lkddi/chatroom
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

增强:实现真正的创始人(ID=1)特权控制:限制非 ID=1 管理员访问部分后台模块及修改他人等级的能力

Browse Source
This commit is contained in:
流星
2026-02-27 09:39:26 +08:00
parent 4c48530a4f
commit 44ac4742d8
6 changed files with 71 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
app/Http/Controllers/Admin/UserManagerController.php
View File

@@ -73,9 +73,11 @@ class UserManagerController extends Controller
// 如果传了且没超权,直接赋予
if (isset($validated['user_level'])) {
// 不能把别人提权到超过自己的等级
if ($validated['user_level'] > $currentUser->user_level && $currentUser->id !== $targetUser->id) {
return response()->json(['status' => 'error', 'message' => '您不能将别人提升至超过您的等级!'], 403);
if ($currentUser->id !== $targetUser->id) {
// 修改别人:只有真正的创始人 (ID=1) 才能修改别人的等级
if ($currentUser->id !== 1) {
return response()->json(['status' => 'error', 'message' => '权限越界:只有星系创始人(站长)才能调整其他用户的行政等级!'], 403);
}
}
$targetUser->user_level = $validated['user_level'];
}

28
app/Http/Middleware/SiteOwnerRequired.php Normal file
View File

@@ -0,0 +1,28 @@
<?php
namespace App\Http\Middleware;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Symfony\Component\HttpFoundation\Response;
class SiteOwnerRequired
{
/**
* Handle an incoming request.
*
* @param \Closure(\Illuminate\Http\Request): (\Symfony\Component\HttpFoundation\Response) $next
*/
public function handle(Request $request, Closure $next): Response
{
if (Auth::id() !== 1) {
if ($request->expectsJson()) {
return response()->json(['message' => '特权不足,仅限站长操作', 'status' => 'error'], 403);
}
abort(403, '特权不足,此功能仅限创始人/站长操作。');
}
return $next($request);
}
}

1
bootstrap/app.php
View File

@@ -15,6 +15,7 @@ return Application::configure(basePath: dirname(__DIR__))
$middleware->alias([
'chat.auth' => \App\Http\Middleware\ChatAuthenticate::class,
'chat.level' => \App\Http\Middleware\LevelRequired::class,
'chat.site_owner' => \App\Http\Middleware\SiteOwnerRequired::class,
]);
// 这一步是为了防止用户访问需要登录的页面时,默认被跳到原版 Laravel 未定义的 login 路由报错

20
resources/views/admin/layouts/app.blade.php
View File

@@ -21,10 +21,12 @@
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.dashboard') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
📊 仪表盘
</a>
<a href="{{ route('admin.system.edit') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.system.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
⚙️ 系统参数参数
</a>
@if (Auth::id() === 1)
<a href="{{ route('admin.system.edit') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.system.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
⚙️ 系统参数参数
</a>
@endif
<a href="{{ route('admin.users.index') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.users.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
👥 用户管理
@@ -41,10 +43,12 @@
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.vip.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
👑 VIP 会员等级
</a>
<a href="{{ route('admin.ai-providers.index') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.ai-providers.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
🤖 AI 厂商配置
</a>
@if (Auth::id() === 1)
<a href="{{ route('admin.ai-providers.index') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.ai-providers.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
🤖 AI 厂商配置
</a>
@endif
</nav>
<div class="p-4 border-t border-white/10">
<a href="{{ route('rooms.index') }}"

16
resources/views/admin/users/index.blade.php
View File

@@ -123,12 +123,20 @@
<div class="grid grid-cols-2 gap-4">
{{-- 等级 --}}
<div>
<label class="block text-xs font-bold text-gray-600 mb-1">等级
<span class="text-gray-400 font-normal">(最高 <span x-text="adminLevel"></span>
/ 管理员级别)</span></label>
<label class="block text-xs font-bold text-gray-600 mb-1">
等级
<span class="text-gray-400 font-normal">
(最高 <span x-text="adminLevel"></span> )
</span>
</label>
<input type="number" name="user_level" x-model="editingUser.user_level" required
min="0" :max="adminLevel"
class="w-full border-gray-300 rounded-md shadow-sm focus:ring-indigo-500 focus:border-indigo-500 p-2 border text-sm">
:readonly="{{ Auth::id() }} !== 1 && editingUser.id !== {{ Auth::id() }}"
class="w-full border-gray-300 rounded-md shadow-sm focus:ring-indigo-500 focus:border-indigo-500 p-2 border text-sm"
:class="{ 'bg-gray-100 cursor-not-allowed': {{ Auth::id() }} !== 1 && editingUser.id !==
{{ Auth::id() }} }"
:title="{{ Auth::id() }} !== 1 && editingUser.id !== {{ Auth::id() }} ?
'仅系统创始人可修改他人等级' : ''">
</div>
{{-- 经验 --}}
<div>

