package user import ( "context" "database/sql" "errors" "perms-system-server/internal/consts" "perms-system-server/internal/loaders" "perms-system-server/internal/middleware" memberModel "perms-system-server/internal/model/productmember" userModel "perms-system-server/internal/model/user" "perms-system-server/internal/model/userrole" "perms-system-server/internal/response" "perms-system-server/internal/svc" "perms-system-server/internal/testutil" "perms-system-server/internal/testutil/ctxhelper" "perms-system-server/internal/types" "testing" "time" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) // TC-1267: 超管不传 productCode → roleIds 含目标用户所有产品角色(全量) func TestUserDetail_SuperAdmin_NoProductCode_ReturnsAllRoles(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() // 超管 ctx 中 ProductCode 为空,模拟真实超管登录态 ctx := ctxhelper.CustomCtx(&loaders.UserDetails{ UserId: 1, Username: "superadmin", IsSuperAdmin: true, MemberType: consts.MemberTypeSuperAdmin, Status: consts.StatusEnabled, ProductCode: "", }) username := testutil.UniqueId() userId := insertTestUser(t, ctxhelper.SuperAdminCtx(), username, testutil.HashPassword("pass")) roleInP1 := insertTestRole(t, svcCtx, "test_product", 1) roleInP2 := insertTestRole(t, svcCtx, "other_product", 1) now := time.Now().Unix() var roleRecordIds []int64 for _, roleId := range []int64{roleInP1, roleInP2} { res, err := svcCtx.SysUserRoleModel.Insert(ctxhelper.SuperAdminCtx(), &userrole.SysUserRole{ UserId: userId, RoleId: roleId, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) id, _ := res.LastInsertId() roleRecordIds = append(roleRecordIds, id) } t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user_role`", roleRecordIds...) testutil.CleanTable(ctx, conn, "`sys_role`", roleInP1, roleInP2) testutil.CleanTable(ctx, conn, "`sys_user`", userId) }) resp, err := NewUserDetailLogic(ctx, svcCtx).UserDetail(&types.UserDetailReq{Id: userId}) require.NoError(t, err) assert.ElementsMatch(t, []int64{roleInP1, roleInP2}, resp.RoleIds, "超管不传 productCode 时应返回全量角色(跨产品)") } // TC-1268: 超管传 productCode → roleIds 只含该产品角色 func TestUserDetail_SuperAdmin_WithProductCode_FiltersRoles(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() superCtx := ctxhelper.SuperAdminCtx() username := testutil.UniqueId() userId := insertTestUser(t, superCtx, username, testutil.HashPassword("pass")) roleInCurrent1 := insertTestRole(t, svcCtx, "test_product", 1) roleInCurrent2 := insertTestRole(t, svcCtx, "test_product", 1) roleInOther := insertTestRole(t, svcCtx, "other_product", 1) now := time.Now().Unix() var roleRecordIds []int64 for _, roleId := range []int64{roleInCurrent1, roleInCurrent2, roleInOther} { res, err := svcCtx.SysUserRoleModel.Insert(superCtx, &userrole.SysUserRole{ UserId: userId, RoleId: roleId, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) id, _ := res.LastInsertId() roleRecordIds = append(roleRecordIds, id) } t.Cleanup(func() { testutil.CleanTable(superCtx, conn, "`sys_user_role`", roleRecordIds...) testutil.CleanTable(superCtx, conn, "`sys_role`", roleInCurrent1, roleInCurrent2, roleInOther) testutil.CleanTable(superCtx, conn, "`sys_user`", userId) }) resp, err := NewUserDetailLogic(superCtx, svcCtx).UserDetail(&types.UserDetailReq{ Id: userId, ProductCode: "test_product", }) require.NoError(t, err) assert.ElementsMatch(t, []int64{roleInCurrent1, roleInCurrent2}, resp.RoleIds, "超管传 productCode 时只返回该产品下的角色") assert.NotContains(t, resp.RoleIds, roleInOther, "其他产品的角色不应出现在结果中") } // TC-1269: 非超管不传 productCode → roleIds 只含 JWT context 产品角色;req.productCode 被忽略 func TestUserDetail_NonSuperAdmin_UsesCtxProductCode(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() superCtx := ctxhelper.SuperAdminCtx() productCode := "test_product" username := testutil.UniqueId() userId := insertTestUser(t, superCtx, username, testutil.HashPassword("pass")) mId := insertTestMember(t, svcCtx, productCode, userId) roleInCtx := insertTestRole(t, svcCtx, productCode, 1) roleInOther := insertTestRole(t, svcCtx, "other_product", 1) now := time.Now().Unix() var roleRecordIds []int64 for _, roleId := range []int64{roleInCtx, roleInOther} { res, err := svcCtx.SysUserRoleModel.Insert(superCtx, &userrole.SysUserRole{ UserId: userId, RoleId: roleId, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) id, _ := res.LastInsertId() roleRecordIds = append(roleRecordIds, id) } t.Cleanup(func() { testutil.CleanTable(superCtx, conn, "`sys_user_role`", roleRecordIds...) testutil.CleanTable(superCtx, conn, "`sys_product_member`", mId) testutil.CleanTable(superCtx, conn, "`sys_role`", roleInCtx, roleInOther) testutil.CleanTable(superCtx, conn, "`sys_user`", userId) }) // ADMIN ctx productCode="test_product",req 里传 "other_product" 应被忽略 ctx := ctxhelper.AdminCtx(productCode) resp, err := NewUserDetailLogic(ctx, svcCtx).UserDetail(&types.UserDetailReq{ Id: userId, ProductCode: "other_product", // 非超管时此字段应被忽略 }) require.NoError(t, err) assert.ElementsMatch(t, []int64{roleInCtx}, resp.RoleIds, "非超管始终用 JWT context productCode,req.productCode 应被忽略") assert.NotContains(t, resp.RoleIds, roleInOther) } // TC-0182: 正常查询-含Avatar func TestUserDetail_WithAvatar(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() userId := insertTestUserFull(t, ctx, &userModel.SysUser{ Username: testutil.UniqueId(), Password: testutil.HashPassword("pass"), Nickname: "avatar_user", Avatar: sql.NullString{String: "https://example.com/avatar.png", Valid: true}, IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, }) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) }) logic := NewUserDetailLogic(ctx, svcCtx) resp, err := logic.UserDetail(&types.UserDetailReq{Id: userId}) require.NoError(t, err) require.NotNil(t, resp) assert.Equal(t, "https://example.com/avatar.png", resp.Avatar) } // TC-0183: 不存在 func TestUserDetail_NotFound(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) logic := NewUserDetailLogic(ctx, svcCtx) _, err := logic.UserDetail(&types.UserDetailReq{Id: 999999999}) require.Error(t, err) var codeErr *response.CodeError require.True(t, errors.As(err, &codeErr)) assert.Equal(t, 404, codeErr.Code()) assert.Equal(t, "用户不存在", codeErr.Error()) } func insertH1Member(t *testing.T, ctx context.Context, svcCtx *svc.ServiceContext, productCode string, u *userModel.SysUser) (int64, int64) { t.Helper() id := insertTestUserFull(t, ctx, u) now := time.Now().Unix() res, err := svcCtx.SysProductMemberModel.Insert(ctx, &memberModel.SysProductMember{ ProductCode: productCode, UserId: id, MemberType: consts.MemberTypeMember, Status: 1, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) mId, _ := res.LastInsertId() return id, mId } // TC-0991: 业务契约——看自己时 Email/Phone/Remark 原样返回。 // 背景:PII 契约已由业务侧固定为"所有调用者(含同产品 MEMBER)原样返回联系信息", // 故不存在脱敏短路;本用例作为回归守卫,防止未来有人误加"同级脱敏"把 self-view 一起打了。 func TestUserDetail_H1_ViewSelf_KeepsPII(t *testing.T) { ctx := context.Background() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() productCode := "h1_self_" + testutil.UniqueId() selfId, mSelf := insertH1Member(t, ctx, svcCtx, productCode, &userModel.SysUser{ Username: "self_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"), Nickname: "self", Email: "self@example.com", Phone: "13900002222", Remark: "self-only note", IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, DeptId: 1, }) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_product_member`", mSelf) testutil.CleanTable(ctx, conn, "`sys_user`", selfId) }) selfCtx := middleware.WithUserDetails(context.Background(), &loaders.UserDetails{ UserId: selfId, Username: "self", MemberType: consts.MemberTypeMember, Status: 1, ProductCode: productCode, DeptId: 1, DeptPath: "/1/", MinPermsLevel: 100, }) resp, err := NewUserDetailLogic(selfCtx, svcCtx).UserDetail(&types.UserDetailReq{Id: selfId}) require.NoError(t, err) assert.Equal(t, "self@example.com", resp.Email, "看自己必须返回 Email 原值") assert.Equal(t, "13900002222", resp.Phone, "看自己必须返回 Phone 原值") assert.Equal(t, "self-only note", resp.Remark, "看自己必须返回 Remark 原值") } // TC-0992: 超管分支 —— SuperAdmin 看任何用户必须拿到 Email/Phone/Remark 原值。 // 若未来有人加脱敏逻辑却漏写 IsSuperAdmin 豁免,本用例立刻炸。 func TestUserDetail_H1_SuperAdmin_KeepsPII(t *testing.T) { ctx := ctxhelper.SuperAdminCtx() svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() userId := insertTestUserFull(t, ctx, &userModel.SysUser{ Username: "sa_view_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"), Nickname: "n", Email: "x@y.com", Phone: "13700000000", Remark: "nb", IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, }) t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) }) resp, err := NewUserDetailLogic(ctx, svcCtx).UserDetail(&types.UserDetailReq{Id: userId}) require.NoError(t, err) assert.Equal(t, "x@y.com", resp.Email) assert.Equal(t, "13700000000", resp.Phone) assert.Equal(t, "nb", resp.Remark) } // seedPIITarget 插入一个"有完整 PII 的 target 用户"并挂到指定产品下,返回 userId / mId 供清理。 // 统一 helper 以便 TC-1164~1166 共用;PII 字段值用固定常量,保证断言直接对比字符串即可。 const ( piiEmail = "target@example.com" piiPhone = "13911118888" piiRemark = "target remark only admin can see" ) func seedPIITarget(t *testing.T, svcCtx *svc.ServiceContext, productCode string) (int64, int64) { t.Helper() bootstrap := ctxhelper.SuperAdminCtx() targetId := insertTestUserFull(t, bootstrap, &userModel.SysUser{ Username: "pii_target_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"), Nickname: "t", Email: piiEmail, Phone: piiPhone, Remark: piiRemark, IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, DeptId: 1, }) now := time.Now().Unix() mRes, err := svcCtx.SysProductMemberModel.Insert(bootstrap, &memberModel.SysProductMember{ ProductCode: productCode, UserId: targetId, MemberType: consts.MemberTypeMember, Status: 1, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) mId, _ := mRes.LastInsertId() return targetId, mId } // TC-1164: 产品 ADMIN 看同产品他人 —— PII 完整返回。 // ADMIN 是产品层授权面,负责人员/角色维护,必须能看到联系方式去做"找到此人"。 func TestUserDetail_M_R16_1_ProductAdmin_KeepsPII(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() bootstrap := ctxhelper.SuperAdminCtx() productCode := "m_r16_admin_" + testutil.UniqueId() targetId, mId := seedPIITarget(t, svcCtx, productCode) t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId) testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId) }) resp, err := NewUserDetailLogic(ctxhelper.AdminCtx(productCode), svcCtx). UserDetail(&types.UserDetailReq{Id: targetId}) require.NoError(t, err) assert.Equal(t, piiEmail, resp.Email, "ADMIN 必须看到 Email 原值") assert.Equal(t, piiPhone, resp.Phone, "ADMIN 必须看到 Phone 原值") assert.Equal(t, piiRemark, resp.Remark, "ADMIN 必须看到 Remark 原值") } // TC-1165: 产品 DEVELOPER 看同产品他人 —— PII 完整返回。 // DEVELOPER 是全权分支,授权读取元数据里就包含"看到成员详情";不应随 M-R16-1 一起被脱敏误伤。 func TestUserDetail_M_R16_1_ProductDeveloper_KeepsPII(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() bootstrap := ctxhelper.SuperAdminCtx() productCode := "m_r16_dev_" + testutil.UniqueId() targetId, mId := seedPIITarget(t, svcCtx, productCode) t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId) testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId) }) resp, err := NewUserDetailLogic(ctxhelper.DeveloperCtx(productCode), svcCtx). UserDetail(&types.UserDetailReq{Id: targetId}) require.NoError(t, err) assert.Equal(t, piiEmail, resp.Email) assert.Equal(t, piiPhone, resp.Phone) assert.Equal(t, piiRemark, resp.Remark) } // TC-1166: 产品 MEMBER 看同产品他人 —— PII 必须被置空(不能再返回 email/phone/remark)。 // 这是 M-R16-1 的核心契约:普通成员拿到的 UserItem 里仅保留 Username/Nickname/DeptId/Status // 这类"组织结构可见"的字段,拒绝把全员通讯录外泄给普通成员。 func TestUserDetail_M_R16_1_ProductMember_MasksPII(t *testing.T) { svcCtx := svc.NewServiceContext(testutil.GetTestConfig()) conn := testutil.GetTestSqlConn() bootstrap := ctxhelper.SuperAdminCtx() productCode := "m_r16_mb_" + testutil.UniqueId() targetId, mId := seedPIITarget(t, svcCtx, productCode) // caller 本身也要挂到这个产品下,否则 FindOneByProductCodeUserId(caller.ProductCode, target.Id) // 会直接 403——那就测不到脱敏逻辑。ctxhelper.MemberCtx 里 UserId=4 与 target 不同,才能触发 // "caller 看他人"的分支。 callerCtx := ctxhelper.MemberCtx(productCode) callerId := int64(4) now := time.Now().Unix() callerMRes, err := svcCtx.SysProductMemberModel.Insert(bootstrap, &memberModel.SysProductMember{ ProductCode: productCode, UserId: callerId, MemberType: consts.MemberTypeMember, Status: 1, CreateTime: now, UpdateTime: now, }) require.NoError(t, err) callerMId, _ := callerMRes.LastInsertId() t.Cleanup(func() { testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId, callerMId) testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId) }) resp, err := NewUserDetailLogic(callerCtx, svcCtx). UserDetail(&types.UserDetailReq{Id: targetId}) require.NoError(t, err, "脱敏不应该变成 403 —— 同产品可读的组织信息依然返回,只是 PII 字段置空") assert.Empty(t, resp.Email, "MEMBER 看他人:Email 必须为空字符串") assert.Empty(t, resp.Phone, "MEMBER 看他人:Phone 必须为空字符串") assert.Empty(t, resp.Remark, "MEMBER 看他人:Remark 必须为空字符串") // 未脱敏的字段必须原样回填,否则是多脱一刀(误伤 UI)。 assert.Equal(t, targetId, resp.Id) assert.NotEmpty(t, resp.Username, "Username 不应被脱敏") }