增加非自己数据的判断

4 years ago · cdfa013254
4 changed files with 75 additions and 15 deletions
--- a/app/AdminAgent/Controllers/AgentProductController.php
+++ b/app/AdminAgent/Controllers/AgentProductController.php
@ -100,7 +100,12 @@ class AgentProductController extends AdminController
    protected function detail($id)
    {
        return Show::make($id, new AgentProduct(['agent:id,name', 'product.supplier:id,name']), function (Show $show) {
-            $show->field('id');
+			//不允许查看非自己的数据
+			if ($show->model()->agent_id != Admin::user()->id) {
+				Admin::exit('数据不存在');
+			}
+
+			$show->field('id');
            $show->field('agent_id');
            $show->field('product_id');
            $show->field('price');
@ -137,7 +142,12 @@ class AgentProductController extends AdminController
        return Form::make(new AgentProduct(['product:id,title']), function (Form $form) {
 			$agent_id = Admin::user()->id;

-            $form->display('id');
+			//不允许查看非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
+			$form->display('id');
            $form->hidden('agent_id')->value($agent_id);
 			$form->hidden('status')->value(ProductStatus::UNAUDITED);
 			$form->hidden('product_id');
@ -167,6 +177,11 @@ class AgentProductController extends AdminController
 				->default(settlement::INSTANT)
 				->required();
        })->saving(function (Form $form) {
+			//不允许修改非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
 			$agent_id = Admin::user()->id;

 			//判断供应商产品是否存在或下架
--- a/app/AdminAgent/Controllers/CategoryController.php
+++ b/app/AdminAgent/Controllers/CategoryController.php
@ -37,6 +37,8 @@ class CategoryController extends AdminController
    protected function grid()
    {
        return Grid::make(new Category(), function (Grid $grid) {
+        	$grid->model()->where('agent_id', Admin::user()->id);
+
            $grid->column('id')->sortable();
            $grid->column('name');
            $grid->column('pid');
@ -55,7 +57,12 @@ class CategoryController extends AdminController
    protected function detail($id)
    {
        return Show::make($id, new Category(), function (Show $show) {
-            $show->field('id');
+			//不允许查看非自己的数据
+			if ($show->model()->agent_id != Admin::user()->id) {
+				Admin::exit('数据不存在');
+			}
+
+			$show->field('id');
            $show->field('name');
            $show->field('pid');
            $show->field('sort');
@ -75,27 +82,33 @@ class CategoryController extends AdminController
 			$options = Category::selectOptions(fn($query) => $query->where('agent_id', $agent_id));

        	$form->display('id');
-            $form->hidden('agent_id')->value($agent_id)->required();
 			$form->select('pid')->options($options)->required();
            $form->text('name')->required();
            $form->text('sort')->default(255)->help('越小越靠前');
 //            $form->text('template');
        })->saving(function (Form $form) {
+			//不允许修改非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
 			//不允许编辑的字段
 			$form->ignore(['id', 'deleted_at']);

 			$form->agent_id = Admin::user()->id;
 			$form->sort = $form->sort ?? 255;
 		})->deleting(function (Form $form) {
-			//获取到要删除分类的ID
-			$category_id = (int)$form->getKey();
+			//不允许修改非自己的数据
+			if ($form->model()[0]['agent_id'] != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}

 			//获取要删除类目的所有下级ID
 			$agent_id = Admin::user()->id;
 			$category = Category::where('agent_id', $agent_id)->pluck('pid', 'id')->toArray();
-			$ids = getChildCate($category_id, $category);
+			$ids = getChildCate((int)$form->getKey(), $category);

-			if (AgentProduct::query()->where('agent_id', $agent_id)->whereIn('category_id', $ids)->exists()) {
+			if (AgentProduct::where('agent_id', $agent_id)->whereIn('category_id', $ids)->exists()) {
 				return $form->response()->error('该分类下已经发布产品，不允许删除');
 			}
 		});
--- a/app/AdminAgent/Controllers/OrderController.php
+++ b/app/AdminAgent/Controllers/OrderController.php
@ -83,9 +83,12 @@ class OrderController extends AdminController
        return Show::make($id, new Order(['product.supplier:id,name']), function (Show $show) {
 			$show->disableDeleteButton();

-			$show->repository()->model()->where('agent_id', Admin::user()->id);
+			//不允许查看非自己的数据
+			if ($show->model()->agent_id != Admin::user()->id) {
+				Admin::exit('数据不存在');
+			}

-            $show->field('id');
+			$show->field('id');
            $show->field('user_id');
            $show->field('order_no');
            $show->field('agent_product_id', '代理商产品ID');
@ -115,11 +118,24 @@ class OrderController extends AdminController
        return Form::make(new Order(), function (Form $form) {
 			$form->disableDeleteButton();

-            $form->display('id');
+			//不允许查看非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
+			$form->display('id');
            $form->text('name');
            $form->text('mobile');
            $form->select('status')->options(OrderStatus::array());
        })->saving(function (Form $form) {
+			//不允许修改非自己的数据
+			if ($form->isCreating()) {
+				return $form->response()->error('不允许此操作');
+			}
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
 			//不允许编辑的字段
 			$form->ignore(['id', 'user_id', 'agent_id', 'agent_product_id', 'product_id', 'product_ids', 'order_no',
 				'pay_type', 'paid_money', 'created_at', 'updated_at', 'deleted_at']);
--- a/app/AdminAgent/Controllers/UserController.php
+++ b/app/AdminAgent/Controllers/UserController.php
@ -56,7 +56,12 @@ class UserController extends AdminController
        return Show::make($id, new User(), function (Show $show) {
 			$show->disableDeleteButton();

-            $show->field('id');
+			//不允许查看非自己的数据
+			if ($show->model()->agent_id != Admin::user()->id) {
+				Admin::exit('数据不存在');
+			}
+
+			$show->field('id');
            $show->field('avatar')->image(80, 80);
            $show->field('mobile');
            $show->field('nickname');
@ -76,15 +81,26 @@ class UserController extends AdminController
        return Form::make(new User(), function (Form $form) {
 			$form->disableDeleteButton();

-            $form->display('id');
+			//不允许查看非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
+			$form->display('id');
 			$form->display('nickname');
            $form->text('mobile');
            $form->switch('status');
            $form->switch('verifier');
        })->saving(function (Form $form) {
-        	//不允许编辑的字段
-			$form->ignore(['id', 'nickname', 'deleted_at']);
+			//不允许修改非自己的数据
+			if ($form->isEditing() && $form->model()->agent_id != Admin::user()->id) {
+				return $form->response()->error('数据不存在');
+			}
+
+			//不允许编辑的字段
+			$form->ignore(['id', 'agent_id', 'nickname', 'deleted_at']);

+			//处理特殊字段
        	$form->agent_id = Admin::user()->id;
 			$form->status = $form->status ? 1 : 0;
 			$form->verifier = $form->verifier ? 1 : 0;