4 Commits

Author SHA1 Message Date
lkddi 32af6abeb2 优化 2026-04-26 21:06:43 +08:00
lkddi d4082e0edd 限制系统参数配置为站长专属 2026-04-26 21:06:30 +08:00
lkddi 0402097b59 聊天室管理权限统一为职务权限 2026-04-26 20:55:11 +08:00
lkddi b07f4e971a 优化 后台等级设置 2026-04-26 20:37:23 +08:00
32 changed files with 1380 additions and 415 deletions
+1 -1
View File
@@ -3,7 +3,7 @@
/**
* 文件功能:用户被踢出房间广播事件
*
* 管理员踢出/冻结用户时触发,前端监听后强制该用户跳转至大厅。
* 管理员踢出/封禁用户时触发,前端监听后强制该用户跳转至大厅。
*
* @author ChatRoom Laravel
*
@@ -0,0 +1,77 @@
<?php
/**
* 文件功能:后台等级经验阈值配置控制器
*
* sysparam 表中的 levelexp 配置拆分为独立后台页面,
* 以列表模式维护每一级所需的累计经验值。
*/
namespace App\Http\Controllers\Admin;
use App\Http\Controllers\Controller;
use App\Http\Requests\UpdateLevelExpConfigRequest;
use App\Models\Sysparam;
use App\Services\ChatStateService;
use Illuminate\Http\RedirectResponse;
use Illuminate\View\View;
/**
* 类功能:负责展示和保存等级经验阈值列表。
*/
class LevelExpConfigController extends Controller
{
/**
* 方法功能:注入系统参数缓存同步服务。
*/
public function __construct(
private readonly ChatStateService $chatState
) {}
/**
* 方法功能:显示等级经验阈值列表页。
*/
public function index(): View
{
$rawThresholds = Sysparam::getLevelExpThresholds();
$maxLevel = (int) Sysparam::getValue('maxlevel', '99');
$thresholds = collect($rawThresholds)
->values()
->map(fn (int $exp, int $index): array => [
'level' => $index + 1,
'exp' => $exp,
'increment' => $index === 0 ? $exp : $exp - $rawThresholds[$index - 1],
]);
return view('admin.level-exp-configs.index', [
'thresholds' => $thresholds,
'maxLevel' => $maxLevel,
]);
}
/**
* 方法功能:保存等级经验阈值配置,并同步刷新缓存。
*/
public function update(UpdateLevelExpConfigRequest $request): RedirectResponse
{
$thresholds = $request->validated('thresholds');
// 将列表页提交的阈值重新拼成兼容旧逻辑的逗号字符串。
$body = implode(',', $thresholds);
Sysparam::updateOrCreate(
['alias' => 'levelexp'],
[
'body' => $body,
'guidetxt' => '按列表逐级维护升级所需的累计经验阈值',
]
);
// 同步更新 Redis / Cache,确保前台经验等级计算即时生效。
$this->chatState->setSysParam('levelexp', $body);
Sysparam::clearCache('levelexp');
return redirect()->route('admin.level-exp-configs.index')->with('success', '等级经验阈值已保存并生效!');
}
}
@@ -60,6 +60,14 @@ class SystemController extends Controller
// 只接受通用系统页白名单内的字段,忽略任何伪造提交的敏感键。
$data = $request->only($this->editableSystemAliases());
if (array_key_exists('maxlevel', $data)) {
$normalizedMaxLevel = max(1, (int) $data['maxlevel']);
// 管理员级别始终跟随最高等级 + 1,避免两个配置页出现口径漂移。
$data['maxlevel'] = (string) $normalizedMaxLevel;
$data['superlevel'] = (string) ($normalizedMaxLevel + 1);
}
foreach ($data as $alias => $body) {
$normalizedBody = (string) $body;
@@ -88,7 +96,7 @@ class SystemController extends Controller
return SysParam::query()
->orderBy('id')
->pluck('alias')
->filter(fn (string $alias): bool => ! $this->isSensitiveAlias($alias))
->filter(fn (string $alias): bool => ! $this->isSensitiveAlias($alias) && ! $this->isDedicatedAlias($alias))
->values()
->all();
}
@@ -104,4 +112,21 @@ class SystemController extends Controller
return Str::endsWith($alias, ['_password', '_secret', '_token', '_key']);
}
/**
* 判断参数是否已经迁移到独立配置页。
*/
private function isDedicatedAlias(string $alias): bool
{
return in_array($alias, [
'levelexp',
'level_warn',
'level_mute',
'level_kick',
'level_announcement',
'level_ban',
'level_banip',
'level_freeze',
], true);
}
}
@@ -241,10 +241,10 @@ class UserManagerController extends Controller
abort(403, '权限不足:无法删除同级或高级账号!');
}
// 管理员保护:达到踢人等级(level_kick)的用户视为管理员,不可被强杀
$levelKick = (int) \App\Models\Sysparam::getValue('level_kick', '10');
if ($targetUser->user_level >= $levelKick) {
abort(403, '该用户为管理员,不允许强杀!请先在用户编辑中降低其等级。');
// 任命体系保护:仍持有在职职务的账号不可直接强杀,必须先走撤职流程。
$targetUser->loadMissing('activePosition.position');
if ($targetUser->id === 1 || $targetUser->activePosition?->position) {
abort(403, '该用户当前拥有在职职务,不允许强杀!请先撤销职务。');
}
$targetUser->delete();
+115 -27
View File
@@ -4,7 +4,7 @@
* 文件功能:管理员聊天室实时命令控制器
*
* 提供管理员在聊天室内对用户执行的管理操作:
* 警告(=J)、踢出(=T)、禁言(=B)冻结(=Y)、查看私信(=S)、职务公屏讲话。
* 警告(=J)、踢出(=T)、禁言(=B)封号、封IP、查看私信(=S)、职务公屏讲话。
*
* 对应原 ASP 文件:DOUSER.ASP / KILLUSER.ASP / LOCKIP.ASP / NEWSAY.ASP
*
@@ -278,14 +278,14 @@ class AdminCommandController extends Controller
}
/**
* 冻结用户账号=Y 理由)
* 封禁用户账号
*
* 用户账号状态设为冻结,禁止登录
* 目标账号设为封禁状态,并将其从当前在线房间中移出
*
* @param Request $request 请求对象,需包含 username, reason
* @param Request $request 请求对象,需包含 username, room_id, reason
* @return JsonResponse 操作结果
*/
public function freeze(Request $request): JsonResponse
public function ban(Request $request): JsonResponse
{
$request->validate([
'username' => 'required|string',
@@ -301,12 +301,12 @@ class AdminCommandController extends Controller
return response()->json(['status' => 'error', 'message' => $roomAuthorization['message']], 403);
}
$reason = ChatContentSanitizer::htmlText($request->input('reason', '违反聊天室规则'));
$reason = ChatContentSanitizer::htmlText($request->input('reason', '严重违规'));
$safeTargetUsername = ChatContentSanitizer::htmlText($targetUsername);
$operatorDisplay = $this->buildOperatorDisplayHtml($admin);
// 权限检查:必须拥有职务权限,且不能处理职务高于自己的用户。
$authorization = $this->authorizeModerationAction($admin, $targetUsername, PositionPermissionRegistry::USER_FREEZE, '冻结');
$authorization = $this->authorizeModerationAction($admin, $targetUsername, PositionPermissionRegistry::USER_BAN, '封禁');
if (! $authorization['ok']) {
return response()->json(['status' => 'error', 'message' => $authorization['message']], 403);
}
@@ -316,37 +316,30 @@ class AdminCommandController extends Controller
return response()->json(['status' => 'error', 'message' => $targetAuthorization['message']], 403);
}
// 冻结用户账号(将等级设为 -1 表示冻结)
$target = $authorization['target'];
$target->user_level = -1;
$target->save();
// 先给被冻结用户补发私聊提示,再将其移出各房间并强制下线。
$this->pushTargetToastMessage(
roomId: (int) $roomId,
roomId: $roomId,
targetUsername: $targetUsername,
content: "🧊 {$operatorDisplay}冻结你的账号。原因:{$reason}",
title: '🧊 账号已冻结',
toastMessage: "{$operatorDisplay}冻结你的账号。<br>原因:{$reason}",
color: '#3b82f6',
icon: '🧊',
content: " {$operatorDisplay}封禁你的账号。原因:{$reason}",
title: ' 账号已封禁',
toastMessage: "{$operatorDisplay}封禁你的账号。<br>原因:{$reason}",
color: '#991b1b',
icon: '',
);
// 从所有房间移除
$rooms = $this->chatState->getUserRooms($targetUsername);
foreach ($rooms as $rid) {
$this->chatState->userLeave($rid, $targetUsername);
}
$this->removeUserFromAllRooms($targetUsername);
// 广播冻结消息
$msg = [
'id' => $this->chatState->nextMessageId($roomId),
'room_id' => $roomId,
'from_user' => '系统传音',
'to_user' => '大家',
'content' => "🧊 {$operatorDisplay}冻结 <b>{$safeTargetUsername}</b> 的账号。原因:{$reason}",
'content' => " {$operatorDisplay}封禁 <b>{$safeTargetUsername}</b> 的账号。原因:{$reason}",
'is_secret' => false,
'font_color' => '#dc2626',
'font_color' => '#991b1b',
'action' => '',
'sent_at' => now()->toDateTimeString(),
];
@@ -354,10 +347,93 @@ class AdminCommandController extends Controller
broadcast(new MessageSent($roomId, $msg));
SaveMessageJob::dispatch($msg);
// 广播踢出事件
broadcast(new \App\Events\UserKicked($roomId, $targetUsername, "账号已被冻结:{$reason}"));
broadcast(new \App\Events\UserKicked($roomId, $targetUsername, "账号已被封禁:{$reason}"));
return response()->json(['status' => 'success', 'message' => "冻结 {$targetUsername} 的账号"]);
return response()->json(['status' => 'success', 'message' => "封禁 {$targetUsername} 的账号"]);
}
/**
* 封禁用户 IP。
*
* 将目标账号设为封禁状态并把最近登录 IP 写入黑名单。
*
* @param Request $request 请求对象,需包含 username, room_id, reason
* @return JsonResponse 操作结果
*/
public function banIp(Request $request): JsonResponse
{
$request->validate([
'username' => 'required|string',
'room_id' => 'required|integer',
'reason' => 'nullable|string|max:200',
]);
$admin = Auth::user();
$targetUsername = $request->input('username');
$roomId = (int) $request->input('room_id');
$roomAuthorization = $this->authorizeManagedRoom($roomId, $admin);
if (! $roomAuthorization['ok']) {
return response()->json(['status' => 'error', 'message' => $roomAuthorization['message']], 403);
}
$reason = ChatContentSanitizer::htmlText($request->input('reason', '严重违规'));
$safeTargetUsername = ChatContentSanitizer::htmlText($targetUsername);
$operatorDisplay = $this->buildOperatorDisplayHtml($admin);
// 权限检查:必须拥有职务权限,且不能处理职务高于自己的用户。
$authorization = $this->authorizeModerationAction($admin, $targetUsername, PositionPermissionRegistry::USER_BANIP, '封禁 IP ');
if (! $authorization['ok']) {
return response()->json(['status' => 'error', 'message' => $authorization['message']], 403);
}
$targetAuthorization = $this->authorizeTargetOnlineInRoom($roomId, $targetUsername);
if (! $targetAuthorization['ok']) {
return response()->json(['status' => 'error', 'message' => $targetAuthorization['message']], 403);
