kang
a44679665d
- 在多个控制器中更新权限检查逻辑,确保管理员能够更灵活地管理代理和玩家。 - 在 AdminPlayerStoreController 中引入对玩家创建能力的验证,确保只有具备相应权限的管理员能够创建玩家。 - 更新请求验证逻辑,新增 credit_limit、rebate_rate 和 extra_rebate_rate 字段,以支持更细粒度的玩家管理。 - 在 AgentNodeProfileController 中添加对父代理能力授予的验证,确保子代理的权限在父代理范围内。 - 引入 AgentProfileFieldRules 以简化代理资料更新请求的规则定义,提升代码复用性。
244 lines
8.8 KiB
PHP
244 lines
8.8 KiB
PHP
<?php
|
|
|
|
use App\Models\AdminRole;
|
|
use App\Models\AdminSite;
|
|
use App\Models\AdminUser;
|
|
use App\Models\Player;
|
|
use App\Support\AdminSiteScope;
|
|
use App\Lottery\ErrorCode;
|
|
use Database\Seeders\CurrencySeeder;
|
|
use Illuminate\Support\Facades\DB;
|
|
use Illuminate\Support\Facades\Hash;
|
|
use Illuminate\Foundation\Testing\RefreshDatabase;
|
|
|
|
uses(RefreshDatabase::class);
|
|
|
|
function siteRoleBindingAdmin(string $username, array $permissionSlugs, ?int $boundSiteId = null): string
|
|
{
|
|
$admin = AdminUser::query()->create([
|
|
'username' => $username,
|
|
'name' => 'Tester',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
|
|
$role = AdminRole::query()->create([
|
|
'slug' => 'role_'.$username,
|
|
'name' => 'Role '.$username,
|
|
]);
|
|
$role->syncLegacyPermissionSlugs($permissionSlugs);
|
|
|
|
$siteId = $boundSiteId ?? AdminUser::defaultAdminSiteId();
|
|
DB::table('admin_user_site_roles')->insert([
|
|
'admin_user_id' => $admin->id,
|
|
'site_id' => $siteId,
|
|
'role_id' => $role->id,
|
|
'granted_at' => now(),
|
|
]);
|
|
|
|
return $admin->createToken('test', ['*'], now()->addDay())->plainTextToken;
|
|
}
|
|
|
|
test('platform user created with admin_site_id only sees that site players', function (): void {
|
|
$this->seed(CurrencySeeder::class);
|
|
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]);
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]);
|
|
$siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id');
|
|
|
|
Player::query()->create([
|
|
'site_code' => 'site-a',
|
|
'site_player_id' => 'pa-bind-1',
|
|
'username' => 'pa_bind_1',
|
|
'nickname' => 'PA',
|
|
'default_currency' => 'NPR',
|
|
'status' => 0,
|
|
]);
|
|
Player::query()->create([
|
|
'site_code' => 'site-b',
|
|
'site_player_id' => 'pb-bind-1',
|
|
'username' => 'pb_bind_1',
|
|
'nickname' => 'PB',
|
|
'default_currency' => 'NPR',
|
|
'status' => 0,
|
|
]);
|
|
|
|
$opsRole = AdminRole::query()->create([
|
|
'slug' => 'site_b_ops',
|
|
'name' => 'Site B Ops',
|
|
'scope_type' => AdminRole::SCOPE_SYSTEM,
|
|
]);
|
|
$opsRole->syncLegacyPermissionSlugs(['prd.users.view_finance', 'prd.admin_user.manage']);
|
|
|
|
$creator = AdminUser::query()->create([
|
|
'username' => 'super_creator',
|
|
'name' => 'Creator',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
grantSuperAdminRole($creator);
|
|
$token = $creator->createToken('test', ['*'], now()->addDay())->plainTextToken;
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->postJson('/api/v1/admin/admin-users', [
|
|
'username' => 'site_b_ops_user',
|
|
'nickname' => 'Site B Ops User',
|
|
'email' => null,
|
|
'password' => 'secret-long',
|
|
'admin_site_id' => $siteBId,
|
|
'role_slugs' => ['site_b_ops'],
|
|
])
|
|
->assertOk()
|
|
->assertJsonPath('data.site_bindings.0.site_id', $siteBId)
|
|
->assertJsonPath('data.site_bindings.0.site_code', 'site-b');
|
|
|
|
$created = AdminUser::query()->where('username', 'site_b_ops_user')->firstOrFail();
|
|
expect($created->isSuperAdmin())->toBeFalse();
|
|
expect($created->accessibleAdminSiteIds())->toEqual([$siteBId]);
|
|
expect(AdminSiteScope::accessibleSiteCodes($created))->toBe(['site-b']);
|
|
|
|
$scopedQuery = Player::query();
|
|
AdminSiteScope::applyToPlayerQuery($scopedQuery, $created);
|
|
expect($scopedQuery->pluck('site_code')->unique()->values()->all())->toBe(['site-b']);
|
|
|
|
$createdToken = $created->createToken('test', ['*'], now()->addDay())->plainTextToken;
|
|
|
|
expect($creator->id)->not->toBe($created->id);
|
|
|
|
$boundRoleSlugs = DB::table('admin_user_site_roles as usr')
|
|
->join('admin_roles as r', 'r.id', '=', 'usr.role_id')
|
|
->where('usr.admin_user_id', $created->id)
|
|
->orderBy('r.slug')
|
|
->pluck('r.slug')
|
|
->all();
|
|
expect($boundRoleSlugs)->toBe(['site_b_ops']);
|
|
expect($created->fresh()->isSuperAdmin())->toBeFalse();
|
|
|
|
app('auth')->forgetGuards();
