feat: 增强管理员权限管理，添加 RBAC 支持，更新 AdminUser 模型以处理角色和权限，更新登录接口返回权限信息，扩展数据库填充器以同步角色权限

2026-05-11 16:21:13 +08:00
parent 19003f5041
commit fc023242ce
39 changed files with 1587 additions and 123 deletions
--- a/tests/Feature/AdminPhase15OperationsTest.php
+++ b/tests/Feature/AdminPhase15OperationsTest.php
@@ -0,0 +1,115 @@
+<?php
+
+use App\Lottery\ErrorCode;
+use App\Models\AdminPermission;
+use App\Models\AdminRole;
+use App\Models\AdminUser;
+use App\Models\AuditLog;
+use App\Models\ReconcileJob;
+use App\Models\ReportJob;
+use App\Services\AuditLogger;
+use Illuminate\Foundation\Testing\RefreshDatabase;
+use Illuminate\Support\Facades\Hash;
+
+uses(RefreshDatabase::class);
+
+function phase15SuperToken(): string
+{
+    $admin = AdminUser::query()->create([
+        'username' => 'phase15_super',
+        'name' => 'Phase15',
+        'email' => null,
+        'password' => Hash::make('secret-strong'),
+        'status' => 0,
+    ]);
+    grantSuperAdminRole($admin);
+
+    return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
+}
+
+test('report job create list show and audit log index work for super admin', function (): void {
+    AuditLogger::record('system', 0, 'bootstrap', 'test', null, null, null, null);
+
+    $token = phase15SuperToken();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/audit-logs?per_page=5')
+        ->assertOk()
+        ->assertJsonPath('code', ErrorCode::Success->value);
+
+    $create = $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/report-jobs', [
+            'report_type' => 'wallet_txns_daily',
+            'export_format' => 'csv',
+            'filter_json' => ['currency_code' => 'NPR'],
+        ]);
+    $create->assertOk()->assertJsonPath('code', ErrorCode::Success->value);
+    $id = (int) $create->json('data.id');
+    expect($id)->toBeGreaterThan(0);
+    expect(ReportJob::query()->whereKey($id)->exists())->toBeTrue();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/report-jobs/'.$id)
+        ->assertOk()
+        ->assertJsonPath('data.report_type', 'wallet_txns_daily');
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/report-jobs?per_page=10')
+        ->assertOk()
+        ->assertJsonPath('code', ErrorCode::Success->value);
+
+    expect(AuditLog::query()->where('module_code', 'report_jobs')->exists())->toBeTrue();
+});
+
+test('reconcile job create with items and nested items index', function (): void {
+    $token = phase15SuperToken();
+
+    $resp = $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/reconcile-jobs', [
+            'reconcile_type' => 'wallet_transfer',
+            'period_start' => '2026-05-01T00:00:00Z',
+            'period_end' => '2026-05-02T00:00:00Z',
+            'items' => [
+                ['side_a_ref' => 'TO-1', 'side_b_ref' => 'MAIN-1', 'difference_amount' => 100, 'status' => 'mismatch'],
+                ['side_a_ref' => 'TO-2', 'side_b_ref' => 'MAIN-2', 'difference_amount' => 0, 'status' => 'matched'],
+            ],
+        ]);
+    $resp->assertOk();
+    $id = (int) $resp->json('data.id');
+    expect($id)->toBeGreaterThan(0);
+
+    $job = ReconcileJob::query()->whereKey($id)->firstOrFail();
+    expect((int) $job->admin_user_id)->toBeGreaterThan(0);
+    expect($job->items()->count())->toBe(2);
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/reconcile-jobs/'.$id.'/items')
+        ->assertOk()
+        ->assertJsonPath('data.meta.total', 2);
+});
+
+test('admin without report permission receives 403 on report-jobs', function (): void {
+    $role = AdminRole::query()->create(['slug' => 'auditor_test', 'name' => 'Auditor Test']);
+    $perm = AdminPermission::query()->create(['slug' => 'prd.audit.finance', 'name' => '§8 审计日志·资金相关']);
+    $role->permissions()->sync([(int) $perm->getKey()]);
+
+    $user = AdminUser::query()->create([
+        'username' => 'auditor_only',
+        'name' => 'Auditor',
+        'email' => null,
+        'password' => Hash::make('pw-audit'),
+        'status' => 0,
+    ]);
+    $user->roles()->sync([(int) $role->getKey()]);
+
+    $token = $user->createToken('test', ['*'], now()->addDay())->plainTextToken;
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->getJson('/api/v1/admin/audit-logs')
+        ->assertOk();
+
+    $this->withHeader('Authorization', 'Bearer '.$token)
+        ->postJson('/api/v1/admin/report-jobs', ['report_type' => 'x'])
+        ->assertStatus(403)
+        ->assertJsonPath('code', ErrorCode::AdminForbidden->value);
+});