package user import ( "context" "database/sql" "errors" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" "math" "perms-system-server/internal/consts" "perms-system-server/internal/loaders" "perms-system-server/internal/middleware" deptModel "perms-system-server/internal/model/dept" userModel "perms-system-server/internal/model/user" "perms-system-server/internal/response" "perms-system-server/internal/svc" "perms-system-server/internal/testutil" "perms-system-server/internal/testutil/ctxhelper" "perms-system-server/internal/types" "strings" "sync" "testing" "time" ) func insertTestUser(t *testing.T, ctx context.Context, username, password string) int64 { t.Helper() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) now := time.Now().Unix() res, err := svcCtx.SysUserModel.Insert(ctx, &userModel.SysUser{ Username: username, Password: password, Nickname: "test", Avatar: sql.NullString{}, Email: username + "@test.com", Phone: "13800000000", Remark: "", DeptId: 0, IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) id, _ := res.LastInsertId() return id } func insertTestUserFull(t *testing.T, ctx context.Context, u *userModel.SysUser) int64 { t.Helper() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) now := time.Now().Unix() if u.CreateTime == 0 { u.CreateTime = now } if u.UpdateTime == 0 { u.UpdateTime = now } res, err := svcCtx.SysUserModel.Insert(ctx, u) require.NoError(t, err) id, _ := res.LastInsertId() return id } func strPtr(s string) *string { return &s } func int64Ptr(i int64) *int64 { return &i } // TC-0134: 正常创建 func TestCreateUser_Success(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Nickname: "测试用户", Email: username + "@test.com", Phone: "13800138000", Remark: "集成测试", DeptId: 0, }) require.NoError(t, err) require.NotNil(t, resp) assert.Greater(t, resp.Id, int64(0)) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, username, user.Username) assert.Equal(t, "测试用户", user.Nickname) assert.Equal(t, int64(1), user.Status) assert.Equal(t, int64(2), user.IsSuperAdmin) } // TC-0135: 用户名已存在(预检) func TestCreateUser_UsernameExists(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() hashed := testutil.HashPassword("pass123") userId := insertTestUser(t, ctx, username, hashed) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) }) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass456789", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 409, codeErr.Code()) assert.Equal(t, "用户名已存在", codeErr.Error()) } // TC-0137: 非法email格式 func TestCreateUser_InvalidEmail(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pass123456", Email: "not-an-email", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "邮箱格式不正确", codeErr.Error()) } // TC-0138: 合法email func TestCreateUser_ValidEmail(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Email: username + "@example.com", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, username+"@example.com", user.Email) } // TC-0139: email为空(可选) func TestCreateUser_EmptyEmailSkipsValidation(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Email: "", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, "", user.Email) } // TC-0140: 非法phone格式 func TestCreateUser_InvalidPhone(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pass123456", Phone: "abc", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "手机号格式不正确", codeErr.Error()) } // TC-0141: 合法phone(国际) func TestCreateUser_ValidPhone(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Phone: "13900139000", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, "13900139000", user.Phone) } // TC-0142: phone为空(可选) func TestCreateUser_EmptyPhoneSkipsValidation(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Phone: "", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, "", user.Phone) } // TC-0143: 并发同username(TOCTOU) func TestCreateUser_ConcurrentSameUsername(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() t.Cleanup(func() { testutil.CleanTableByField(ctx, conn, "`sys_user`", "username", username) }) var wg sync.WaitGroup results := make(chan error, 2) for i := 0; i < 2; i++ { wg.Add(1) go func() { defer