user) { return $user; @@ -38,16 +37,28 @@ class AssetAppController extends BaseApiController // token 字段不存在时忽略,走 cache 兜底 } - // 方式2: 从 file cache 查找(兼容旧登录 / 未执行 SQL 迁移) + // 方式2: 从 file cache 查找 $userId = cache('asset_token_' . $token); if ($userId) { - $user = AssetUser::where('id', $userId)->where('status', 1)->find(); + $user = AssetUser::where('id', $userId)->find(); return $user ?: null; } return null; } + /** + * @notes 获取当前有效用户(status=1 才返回) + */ + private function getAssetUser(): ?AssetUser + { + $user = $this->getAssetUserRaw(); + if ($user && $user->status == 1) { + return $user; + } + return null; + } + /** * @notes 小程序端登录 */ @@ -103,16 +114,19 @@ class AssetAppController extends BaseApiController public function getResourceList() { $token = $this->request->header('token'); - $user = $this->getAssetUser(); + $rawUser = !empty($token) ? $this->getAssetUserRaw() : null; + $user = ($rawUser && $rawUser->status == 1) ? $rawUser : null; + $isDisabled = ($rawUser && $rawUser->status != 1); // 用户存在但被禁用 + $type = $this->request->get('type', 1); $pageNo = $this->request->get('page_no', 1); $pageSize = $this->request->get('page_size', 20); $days = (int)$this->request->get('days', 0); $usageStatus = (int)$this->request->get('usage_status', 0); // 0=全部, 1=未使用, 2=已使用 - // 携带了 token 但用户无效(被禁用/过期),返回 -1 触发前端重新登录 - if (!empty($token) && !$user) { - return $this->fail('账号已被禁用或登录已过期,请重新登录', [], -1); + // 有 token 但数据库完全找不到这个用户(token 过期或无效)→ 返回 -1 强制重新登录 + if (!empty($token) && !$rawUser) { + return $this->fail('登录已过期,请重新登录', [], -1); } $query = AssetResource::where('type', $type); @@ -173,6 +187,7 @@ class AssetAppController extends BaseApiController 'count' => $count, 'page_no' => $pageNo, 'page_size' => $pageSize, + 'is_disabled' => $isDisabled, // 通知前端:用户已被禁用,应清除本地 token ]); }