22
routes/web.php
View File

@@ -106,8 +106,10 @@ Route::middleware(['chat.auth', 'chat.level:super'])->prefix('admin')->name('adm
Route::get('/', [\App\Http\Controllers\Admin\DashboardController::class, 'index'])->name('dashboard');
// 系统参数配置 (替代 VIEWSYS.ASP / SetSYS.ASP)
Route::get('/system', [\App\Http\Controllers\Admin\SystemController::class, 'edit'])->name('system.edit');
Route::put('/system', [\App\Http\Controllers\Admin\SystemController::class, 'update'])->name('system.update');
Route::middleware(['chat.site_owner'])->group(function () {
Route::get('/system', [\App\Http\Controllers\Admin\SystemController::class, 'edit'])->name('system.edit');
Route::put('/system', [\App\Http\Controllers\Admin\SystemController::class, 'update'])->name('system.update');
});
// 用户大盘管理 (替代 gl/ 目录下的各种用户管理功能)
Route::get('/users', [\App\Http\Controllers\Admin\UserManagerController::class, 'index'])->name('users.index');
@@ -133,11 +135,13 @@ Route::middleware(['chat.auth', 'chat.level:super'])->prefix('admin')->name('adm
Route::delete('/vip/{id}', [\App\Http\Controllers\Admin\VipController::class, 'destroy'])->name('vip.destroy');
// AI 厂商配置管理
Route::get('/ai-providers', [\App\Http\Controllers\Admin\AiProviderController::class, 'index'])->name('ai-providers.index');
Route::post('/ai-providers', [\App\Http\Controllers\Admin\AiProviderController::class, 'store'])->name('ai-providers.store');
Route::put('/ai-providers/{id}', [\App\Http\Controllers\Admin\AiProviderController::class, 'update'])->name('ai-providers.update');
Route::post('/ai-providers/{id}/toggle', [\App\Http\Controllers\Admin\AiProviderController::class, 'toggleEnabled'])->name('ai-providers.toggle');
Route::post('/ai-providers/{id}/default', [\App\Http\Controllers\Admin\AiProviderController::class, 'setDefault'])->name('ai-providers.default');
Route::post('/ai-providers/toggle-chatbot', [\App\Http\Controllers\Admin\AiProviderController::class, 'toggleChatBot'])->name('ai-providers.toggle-chatbot');
Route::delete('/ai-providers/{id}', [\App\Http\Controllers\Admin\AiProviderController::class, 'destroy'])->name('ai-providers.destroy');
Route::middleware(['chat.site_owner'])->group(function () {
Route::get('/ai-providers', [\App\Http\Controllers\Admin\AiProviderController::class, 'index'])->name('ai-providers.index');
Route::post('/ai-providers', [\App\Http\Controllers\Admin\AiProviderController::class, 'store'])->name('ai-providers.store');
Route::put('/ai-providers/{id}', [\App\Http\Controllers\Admin\AiProviderController::class, 'update'])->name('ai-providers.update');
Route::post('/ai-providers/{id}/toggle', [\App\Http\Controllers\Admin\AiProviderController::class, 'toggleEnabled'])->name('ai-providers.toggle');
Route::post('/ai-providers/{id}/default', [\App\Http\Controllers\Admin\AiProviderController::class, 'setDefault'])->name('ai-providers.default');
Route::post('/ai-providers/toggle-chatbot', [\App\Http\Controllers\Admin\AiProviderController::class, 'toggleChatBot'])->name('ai-providers.toggle-chatbot');
Route::delete('/ai-providers/{id}', [\App\Http\Controllers\Admin\AiProviderController::class, 'destroy'])->name('ai-providers.destroy');
});
});