- 模型去掉 defaultSoftDelete=0,避免 ThinkPHP 软删过滤导致新增记录"隐形" - 菜单 paths 改相对路径并新增「自录数据统计」目录,迁移已有菜单 - Lists/Overview 补部门关联、支持按部门筛选 - 数据权限改由 self_input_stats_view_all_roles 白名单 + DataScope 控制, 编辑/删除完全交给按钮权限校验(移除"仅本人可改"硬限制) - 新增 /stats.self_input/mediaSourceOptions 接口,统计页/账户消耗页/录入弹窗 共用 useMediaSourceOptions + MediaSourceSelect,去重动态加载 Co-authored-by: Cursor <cursoragent@cursor.com>
200 lines
7.0 KiB
PHP
Executable File
200 lines
7.0 KiB
PHP
Executable File
<?php
|
||
// +----------------------------------------------------------------------
|
||
// | likeadmin快速开发前后端分离管理后台(PHP版)
|
||
// +----------------------------------------------------------------------
|
||
// | 欢迎阅读学习系统程序代码,建议反馈是我们前进的动力
|
||
// | 开源版本可自由商用,可去除界面版权logo
|
||
// | gitee下载:https://gitee.com/likeshop_gitee/likeadmin
|
||
// | github下载:https://github.com/likeshop-github/likeadmin
|
||
// | 访问官网:https://www.likeadmin.cn
|
||
// | likeadmin团队 版权所有 拥有最终解释权
|
||
// +----------------------------------------------------------------------
|
||
// | author: likeadminTeam
|
||
// +----------------------------------------------------------------------
|
||
|
||
declare (strict_types=1);
|
||
|
||
namespace app\adminapi\http\middleware;
|
||
|
||
use app\adminapi\logic\LoginLogic;
|
||
use app\common\{
|
||
cache\AdminAuthCache,
|
||
service\JsonService
|
||
};
|
||
use think\helper\Str;
|
||
|
||
/**
|
||
* 权限验证中间件
|
||
* Class AuthMiddleware
|
||
* @package app\adminapi\http\middleware
|
||
*/
|
||
class AuthMiddleware
|
||
{
|
||
/**
|
||
* @notes 权限验证
|
||
* @param $request
|
||
* @param \Closure $next
|
||
* @return mixed
|
||
* @author 令狐冲
|
||
* @date 2021/7/2 19:29
|
||
*/
|
||
public function handle($request, \Closure $next)
|
||
{
|
||
//不登录访问,无需权限验证
|
||
if ($request->controllerObject->isNotNeedLogin()) {
|
||
return $next($request);
|
||
}
|
||
|
||
if ($request->adminInfo['login_ip'] != request()->ip()) {
|
||
return JsonService::fail('ip地址发生变化,请重新登录', [], -1);
|
||
}
|
||
|
||
// 非 root 待绑企微:放行绑定 / 解绑 / 个人信息 / 退出(避免无菜单权限;action 与路由大小写一致)
|
||
if (LoginLogic::adminMustBindWorkWechat($request->adminInfo)) {
|
||
if (LoginLogic::isWorkWechatBindExemptActionName((string) $request->action())) {
|
||
return $next($request);
|
||
}
|
||
}
|
||
|
||
//系统默认超级管理员,无需权限验证
|
||
if (1 === $request->adminInfo['root']) {
|
||
return $next($request);
|
||
}
|
||
|
||
// 面诊进度看板:仅登录即可拉医生列表 + 预约列表(须带 progress_board=1,见 AdminLists / AppointmentLists 内限制)
|
||
if ($this->isFaceProgressBoardPublicLists($request)) {
|
||
return $next($request);
|
||
}
|
||
|
||
$adminAuthCache = new AdminAuthCache($request->adminInfo['admin_id']);
|
||
|
||
// 当前访问路径
|
||
$accessUri = strtolower($request->controller() . '/' . $request->action());
|
||
// 全部路由
|
||
$allUri = $this->formatUrl($adminAuthCache->getAllUri());
|
||
|
||
// 判断该当前访问的uri是否存在,不存在无需验证
|
||
if (!in_array($accessUri, $allUri)) {
|
||
return $next($request);
|
||
}
|
||
|
||
// 当前管理员拥有的路由权限
|
||
$AdminUris = $adminAuthCache->getAdminUri() ?? [];
|
||
$AdminUris = $this->formatUrl($AdminUris);
|
||
|
||
if (in_array($accessUri, $AdminUris) || $this->matchPermissionAlias($accessUri, $AdminUris)) {
|
||
return $next($request);
|
||
}
|
||