wg.Done() logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Nickname: "并发测试用户", }) results <- err }() } wg.Wait() close(results) var errs []error for err := range results { errs = append(errs, err) } require.Len(t, errs, 2) successCount := 0 failCount := 0 for _, err := range errs { if err == nil { successCount++ } else { failCount++ var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr), "error should be CodeError, got: %v", err) assert.Equal(t, 409, codeErr.Code()) assert.Equal(t, "用户名已存在", codeErr.Error()) } } assert.Equal(t, 1, successCount) assert.Equal(t, 1, failCount) } // TC-0141: 合法phone(国际) func TestCreateUser_ValidInternationalPhone(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Phone: "+8613800138000", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, "+8613800138000", user.Phone) } // TC-0145: 密码少于8字符 func TestCreateUser_PasswordTooShort(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pas1234", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "密码长度不能少于8个字符", codeErr.Error()) } // TC-0146: 密码缺少大写字母 func TestCreateUser_PasswordNoUppercase(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) longPwd := "A" + strings.Repeat("a", 71) + "1" _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: longPwd, }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "密码长度不能超过72个字符", codeErr.Error()) } // TC-0147: 密码缺少小写字母 func TestCreateUser_PasswordNoLowercase(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "PASS123456", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "密码必须包含大写字母、小写字母和数字", codeErr.Error()) } // TC-0148: 密码缺少数字 func TestCreateUser_PasswordNoDigit(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Passpasspass", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "密码必须包含大写字母、小写字母和数字", codeErr.Error()) } // TC-0149: 密码超过72字符 func TestCreateUser_PasswordTooLong(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) longPwd := strings.Repeat("a", 73) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: longPwd, }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "密码长度不能超过72个字符", codeErr.Error()) } // TC-0537: createUser非管理员拒绝 func TestCreateUser_MemberRejected(t *testing.T) { ctx := ctxhelper.MemberCtx("test_product") svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{Username: "test", Password: "Pass123456"}) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code()) } // TC-0150: 用户名含特殊字符被拒绝 func TestCreateUser_UsernameInvalidChars(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: "user@name!", Password: "Pass123456", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "用户名只能包含字母、数字和下划线,长度2-64个字符", codeErr.Error()) } // TC-0151: 用户名太短(1字符)被拒绝 func TestCreateUser_UsernameTooShort(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: "a", Password: "Pass123456", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "用户名只能包含字母、数字和下划线,长度2-64个字符", codeErr.Error()) } // TC-0152: 用户名太长(65字符)被拒绝 func TestCreateUser_UsernameTooLong(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: strings.Repeat("a", 65), Password: "Pass123456", }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "用户名只能包含字母、数字和下划线,长度2-64个字符", codeErr.Error()) } // TC-0153: 部门不存在被拒绝 func TestCreateUser_DeptNotExists(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pass123456", DeptId: 999999999, }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "部门不存在", codeErr.Error()) } // TC-0154: 昵称超过64字符被拒绝 func TestCreateUser_NicknameTooLong(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pass123456", Nickname: strings.Repeat("n", 65), }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "昵称长度不能超过64个字符", codeErr.Error()) } // TC-0155: 备注超过255字符被拒绝 func TestCreateUser_RemarkTooLong(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewCreateUserLogic(ctx, svcCtx) _, err := logic.CreateUser(&types.CreateUserReq{ Username: testutil.UniqueId(), Password: "Pass123456", Remark: strings.Repeat("r", 256), }) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 400, codeErr.Code()) assert.Equal(t, "备注长度不能超过255个字符", codeErr.Error()) } // TC-0136: 带完整可选字段 func TestCreateUser_AllOptionalFields(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() now := time.Now().Unix() deptRes, err := svcCtx.SysDeptModel.Insert(ctx, &deptModel.SysDept{ ParentId: 0, Name: "tc0103_dept_" + testutil.UniqueId(), Path: "/", Sort: 1, DeptType: "NORMAL", Remark: "", Status: 1, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) deptId, err := deptRes.LastInsertId() require.NoError(t, err) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_dept`", deptId) }) username := testutil.UniqueId() logic := NewCreateUserLogic(ctx, svcCtx) resp, err := logic.CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", Nickname: "全字段用户", Email: username + "@example.com", Phone: "13900001111", Remark: "TC-0136完整字段", DeptId: deptId, }) require.NoError(t, err) require.NotNil(t, resp) assert.Greater(t, resp.Id, int64(0)) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, username, user.Username) assert.Equal(t, "全字段用户", user.Nickname) assert.Equal(t, username+"@example.com", user.Email) assert.Equal(t, "13900001111", user.Phone) assert.Equal(t, "TC-0136完整字段", user.Remark) assert.Equal(t, deptId, user.DeptId) assert.Equal(t, int64(1), user.Status) assert.Equal(t, int64(2), user.IsSuperAdmin) } func callerAdminCtx(callerUserId, deptId int64, deptPath string) context.Context { return middleware.WithUserDetails(context.Background(), &loaders.UserDetails{ UserId: callerUserId, Username: "prod_admin_caller", IsSuperAdmin: false, MemberType: consts.MemberTypeAdmin, Status: consts.StatusEnabled, ProductCode: "test_product", DeptId: deptId, DeptPath: deptPath, MinPermsLevel: math.MaxInt64, }) } // TC-0994: 产品 ADMIN 为非自己管辖部门创建用户必须 403。 func TestCreateUser_MN4_AdminCannotCreateOutsideDeptSubtree(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() callerDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_caller", "/100/") outsideDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_outside", "/999/") t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", callerDeptId, outsideDeptId) }) adminCtx := callerAdminCtx(777771, callerDeptId, "/100/") _, err := NewCreateUserLogic(adminCtx, svcCtx).CreateUser(&types.CreateUserReq{ Username: "mn4_seed_" + testutil.UniqueId(), Password: "Pass123456", DeptId: outsideDeptId, }) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code(), "产品 ADMIN 跨部门树创建用户必须 403,防止占用关键用户名等 AddMember 合谋挂进产品") assert.Contains(t, ce.Error(), "无权在非自己管辖的部门下创建用户") } // TC-0995: 正向 —— 产品 ADMIN 在自己子树下的部门创建用户放行。 func TestCreateUser_MN4_AdminCanCreateInsideDeptSubtree(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() callerDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_ok_caller", "/200/") childDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_ok_child", "/200/1/") t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", callerDeptId, childDeptId) }) adminCtx := callerAdminCtx(777772, callerDeptId, "/200/") username := "mn4ok_" + testutil.UniqueId() resp, err := NewCreateUserLogic(adminCtx, svcCtx).CreateUser(&types.CreateUserReq{ Username: username, Password: "Pass123456", DeptId: childDeptId, }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_user`", resp.Id) }) user, err := svcCtx.SysUserModel.FindOne(bootstrap, resp.Id) require.NoError(t, err) assert.Equal(t, username, user.Username) assert.Equal(t, childDeptId, user.DeptId, "用户必须真实落在指定子部门") } // TC-0996: SuperAdmin 可跨一切部门(含 DeptId=0),继续允许创建系统级账号。 func TestCreateUser_MN4_SuperAdminCanCreateAnywhere(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() randomDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_sa", "/1000/") t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", randomDeptId) }) // A) 超管创建在任意部门 usernameDept := "mn4sa_dept_" + testutil.UniqueId() resp, err := NewCreateUserLogic(ctxhelper.SuperAdminCtx(), svcCtx).CreateUser(&types.CreateUserReq{ Username: usernameDept, Password: "Pass123456", DeptId: randomDeptId, }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_user`", resp.Id) }) // B) 超管创建 DeptId=0 的系统级账号(历史跨组织账号语义保留) usernameZero := "mn4sa_zero_" + testutil.UniqueId() respZero, err := NewCreateUserLogic(ctxhelper.SuperAdminCtx(), svcCtx).CreateUser(&types.CreateUserReq{ Username: usernameZero, Password: "Pass123456", DeptId: 0, }) require.NoError(t, err) require.NotNil(t, respZero) t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_user`", respZero.Id) }) } // TC-0997: 非超管 caller 的 DeptPath 为空时必须 403,不得在部门树外开口。 