weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289
							package user

import (
	"context"
	"database/sql"
	"errors"
	"perms-system-server/internal/consts"
	"perms-system-server/internal/loaders"
	"perms-system-server/internal/middleware"
	memberModel "perms-system-server/internal/model/productmember"
	userModel "perms-system-server/internal/model/user"
	"perms-system-server/internal/model/userrole"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/testutil"
	"perms-system-server/internal/testutil/ctxhelper"
	"perms-system-server/internal/types"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
)

func TestUserDetail_Success(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	username := testutil.UniqueId()
	userId := insertTestUser(t, ctx, username, testutil.HashPassword("pass"))

	// 插入两条"当前产品"下的真实 sys_role 以及一条属于其它产品的 sys_role，
	// 用户同时绑定这三个角色。超管在 test_product 上下文下应当只看到前两个。
	roleInCurrent1 := insertTestRole(t, svcCtx, "test_product", 1)
	roleInCurrent2 := insertTestRole(t, svcCtx, "test_product", 1)
	roleInOther := insertTestRole(t, svcCtx, "other_product", 1)

	now := time.Now().Unix()
	var roleRecordIds []int64
	for _, roleId := range []int64{roleInCurrent1, roleInCurrent2, roleInOther} {
		res, err := svcCtx.SysUserRoleModel.Insert(ctx, &userrole.SysUserRole{
			UserId:     userId,
			RoleId:     roleId,
			CreateTime: now,
			UpdateTime: now,
		})
		require.NoError(t, err)
		id, _ := res.LastInsertId()
		roleRecordIds = append(roleRecordIds, id)
	}

	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_user_role`", roleRecordIds...)
		testutil.CleanTable(ctx, conn, "`sys_role`", roleInCurrent1, roleInCurrent2, roleInOther)
		testutil.CleanTable(ctx, conn, "`sys_user`", userId)
	})

	logic := NewUserDetailLogic(ctx, svcCtx)
	resp, err := logic.UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	require.NotNil(t, resp)

	assert.Equal(t, userId, resp.Id)
	assert.Equal(t, username, resp.Username)
	// 修复后：超管在产品上下文里只看到 test_product 的角色；other_product 的角色不应返回
	assert.ElementsMatch(t, []int64{roleInCurrent1, roleInCurrent2}, resp.RoleIds)
	assert.NotContains(t, resp.RoleIds, roleInOther, "超管在具体产品上下文不应返回其它产品的 roleIds")
}

// TC-0182: 正常查询-含Avatar
func TestUserDetail_WithAvatar(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	userId := insertTestUserFull(t, ctx, &userModel.SysUser{
		Username:           testutil.UniqueId(),
		Password:           testutil.HashPassword("pass"),
		Nickname:           "avatar_user",
		Avatar:             sql.NullString{String: "https://example.com/avatar.png", Valid: true},
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
	})
	t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) })

	logic := NewUserDetailLogic(ctx, svcCtx)
	resp, err := logic.UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	require.NotNil(t, resp)
	assert.Equal(t, "https://example.com/avatar.png", resp.Avatar)
}

// TC-0183: 不存在
func TestUserDetail_NotFound(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())

	logic := NewUserDetailLogic(ctx, svcCtx)
	_, err := logic.UserDetail(&types.UserDetailReq{Id: 999999999})
	require.Error(t, err)

	var codeErr *response.CodeError
	require.True(t, errors.As(err, &codeErr))
	assert.Equal(t, 404, codeErr.Code())
	assert.Equal(t, "用户不存在", codeErr.Error())
}

func insertH1Member(t *testing.T, ctx context.Context, svcCtx *svc.ServiceContext, productCode string, u *userModel.SysUser) (int64, int64) {
	t.Helper()
	id := insertTestUserFull(t, ctx, u)
	now := time.Now().Unix()
	res, err := svcCtx.SysProductMemberModel.Insert(ctx, &memberModel.SysProductMember{
		ProductCode: productCode, UserId: id, MemberType: consts.MemberTypeMember,
		Status: 1, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	mId, _ := res.LastInsertId()
	return id, mId
}