}
$target = $authorization['target'];
$targetIp = (string) ($target->last_ip ?? '');
if ($targetIp !== '') {
Redis::sadd('banned_ips', $targetIp);
}
$target->user_level = -1;
$target->save();
$this->pushTargetToastMessage(
roomId: $roomId,
targetUsername: $targetUsername,
content: "🌐 {$operatorDisplay} 已封禁你的 IP 并冻结账号。原因:{$reason}",
title: '🌐 IP 已封禁',
toastMessage: "{$operatorDisplay} 已封禁你的 IP 并冻结账号。<br>原因:{$reason}",
color: '#7c2d12',
icon: '🌐',
);
$this->removeUserFromAllRooms($targetUsername);
$ipSuffix = $targetIp !== '' ? "IP{$targetIp}" : '(未记录有效 IP';
$msg = [
'id' => $this->chatState->nextMessageId($roomId),
'room_id' => $roomId,
'from_user' => '系统传音',
'to_user' => '大家',
'content' => "🌐 {$operatorDisplay} 已封禁 <b>{$safeTargetUsername}</b> 的 IP 并冻结账号。原因:{$reason} {$ipSuffix}",
'is_secret' => false,
'font_color' => '#9a3412',
'action' => '',
'sent_at' => now()->toDateTimeString(),
];
$this->chatState->pushMessage($roomId, $msg);
broadcast(new MessageSent($roomId, $msg));
SaveMessageJob::dispatch($msg);
broadcast(new \App\Events\UserKicked($roomId, $targetUsername, "IP 已被封禁:{$reason}"));
return response()->json([
'status' => 'success',
'message' => $targetIp !== '' ? "已封禁 {$targetUsername} 的 IP 与账号" : "已封禁 {$targetUsername} 的账号,但未记录可封禁 IP",
]);
}
/**
@@ -555,7 +631,7 @@ class AdminCommandController extends Controller
string $permissionCode,
string $actionLabel,
): array {
if (! $this->positionPermissionService->hasPermission($admin, $permissionCode)) {
if ($admin->id !== 1 && ! $this->positionPermissionService->hasPermission($admin, $permissionCode)) {
return ['ok' => false, 'message' => "当前职务无权{$actionLabel}用户"];
}
@@ -583,6 +659,18 @@ class AdminCommandController extends Controller
return ['ok' => true, 'message' => '校验通过', 'target' => $target];
}
/**
* 将目标用户从当前在线的全部房间中移除。
*/
private function removeUserFromAllRooms(string $targetUsername): void
{
$rooms = $this->chatState->getUserRooms($targetUsername);
foreach ($rooms as $rid) {
$this->chatState->userLeave((int) $rid, $targetUsername);
}
}
/**
* 判断操作者是否可以按职务位阶处理目标用户。
*
+11 -172
View File
@@ -2,13 +2,8 @@
/**
* 文件功能:用户中心与管理控制器
* 接管原版 USERinfo.ASP, USERSET.ASP, chpasswd.asp, KILLUSER.ASP, LOCKIP.ASP
*
* 权限等级通过 sysparam 表动态配置:
* level_kick - 踢人所需等级
* level_mute - 禁言所需等级
* level_ban - 封号所需等级
* level_banip - 封IP所需等级
* 接管原版 USERinfo.ASP, USERSET.ASP chpasswd.asp。
* 聊天室管理动作已统一迁移到 AdminCommandController 的职务权限链路。
*
* @author ChatRoom Laravel
*
@@ -18,25 +13,23 @@
namespace App\Http\Controllers;
use App\Enums\CurrencySource;
use App\Events\UserKicked;
use App\Events\UserMuted;
use App\Events\UserStatusUpdated;
use App\Http\Requests\ChangePasswordRequest;
use App\Http\Requests\RevealProfileInfoRequest;
use App\Http\Requests\UpdateChatPreferencesRequest;
use App\Http\Requests\UpdateDailyStatusRequest;
use App\Http\Requests\UpdateProfileRequest;
use App\Models\Room;
use App\Models\Sysparam;
use App\Models\User;
use App\Services\ChatStateService;
use App\Services\ChatUserPresenceService;
use App\Services\PositionPermissionService;
use App\Services\UserCurrencyService;
use App\Support\PositionPermissionRegistry;
use Illuminate\Http\JsonResponse;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Auth;
use Illuminate\Support\Facades\Hash;
use Illuminate\Support\Facades\Redis;
/**
* 类功能:处理用户资料、聊天室偏好、当日状态与基础管理动作。
@@ -65,6 +58,7 @@ class UserController extends Controller
private readonly ChatStateService $chatState,
private readonly ChatUserPresenceService $chatUserPresenceService,
private readonly UserCurrencyService $currencyService,
private readonly PositionPermissionService $positionPermissionService,
) {}
/**
@@ -166,9 +160,10 @@ class UserController extends Controller
] : null,
];
// 拥有封禁IP(level_banip)或踢人以上权限的管理,可以查看IP和归属地
$levelBanIp = (int) Sysparam::getValue('level_banip', '15');
if ($operator && $operator->user_level >= $levelBanIp) {
// 管理员网络信息仅对站长或拥有「封IP」职务权限的操作者展示。
$canViewNetworkInfo = $operator
&& ($operator->id === 1 || $this->positionPermissionService->hasPermission($operator, PositionPermissionRegistry::USER_BANIP));
if ($canViewNetworkInfo) {
$data['first_ip'] = $targetUser->first_ip;
// last_ip 目前定义为『上次登录IP』(取数据库 previous_ip
$data['last_ip'] = $targetUser->previous_ip;
@@ -415,7 +410,7 @@ class UserController extends Controller
/**
* 生成微信绑定代码
*/
public function generateWechatCode(\Illuminate\Http\Request $request): JsonResponse
public function generateWechatCode(Request $request): JsonResponse
{
$user = \Illuminate\Support\Facades\Auth::user();
if (! $user) {
@@ -435,7 +430,7 @@ class UserController extends Controller
/**
* 取消绑定微信
*/
public function unbindWechat(\Illuminate\Http\Request $request): JsonResponse
public function unbindWechat(Request $request): JsonResponse
{
$user = \Illuminate\Support\Facades\Auth::user();
if (! $user) {
@@ -451,162 +446,6 @@ class UserController extends Controller
]);
}
/**
* 通用权限校验:检查操作者是否有权操作目标用户
*
* @param object $operator 操作者
* @param string $targetUsername 目标用户名
* @param int $roomId 房间ID
* @param string $levelKey sysparam中的等级键名(如 level_kick
* @param string $actionName 操作名称(用于错误提示)
* @return array{room: Room, target: User}|JsonResponse
*/
private function checkPermission(object $operator, string $targetUsername, int $roomId, string $levelKey, string $actionName): array|JsonResponse
{
$room = Room::findOrFail($roomId);
$requiredLevel = (int) Sysparam::getValue($levelKey, '15');
// 鉴权:操作者要是房间房主或达到所需等级
if ($room->master !== $operator->username && $operator->user_level < $requiredLevel) {
return response()->json(['status' => 'error', 'message' => "权限不足(需要{$requiredLevel}级),无法执行{$actionName}操作。"], 403);
}
$targetUser = User::where('username', $targetUsername)->first();
if (! $targetUser) {
return response()->json(['status' => 'error', 'message' => '目标用户不存在。'], 404);
}
// 防误伤:不能操作等级 >= 自己的人
if ($targetUser->user_level >= $operator->user_level) {
return response()->json(['status' => 'error', 'message' => "权限不足,无法对同级或高级用户执行{$actionName}"], 403);
}
return ['room' => $room, 'target' => $targetUser];
}
/**
* 踢出房间 (对应 KILLUSER.ASP)
* 所需等级由 sysparam level_kick 配置
*/
public function kick(Request $request, string $username): JsonResponse
{
$operator = Auth::user();
$roomId = $request->input('room_id');
if (! $roomId) {
return response()->json(['status' => 'error', 'message' => '缺少房间参数。'], 422);
}
$result = $this->checkPermission($operator, $username, $roomId, 'level_kick', '踢出');
if ($result instanceof JsonResponse) {
return $result;
}
// 广播踢出事件
broadcast(new UserKicked($roomId, $result['target']->username, "管理员 [{$operator->username}] 将 [{$result['target']->username}] 踢出了聊天室。"));
return response()->json(['status' => 'success', 'message' => "已成功将 {$result['target']->username} 踢出房间。"]);
}
/**
* 禁言 (对应原版限制功能)
* 所需等级由 sysparam level_mute 配置
* 禁言信息存入 RedisTTL 到期自动解除
*/
public function mute(Request $request, string $username): JsonResponse
{
$operator = Auth::user();
$roomId = $request->input('room_id');
$duration = (int) $request->input('duration', 5);
if (! $roomId) {
return response()->json(['status' => 'error', 'message' => '缺少房间参数。'], 422);
}
$result = $this->checkPermission($operator, $username, $roomId, 'level_mute', '禁言');
if ($result instanceof JsonResponse) {
return $result;
}
// 写入 Redis 禁言标记,TTL = 禁言分钟数 * 60
Redis::setex("mute:{$roomId}:{$username}", $duration * 60, json_encode([
'operator' => $operator->username,
'reason' => '管理员禁言',
'until' => now()->addMinutes($duration)->toDateTimeString(),
]));
// 广播禁言事件
broadcast(new UserMuted($roomId, $username, $duration));
return response()->json(['status' => 'success', 'message' => "已对 {$username} 实施禁言 {$duration} 分钟。"]);
}
/**
* 封号(禁止登录)
* 所需等级由 sysparam level_ban 配置
* 将用户等级设为 -1 表示封禁
*/
public function ban(Request $request, string $username): JsonResponse
{
$operator = Auth::user();
$roomId = $request->input('room_id');
if (! $roomId) {
return response()->json(['status' => 'error', 'message' => '缺少房间参数。'], 422);
}
$result = $this->checkPermission($operator, $username, $roomId, 'level_ban', '封号');
if ($result instanceof JsonResponse) {
return $result;
}
// 封号:设置等级为 -1
$result['target']->user_level = -1;
$result['target']->save();
// 踢出聊天室
broadcast(new UserKicked($roomId, $username, "管理员 [{$operator->username}] 已封禁用户 [{$username}] 的账号。"));
return response()->json(['status' => 'success', 'message' => "用户 {$username} 已被封号。"]);
}
/**
* 封IP(记录IP到黑名单并踢出)
* 所需等级由 sysparam level_banip 配置
*/
public function banIp(Request $request, string $username): JsonResponse