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$createdToken)
|
|
->getJson('/api/v1/admin/auth/me')
|
|
->assertOk()
|
|
->assertJsonPath('data.admin.id', $created->id)
|
|
->assertJsonPath('data.admin.username', 'site_b_ops_user')
|
|
->assertJsonCount(1, 'data.admin.accessible_sites');
|
|
|
|
$codes = collect(
|
|
$this->withHeader('Authorization', 'Bearer '.$createdToken)
|
|
->getJson('/api/v1/admin/players')
|
|
->assertOk()
|
|
->json('data.items'),
|
|
)->pluck('site_code')->unique()->values()->all();
|
|
|
|
expect($codes)->toBe(['site-b']);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$createdToken)
|
|
->getJson('/api/v1/admin/auth/me')
|
|
->assertOk()
|
|
->assertJsonPath('data.admin.accessible_sites.0.code', 'site-b')
|
|
->assertJsonPath('data.admin.agent', null);
|
|
});
|
|
|
|
test('scoped operator cannot assign roles on site outside their binding', function (): void {
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]);
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]);
|
|
$siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id');
|
|
$siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id');
|
|
|
|
$target = AdminUser::query()->create([
|
|
'username' => 'bind_target',
|
|
'name' => 'Target',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
|
|
AdminRole::query()->create([
|
|
'slug' => 'scoped_assign_role',
|
|
'name' => 'Scoped Assign',
|
|
'scope_type' => AdminRole::SCOPE_SYSTEM,
|
|
]);
|
|
|
|
$token = siteRoleBindingAdmin('site_a_only_mgr', ['prd.admin_user.manage'], $siteAId);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->putJson('/api/v1/admin/admin-users/'.$target->id.'/roles', [
|
|
'admin_site_id' => $siteBId,
|
|
'role_slugs' => ['scoped_assign_role'],
|
|
])
|
|
->assertStatus(422)
|
|
->assertJsonPath('code', ErrorCode::ValidationFailed->value);
|
|
});
|
|
|
|
test('role sync replaces roles only for requested site', function (): void {
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-a'], ['name' => 'A', 'currency_code' => 'NPR', 'status' => 1]);
|
|
AdminSite::query()->firstOrCreate(['code' => 'site-b'], ['name' => 'B', 'currency_code' => 'NPR', 'status' => 1]);
|
|
$siteAId = (int) AdminSite::query()->where('code', 'site-a')->value('id');
|
|
$siteBId = (int) AdminSite::query()->where('code', 'site-b')->value('id');
|
|
|
|
$rA = AdminRole::query()->create([
|
|
'slug' => 'multi_a',
|
|
'name' => 'A',
|
|
'scope_type' => AdminRole::SCOPE_SYSTEM,
|
|
]);
|
|
$rB = AdminRole::query()->create([
|
|
'slug' => 'multi_b',
|
|
'name' => 'B',
|
|
'scope_type' => AdminRole::SCOPE_SYSTEM,
|
|
]);
|
|
|
|
$target = AdminUser::query()->create([
|
|
'username' => 'multi_site_user',
|
|
'name' => 'Multi',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
|
|
DB::table('admin_user_site_roles')->insert([
|
|
['admin_user_id' => $target->id, 'site_id' => $siteAId, 'role_id' => $rA->id, 'granted_at' => now()],
|
|
['admin_user_id' => $target->id, 'site_id' => $siteBId, 'role_id' => $rB->id, 'granted_at' => now()],
|
|
]);
|
|
|
|
$actor = AdminUser::query()->create([
|
|
'username' => 'multi_sync_actor',
|
|
'name' => 'Actor',
|
|
'email' => null,
|
|
'password' => Hash::make('secret-strong'),
|
|
'status' => 0,
|
|
]);
|
|
grantSuperAdminRole($actor);
|
|
$token = $actor->createToken('test', ['*'], now()->addDay())->plainTextToken;
|
|
|
|
$rC = AdminRole::query()->create([
|
|
'slug' => 'multi_c',
|
|
'name' => 'C',
|
|
'scope_type' => AdminRole::SCOPE_SYSTEM,
|
|
]);
|
|
|
|
$this->withHeader('Authorization', 'Bearer '.$token)
|
|
->putJson('/api/v1/admin/admin-users/'.$target->id.'/roles', [
|
|
'admin_site_id' => $siteAId,
|
|
'role_slugs' => ['multi_c'],
|
|
])
|
|
->assertOk();
|
|
|
|
$siteARoles = DB::table('admin_user_site_roles')
|
|
->where('admin_user_id', $target->id)
|
|
->where('site_id', $siteAId)
|
|
->pluck('role_id')
|
|
->map(static fn ($id): int => (int) $id)
|
|
->all();
|
|
$siteBRoles = DB::table('admin_user_site_roles')
|
|
->where('admin_user_id', $target->id)
|
|
->where('site_id', $siteBId)
|
|
->pluck('role_id')
|
|
->map(static fn ($id): int => (int) $id)
|
|
->all();
|
|
|
|
expect($siteARoles)->toBe([(int) $rC->id]);
|
|
expect($siteBRoles)->toBe([(int) $rB->id]);
|
|
});
|