feat: 增强后台设置校验、代理权限控制与财务审计能力

2026-06-09 13:44:08 +08:00
parent 8d5d7f5b17
commit 41b964a606
25 changed files with 894 additions and 49 deletions
--- a/tests/Feature/AdminAgentNodeApiTest.php
+++ b/tests/Feature/AdminAgentNodeApiTest.php
@@ -9,6 +9,7 @@ use Illuminate\Foundation\Testing\RefreshDatabase;
 uses(RefreshDatabase::class);

 beforeEach(function (): void {
+    ensureAdminActionCatalogSeeded();
    $this->artisan('lottery:admin-auth-sync')->assertExitCode(0);
 });

@@ -209,6 +210,58 @@ test('agent operator can create child under own node but not under sibling', fun
        ->assertForbidden();
 });

+test('agent operator cannot create role or admin user under descendant node', function (): void {
+    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
+    $rootId = agentRootNodeId($siteId);
+    $service = app(\App\Services\Agent\AgentNodeService::class);
+    $super = AdminUser::query()->create([
+        'username' => 'bootstrap4',
+        'name' => 'Bootstrap',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($super);
+
+    $nodeA = $service->createChild($super, agentChildPayload([
+        'parent_id' => $rootId,
+        'code' => 'branch-a3',
+        'name' => 'Branch A3',
+    ]));
+    $child = $service->createChild($super, agentChildPayload([
+        'parent_id' => $nodeA->id,
+        'code' => 'branch-a3-child',
+        'name' => 'Branch A3 Child',
+    ]));
+
+    $operator = AdminUser::query()->create([
+        'username' => 'agent_a3_ops',
+        'name' => 'A3 Ops',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantAgentOperatorRole($operator, $nodeA);
+    $token = $operator->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/agent-nodes/'.$child->id.'/roles', [
+            'slug' => 'child_role',
+            'name' => 'Child Role',
+            'permission_slugs' => ['prd.agent.view'],
+        ])
+        ->assertForbidden();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/agent-nodes/'.$child->id.'/admin-users', [
+            'username' => 'child_admin',
+            'nickname' => 'Child Admin',
+            'password' => 'Secret123!',
+            'role_ids' => [],
+        ])
+        ->assertForbidden();
+});
+
 test('auth me returns agent context for bound operator', function (): void {
    $siteId = (int) DB::table('admin_sites')->where('is_default', true)->value('id');
    $rootId = agentRootNodeId($siteId);