{
$operator = Auth::user();
$roomId = $request->input('room_id');
if (! $roomId) {
return response()->json(['status' => 'error', 'message' => '缺少房间参数。'], 422);
}
$result = $this->checkPermission($operator, $username, $roomId, 'level_banip', '封IP');
if ($result instanceof JsonResponse) {
return $result;
}
$targetIp = $result['target']->last_ip;
if ($targetIp) {
// 将IP加入 Redis 黑名单(永久)
Redis::sadd('banned_ips', $targetIp);
}
// 同时封号
$result['target']->user_level = -1;
$result['target']->save();
// 踢出聊天室
broadcast(new UserKicked($roomId, $username, "管理员 [{$operator->username}] 已封禁用户 [{$username}] 的IP地址。"));
$ipInfo = $targetIp ? "IP: {$targetIp}" : '(未记录IP';
return response()->json(['status' => 'success', 'message' => "用户 {$username} 已被封号并封IP{$ipInfo}"]);
}
/**
* 判断操作者是否可以免费查看目标用户经验、金币与魅力。
*/
@@ -0,0 +1,148 @@
<?php
/**
* 文件功能:校验后台等级经验阈值配置请求
*
* 约束管理员以列表模式提交的每级经验值,
* 确保阈值为正整数且严格递增。
*/
namespace App\Http\Requests;
use App\Models\Sysparam;
use Closure;
use Illuminate\Contracts\Validation\ValidationRule;
use Illuminate\Foundation\Http\FormRequest;
/**
* 类功能:验证等级经验阈值列表的结构与数值合法性。
*/
class UpdateLevelExpConfigRequest extends FormRequest
{
/**
* 方法功能:允许已通过后台鉴权的用户提交该请求。
*/
public function authorize(): bool
{
return true;
}
/**
* 方法功能:预处理输入,过滤空行并统一转成整数序列。
*/
protected function prepareForValidation(): void
{
$thresholds = collect($this->input('thresholds', []))
->map(fn ($value): string => trim((string) $value))
->filter(fn (string $value): bool => $value !== '')
->values()
->all();
$this->merge([
'thresholds' => $thresholds,
]);
}
/**
* 方法功能:返回等级经验阈值表单的校验规则。
*
* @return array<string, ValidationRule|array<int, ValidationRule|string>|string>
*/
public function rules(): array
{
return [
'thresholds' => ['required', 'array', 'min:1', $this->strictlyIncreasingRule(), $this->maxLevelLimitRule()],
'thresholds.*' => ['required', 'integer', 'min:1'],
];
}
/**
* 方法功能:返回中文校验错误消息。
*
* @return array<string, string>
*/
public function messages(): array
{
return [
'thresholds.required' => '请至少配置一个等级经验阈值。',
'thresholds.array' => '等级经验阈值提交格式不正确。',
'thresholds.min' => '请至少保留一个等级经验阈值。',
'thresholds.*.required' => '等级经验阈值不能为空。',
'thresholds.*.integer' => '等级经验阈值必须是整数。',
'thresholds.*.min' => '等级经验阈值必须大于 0。',
];
}
/**
* 方法功能:自定义校验阈值必须严格递增。
*/
private function strictlyIncreasingRule(): ValidationRule
{
return new class implements ValidationRule
{
/**
* 方法功能:执行严格递增校验。
*
* @param Closure(string): void $fail
*/
public function validate(string $attribute, mixed $value, Closure $fail): void
{
if (! is_array($value)) {
return;
}
$previous = null;
foreach ($value as $index => $threshold) {
if (! is_numeric($threshold)) {
continue;
}
$current = (int) $threshold;
// 每一级累计经验必须大于前一级,避免等级计算出现倒挂。
if ($previous !== null && $current <= $previous) {
$fail('等级经验阈值必须按等级从小到大严格递增,第 '.($index + 1).' 级配置不正确。');
return;
}
$previous = $current;
}
}
};
}
/**
* 方法功能:校验等级阈值数量不能超过用户最高可达等级。
*/
private function maxLevelLimitRule(): ValidationRule
{
return new class((int) Sysparam::getValue('maxlevel', '99')) implements ValidationRule
{
/**
* 方法功能:构造数量上限校验器。
*/
public function __construct(
private readonly int $maxLevel
) {}
/**
* 方法功能:执行阈值数量与最高等级的上限校验。
*
* @param Closure(string): void $fail
*/
public function validate(string $attribute, mixed $value, Closure $fail): void
{
if (! is_array($value) || $this->maxLevel < 1) {
return;
}
// 阈值行数对应可升级的等级数,不能超过用户最高可达等级。
if (count($value) > $this->maxLevel) {
$fail('等级经验阈值数量不能超过用户最高可达等级,请先提高最高等级或删除多余等级。');
}
}
};
}
}
+1
View File
@@ -58,6 +58,7 @@ class PositionAuthorityLog extends Model
'warn' => '警告',
'kick' => '踢出',
'mute' => '禁言',
'ban' => '封号',
'banip' => '封锁IP',
'other' => '其他',
];
+15 -5
View File
@@ -64,9 +64,14 @@ class PositionPermissionRegistry
public const USER_MUTE = 'room.user_mute';
/**
* 用户冻结权限。
* 用户封号权限。
*/
public const USER_FREEZE = 'room.user_freeze';
public const USER_BAN = 'room.user_ban';
/**
* 用户封IP权限。
*/
public const USER_BANIP = 'room.user_banip';
/**
* 返回全部权限定义。
@@ -126,10 +131,15 @@ class PositionPermissionRegistry
'label' => '禁言用户',
'description' => '允许在用户名片内对低于自身职务的用户执行禁言。',
],
self::USER_FREEZE => [
self::USER_BAN => [
'group' => '用户管理',
'label' => '冻结用户',
'description' => '允许在用户名片内冻结低于自身职务的用户账号。',
'label' => '封号用户',
'description' => '允许在用户名片内封禁低于自身职务的用户账号并强制下线。',
],
self::USER_BANIP => [
'group' => '用户管理',
'label' => '封IP',
'description' => '允许在用户名片内封禁低于自身职务的用户 IP,并查看管理员网络信息。',
],
];
}
@@ -45,13 +45,6 @@ return new class extends Migration
['alias' => 'jjb_per_heartbeat', 'body' => '1-3', 'guidetxt' => '💰 每次心跳金币奖励(支持固定值如"1"或范围如"1-5"0关闭)', 'created_at' => $now, 'updated_at' => $now],
// ── 管理操作权限等级 ──────────────────────────────────────
['alias' => 'level_warn', 'body' => '5', 'guidetxt' => '警告所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_mute', 'body' => '50', 'guidetxt' => '禁言所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_kick', 'body' => '60', 'guidetxt' => '踢人所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_announcement', 'body' => '60', 'guidetxt' => '设置公告所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_ban', 'body' => '80', 'guidetxt' => '封号所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_banip', 'body' => '90', 'guidetxt' => '封IP所需等级', 'created_at' => $now, 'updated_at' => $now],
['alias' => 'level_freeze', 'body' => '14', 'guidetxt' => '冻结账号所需等级', 'created_at' => $now, 'updated_at' => $now],
// ── 随机事件 ──────────────────────────────────────────────
['alias' => 'auto_event_chance', 'body' => '10', 'guidetxt' => '随机事件触发概率(百分比,1-100)', 'created_at' => $now, 'updated_at' => $now],
@@ -0,0 +1,58 @@
<?php
/**
* 文件功能:清理已废弃的等级阈值聊天室管理权限参数
* 统一删除 level_* 权限残留,避免继续与职务权限体系并存。
*/
use Illuminate\Database\Migrations\Migration;
use Illuminate\Support\Facades\DB;
return new class extends Migration
{
/**
* 方法功能:删除旧等级权限参数。
*/
public function up(): void
{
DB::table('sysparam')
->whereIn('alias', [
'level_warn',
'level_mute',
'level_kick',
'level_announcement',
'level_ban',
'level_banip',
'level_freeze',
])
->delete();
}
/**
* 方法功能:回滚时恢复旧等级权限参数默认值。
*/
public function down(): void
{
$now = now();
foreach ([
'level_warn' => ['5', '警告所需等级'],
'level_mute' => ['50', '禁言所需等级'],
'level_kick' => ['60', '踢人所需等级'],
'level_announcement' => ['60', '设置公告所需等级'],
'level_ban' => ['80', '封号所需等级'],
'level_banip' => ['90', '封IP所需等级'],
'level_freeze' => ['14', '冻结账号所需等级'],
] as $alias => [$body, $guidetxt]) {
DB::table('sysparam')->updateOrInsert(
['alias' => $alias],
[
'body' => $body,
'guidetxt' => $guidetxt,
'created_at' => $now,
'updated_at' => $now,
]
);
}
}
};
@@ -0,0 +1,58 @@
<?php
/**
* 文件功能:将旧的冻结权限合并到封号权限
* 确保已配置 room.user_freeze 的职务在合并后自动继承 room.user_ban。
*/
use App\Models\Position;
use Illuminate\Database\Migrations\Migration;
return new class extends Migration
{
/**
* 方法功能:把冻结权限迁移为封号权限。
*/
public function up(): void
{
Position::query()->each(function (Position $position): void {
$permissions = array_values($position->permissions ?? []);
if (! in_array('room.user_freeze', $permissions, true)) {
return;
}
$normalizedPermissions = array_values(array_unique(array_map(
fn (string $permission): string => $permission === 'room.user_freeze' ? 'room.user_ban' : $permission,
$permissions,
)));
$position->forceFill([
'permissions' => $normalizedPermissions,
])->save();
});
}
/**
* 方法功能:回滚时把合并后的封号权限恢复为冻结权限。
*/
public function down(): void
{
Position::query()->each(function (Position $position): void {
$permissions = array_values($position->permissions ?? []);
if (! in_array('room.user_ban', $permissions, true)) {
return;
}
$normalizedPermissions = array_values(array_unique(array_map(
fn (string $permission): string => $permission === 'room.user_ban' ? 'room.user_freeze' : $permission,
$permissions,
)));
$position->forceFill([
'permissions' => $normalizedPermissions,
])->save();
});
}
};
+38 -7
View File
@@ -603,18 +603,49 @@ export function userCardComponent() {
}
},
/** 冻结用户 */
async freezeUser() {
/** 封禁账号 */
async banUser() {
const confirmed = await this.$confirm(
'确定要冻结 ' + this.userInfo.username + ' 的账号吗?冻结后将无法登录',
'冻结账号',
'#cc4444'
'确定要封禁 ' + this.userInfo.username + ' 的账号吗?封禁后将无法登录',
'封禁账号',
'#991b1b'
);
if (!confirmed) return;
const reason = await this.$prompt('冻结原因:', '严重违规', '填写原因', '#cc4444');
const reason = await this.$prompt('封禁原因:', '严重违规', '填写原因', '#991b1b');
if (reason === null) return;
try {
const res = await fetch('/command/freeze', {
const res = await fetch('/command/ban', {
method: 'POST',
headers: this._headers(),
body: JSON.stringify({
username: this.userInfo.username,
room_id: window.chatContext.roomId,
