feat: 增强玩家管理功能，集成接入站点权限控制

在多个玩家相关控制器中引入 AdminSiteScope，确保管理员在执行操作前具备相应的接入站点权限。更新 Player 相关请求以支持 site_code 参数，增强权限验证逻辑，确保系统安全性与灵活性。同时，新增 AdminUser 模型方法以获取可访问的站点 ID 列表，优化权限管理。
2026-05-27 13:36:23 +08:00
parent b649c862ef
commit a10135d6ee
47 changed files with 2265 additions and 38 deletions
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerDestroyController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerDestroyController.php
@@ -8,6 +8,7 @@ use App\Support\ApiResponse;
 use Illuminate\Http\Request;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminSiteScope;
 use Illuminate\Database\Eloquent\Relations\HasMany;

 /** DELETE /api/v1/admin/players/{player} */
@@ -15,6 +16,13 @@ final class AdminPlayerDestroyController extends Controller
 {
    public function __invoke(Request $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $hasWallets = Player::query()
            ->whereKey($player->getKey())
            ->whereHas('wallets', static fn (HasMany $q) => $q->whereRaw('balance != 0'))
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerFreezeController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerFreezeController.php
@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Api\V1\Admin\Player;

 use App\Models\Player;
 use App\Support\ApiResponse;
+use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;
 use App\Http\Controllers\Controller;
 use App\Services\AuditLogger;
@@ -15,6 +16,13 @@ final class AdminPlayerFreezeController extends Controller
 {
    public function __invoke(Request $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $before = PlayerApiPresenter::listItem($player);

        $player->forceFill(['status' => 1])->save();
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerIndexController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerIndexController.php
@@ -8,6 +8,7 @@ use App\Support\ApiResponse;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
 use App\Support\AdminApiList;
+use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;

 /** GET /api/v1/admin/players */
@@ -15,14 +16,24 @@ final class AdminPlayerIndexController extends Controller
 {
    public function __invoke(Request $request): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
        $p = AdminApiList::readPaging($request);
        $keyword = trim((string) $request->query('keyword', ''));
        $status = $request->query('status');
+        $siteCode = $request->query('site_code');

        $q = Player::query()
            ->with(['wallets' => static fn ($wq) => $wq->orderBy('wallet_type')->orderBy('currency_code')])
            ->orderByDesc('id');

+        AdminSiteScope::applyPlayerFilters(
+            $q,
+            $admin,
+            is_string($siteCode) ? $siteCode : null,
+        );
+
        if ($keyword !== '') {
            $term = '%'.addcslashes($keyword, '%_\\').'%';
            $q->where(static function ($sub) use ($term): void {
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerShowController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerShowController.php
@@ -4,14 +4,24 @@ namespace App\Http\Controllers\Api\V1\Admin\Player;

 use App\Models\Player;
 use App\Support\ApiResponse;
+use App\Support\AdminSiteScope;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use Illuminate\Http\Request;
+use App\Support\PlayerApiPresenter;

 /** GET /api/v1/admin/players/{player} */
 final class AdminPlayerShowController extends Controller
 {
-    public function __invoke(Player $player): JsonResponse
+    public function __invoke(Request $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        return ApiResponse::success(PlayerApiPresenter::listItem($player));
    }
 }
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerStoreController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerStoreController.php
@@ -6,6 +6,7 @@ use App\Models\Player;
 use App\Lottery\ErrorCode;
 use App\Support\ApiResponse;
 use Illuminate\Http\JsonResponse;
+use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;
 use App\Http\Controllers\Controller;
 use App\Http\Requests\Admin\AdminPlayerStoreRequest;
@@ -15,6 +16,19 @@ final class AdminPlayerStoreController extends Controller
 {
    public function __invoke(AdminPlayerStoreRequest $request): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        $siteCode = (string) $request->validated('site_code');
+        if (! AdminSiteScope::siteCodeAllowed($admin, $siteCode)) {
+            return ApiResponse::error(
+                '无权在该站点下创建玩家',
+                ErrorCode::AdminForbidden->value,
+                null,
+                403,
+            );
+        }
+
        $exists = Player::query()
            ->where('site_code', $request->validated('site_code'))
            ->where('site_player_id', $request->validated('site_player_id'))
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerTicketItemsIndexController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerTicketItemsIndexController.php
@@ -7,6 +7,7 @@ use App\Models\TicketItem;
 use App\Support\ApiResponse;
 use App\Support\CurrencyFormatter;
 use App\Support\PaginationTrait;
+use App\Support\AdminSiteScope;
 use App\Support\TicketItemListFilters;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
@@ -24,6 +25,13 @@ final class AdminPlayerTicketItemsIndexController extends Controller

    public function __invoke(AdminPlayerTicketItemsRequest $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $perPage = $this->perPage($request, 'per_page', 10, 50);
        $page = $this->page($request);
        $drawNo = $request->validated('draw_no');
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerUnfreezeController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerUnfreezeController.php
@@ -4,6 +4,7 @@ namespace App\Http\Controllers\Api\V1\Admin\Player;

 use App\Models\Player;
 use App\Support\ApiResponse;
+use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;
 use App\Http\Controllers\Controller;
 use App\Services\AuditLogger;
@@ -15,6 +16,13 @@ final class AdminPlayerUnfreezeController extends Controller
 {
    public function __invoke(Request $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $before = PlayerApiPresenter::listItem($player);

        $player->forceFill(['status' => 0])->save();
--- a/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerUpdateController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/AdminPlayerUpdateController.php
@@ -7,6 +7,7 @@ use App\Lottery\ErrorCode;
 use App\Support\ApiResponse;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use App\Support\AdminSiteScope;
 use App\Support\PlayerApiPresenter;
 use App\Http\Requests\Admin\AdminPlayerUpdateRequest;

@@ -15,6 +16,13 @@ final class AdminPlayerUpdateController extends Controller
 {
    public function __invoke(AdminPlayerUpdateRequest $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $data = $request->validated();

        if (isset($data['status'])) {
--- a/app/Http/Controllers/Api/V1/Admin/Player/PlayerWalletShowController.php
+++ b/app/Http/Controllers/Api/V1/Admin/Player/PlayerWalletShowController.php
@@ -5,8 +5,10 @@ namespace App\Http\Controllers\Api\V1\Admin\Player;
 use App\Models\Player;
 use App\Models\PlayerWallet;
 use App\Support\ApiResponse;
+use App\Support\AdminSiteScope;
 use Illuminate\Http\JsonResponse;
 use App\Http\Controllers\Controller;
+use Illuminate\Http\Request;

 /**
 * 后台：按玩家查询钱包余额（`player_wallets` 全币种）。
@@ -15,8 +17,15 @@ use App\Http\Controllers\Controller;
 */
 final class PlayerWalletShowController extends Controller
 {
-    public function __invoke(Player $player): JsonResponse
+    public function __invoke(Request $request, Player $player): JsonResponse
    {
+        $admin = $request->lotteryAdmin();
+        abort_if($admin === null, 401);
+
+        if ($denied = AdminSiteScope::denyUnlessPlayerAccessible($admin, $player)) {
+            return $denied;
+        }
+
        $wallets = PlayerWallet::query()
            ->where('player_id', $player->id)
            ->orderBy('wallet_type')