func TestCreateUser_MN4_EmptyCallerDeptPathRejected(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() dstDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_empty", "/500/") t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", dstDeptId) }) // caller 是产品 ADMIN 但历史账号 DeptPath=="" —— 必须 403 "未归属任何部门" adminCtx := callerAdminCtx(777773, 0, "") _, err := NewCreateUserLogic(adminCtx, svcCtx).CreateUser(&types.CreateUserReq{ Username: "mn4empty_" + testutil.UniqueId(), Password: "Pass123456", DeptId: dstDeptId, }) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 403, ce.Code(), "caller.DeptPath=='' 属于 legacy 账号,fail-close 不允许创建用户") assert.Contains(t, ce.Error(), "您未归属任何部门") } // TC-0998: 非超管 caller 传 DeptId=0 必须 400(禁止非超管创建"无部门"账号)。 func TestCreateUser_MN4_NonSuperAdminMustSpecifyDept(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() callerDeptId := insertTestDeptForScope(t, bootstrap, svcCtx, "mn4_mustspec", "/300/") t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", callerDeptId) }) adminCtx := callerAdminCtx(777774, callerDeptId, "/300/") _, err := NewCreateUserLogic(adminCtx, svcCtx).CreateUser(&types.CreateUserReq{ Username: "mn4must_" + testutil.UniqueId(), Password: "Pass123456", DeptId: 0, }) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 400, ce.Code(), "非超管 CreateUser 必须显式指定部门,禁止在部门树外创建账号") assert.Contains(t, ce.Error(), "必须指定部门") } // TC-0999: 目标部门已停用时 CreateUser 必须 400 "目标部门已停用",与 UpdateDept 闭环。 func TestCreateUser_LN2_TargetDeptDisabled(t *testing.T) { bootstrap := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() now := time.Now().Unix() disRes, err := svcCtx.SysDeptModel.Insert(bootstrap, &deptModel.SysDept{ ParentId: 0, Name: "ln2_dis_" + testutil.UniqueId(), Path: "/900/", Sort: 0, DeptType: "NORMAL", Remark: "", Status: 2, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) disabledId, _ := disRes.LastInsertId() t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_dept`", disabledId) }) // 超管也必须被拒绝: 的规则针对"所有调用方",防止 disabled 部门被意外重新填人 _, err = NewCreateUserLogic(ctxhelper.SuperAdminCtx(), svcCtx).CreateUser(&types.CreateUserReq{ Username: "ln2_" + testutil.UniqueId(), Password: "Pass123456", DeptId: disabledId, }) require.Error(t, err) var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 400, ce.Code()) assert.Equal(t, "目标部门已停用", ce.Error(), "目标部门 status!=Enabled 必须拒绝,与 UpdateDept 禁用语义闭环") } // TC-1100: DeptId 负值(-1 / MinInt64)在所有类型 caller 面前都必须被 400 拒绝, // 禁止构造 "sys_user.deptId = 负数" 的僵尸账号(FindOne 永远 NotFound,部门树永远查不到)。 func TestCreateUser_NegativeDeptIdRejected(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) cases := []struct { name string ctx context.Context deptId int64 wantMsg string }{ {"super_admin_negative_one", ctxhelper.SuperAdminCtx(), -1, "部门ID必须为非负整数"}, {"super_admin_min_int64", ctxhelper.SuperAdminCtx(), math.MinInt64, "部门ID必须为非负整数"}, } for _, tc := range cases { tc := tc t.Run(tc.name, func(t *testing.T) { _, err := NewCreateUserLogic(tc.ctx, svcCtx).CreateUser(&types.CreateUserReq{ Username: "neg_dept_" + testutil.UniqueId(), Password: "Pass123456", DeptId: tc.deptId, }) require.Error(t, err, "负值 DeptId 必须被拒绝") var ce *response.CodeError require.True(t, errors.As(err, &ce)) assert.Equal(t, 400, ce.Code(), "必须 400 而不是 5xx / 404:让调用方知道是入参不合法,不是 DB/权限问题") assert.Equal(t, tc.wantMsg, ce.Error()) }) } } func TestCreateUser_DefaultsMustChangePasswordToYes(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() username := "lcp_" + testutil.UniqueId() resp, err := NewCreateUserLogic(ctx, svcCtx).CreateUser(&types.CreateUserReq{ Username: username, Password: "InitPass@123", Nickname: "初始口令校验", }) require.NoError(t, err) require.NotNil(t, resp) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", resp.Id) }) u, err := svcCtx.SysUserModel.FindOne(ctx, resp.Id) require.NoError(t, err) assert.Equal(t, int64(consts.MustChangePasswordYes), u.MustChangePassword, "管理员代填初始密码的用户必须被强制下次登录改密,落盘为 Yes") }