reason: reason || '严重违规'
})
});
const data = await res.json();
if (data.status === 'success') {
this.showUserModal = false;
} else {
this.$alert('操作失败:' + data.message, '操作失败', '#cc4444');
}
} catch (e) {
this.$alert('网络异常', '错误', '#cc4444');
}
},
/** 封禁 IP */
async banIpUser() {
const confirmed = await this.$confirm(
'确定要封禁 ' + this.userInfo.username + ' 的 IP 吗?该操作会同时冻结账号。',
'封禁 IP',
'#9a3412'
);
if (!confirmed) return;
const reason = await this.$prompt('封禁原因:', '严重违规', '填写原因', '#9a3412');
if (reason === null) return;
try {
const res = await fetch('/command/banip', {
method: 'POST',
headers: this._headers(),
body: JSON.stringify({
-12
View File
@@ -35,18 +35,6 @@
<span class="w-32 text-gray-500 inline-block font-sans">PHP 版本:</span>
<span class="text-indigo-600">{{ PHP_VERSION }}</span>
</li>
<li class="flex items-center text-sm font-mono mt-4 pt-4 border-t">
<span class="mr-4 text-gray-500 inline-block font-sans items-center flex">队列监控面板</span>
<!-- Laravel Horizon 的默认路由前缀由开发者确认或自己改。这里默认是 /horizon -->
<a href="{{ url('/horizon') }}" target="_blank"
class="text-blue-600 hover:text-blue-800 hover:underline flex items-center">
<span>打开 Horizon 控制台</span>
<svg class="w-4 h-4 ml-1" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14"></path>
</svg>
</a>
</li>
</ul>
</div>
</div>
+7 -3
View File
@@ -60,9 +60,9 @@
<p class="px-4 text-xs text-slate-500 uppercase tracking-widest mb-1">
{{ Auth::id() === 1 ? '站长功能' : '查看' }}</p>
<a href="{{ route('admin.system.edit') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.system.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
{!! '⚙️ 聊天室参数' !!}
<a href="{{ route('admin.level-exp-configs.index') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.level-exp-configs.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
{!! '📶 等级经验阈值' !!}
</a>
<a href="{{ route('admin.currency-logs.index') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.currency-logs.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
@@ -113,6 +113,10 @@
@if (Auth::id() === 1)
<div class="border-t border-white/10 my-2"></div>
<p class="px-4 text-xs text-slate-500 uppercase tracking-widest mb-1">系统配置</p>
<a href="{{ route('admin.system.edit') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.system.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
⚙️ 聊天室参数
</a>
<a href="{{ route('admin.smtp.edit') }}"
class="block px-4 py-3 rounded-md transition {{ request()->routeIs('admin.smtp.*') ? 'bg-indigo-600 font-bold' : 'hover:bg-white/10' }}">
📧 邮件 SMTP 配置
@@ -0,0 +1,207 @@
@extends('admin.layouts.app')
@section('title', '等级经验阈值管理')
@section('content')
@php require resource_path('views/admin/partials/list-theme.php'); @endphp
@php
$formThresholds = collect(old('thresholds', $thresholds->pluck('exp')->all()))
->map(fn ($value) => trim((string) $value))
->filter(fn (string $value) => $value !== '')
->values();
if ($formThresholds->isEmpty()) {
$formThresholds = $thresholds->pluck('exp')->map(fn ($value) => (string) $value)->values();
}
@endphp
<div class="{{ $adminListPageClass }}">
<div class="{{ $adminListHeaderCardClass }}">
<p class="{{ $adminListHeaderSubtitleClass }} mt-0">按列表维护每一级升级所需的累计经验值,并统一管理用户最高可达等级与管理员级别。</p>
</div>
<form action="{{ route('admin.level-exp-configs.update') }}" method="POST" class="{{ $adminListCardClass }}">
@csrf
@method('PUT')
<div class="grid gap-5 border-b border-gray-100 bg-gray-50 px-6 py-5 md:grid-cols-1">
<div class="rounded-xl border border-amber-200 bg-amber-50 px-4 py-4">
<div class="text-xs font-semibold uppercase tracking-wider text-amber-700">等级阈值说明</div>
<p class="mt-2 text-sm leading-6 text-amber-900">
当前页面按列表逐级维护升级经验阈值:每一行对应一个等级,填写“升到该等级所需的累计经验值”。
等级阈值必须严格递增,且等级行数不能超过“用户最高可达等级”。
</p>
</div>
</div>
<div class="{{ $adminListTableWrapClass }}">
<table class="{{ $adminListTableClass }}">
<thead class="{{ $adminListTableHeadRowClass }}">
<tr>
<th class="{{ $adminListTableHeadCellClass }} w-36">等级</th>
<th class="{{ $adminListTableHeadCellClass }}">累计经验阈值</th>
<th class="{{ $adminListTableHeadCellClass }}">较上一等级新增</th>
<th class="{{ $adminListTableHeadCellClass }} w-28 text-right">操作</th>
</tr>
</thead>
<tbody class="{{ $adminListTableBodyClass }}" data-level-exp-table-body>
@foreach ($formThresholds as $index => $exp)
@php
$currentExp = (int) $exp;
$previousExp = $index === 0 ? 0 : (int) $formThresholds[$index - 1];
@endphp
<tr class="{{ $adminListTableRowClass }}" data-level-exp-row>
<td class="px-4 py-3 {{ $adminListPrimaryTextClass }}" data-level-exp-label> {{ $index + 1 }} </td>
<td class="px-4 py-3">
<input type="number" min="1" step="1" name="thresholds[]" value="{{ $exp }}"
class="w-full max-w-xs rounded-lg border border-gray-300 px-3 py-2 text-sm shadow-sm focus:border-indigo-500 focus:ring-indigo-500"
required>
</td>
<td class="px-4 py-3 {{ $adminListBodyTextClass }}" data-level-exp-increment>
+{{ number_format($currentExp - $previousExp) }}
</td>
<td class="px-4 py-3 text-right">
<button type="button"
class="{{ $adminListActionButtonClass }} bg-red-50 text-red-600 hover:bg-red-100"
data-level-exp-remove>
删除
</button>
</td>
</tr>
@endforeach
</tbody>
</table>
</div>
<div class="flex items-center justify-between gap-4 border-t border-gray-100 bg-gray-50 px-6 py-4">
<div class="space-y-1">
<button type="button" class="{{ $adminListSecondaryButtonClass }}" data-level-exp-add>
+ 添加等级
</button>
<p class="text-xs text-gray-500" data-level-exp-limit-text>
当前已配置 {{ $formThresholds->count() }} 个等级阈值,最高可配置到 {{ $maxLevel }} 级。
</p>
</div>
<button type="submit" class="{{ $adminListPrimaryButtonClass }}">
保存配置
</button>
</div>
</form>
</div>
<template id="level-exp-row-template">
<tr class="{{ $adminListTableRowClass }}" data-level-exp-row>
<td class="px-4 py-3 {{ $adminListPrimaryTextClass }}" data-level-exp-label></td>
<td class="px-4 py-3">
<input type="number" min="1" step="1" name="thresholds[]" value=""
class="w-full max-w-xs rounded-lg border border-gray-300 px-3 py-2 text-sm shadow-sm focus:border-indigo-500 focus:ring-indigo-500"
required>
</td>
<td class="px-4 py-3 {{ $adminListBodyTextClass }}" data-level-exp-increment>--</td>
<td class="px-4 py-3 text-right">
<button type="button"
class="{{ $adminListActionButtonClass }} bg-red-50 text-red-600 hover:bg-red-100"
data-level-exp-remove>
删除
</button>
</td>
</tr>
</template>
<script>
document.addEventListener('DOMContentLoaded', () => {
const tableBody = document.querySelector('[data-level-exp-table-body]');
const addButton = document.querySelector('[data-level-exp-add]');
const template = document.querySelector('#level-exp-row-template');
const limitText = document.querySelector('[data-level-exp-limit-text]');
const maxLevel = {{ $maxLevel }};
if (!tableBody || !addButton || !template || !limitText) {
return;
}
const syncRows = () => {
const rows = Array.from(tableBody.querySelectorAll('[data-level-exp-row]'));
let previousValue = 0;
rows.forEach((row, index) => {
const label = row.querySelector('[data-level-exp-label]');
const input = row.querySelector('input[name=\"thresholds[]\"]');
const increment = row.querySelector('[data-level-exp-increment]');
const currentValue = Number.parseInt(input?.value ?? '', 10);
if (label) {
label.textContent = `第 ${index + 1} 级`;
}
if (increment) {
if (Number.isNaN(currentValue)) {
increment.textContent = '--';
} else {
increment.textContent = `+${(currentValue - previousValue).toLocaleString('zh-CN')}`;
}
}
previousValue = Number.isNaN(currentValue) ? previousValue : currentValue;
});
const removeButtons = tableBody.querySelectorAll('[data-level-exp-remove]');
removeButtons.forEach((button) => {
button.disabled = rows.length === 1;
button.classList.toggle('opacity-40', rows.length === 1);
button.classList.toggle('cursor-not-allowed', rows.length === 1);
});
limitText.textContent = `当前已配置 ${rows.length} 个等级阈值,最高可配置到 ${maxLevel} 级。`;
const canAddMore = rows.length < maxLevel;
addButton.disabled = !canAddMore;
addButton.classList.toggle('opacity-40', !canAddMore);
addButton.classList.toggle('cursor-not-allowed', !canAddMore);
};
addButton.addEventListener('click', () => {
const currentRows = tableBody.querySelectorAll('[data-level-exp-row]').length;
if (currentRows >= maxLevel) {
syncRows();
return;
}
const fragment = template.content.cloneNode(true);
tableBody.appendChild(fragment);
syncRows();
const inputs = tableBody.querySelectorAll('input[name=\"thresholds[]\"]');
inputs[inputs.length - 1]?.focus();
});
tableBody.addEventListener('click', (event) => {
