安全:后台强杀功能增加管理员保护,不允许删除管理员账号
@@ -128,14 +128,18 @@ class UserManagerController extends Controller
|
|||||||
$targetUser = User::findOrFail($id);
|
$targetUser = User::findOrFail($id);
|
||||||
$currentUser = Auth::user();
|
$currentUser = Auth::user();
|
||||||
|
|
||||||
// 越权防护
|
// 越权防护:不允许删除同级或更高等级的账号
|
||||||
if ($targetUser->id !== $currentUser->id && $targetUser->user_level >= $currentUser->user_level) {
|
if ($targetUser->id !== $currentUser->id && $targetUser->user_level >= $currentUser->user_level) {
|
||||||
abort(403, '权限不足:无法删除同级或高级账号!');
|
abort(403, '权限不足:无法删除同级或高级账号!');
|
||||||
}
|
}
|
||||||
|
|
||||||
$targetUser->delete();
|
// 管理员保护:达到踢人等级(level_kick)的用户视为管理员,不可被强杀
|
||||||
|
$levelKick = (int) \App\Models\Sysparam::getValue('level_kick', '10');
|
||||||
|
if ($targetUser->user_level >= $levelKick) {
|
||||||
|
abort(403, '该用户为管理员,不允许强杀!请先在用户编辑中降低其等级。');
|
||||||
|
}
|
||||||
|
|
||||||
// 可选:触发解散名下房间等
|
$targetUser->delete();
|
||||||
|
|
||||||
return back()->with('success', '目标已被物理删除。');
|
return back()->with('success', '目标已被物理删除。');
|
||||||
}
|
}
|
||||||
|
|||||||
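Review bot: The new admin guard can be stepped around through the very path its abort message advertises: "请先在用户编辑中降低其等级" means anyone who can edit a user can demote the target below `level_kick` and then delete them, so the protection only holds if the user-edit endpoint enforces the same "no touching equal-or-higher `user_level`" rule that the 越权防护 block above applies here — that endpoint is not in this hunk and should be checked. The threshold itself is read from `Sysparam::getValue('level_kick', '10')` at request time, so if that parameter is editable from the same admin panel, raising it is a second bypass; note that the `(int)` cast does at least fail closed on an empty or non-numeric value (it becomes 0 and every user counts as an admin). Since this is a physical delete (the success message says 物理删除) with no soft-delete to recover from, I would also record actor and target before `$targetUser->delete();`, e.g. `\Log::warning('force-delete user', ['actor' => $currentUser->id, 'target' => $targetUser->id, 'target_level' => $targetUser->user_level]);` assuming the Log facade is available in this controller. The enclosing method begins before this hunk; only its tail is visible here.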