refactor: 更新权限管理与请求验证逻辑

- 在多个控制器中将权限检查从 hasAdminPermission 更新为 hasPermissionCode，以增强权限管理的灵活性。 - 引入 AdminScopePolicy，优化基于代理节点的权限和数据过滤逻辑，确保管理员能够更精确地控制访问权限。 - 在请求验证中添加 agent_node_id 字段，确保 API 接口支持代理节点的相关操作。 - 更新 AdminUser 模型，新增 hasPermissionCode 方法，以支持更细粒度的权限检查。 - 优化审计日志记录逻辑，确保在处理请求时能够准确记录管理员的操作。
2026-06-03 10:07:38 +08:00
parent 0841fbed32
commit 1dcd4716c5
64 changed files with 2054 additions and 344 deletions
--- a/app/Services/Agent/AgentRoleService.php
+++ b/app/Services/Agent/AgentRoleService.php
@@ -5,6 +5,7 @@ namespace App\Services\Agent;
 use App\Models\AdminRole;
 use App\Models\AdminUser;
 use App\Models\AgentNode;
+use App\Support\AdminPermissionInheritance;
 use App\Support\AgentRoleAuthorization;
 use Illuminate\Support\Facades\DB;
 use Illuminate\Validation\ValidationException;
@@ -16,10 +17,14 @@ final class AgentRoleService
     */
    public function createForAgent(AdminUser $actor, AgentNode $owner, array $payload): AdminRole
    {
+        $permissionSlugs = AdminPermissionInheritance::expand(
+            array_values(array_unique($payload['permission_slugs'] ?? [])),
+        );
+
        AgentRoleAuthorization::assertSlugsForAgentRole(
            $actor,
            $owner,
-            array_values(array_unique($payload['permission_slugs'] ?? [])),
+            $permissionSlugs,
        );

        $slug = trim((string) $payload['slug']);
@@ -30,7 +35,7 @@ final class AgentRoleService
            throw ValidationException::withMessages(['slug' => ['unique']]);
        }

-        return DB::transaction(function () use ($payload, $owner, $slug): AdminRole {
+        return DB::transaction(function () use ($payload, $owner, $slug, $permissionSlugs): AdminRole {
            $role = AdminRole::query()->create([
                'slug' => $slug,
                'code' => $slug,
@@ -44,7 +49,7 @@ final class AgentRoleService
                'delegated_from_role_id' => null,
            ]);

-            $role->syncLegacyPermissionSlugs($payload['permission_slugs'] ?? []);
+            $role->syncLegacyPermissionSlugs($permissionSlugs);

            return $role->fresh();
        });
@@ -80,6 +85,7 @@ final class AgentRoleService
     */
    public function syncPermissions(AdminUser $actor, AdminRole $role, array $permissionSlugs): AdminRole
    {
+        $permissionSlugs = AdminPermissionInheritance::expand($permissionSlugs);
        $owner = AgentNode::query()->findOrFail((int) $role->owner_agent_id);
        AgentRoleAuthorization::assertSlugsForAgentRole($actor, $owner, $permissionSlugs);
        $role->syncLegacyPermissionSlugs($permissionSlugs);