const trigger = event.target.closest('[data-level-exp-remove]');
if (!trigger) {
return;
}
const rows = tableBody.querySelectorAll('[data-level-exp-row]');
if (rows.length <= 1) {
return;
}
trigger.closest('[data-level-exp-row]')?.remove();
syncRows();
});
tableBody.addEventListener('input', (event) => {
if (event.target.matches('input[name=\"thresholds[]\"]')) {
syncRows();
}
});
syncRows();
});
</script>
@endsection
+23
View File
@@ -81,6 +81,29 @@
</form>
</div>
{{-- 队列监控面板 --}}
<div class="border border-gray-200 rounded-xl p-5 hover:shadow-sm transition">
<div class="flex items-center gap-3 mb-2">
<span class="text-2xl">📈</span>
<div>
<div class="font-bold text-gray-800 text-sm">队列监控面板</div>
<div class="text-xs text-gray-400">Laravel Horizon</div>
</div>
</div>
<p class="text-xs text-gray-500 mb-4 leading-relaxed">
打开 Horizon 控制台查看队列吞吐、失败任务与进程状态。<br>
需要排查异步任务堆积、失败重试或 Supervisor 状态时从这里进入。
</p>
<a href="{{ url('/horizon') }}" target="_blank" rel="noopener noreferrer"
class="inline-flex items-center px-4 py-2 bg-indigo-600 text-white rounded-lg text-sm font-bold hover:bg-indigo-700 transition shadow-sm">
<span>打开 Horizon 控制台</span>
<svg class="w-4 h-4 ml-1.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
<path stroke-linecap="round" stroke-linejoin="round" stroke-width="2"
d="M10 6H6a2 2 0 00-2 2v10a2 2 0 002 2h10a2 2 0 002-2v-4M14 4h6m0 0v6m0-6L10 14"></path>
</svg>
</a>
</div>
{{-- 房间在线名单清理 --}}
<div class="border border-red-100 rounded-xl p-5 bg-red-50 hover:shadow-sm transition">
<div class="flex items-center gap-3 mb-2">
@@ -442,6 +442,7 @@
权限管理
<span class="font-normal text-amber-700 ml-1">(控制聊天室输入框上方「管理」菜单中可见的功能按钮)</span>
</h4>
<p class="mb-3 text-xs leading-5 text-amber-700">聊天室管理动作已统一按职务权限控制,不再使用等级阈值参数。</p>
<div class="space-y-4">
@foreach ($positionPermissions as $groupName => $permissions)
<div>
+38 -1
View File
@@ -25,13 +25,24 @@
@php
$fieldValue = (string) $body;
$shouldUseTextarea = strlen($fieldValue) > 50 || str_contains($fieldValue, "\n") || str_contains($fieldValue, '<');
$isMaxLevelField = $alias === 'maxlevel';
$isSuperLevelField = $alias === 'superlevel';
@endphp
<div>
<label class="block text-sm font-bold text-gray-700 mb-2">
{{ $descriptions[$alias] ?? $alias }}
<span class="text-gray-400 font-normal ml-2">[{{ $alias }}]</span>
</label>
@if ($shouldUseTextarea)
@if ($isMaxLevelField)
<p class="mb-2 text-xs text-gray-500">修改后会自动同步管理员级别为“最高等级 + 1”。</p>
<input type="number" min="1" step="1" id="system-maxlevel" name="{{ $alias }}" value="{{ $fieldValue }}"
class="w-full border-gray-300 rounded-md shadow-sm focus:border-indigo-500 focus:ring-indigo-500 p-2.5 bg-gray-50 border">
@elseif ($isSuperLevelField)
<p class="mb-2 text-xs text-gray-500">该值会随“用户最高可达等级”自动计算,仅用于展示当前结果。</p>
<input type="number" id="system-superlevel" value="{{ $fieldValue }}"
class="w-full border-gray-200 rounded-md shadow-sm p-2.5 bg-gray-100 border text-gray-600"
readonly>
@elseif ($shouldUseTextarea)
<textarea name="{{ $alias }}" rows="4"
class="w-full border-gray-300 rounded-md shadow-sm focus:border-indigo-500 focus:ring-indigo-500 p-2.5 bg-gray-50 border whitespace-pre-wrap">{{ $fieldValue }}</textarea>
@else
@@ -53,4 +64,30 @@
</form>
</div>
</div>
<script>
document.addEventListener('DOMContentLoaded', () => {
const maxLevelInput = document.querySelector('#system-maxlevel');
const superLevelInput = document.querySelector('#system-superlevel');
if (!maxLevelInput || !superLevelInput) {
return;
}
const syncSuperLevel = () => {
const maxLevel = Number.parseInt(maxLevelInput.value ?? '', 10);
if (Number.isNaN(maxLevel) || maxLevel < 1) {
superLevelInput.value = '';
return;
}
superLevelInput.value = String(maxLevel + 1);
};
maxLevelInput.addEventListener('input', syncSuperLevel);
syncSuperLevel();
});
</script>
@endsection
-11
View File
@@ -17,13 +17,6 @@
<meta name="csrf-token" content="{{ csrf_token() }}">
<meta http-equiv="Delegate-CH" content="Sec-CH-UA https://s.magsrv.com; Sec-CH-UA-Mobile https://s.magsrv.com; Sec-CH-UA-Arch https://s.magsrv.com; Sec-CH-UA-Model https://s.magsrv.com; Sec-CH-UA-Platform https://s.magsrv.com; Sec-CH-UA-Platform-Version https://s.magsrv.com; Sec-CH-UA-Bitness https://s.magsrv.com; Sec-CH-UA-Full-Version-List https://s.magsrv.com; Sec-CH-UA-Full-Version https://s.magsrv.com;">
@php
// 从 sysparam 读取权限等级配置
$levelWarn = (int) \App\Models\Sysparam::getValue('level_warn', '5');
$levelKick = (int) \App\Models\Sysparam::getValue('level_kick', '10');
$levelMute = (int) \App\Models\Sysparam::getValue('level_mute', '8');
$levelBan = (int) \App\Models\Sysparam::getValue('level_ban', '12');
$levelBanip = (int) \App\Models\Sysparam::getValue('level_banip', '14');
$levelFreeze = (int) \App\Models\Sysparam::getValue('level_freeze', '14');
$superLevel = (int) \App\Models\Sysparam::getValue('superlevel', '100');
$myLevel = Auth::user()->user_level;
$positionPermissions = array_keys(array_filter($roomPermissionMap ?? []));
@@ -64,10 +57,6 @@
'userSex' => match ((int) $user->sex) {1 => '男', 2 => '女', default => ''},
'userLevel' => $user->user_level,
'superLevel' => $superLevel,
'levelKick' => $levelKick,
'levelMute' => $levelMute,
'levelBan' => $levelBan,
'levelBanip' => $levelBanip,
'sendUrl' => route('chat.send', $room->id),
'leaveUrl' => route('chat.leave', $room->id),
'expiredLeaveUrl' => \Illuminate\Support\Facades\URL::temporarySignedRoute('chat.leave.expired', now()->addHours(12), ['id' => $room->id, 'user' => $user->id]),
@@ -4,8 +4,7 @@
第二行:输入框 + 发送按钮
frame.blade.php 拆分,便于独立维护
依赖变量:$user, $room, $levelKick, $levelMute, $levelBan, $levelBanip,
$roomPermissionMap, $hasRoomManagementPermission
依赖变量:$user, $room, $roomPermissionMap, $hasRoomManagementPermission
--}}
@php
@@ -418,9 +418,10 @@
$canWarnUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_WARN] ?? false) === true);
$canKickUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_KICK] ?? false) === true);
$canMuteUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_MUTE] ?? false) === true);
$canFreezeUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_FREEZE] ?? false) === true);
$canBanUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_BAN] ?? false) === true);
$canBanIpUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::USER_BANIP] ?? false) === true);
$canRewardUser = Auth::id() === 1 || (($roomPermissionMap[\App\Support\PositionPermissionRegistry::ROOM_REWARD] ?? false) === true);
$hasUserModerationPermission = $canWarnUser || $canKickUser || $canMuteUser || $canFreezeUser;
$hasUserModerationPermission = $canWarnUser || $canKickUser || $canMuteUser || $canBanUser || $canBanIpUser;
$hasPositionActions = Auth::user()->activePosition || $myLevel >= $superLevel;
@endphp
@if ($hasUserModerationPermission || $hasPositionActions)
@@ -463,10 +464,16 @@
x-on:click="isMuting = !isMuting">🔇 禁言
</button>
@endif
@if ($canFreezeUser)
@if ($canBanUser)
<button
style="flex:1; padding: 5px; border-radius: 4px; font-size: 11px; background: #dbeafe; border: 1px solid #3b82f6; cursor: pointer;"
x-on:click="freezeUser()">🧊 冻结
style="flex:1; padding: 5px; border-radius: 4px; font-size: 11px; background: #fee2e2; border: 1px solid #b91c1c; cursor: pointer;"
x-on:click="banUser()"> 封号
</button>
@endif
@if ($canBanIpUser)
<button
style="flex:1; padding: 5px; border-radius: 4px; font-size: 11px; background: #ffedd5; border: 1px solid #c2410c; cursor: pointer;"
x-on:click="banIpUser()">🌐 封IP
</button>
@endif
+15 -14
View File
@@ -62,12 +62,6 @@
$charmSame = Sysparam::getValue('charm_same_sex', '1');
$charmLimit = Sysparam::getValue('charm_hourly_limit', '20');
// 管理权限等级
$levelWarn = (int) Sysparam::getValue('level_warn', '5');
$levelMute = (int) Sysparam::getValue('level_mute', '8');
$levelKick = (int) Sysparam::getValue('level_kick', '10');
$levelFreeze = (int) Sysparam::getValue('level_freeze', '14');
// 排行榜配置
$lbLimit = (int) Sysparam::getValue('leaderboard_limit', '50');
@@ -480,35 +474,42 @@
<section id="sec-admin" class="bg-white rounded-2xl shadow-sm border border-gray-100 p-6 mb-6">
<h2 class="text-xl font-bold text-red-700 mb-4 flex items-center gap-2">🛡️ 管理权限</h2>
<p class="text-sm text-gray-600 mb-4">等级越高,可使用的管理功能越多。双击用户名片可执行以下操作:</p>
<p class="text-sm text-gray-600 mb-4">聊天室管理动作已统一按职务权限控制。被任命到具备对应权限的职务后,双击用户名片可执行以下操作:</p>
<div class="space-y-2">
<div class="flex items-center gap-3 bg-yellow-50 rounded-lg px-4 py-3">
<span class="text-lg">⚠️</span>
<div>
<span class="font-bold text-gray-800">警告用户</span>
<span class="text-xs text-gray-500 ml-2"> LV.{{ $levelWarn }} 以上</span>
