feat: 增强后台设置校验、代理权限控制与财务审计能力

2026-06-09 13:44:08 +08:00
parent 8d5d7f5b17
commit 41b964a606
25 changed files with 894 additions and 49 deletions
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeAdminUserStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeAdminUserStoreController.php
@@ -10,6 +10,7 @@ use App\Http\Controllers\Controller;
 use App\Services\Agent\AgentAdminUserService;
 use App\Lottery\ErrorCode;
 use App\Support\AdminAgentNodeAccess;
+use App\Support\AdminAgentScope;
 use App\Support\AdminUserApiPresenter;
 use App\Support\ApiMessage;
 use App\Http\Requests\Admin\AgentAdminUserStoreRequest;
@@ -39,6 +40,17 @@ final class AgentNodeAdminUserStoreController extends Controller
            );
        }

+        if (! AdminAgentScope::nodeManageableBy($admin, $agent_node)) {
+            return AdminAgentNodeAccess::denyUnlessCanManageParent($admin, $agent_node)
+                ?? ApiMessage::errorResponse(
+                    $request,
+                    'admin.agent_user_manage_denied',
+                    ErrorCode::AdminForbidden->value,
+                    null,
+                    403,
+                );
+        }
+
        $user = $service->createUnderAgent($agent_node, $request->validated());

        AuditLogger::recordForAdmin(
--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeDestroyController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeDestroyController.php
@@ -47,6 +47,14 @@ final class AgentNodeDestroyController extends Controller
            return ApiMessage::errorResponse($request, 'admin.agent_node_has_players_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
        }

+        if (DB::table('admin_user_agents')->where('agent_node_id', $agent_node->id)->exists()) {
+            return ApiMessage::errorResponse($request, 'admin.agent_node_has_admin_users_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
+        }
+
+        if ($service->hasBlockingCustomRoles($agent_node)) {
+            return ApiMessage::errorResponse($request, 'admin.agent_node_has_roles_cannot_delete', ErrorCode::ValidationFailed->value, null, 422);
+        }
+
        $before = AgentNodePresenter::item($agent_node);
        $service->destroy($agent_node);

--- a/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeRoleStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Agent/AgentNodeRoleStoreController.php
@@ -10,6 +10,7 @@ use App\Http\Controllers\Controller;
 use App\Services\Agent\AgentRoleService;
 use App\Lottery\ErrorCode;
 use App\Support\AdminAgentNodeAccess;
+use App\Support\AdminAgentScope;
 use App\Support\AdminRoleApiPresenter;
 use App\Support\ApiMessage;
 use App\Http\Requests\Admin\AgentRoleStoreRequest;
@@ -39,6 +40,17 @@ final class AgentNodeRoleStoreController extends Controller
            );
        }

+        if (! AdminAgentScope::nodeManageableBy($admin, $agent_node)) {
+            return AdminAgentNodeAccess::denyUnlessCanManageParent($admin, $agent_node)
+                ?? ApiMessage::errorResponse(
+                    $request,
+                    'admin.agent_role_manage_denied',
+                    ErrorCode::AdminForbidden->value,
+                    null,
+                    403,
+                );
+        }
+
        $role = $service->createForAgent($admin, $agent_node, $request->validated());

        AuditLogger::recordForAdmin(
--- a/app/Http/Requests/Admin/AdminSettingBatchUpdateRequest.php
+++ b/app/Http/Requests/Admin/AdminSettingBatchUpdateRequest.php
@@ -4,6 +4,7 @@ namespace App\Http\Requests\Admin;

 use App\Models\AdminUser;
 use App\Http\Requests\ApiFormRequest;
+use App\Support\AdminSettingPolicy;

 final class AdminSettingBatchUpdateRequest extends ApiFormRequest
 {
@@ -22,8 +23,8 @@ final class AdminSettingBatchUpdateRequest extends ApiFormRequest

        foreach ($items as $item) {
            $key = is_array($item) ? (string) ($item['key'] ?? '') : '';
-            if (str_starts_with($key, 'settlement.')) {
-                return $admin->hasAdminPermission('prd.payout.manage');
+            if (! AdminSettingPolicy::canUpdate($admin, $key)) {
+                return false;
            }
        }

@@ -38,4 +39,15 @@ final class AdminSettingBatchUpdateRequest extends ApiFormRequest
            'items.*.value' => ['present'],
        ];
    }
+
+    public function after(): array
+    {
+        return [
+            function (): void {
+                /** @var list<array{key: string, value: mixed}> $items */
+                $items = $this->validated('items', []);
+                AdminSettingPolicy::validateItems($items);
+            },
+        ];
+    }
 }
--- a/app/Http/Requests/Admin/AdminSettingUpdateRequest.php
+++ b/app/Http/Requests/Admin/AdminSettingUpdateRequest.php
@@ -4,6 +4,7 @@ namespace App\Http\Requests\Admin;

 use App\Models\AdminUser;
 use App\Http\Requests\ApiFormRequest;
+use App\Support\AdminSettingPolicy;

 final class AdminSettingUpdateRequest extends ApiFormRequest
 {
@@ -15,11 +16,7 @@ final class AdminSettingUpdateRequest extends ApiFormRequest
        }

        $key = (string) $this->route('key', '');
-        if (str_starts_with($key, 'settlement.')) {
-            return $admin->hasAdminPermission('prd.payout.manage');
-        }
-
-        return true;
+        return AdminSettingPolicy::canUpdate($admin, $key);
    }

    public function rules(): array
@@ -28,4 +25,17 @@ final class AdminSettingUpdateRequest extends ApiFormRequest
            'value' => ['present'],
        ];
    }
+
+    public function after(): array
+    {
+        return [
+            function (): void {
+                $key = (string) $this->route('key', '');
+                AdminSettingPolicy::validateItems([[
+                    'key' => $key,
+                    'value' => $this->validated('value'),
+                ]]);
+            },
+        ];
+    }
 }