// TC-0991: 业务契约——看自己时 Email/Phone/Remark 原样返回。
// 背景：PII 契约已由业务侧固定为"所有调用者（含同产品 MEMBER）原样返回联系信息"，
// 故不存在脱敏短路；本用例作为回归守卫，防止未来有人误加"同级脱敏"把 self-view 一起打了。
func TestUserDetail_H1_ViewSelf_KeepsPII(t *testing.T) {
	ctx := context.Background()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	productCode := "h1_self_" + testutil.UniqueId()

	selfId, mSelf := insertH1Member(t, ctx, svcCtx, productCode, &userModel.SysUser{
		Username:           "self_" + testutil.UniqueId(),
		Password:           testutil.HashPassword("pw"),
		Nickname:           "self",
		Email:              "[email protected]",
		Phone:              "13900002222",
		Remark:             "self-only note",
		IsSuperAdmin:       2,
		MustChangePassword: 2,
		Status:             1,
		DeptId:             1,
	})
	t.Cleanup(func() {
		testutil.CleanTable(ctx, conn, "`sys_product_member`", mSelf)
		testutil.CleanTable(ctx, conn, "`sys_user`", selfId)
	})

	selfCtx := middleware.WithUserDetails(context.Background(), &loaders.UserDetails{
		UserId: selfId, Username: "self", MemberType: consts.MemberTypeMember,
		Status: 1, ProductCode: productCode, DeptId: 1, DeptPath: "/1/", MinPermsLevel: 100,
	})

	resp, err := NewUserDetailLogic(selfCtx, svcCtx).UserDetail(&types.UserDetailReq{Id: selfId})
	require.NoError(t, err)

	assert.Equal(t, "[email protected]", resp.Email, "看自己必须返回 Email 原值")
	assert.Equal(t, "13900002222", resp.Phone, "看自己必须返回 Phone 原值")
	assert.Equal(t, "self-only note", resp.Remark, "看自己必须返回 Remark 原值")
}

// TC-0992: 超管分支 —— SuperAdmin 看任何用户必须拿到 Email/Phone/Remark 原值。
// 若未来有人加脱敏逻辑却漏写 IsSuperAdmin 豁免，本用例立刻炸。
func TestUserDetail_H1_SuperAdmin_KeepsPII(t *testing.T) {
	ctx := ctxhelper.SuperAdminCtx()
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()

	userId := insertTestUserFull(t, ctx, &userModel.SysUser{
		Username: "sa_view_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"),
		Nickname: "n", Email: "[email protected]", Phone: "13700000000", Remark: "nb",
		IsSuperAdmin: 2, MustChangePassword: 2, Status: 1,
	})
	t.Cleanup(func() { testutil.CleanTable(ctx, conn, "`sys_user`", userId) })

	resp, err := NewUserDetailLogic(ctx, svcCtx).UserDetail(&types.UserDetailReq{Id: userId})
	require.NoError(t, err)
	assert.Equal(t, "[email protected]", resp.Email)
	assert.Equal(t, "13700000000", resp.Phone)
	assert.Equal(t, "nb", resp.Remark)
}

// seedPIITarget 插入一个"有完整 PII 的 target 用户"并挂到指定产品下，返回 userId / mId 供清理。
// 统一 helper 以便 TC-1164~1166 共用；PII 字段值用固定常量，保证断言直接对比字符串即可。
const (
	piiEmail  = "[email protected]"
	piiPhone  = "13911118888"
	piiRemark = "target remark only admin can see"
)

func seedPIITarget(t *testing.T, svcCtx *svc.ServiceContext, productCode string) (int64, int64) {
	t.Helper()
	bootstrap := ctxhelper.SuperAdminCtx()
	targetId := insertTestUserFull(t, bootstrap, &userModel.SysUser{
		Username: "pii_target_" + testutil.UniqueId(), Password: testutil.HashPassword("pw"),
		Nickname: "t", Email: piiEmail, Phone: piiPhone, Remark: piiRemark,
		IsSuperAdmin: 2, MustChangePassword: 2, Status: 1, DeptId: 1,
	})
	now := time.Now().Unix()
	mRes, err := svcCtx.SysProductMemberModel.Insert(bootstrap, &memberModel.SysProductMember{
		ProductCode: productCode, UserId: targetId, MemberType: consts.MemberTypeMember,
		Status: 1, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	mId, _ := mRes.LastInsertId()
	return targetId, mId
}