return JsonService::fail('权限不足,无法访问或操作');
|
||
}
|
||
|
||
|
||
/**
|
||
* @notes 格式化URL
|
||
* @param array $data
|
||
* @return array|string[]
|
||
* @author 段誉
|
||
* @date 2022/7/7 15:39
|
||
*/
|
||
public function formatUrl(array $data)
|
||
{
|
||
return array_map(function ($item) {
|
||
return strtolower(Str::camel($item));
|
||
}, $data);
|
||
}
|
||
|
||
/**
|
||
* 日常记录权限域:前端统一收口到 tcm.diagnosis/dailyRecord,
|
||
* 但待办/跟踪备注接口仍保留历史路由名,故在鉴权层做精确别名映射。
|
||
*/
|
||
private function matchPermissionAlias(string $accessUri, array $adminUris): bool
|
||
{
|
||
if (in_array('tcm.diagnosis/dailyrecord', $adminUris, true)
|
||
&& in_array($accessUri, [
|
||
'tcm.diagnosistodo/lists',
|
||
'tcm.diagnosistodo/add',
|
||
'tcm.diagnosistodo/cancel',
|
||
'tcm.diagnosis/trackingnotes',
|
||
'tcm.diagnosis/addtrackingnote',
|
||
], true)) {
|
||
return true;
|
||
}
|
||
|
||
// 导出与列表共用 PrescriptionOrderLists 数据域;角色漏勾「导出订单」子权限时仍返回 权限不足
|
||
if ($accessUri === 'tcm.prescriptionorder/export'
|
||
&& in_array('tcm.prescriptionorder/lists', $adminUris, true)) {
|
||
return true;
|
||
}
|
||
|
||
// 挂号列表批量改渠道:与单条编辑同一数据域,复用 doctor.appointment/edit
|
||
if ($accessUri === 'doctor.appointment/batcheditchannel'
|
||
&& in_array('doctor.appointment/edit', $adminUris, true)) {
|
||
return true;
|
||
}
|
||
|
||
// 自录转化统计:自媒体来源下拉,复用总览或账户消耗列表权限
|
||
if ($accessUri === 'stats.selfinput/mediasourceoptions') {
|
||
$selfInputAliases = [
|
||
'stats.selfinput/overview',
|
||
'stats.self_input/overview',
|
||
'stats.personalaccountcost/lists',
|
||
'stats.personal_account_cost/lists',
|
||
];
|
||
if (count(array_intersect($selfInputAliases, $AdminUris)) > 0) {
|
||
return true;
|
||
}
|
||
}
|
||
|
||
// 处方库列表:消费者开方页/处方库页导入共用,复用开方或处方库菜单权限
|
||
if ($accessUri === 'tcm.prescriptionlibrary/lists'
|
||
&& $this->matchPrescriptionLibraryListsPermission($adminUris)) {
|
||
return true;
|
||
}
|
||
|
||
return false;
|
||
}
|
||
|
||
/**
|
||
* 处方库 lists:与开方、处方库维护菜单权限互通(避免开方页「从处方库导入」403)
|
||
*/
|
||
private function matchPrescriptionLibraryListsPermission(array $adminUris): bool
|
||
{
|
||
$aliases = [
|
||
'tcm.prescriptionlibrary/lists',
|
||
'tcm.prescription/lists',
|
||
'tcm.prescription/add',
|
||
'tcm.prescription/edit',
|
||
'tcm.prescription/detail',
|
||
'cf.prescription/lists',
|
||
'cf.prescription/add',
|
||
'cf.prescription/edit',
|
||
'cf.prescription/read',
|
||
'cf.prescription/del',
|
||
'cf.prescription/audit',
|
||
'wcf.prescription/lists',
|
||
'wcf.prescription/read',
|
||
'wcf.prescription/add',
|
||
'wcf.prescription/edit',
|
||
'wcf.prescription/delete',
|
||
];
|
||
|
||
return count(array_intersect($aliases, $adminUris)) > 0;
|
||
}
|
||
|
||
/**
|
||
* 面诊进度专用:auth.admin/lists、doctor.appointment/lists + progress_board=1,不校验菜单权限
|
||
*/
|
||
private function isFaceProgressBoardPublicLists($request): bool
|
||
{
|
||
if ((int) $request->param('progress_board', 0) !== 1) {
|
||
return false;
|
||
}
|
||
if (strtolower((string) $request->action()) !== 'lists') {
|
||
return false;
|
||
}
|
||
$c = strtolower((string) $request->controller());
|
||
|
||
return in_array($c, ['auth.admin', 'doctor.appointment'], true);
|
||
}
|
||
}
|