webman迁移-优化

2026-03-18 15:10:40 +08:00
parent ea77c7b3a1
commit e2ae55319e
70 changed files with 1278 additions and 137 deletions
--- a/dafuweng-webman/app/admin/library/traits/Backend.php
+++ b/dafuweng-webman/app/admin/library/traits/Backend.php
@@ -16,6 +16,7 @@ trait Backend
 {
    /**
     * 排除入库字段
+     * 时间戳字段（create_time/update_time）由模型自动维护，禁止前端传入非法值（如 'now'）
     */
    protected function excludeFields(array $params): array
    {
@@ -23,8 +24,13 @@ trait Backend
            $this->preExcludeFields = explode(',', (string) $this->preExcludeFields);
        }

-        foreach ($this->preExcludeFields as $field) {
-            if (array_key_exists($field, $params)) {
+        $exclude = array_merge(
+            $this->preExcludeFields,
+            ['create_time', 'update_time', 'createtime', 'updatetime']
+        );
+        foreach ($exclude as $field) {
+            $field = trim($field);
+            if ($field !== '' && array_key_exists($field, $params)) {
                unset($params[$field]);
            }
        }
@@ -37,7 +43,7 @@ trait Backend
    protected function _index(): Response
    {
        if ($this->request && $this->request->get('select')) {
-            $this->select();
+            return $this->select($this->request);
        }

        list($where, $alias, $limit, $order) = $this->queryBuilder();
@@ -56,6 +62,25 @@ trait Backend
        ]);
    }

+    /**
+     * 递归应用输入过滤（如 clean_xss）
+     */
+    protected function applyInputFilter(array $data): array
+    {
+        if (!$this->inputFilter || !function_exists($this->inputFilter)) {
+            return $data;
+        }
+        $filter = $this->inputFilter;
+        foreach ($data as $k => $v) {
+            if (is_string($v)) {
+                $data[$k] = call_user_func($filter, $v);
+            } elseif (is_array($v)) {
+                $data[$k] = $this->applyInputFilter($v);
+            }
+        }
+        return $data;
+    }
+
    /**
     * 添加（内部实现）
     */
@@ -67,6 +92,7 @@ trait Backend
                return $this->error(__('Parameter %s can not be empty', ['']));
            }

+            $data = $this->applyInputFilter($data);
            $data = $this->excludeFields($data);
            if ($this->dataLimit && $this->dataLimitFieldAutoFill) {
                $data[$this->dataLimitField] = $this->auth->id;
@@ -123,6 +149,7 @@ trait Backend
                return $this->error(__('Parameter %s can not be empty', ['']));
            }

+            $data = $this->applyInputFilter($data);
            $data = $this->excludeFields($data);
            $result = false;
            $this->model->startTrans();
@@ -272,9 +299,9 @@ trait Backend
    }

    /**
-     * 加载为 select(远程下拉选择框)数据
+     * 加载为 select(远程下拉选择框)数据，子类可覆盖
     */
-    public function select(): void
+    protected function _select(): void
    {
    }
 }