<span class="text-xs text-gray-500 ml-2">具备“警告用户”职务权限</span>
</div>
</div>
<div class="flex items-center gap-3 bg-indigo-50 rounded-lg px-4 py-3">
<span class="text-lg">🔇</span>
<div>
<span class="font-bold text-gray-800">禁言用户</span>
<span class="text-xs text-gray-500 ml-2"> LV.{{ $levelMute }} 以上</span>
<span class="text-xs text-gray-500 ml-2">具备“禁言用户”职务权限</span>
</div>
</div>
<div class="flex items-center gap-3 bg-red-50 rounded-lg px-4 py-3">
<span class="text-lg">🚫</span>
<div>
<span class="font-bold text-gray-800">踢出用户</span>
<span class="text-xs text-gray-500 ml-2"> LV.{{ $levelKick }} 以上</span>
<span class="text-xs text-gray-500 ml-2">具备“踢出用户”职务权限</span>
</div>
</div>
<div class="flex items-center gap-3 bg-blue-50 rounded-lg px-4 py-3">
<span class="text-lg">🧊</span>
<div class="flex items-center gap-3 bg-rose-50 rounded-lg px-4 py-3">
<span class="text-lg"></span>
<div>
<span class="font-bold text-gray-800">冻结账号</span>
<span class="text-xs text-gray-500 ml-2"> LV.{{ $levelFreeze }} 以上</span>
<span class="font-bold text-gray-800">封号用户</span>
<span class="text-xs text-gray-500 ml-2">具备“封号用户”职务权限</span>
</div>
</div>
<div class="flex items-center gap-3 bg-orange-50 rounded-lg px-4 py-3">
<span class="text-lg">🌐</span>
<div>
<span class="font-bold text-gray-800"> IP / 查看管理员网络信息</span>
<span class="text-xs text-gray-500 ml-2">需具备“封IP”职务权限</span>
</div>
</div>
</div>
+8 -9
View File
@@ -109,11 +109,6 @@ Route::middleware(['chat.auth'])->group(function () {
Route::post('/user/unbind-wechat', [UserController::class, 'unbindWechat'])->name('user.unbind_wechat');
Route::post('/user/send-email-code', [\App\Http\Controllers\Api\VerificationController::class, 'sendEmailCode'])->name('user.send_email_code');
Route::put('/user/password', [UserController::class, 'changePassword'])->name('user.update_password');
Route::post('/user/{username}/kick', [UserController::class, 'kick'])->name('user.kick');
Route::post('/user/{username}/mute', [UserController::class, 'mute'])->name('user.mute');
Route::post('/user/{username}/ban', [UserController::class, 'ban'])->name('user.ban');
Route::post('/user/{username}/banip', [UserController::class, 'banIp'])->name('user.banip');
// ---- 好友系统 ----
Route::get('/friends', [\App\Http\Controllers\FriendController::class, 'index'])->name('friend.index');
Route::get('/friend/{username}/status', [\App\Http\Controllers\FriendController::class, 'status'])->name('friend.status');
@@ -329,7 +324,8 @@ Route::middleware(['chat.auth'])->group(function () {
Route::post('/command/warn', [AdminCommandController::class, 'warn'])->name('command.warn');
Route::post('/command/kick', [AdminCommandController::class, 'kick'])->name('command.kick');
Route::post('/command/mute', [AdminCommandController::class, 'mute'])->name('command.mute');
Route::post('/command/freeze', [AdminCommandController::class, 'freeze'])->name('command.freeze');
Route::post('/command/ban', [AdminCommandController::class, 'ban'])->name('command.ban');
Route::post('/command/banip', [AdminCommandController::class, 'banIp'])->name('command.banip');
Route::post('/command/reward', [AdminCommandController::class, 'reward'])->name('command.reward');
Route::get('/command/reward-quota', [AdminCommandController::class, 'rewardQuota'])->name('command.reward_quota');
Route::get('/command/whispers/{username}', [AdminCommandController::class, 'viewWhispers'])->name('command.whispers');
@@ -441,9 +437,9 @@ Route::middleware(['chat.auth', 'chat.has_position'])->prefix('admin')->name('ad
// 大卡片通知广播(仅超级管理员,安全隔离:普通用户无此接口)
Route::post('/banner/broadcast', [\App\Http\Controllers\Admin\BannerBroadcastController::class, 'send'])->name('admin.banner.broadcast');
// 聊天室参数(含保存)
Route::get('/system', [\App\Http\Controllers\Admin\SystemController::class, 'edit'])->name('system.edit');
Route::put('/system', [\App\Http\Controllers\Admin\SystemController::class, 'update'])->name('system.update');
// 等级经验阈值配置
Route::get('/level-exp-configs', [\App\Http\Controllers\Admin\LevelExpConfigController::class, 'index'])->name('level-exp-configs.index');
Route::put('/level-exp-configs', [\App\Http\Controllers\Admin\LevelExpConfigController::class, 'update'])->name('level-exp-configs.update');
// 微信机器人配置
Route::get('/wechat-bot', [\App\Http\Controllers\Admin\WechatBotController::class, 'edit'])->name('wechat_bot.edit');
@@ -583,6 +579,9 @@ Route::middleware(['chat.auth', 'chat.has_position'])->prefix('admin')->name('ad
// 层级 2:仅站长(id=1)可进行以下操作
// ──────────────────────────────────────────────────────────────
Route::middleware(['chat.site_owner'])->group(function () {
// 聊天室参数(含保存)
Route::get('/system', [\App\Http\Controllers\Admin\SystemController::class, 'edit'])->name('system.edit');
Route::put('/system', [\App\Http\Controllers\Admin\SystemController::class, 'update'])->name('system.update');
// 用户编辑 & 删除
Route::put('/users/{user}', [\App\Http\Controllers\Admin\UserManagerController::class, 'update'])->name('users.update');
+5
View File
@@ -370,6 +370,7 @@ class ChatControllerTest extends TestCase
$user = $this->createUserWithPositionPermissions([
PositionPermissionRegistry::USER_WARN,
PositionPermissionRegistry::USER_MUTE,
PositionPermissionRegistry::USER_BAN,
]);
$response = $this->actingAs($user)->get(route('chat.room', $room->id));
@@ -377,7 +378,9 @@ class ChatControllerTest extends TestCase
$response->assertOk();
$response->assertSee('⚠️ 警告', false);
$response->assertSee('🔇 禁言', false);
$response->assertSee('⛔ 封号', false);
$response->assertDontSee('🚫 踢出', false);
$response->assertDontSee('🌐 封IP', false);
$response->assertDontSee('🧊 冻结', false);
}
@@ -395,6 +398,8 @@ class ChatControllerTest extends TestCase
$response->assertDontSee('⚠️ 警告', false);
$response->assertDontSee('🚫 踢出', false);
$response->assertDontSee('🔇 禁言', false);
$response->assertDontSee('⛔ 封号', false);
$response->assertDontSee('🌐 封IP', false);
$response->assertDontSee('🧊 冻结', false);
}
@@ -409,14 +409,14 @@ class AdminCommandControllerTest extends TestCase
}
/**
* 测试冻结操作会给目标用户写入带 toast 的私聊提示。
* 测试封号操作会给目标用户写入带 toast 的私聊提示。
*/
public function test_freeze_message_contains_toast_notification_for_receiver(): void
public function test_ban_message_contains_toast_notification_for_receiver(): void
{
Queue::fake();
[$admin, $target, $room] = $this->createAdminCommandActors();
$response = $this->actingAs($admin)->postJson(route('command.freeze'), [
$response = $this->actingAs($admin)->postJson(route('command.ban'), [
'username' => $target->username,
'room_id' => $room->id,
'reason' => '严重违规',
@@ -424,17 +424,49 @@ class AdminCommandControllerTest extends TestCase
$response->assertOk()->assertJson([
'status' => 'success',
'message' => "冻结 {$target->username} 的账号",
'message' => "封禁 {$target->username} 的账号",
]);
$this->assertSame(-1, (int) $target->fresh()->user_level);
$privateMessage = $this->findPrivateSystemMessage($room->id, $target->username, '已冻结你的账号');
$privateMessage = $this->findPrivateSystemMessage($room->id, $target->username, '已封禁你的账号');
$this->assertNotNull($privateMessage);
$this->assertSame('🧊 账号已冻结', $privateMessage['toast_notification']['title'] ?? null);
$this->assertSame('🧊', $privateMessage['toast_notification']['icon'] ?? null);
$this->assertSame('#3b82f6', $privateMessage['toast_notification']['color'] ?? null);
$this->assertSame(' 账号已封禁', $privateMessage['toast_notification']['title'] ?? null);
$this->assertSame('', $privateMessage['toast_notification']['icon'] ?? null);
$this->assertSame('#991b1b', $privateMessage['toast_notification']['color'] ?? null);
Queue::assertPushed(SaveMessageJob::class, 2);
}
/**
* 测试封IP操作会给目标用户写入带 toast 的私聊提示。
*/
public function test_banip_message_contains_toast_notification_for_receiver(): void
{
Queue::fake();
[$admin, $target, $room] = $this->createAdminCommandActors();
$target->forceFill(['last_ip' => '192.168.1.100'])->save();
$response = $this->actingAs($admin)->postJson(route('command.banip'), [
'username' => $target->username,
'room_id' => $room->id,
'reason' => '恶意刷屏',
]);
$response->assertOk()->assertJson([
'status' => 'success',
'message' => "已封禁 {$target->username} 的 IP 与账号",
]);
$this->assertSame(-1, (int) $target->fresh()->user_level);
$this->assertSame(1, Redis::sismember('banned_ips', '192.168.1.100'));
$privateMessage = $this->findPrivateSystemMessage($room->id, $target->username, '已封禁你的 IP 并冻结账号');
$this->assertNotNull($privateMessage);
$this->assertSame('🌐 IP 已封禁', $privateMessage['toast_notification']['title'] ?? null);
