fix: distinguish disabled users from invalid tokens - disabled users see public resources as guest, only truly invalid tokens trigger re-login

This commit is contained in:
2026-05-21 10:13:33 +08:00
parent 3b44300216
commit 499c969233
@@ -16,20 +16,19 @@ class AssetAppController extends BaseApiController
const TOKEN_EXPIRE = 86400 * 7;
/**
* @notes 通过 token 获取当前用户(DB 优先,file cache 兜底
* @notes 通过 token 获取当前用户(不检查 status,仅查 token 有效性
*/
private function getAssetUser(): ?AssetUser
private function getAssetUserRaw(): ?AssetUser
{
$token = $this->request->header('token');
if (empty($token)) {
return null;
}
// 方式1: 从数据库 token 字段查找(需要已执行 asset_user_token.sql
// 方式1: 从数据库 token 字段查找
try {
$user = AssetUser::where('token', $token)
->where('token_expire_time', '>', time())
->where('status', 1)
->find();
if ($user) {
return $user;
@@ -38,16 +37,28 @@ class AssetAppController extends BaseApiController
// token 字段不存在时忽略,走 cache 兜底
}
// 方式2: 从 file cache 查找(兼容旧登录 / 未执行 SQL 迁移)
// 方式2: 从 file cache 查找
$userId = cache('asset_token_' . $token);
if ($userId) {
$user = AssetUser::where('id', $userId)->where('status', 1)->find();
$user = AssetUser::where('id', $userId)->find();
return $user ?: null;
}
return null;
}
/**
* @notes 获取当前有效用户(status=1 才返回)
*/
private function getAssetUser(): ?AssetUser
{
$user = $this->getAssetUserRaw();
if ($user && $user->status == 1) {
return $user;
}
return null;
}
/**
* @notes 小程序端登录
*/
@@ -103,16 +114,19 @@ class AssetAppController extends BaseApiController
public function getResourceList()
{
$token = $this->request->header('token');
$user = $this->getAssetUser();
$rawUser = !empty($token) ? $this->getAssetUserRaw() : null;
$user = ($rawUser && $rawUser->status == 1) ? $rawUser : null;
$isDisabled = ($rawUser && $rawUser->status != 1); // 用户存在但被禁用
$type = $this->request->get('type', 1);
$pageNo = $this->request->get('page_no', 1);
$pageSize = $this->request->get('page_size', 20);
$days = (int)$this->request->get('days', 0);
$usageStatus = (int)$this->request->get('usage_status', 0); // 0=全部, 1=未使用, 2=已使用
// 携带了 token 但用户无效(被禁用/过期),返回 -1 触发前端重新登录
if (!empty($token) && !$user) {
return $this->fail('账号已被禁用或登录已过期,请重新登录', [], -1);
// token 但数据库完全找不到这个用户(token 过期或无效)→ 返回 -1 强制重新登录
if (!empty($token) && !$rawUser) {
return $this->fail('登录已过期,请重新登录', [], -1);
}
$query = AssetResource::where('type', $type);
@@ -173,6 +187,7 @@ class AssetAppController extends BaseApiController
'count' => $count,
'page_no' => $pageNo,
'page_size' => $pageSize,
'is_disabled' => $isDisabled, // 通知前端:用户已被禁用,应清除本地 token
]);
}