feat(admin): 统一后台 API 资源鉴权并完善投注风控快照与回补

app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerTicketItemsIndexController.php

@@ -36,7 +36,7 @@ final class AdminPlayerTicketItemsIndexController extends Controller
             ])
             ->orderByDesc('ticket_items.id');
 
-        if ($drawNo !== '') {
+        if (is_string($drawNo) && $drawNo !== '') {
             $query->whereHas('draw', fn ($q) => $q->where('draw_no', $drawNo));
         }
 

app/Http/Middleware/EnsureAdminApiResourcePermission.php

@@ -0,0 +1,88 @@
+<?php
+
+namespace App\Http\Middleware;
+
+use Closure;
+use App\Models\AdminUser;
+use App\Lottery\ErrorCode;
+use App\Support\ApiResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\DB;
+use Symfony\Component\HttpFoundation\Response;
+
+final class EnsureAdminApiResourcePermission
+{
+    public function handle(Request $request, Closure $next): Response
+    {
+        $admin = $request->lotteryAdmin();
+        if (! $admin instanceof AdminUser) {
+            return ApiResponse::error(
+                trans('admin.unauthenticated', [], $request->lotteryLocale()),
+                ErrorCode::AdminUnauthenticated->value,
+                null,
+                401,
+            );
+        }
+
+        $route = $request->route();
+        $routeName = is_object($route) ? $route->getName() : null;
+        if (! is_string($routeName) || $routeName === '') {
+            return ApiResponse::error('后台路由缺少 route name，无法执行资源鉴权。', ErrorCode::InternalError->value, null, 500);
+        }
+
+        $normalizedRouteName = $this->normalizeAdminRouteName($routeName);
+        $resource = DB::table('admin_api_resources')
+            ->where('route_name', $normalizedRouteName)
+            ->where('status', 1)
+            ->first(['id', 'code', 'auth_mode']);
+
+        if ($resource === null) {
+            return ApiResponse::error(
+                sprintf('后台 API 资源未配置：%s', $normalizedRouteName),
+                ErrorCode::InternalError->value,
+                ['route_name' => $normalizedRouteName],
+                500,
+            );
+        }
+
+        if ($resource->auth_mode === 'login_only') {
+            return $next($request);
+        }
+
+        $permissionCodes = DB::table('admin_api_resource_bindings as arb')
+            ->join('admin_menu_actions as ma', 'ma.id', '=', 'arb.menu_action_id')
+            ->where('arb.api_resource_id', (int) $resource->id)
+            ->where('ma.status', 1)
+            ->pluck('ma.permission_code')
+            ->filter(static fn ($code): bool => is_string($code) && $code !== '')
+            ->values()
+            ->all();
+
+        if ($permissionCodes === []) {
+            return ApiResponse::error(
+                sprintf('后台 API 资源未绑定权限动作：%s', (string) $resource->code),
+                ErrorCode::InternalError->value,
+                ['resource_code' => $resource->code],
+                500,
+            );
+        }
+
+        foreach ($permissionCodes as $permissionCode) {
+            if ($admin->hasAdminPermission((string) $permissionCode)) {
+                return $next($request);
+            }
+        }
+
+        return ApiResponse::error(
+            trans('admin.permission_denied', [], $request->lotteryLocale()),
+            ErrorCode::AdminForbidden->value,
+            ['required_any_codes' => $permissionCodes, 'resource_code' => $resource->code],
+            403,
+        );
+    }
+
+    private function normalizeAdminRouteName(string $routeName): string
+    {
+        return preg_replace('/^(api\.v1\.admin\.)+/', 'api.v1.admin.', $routeName) ?? $routeName;
+    }
+}