// TC-1164: 产品 ADMIN 看同产品他人 —— PII 完整返回。
// ADMIN 是产品层授权面，负责人员/角色维护，必须能看到联系方式去做"找到此人"。
func TestUserDetail_M_R16_1_ProductAdmin_KeepsPII(t *testing.T) {
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	bootstrap := ctxhelper.SuperAdminCtx()
	productCode := "m_r16_admin_" + testutil.UniqueId()

	targetId, mId := seedPIITarget(t, svcCtx, productCode)
	t.Cleanup(func() {
		testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId)
		testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId)
	})

	resp, err := NewUserDetailLogic(ctxhelper.AdminCtx(productCode), svcCtx).
		UserDetail(&types.UserDetailReq{Id: targetId})
	require.NoError(t, err)
	assert.Equal(t, piiEmail, resp.Email, "ADMIN 必须看到 Email 原值")
	assert.Equal(t, piiPhone, resp.Phone, "ADMIN 必须看到 Phone 原值")
	assert.Equal(t, piiRemark, resp.Remark, "ADMIN 必须看到 Remark 原值")
}

// TC-1165: 产品 DEVELOPER 看同产品他人 —— PII 完整返回。
// DEVELOPER 是全权分支，授权读取元数据里就包含"看到成员详情"；不应随 M-R16-1 一起被脱敏误伤。
func TestUserDetail_M_R16_1_ProductDeveloper_KeepsPII(t *testing.T) {
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	bootstrap := ctxhelper.SuperAdminCtx()
	productCode := "m_r16_dev_" + testutil.UniqueId()

	targetId, mId := seedPIITarget(t, svcCtx, productCode)
	t.Cleanup(func() {
		testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId)
		testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId)
	})

	resp, err := NewUserDetailLogic(ctxhelper.DeveloperCtx(productCode), svcCtx).
		UserDetail(&types.UserDetailReq{Id: targetId})
	require.NoError(t, err)
	assert.Equal(t, piiEmail, resp.Email)
	assert.Equal(t, piiPhone, resp.Phone)
	assert.Equal(t, piiRemark, resp.Remark)
}

// TC-1166: 产品 MEMBER 看同产品他人 —— PII 必须被置空（不能再返回 email/phone/remark）。
// 这是 M-R16-1 的核心契约：普通成员拿到的 UserItem 里仅保留 Username/Nickname/DeptId/Status
// 这类"组织结构可见"的字段，拒绝把全员通讯录外泄给普通成员。
func TestUserDetail_M_R16_1_ProductMember_MasksPII(t *testing.T) {
	svcCtx := svc.NewServiceContext(testutil.GetTestConfig())
	conn := testutil.GetTestSqlConn()
	bootstrap := ctxhelper.SuperAdminCtx()
	productCode := "m_r16_mb_" + testutil.UniqueId()

	targetId, mId := seedPIITarget(t, svcCtx, productCode)
	// caller 本身也要挂到这个产品下，否则 FindOneByProductCodeUserId(caller.ProductCode, target.Id)
	// 会直接 403——那就测不到脱敏逻辑。ctxhelper.MemberCtx 里 UserId=4 与 target 不同，才能触发
	// "caller 看他人"的分支。
	callerCtx := ctxhelper.MemberCtx(productCode)
	callerId := int64(4)
	now := time.Now().Unix()
	callerMRes, err := svcCtx.SysProductMemberModel.Insert(bootstrap, &memberModel.SysProductMember{
		ProductCode: productCode, UserId: callerId, MemberType: consts.MemberTypeMember,
		Status: 1, CreateTime: now, UpdateTime: now,
	})
	require.NoError(t, err)
	callerMId, _ := callerMRes.LastInsertId()
	t.Cleanup(func() {
		testutil.CleanTable(bootstrap, conn, "`sys_product_member`", mId, callerMId)
		testutil.CleanTable(bootstrap, conn, "`sys_user`", targetId)
	})

	resp, err := NewUserDetailLogic(callerCtx, svcCtx).
		UserDetail(&types.UserDetailReq{Id: targetId})
	require.NoError(t, err, "脱敏不应该变成 403 —— 同产品可读的组织信息依然返回，只是 PII 字段置空")
	assert.Empty(t, resp.Email, "MEMBER 看他人：Email 必须为空字符串")
	assert.Empty(t, resp.Phone, "MEMBER 看他人：Phone 必须为空字符串")
	assert.Empty(t, resp.Remark, "MEMBER 看他人：Remark 必须为空字符串")
	// 未脱敏的字段必须原样回填，否则是多脱一刀（误伤 UI）。
	assert.Equal(t, targetId, resp.Id)
	assert.NotEmpty(t, resp.Username, "Username 不应被脱敏")
}