$this->assertSame('🌐', $privateMessage['toast_notification']['icon'] ?? null);
$this->assertSame('#7c2d12', $privateMessage['toast_notification']['color'] ?? null);
Queue::assertPushed(SaveMessageJob::class, 2);
}
@@ -466,6 +498,64 @@ class AdminCommandControllerTest extends TestCase
]);
}
/**
* 测试缺少封号权限的职务用户会被拒绝。
*/
public function test_position_user_without_ban_permission_cannot_ban_target(): void
{
$admin = $this->createPositionedManager([
PositionPermissionRegistry::USER_WARN,
]);
$target = User::factory()->create([
'user_level' => 1,
]);
$room = Room::create([
'room_name' => '无权封号房',
]);
$this->joinRoom($admin, $room);
$this->joinRoom($target, $room);
$response = $this->actingAs($admin)->postJson(route('command.ban'), [
'username' => $target->username,
'room_id' => $room->id,
'reason' => '测试',
]);
$response->assertStatus(403)->assertJson([
'status' => 'error',
'message' => '当前职务无权封禁用户',
]);
}
/**
* 测试缺少封IP权限的职务用户会被拒绝。
*/
public function test_position_user_without_banip_permission_cannot_ban_target_ip(): void
{
$admin = $this->createPositionedManager([
PositionPermissionRegistry::USER_WARN,
]);
$target = User::factory()->create([
'user_level' => 1,
]);
$room = Room::create([
'room_name' => '无权封IP房',
]);
$this->joinRoom($admin, $room);
$this->joinRoom($target, $room);
$response = $this->actingAs($admin)->postJson(route('command.banip'), [
'username' => $target->username,
'room_id' => $room->id,
'reason' => '测试',
]);
$response->assertStatus(403)->assertJson([
'status' => 'error',
'message' => '当前职务无权封禁 IP 用户',
]);
}
/**
* 测试不能处理部门位阶更高的目标用户。
*/
@@ -645,7 +735,8 @@ class AdminCommandControllerTest extends TestCase
PositionPermissionRegistry::USER_WARN,
PositionPermissionRegistry::USER_MUTE,
PositionPermissionRegistry::USER_KICK,
PositionPermissionRegistry::USER_FREEZE,
PositionPermissionRegistry::USER_BAN,
PositionPermissionRegistry::USER_BANIP,
]);
$admin->load('activePosition.position.department');
$target = User::factory()->create([
@@ -61,6 +61,8 @@ class AdminDashboardControllerTest extends TestCase
$response->assertOk();
$response->assertSee('当前在线人数');
$response->assertSee('2');
$response->assertDontSee('队列监控面板');
$response->assertDontSee('打开 Horizon 控制台');
}
/**
@@ -0,0 +1,167 @@
<?php
/**
* 文件功能:后台等级经验阈值配置页测试
*
* 覆盖独立菜单页的展示、保存与非法阈值拦截,
* 确保 levelexp 已从通用系统参数页中拆分出来单独维护。
*/
namespace Tests\Feature\Feature;
use App\Models\Sysparam;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
/**
* 类功能:验证后台等级经验阈值独立配置页的核心行为。
*/
class AdminLevelExpConfigControllerTest extends TestCase
{
use RefreshDatabase;
/**
* 方法功能:验证独立配置页会按列表模式展示每一级阈值。
*/
public function test_level_exp_index_displays_threshold_rows(): void
{
$this->seedLevelExpParam();
$admin = $this->createSuperAdmin();
$response = $this->actingAs($admin)->get(route('admin.level-exp-configs.index'));
$response->assertOk();
$response->assertSee('等级经验阈值管理');
$response->assertSee('第 1 级');
$response->assertSee('第 3 级');
$response->assertSee('10');
$response->assertSee('150');
$response->assertSee('最高可配置到 99 级');
}
/**
* 方法功能:验证独立配置页可保存新的等级经验阈值。
*/
public function test_level_exp_update_persists_thresholds(): void
{
$this->seedLevelExpParam();
$admin = $this->createSuperAdmin();
$response = $this->actingAs($admin)->put(route('admin.level-exp-configs.update'), [
'thresholds' => ['20', '80', '180', '360'],
]);
$response->assertRedirect(route('admin.level-exp-configs.index'));
$response->assertSessionHas('success');
$this->assertDatabaseHas('sysparam', [
'alias' => 'levelexp',
'body' => '20,80,180,360',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'maxlevel',
'body' => '99',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'superlevel',
'body' => '100',
]);
}
/**
* 方法功能:验证阈值必须严格递增,防止错误配置写入。
*/
public function test_level_exp_update_requires_strictly_increasing_thresholds(): void
{
$this->seedLevelExpParam();
$admin = $this->createSuperAdmin();
$response = $this->from(route('admin.level-exp-configs.index'))
->actingAs($admin)
->put(route('admin.level-exp-configs.update'), [
'thresholds' => ['20', '18', '100'],
]);
$response->assertRedirect(route('admin.level-exp-configs.index'));
$response->assertSessionHasErrors('thresholds');
$this->assertDatabaseHas('sysparam', [
'alias' => 'levelexp',
'body' => '10,50,150',
]);
}
/**
* 方法功能:验证等级数量不能超过用户最高可达等级。
*/
public function test_level_exp_update_requires_threshold_count_not_exceed_maxlevel(): void
{
$this->seedLevelExpParam();
Sysparam::updateOrCreate(
['alias' => 'maxlevel'],
['body' => '2', 'guidetxt' => '用户最高可达等级']
);
$admin = $this->createSuperAdmin();
$response = $this->from(route('admin.level-exp-configs.index'))
->actingAs($admin)
->put(route('admin.level-exp-configs.update'), [
'thresholds' => ['20', '80', '180'],
]);
$response->assertRedirect(route('admin.level-exp-configs.index'));
$response->assertSessionHasErrors('thresholds');
$this->assertDatabaseHas('sysparam', [
'alias' => 'levelexp',
'body' => '10,50,150',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'maxlevel',
'body' => '2',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'superlevel',
'body' => '100',
]);
}
/**
* 方法功能:创建可访问后台页面的超级管理员。
*/
private function createSuperAdmin(): User
{
return User::factory()->create([
'user_level' => 100,
]);
}
/**
* 方法功能:初始化等级经验阈值参数。
*/
private function seedLevelExpParam(): void
{
$rows = [
'levelexp' => [
'body' => '10,50,150',
'guidetxt' => '按列表逐级维护升级所需的累计经验阈值',
],
'maxlevel' => [
'body' => '99',
'guidetxt' => '用户最高可达等级',
],
'superlevel' => [
'body' => '100',
'guidetxt' => '管理员级别(= 最高等级 + 1,拥有最高权限的等级阈值)',
],
];
foreach ($rows as $alias => $payload) {
Sysparam::updateOrCreate(
['alias' => $alias],
$payload
);
}
}
}
@@ -0,0 +1,45 @@
<?php
/**
* 文件功能:运维工具页面展示测试
*
* 覆盖运维工具页中 Horizon 控制台入口的展示,
* 并验证该入口已从后台仪表盘迁移到运维工具页面。
*
* @author ChatRoom Laravel
*
* @version 1.0.0
*/
namespace Tests\Feature\Feature;
use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
/**
* 类功能:验证运维工具页面的核心展示内容。
*/
class AdminOpsControllerTest extends TestCase
{
use RefreshDatabase;
/**
* 方法功能:验证运维工具页会展示 Horizon 控制台入口。
*/
public function test_ops_page_displays_horizon_console_entry(): void
{
$siteOwner = User::factory()->create([
'id' => 1,
'username' => 'site-owner',
'user_level' => 100,
]);
$response = $this->actingAs($siteOwner)->get(route('admin.ops.index'));
$response->assertOk();
$response->assertSee('队列监控面板');
$response->assertSee('打开 Horizon 控制台');
$response->assertSee('/horizon');
}
}
@@ -47,6 +47,8 @@ class AdminPositionPermissionTest extends TestCase
'permissions' => [
PositionPermissionRegistry::ROOM_ANNOUNCEMENT,
PositionPermissionRegistry::ROOM_PUBLIC_BROADCAST,
PositionPermissionRegistry::USER_BAN,
PositionPermissionRegistry::USER_BANIP,
],
]);
@@ -59,6 +61,8 @@ class AdminPositionPermissionTest extends TestCase
$this->assertSame([
PositionPermissionRegistry::ROOM_ANNOUNCEMENT,
PositionPermissionRegistry::ROOM_PUBLIC_BROADCAST,
PositionPermissionRegistry::USER_BAN,
PositionPermissionRegistry::USER_BANIP,
], $position->permissions);
}
@@ -195,7 +199,9 @@ class AdminPositionPermissionTest extends TestCase
$response->assertSee('默认礼包总量');
$response->assertSee('默认礼包份数');
$response->assertSee('警告用户');
$response->assertSee('冻结用户');
$response->assertSee('封号用户');
$response->assertSee('封IP');
$response->assertSee('聊天室管理动作已统一按职务权限控制');
}
/**
@@ -38,6 +38,16 @@ class AdminSystemControllerTest extends TestCase
$response->assertDontSee('vip_payment_app_secret');
$response->assertDontSee('wechat_bot_config');
$response->assertDontSee('chatbot_max_gold');
$response->assertDontSee('levelexp');
$response->assertDontSee('level_warn');
$response->assertDontSee('level_mute');
$response->assertDontSee('level_kick');
$response->assertDontSee('level_announcement');
$response->assertDontSee('level_ban');
$response->assertDontSee('level_banip');
$response->assertDontSee('level_freeze');
$response->assertSee('maxlevel');
$response->assertSee('superlevel');
}
/**
@@ -51,6 +61,16 @@ class AdminSystemControllerTest extends TestCase
$response = $this->actingAs($admin)->put(route('admin.system.update'), [
'sys_name' => '新版聊天室',
'sys_notice' => '新的公共公告',
'levelexp' => '20,80,180',
'level_warn' => '40',
'level_mute' => '50',
'level_kick' => '60',
'level_announcement' => '65',
'level_ban' => '80',
'level_banip' => '90',
'level_freeze' => '95',
'maxlevel' => '88',
'superlevel' => '666',
'smtp_host' => 'attacker.smtp.example',
'vip_payment_app_secret' => 'tampered-secret',
'wechat_bot_config' => '{"api":{"bot_key":"stolen"}}',
@@ -69,6 +89,46 @@ class AdminSystemControllerTest extends TestCase
'alias' => 'sys_notice',
