fix: distinguish disabled users from invalid tokens - disabled users see public resources as guest, only truly invalid tokens trigger re-login
This commit is contained in:
@@ -16,20 +16,19 @@ class AssetAppController extends BaseApiController
|
||||
const TOKEN_EXPIRE = 86400 * 7;
|
||||
|
||||
/**
|
||||
* @notes 通过 token 获取当前用户(DB 优先,file cache 兜底)
|
||||
* @notes 通过 token 获取当前用户(不检查 status,仅查 token 有效性)
|
||||
*/
|
||||
private function getAssetUser(): ?AssetUser
|
||||
private function getAssetUserRaw(): ?AssetUser
|
||||
{
|
||||
$token = $this->request->header('token');
|
||||
if (empty($token)) {
|
||||
return null;
|
||||
}
|
||||
|
||||
// 方式1: 从数据库 token 字段查找(需要已执行 asset_user_token.sql)
|
||||
// 方式1: 从数据库 token 字段查找
|
||||
try {
|
||||
$user = AssetUser::where('token', $token)
|
||||
->where('token_expire_time', '>', time())
|
||||
->where('status', 1)
|
||||
->find();
|
||||
if ($user) {
|
||||
return $user;
|
||||
@@ -38,16 +37,28 @@ class AssetAppController extends BaseApiController
|
||||
// token 字段不存在时忽略,走 cache 兜底
|
||||
}
|
||||
|
||||
// 方式2: 从 file cache 查找(兼容旧登录 / 未执行 SQL 迁移)
|
||||
// 方式2: 从 file cache 查找
|
||||
$userId = cache('asset_token_' . $token);
|
||||
if ($userId) {
|
||||
$user = AssetUser::where('id', $userId)->where('status', 1)->find();
|
||||
$user = AssetUser::where('id', $userId)->find();
|
||||
return $user ?: null;
|
||||
}
|
||||
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @notes 获取当前有效用户(status=1 才返回)
|
||||
*/
|
||||
private function getAssetUser(): ?AssetUser
|
||||
{
|
||||
$user = $this->getAssetUserRaw();
|
||||
if ($user && $user->status == 1) {
|
||||
return $user;
|
||||
}
|
||||
return null;
|
||||
}
|
||||
|
||||
/**
|
||||
* @notes 小程序端登录
|
||||
*/
|
||||
@@ -103,16 +114,19 @@ class AssetAppController extends BaseApiController
|
||||
public function getResourceList()
|
||||
{
|
||||
$token = $this->request->header('token');
|
||||
$user = $this->getAssetUser();
|
||||
$rawUser = !empty($token) ? $this->getAssetUserRaw() : null;
|
||||
$user = ($rawUser && $rawUser->status == 1) ? $rawUser : null;
|
||||
$isDisabled = ($rawUser && $rawUser->status != 1); // 用户存在但被禁用
|
||||
|
||||
$type = $this->request->get('type', 1);
|
||||
$pageNo = $this->request->get('page_no', 1);
|
||||
$pageSize = $this->request->get('page_size', 20);
|
||||
$days = (int)$this->request->get('days', 0);
|
||||
$usageStatus = (int)$this->request->get('usage_status', 0); // 0=全部, 1=未使用, 2=已使用
|
||||
|
||||
// 携带了 token 但用户无效(被禁用/过期),返回 -1 触发前端重新登录
|
||||
if (!empty($token) && !$user) {
|
||||
return $this->fail('账号已被禁用或登录已过期,请重新登录', [], -1);
|
||||
// 有 token 但数据库完全找不到这个用户(token 过期或无效)→ 返回 -1 强制重新登录
|
||||
if (!empty($token) && !$rawUser) {
|
||||
return $this->fail('登录已过期,请重新登录', [], -1);
|
||||
}
|
||||
|
||||
$query = AssetResource::where('type', $type);
|
||||
@@ -173,6 +187,7 @@ class AssetAppController extends BaseApiController
|
||||
'count' => $count,
|
||||
'page_no' => $pageNo,
|
||||
'page_size' => $pageSize,
|
||||
'is_disabled' => $isDisabled, // 通知前端:用户已被禁用,应清除本地 token
|
||||
]);
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user