'body' => '新的公共公告',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'levelexp',
'body' => '10,50,150',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_warn',
'body' => '5',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_mute',
'body' => '50',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_kick',
'body' => '60',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_announcement',
'body' => '60',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_ban',
'body' => '80',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_banip',
'body' => '90',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'level_freeze',
'body' => '14',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'maxlevel',
'body' => '88',
]);
$this->assertDatabaseHas('sysparam', [
'alias' => 'superlevel',
'body' => '89',
]);
// 敏感配置必须保持原值,不能被通用系统页伪造请求覆盖。
$this->assertDatabaseHas('sysparam', [
@@ -92,12 +152,44 @@ class AdminSystemControllerTest extends TestCase
]);
}
/**
* 验证非站长的高等级后台用户不能访问系统参数页。
*/
public function test_non_site_owner_cannot_access_system_page(): void
{
$this->seedSystemParams();
$admin = User::factory()->create([
'user_level' => 100,
]);
$this->actingAs($admin)
->get(route('admin.system.edit'))
->assertForbidden();
}
/**
* 验证非站长的高等级后台用户看不到系统参数菜单入口。
*/
public function test_non_site_owner_dashboard_hides_system_menu_link(): void
{
$this->seedSystemParams();
$admin = User::factory()->create([
'user_level' => 100,
]);
$response = $this->actingAs($admin)->get(route('admin.dashboard'));
$response->assertOk();
$response->assertDontSee('⚙️ 聊天室参数', false);
}
/**
* 创建可访问后台通用系统页的超级管理员账号。
*/
private function createSuperAdmin(): User
{
return User::factory()->create([
'id' => 1,
'user_level' => 100,
]);
}
@@ -128,6 +220,16 @@ class AdminSystemControllerTest extends TestCase
return [
'sys_name' => '原始聊天室',
'sys_notice' => '原始公告',
'levelexp' => '10,50,150',
'level_warn' => '5',
'level_mute' => '50',
'level_kick' => '60',
'level_announcement' => '60',
'level_ban' => '80',
'level_banip' => '90',
'level_freeze' => '14',
'maxlevel' => '99',
'superlevel' => '100',
'smtp_host' => 'owner.smtp.example',
'vip_payment_app_secret' => 'owner-secret',
'wechat_bot_config' => '{"api":{"bot_key":"owner-only"}}',
+88 -124
View File
@@ -8,11 +8,15 @@
namespace Tests\Feature;
use App\Enums\CurrencySource;
use App\Models\Department;
use App\Models\Position;
use App\Models\Room;
use App\Models\Sysparam;
use App\Models\User;
use App\Models\UserCurrencyLog;
use App\Models\UserPosition;
use App\Services\ChatUserPresenceService;
use App\Support\PositionPermissionRegistry;
use Carbon\Carbon;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Illuminate\Support\Facades\Cache;
@@ -39,10 +43,6 @@ class UserControllerTest extends TestCase
Redis::flushall();
Sysparam::updateOrCreate(['alias' => 'superlevel'], ['body' => '100']);
Sysparam::updateOrCreate(['alias' => 'level_kick'], ['body' => '15']);
Sysparam::updateOrCreate(['alias' => 'level_mute'], ['body' => '15']);
Sysparam::updateOrCreate(['alias' => 'level_ban'], ['body' => '15']);
Sysparam::updateOrCreate(['alias' => 'level_banip'], ['body' => '15']);
Sysparam::updateOrCreate(['alias' => 'smtp_enabled'], ['body' => '1']); // Allow email changing in tests
}
@@ -294,6 +294,51 @@ class UserControllerTest extends TestCase
->assertJsonPath('data.bank_jjb_can_reveal', false);
}
/**
* 测试拥有封IP职务权限的用户可以查看名片中的管理员网络信息。
*/
public function test_position_user_with_banip_permission_can_view_admin_network_info(): void
{
$viewer = $this->createUserWithPositionPermissions([
PositionPermissionRegistry::USER_BANIP,
]);
$target = User::factory()->create([
'username' => 'nettarget',
'first_ip' => '10.0.0.1',
'previous_ip' => '10.0.0.2',
'last_ip' => '10.0.0.3',
]);
$response = $this->actingAs($viewer)->getJson("/user/{$target->username}");
$response->assertOk()
->assertJsonPath('data.first_ip', '10.0.0.1')
->assertJsonPath('data.last_ip', '10.0.0.2')
->assertJsonPath('data.login_ip', '10.0.0.3');
}
/**
* 测试普通用户查看别人名片时不会拿到管理员网络信息字段。
*/
public function test_user_without_banip_permission_cannot_view_admin_network_info(): void
{
$viewer = User::factory()->create();
$target = User::factory()->create([
'username' => 'hidden-net',
'first_ip' => '10.0.1.1',
'previous_ip' => '10.0.1.2',
'last_ip' => '10.0.1.3',
]);
$response = $this->actingAs($viewer)->getJson("/user/{$target->username}");
$response->assertOk()
->assertJsonMissingPath('data.first_ip')
->assertJsonMissingPath('data.last_ip')
->assertJsonMissingPath('data.login_ip')
->assertJsonMissingPath('data.location');
}
/**
* 测试不改邮箱时可以正常更新个人资料。
*/
@@ -510,126 +555,6 @@ class UserControllerTest extends TestCase
$this->assertTrue(Hash::check('newpassword123', $user->password));
}
public function test_admin_can_kick_user()
{
$admin = User::factory()->create(['username' => 'admin', 'user_level' => 20]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
$this->actingAs($admin);
$response = $this->postJson("/user/{$target->username}/kick", [
'room_id' => $room->id,
]);
$response->assertStatus(200)
->assertJsonPath('status', 'success');
}
public function test_low_level_user_cannot_kick()
{
$user = User::factory()->create(['username' => 'user', 'user_level' => 1]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
$this->actingAs($user);
$response = $this->postJson("/user/{$target->username}/kick", [
'room_id' => $room->id,
]);
$response->assertStatus(403);
}
public function test_room_master_can_kick()
{
$user = User::factory()->create(['username' => 'user', 'user_level' => 2]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'user']); // Master is 'user'
$this->actingAs($user);
$response = $this->postJson("/user/{$target->username}/kick", [
'room_id' => $room->id,
]);
if ($response->status() !== 200) {
dump($response->json());
}
$response->assertStatus(200);
}
public function test_cannot_kick_higher_level()
{
$admin = User::factory()->create(['username' => 'admin', 'user_level' => 20]);
$superadmin = User::factory()->create(['username' => 'superadmin', 'user_level' => 100]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
$this->actingAs($admin);
$response = $this->postJson("/user/{$superadmin->username}/kick", [
'room_id' => $room->id,
]);
$response->assertStatus(403);
}
public function test_admin_can_mute_user()
{
$admin = User::factory()->create(['username' => 'admin', 'user_level' => 20]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
Redis::shouldReceive('setex')->once();
$this->actingAs($admin);
$response = $this->postJson("/user/{$target->username}/mute", [
'room_id' => $room->id,
'duration' => 10,
]);
$response->assertStatus(200);
}
public function test_admin_can_ban_user()
{
$admin = User::factory()->create(['username' => 'admin', 'user_level' => 20]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1]);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
$this->actingAs($admin);
$response = $this->postJson("/user/{$target->username}/ban", [
'room_id' => $room->id,
]);
$response->assertStatus(200);
$target->refresh();
$this->assertEquals(-1, $target->user_level);
}
public function test_admin_can_ban_ip()
{
$admin = User::factory()->create(['username' => 'admin', 'user_level' => 20]);
$target = User::factory()->create(['username' => 'target', 'user_level' => 1, 'last_ip' => '192.168.1.100']);
$room = Room::create(['id' => 1, 'room_name' => 'Test Room', 'room_owner' => 'someone']);
Redis::shouldReceive('sadd')->with('banned_ips', '192.168.1.100')->once();
$this->actingAs($admin);
$response = $this->postJson("/user/{$target->username}/banip", [
'room_id' => $room->id,
]);
$response->assertStatus(200);
$target->refresh();
$this->assertEquals(-1, $target->user_level);
}
/**
* 让指定用户先进入聊天室,满足“仅在线用户可设置状态”的前置条件。
*/
@@ -646,4 +571,43 @@ class UserControllerTest extends TestCase
return $room;
}
/**
* 创建带指定职务权限的测试用户。
*
* @param list<string> $permissions
*/
private function createUserWithPositionPermissions(array $permissions): User
{
$user = User::factory()->create([
'user_level' => 88,
]);
$department = Department::create([
'name' => '资料权限部'.$user->id,
'rank' => 88,
'color' => '#4f46e5',
'sort_order' => 1,
'description' => '资料权限测试部门',
]);
$position = Position::create([
'department_id' => $department->id,
'name' => '资料权限职务'.$user->id,
'icon' => '🛡️',
'rank' => 88,
'level' => 88,
'sort_order' => 1,
'permissions' => $permissions,
]);
UserPosition::create([
'user_id' => $user->id,
'position_id' => $position->id,
'appointed_at' => now(),
'is_active' => true,
]);
return $user->fresh();
}
}