weiym
/
perms-system-server


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108
							package member

import (
	"context"
	"time"

	"perms-system-server/internal/consts"
	"perms-system-server/internal/loaders"
	authHelper "perms-system-server/internal/logic/auth"
	"perms-system-server/internal/response"
	"perms-system-server/internal/svc"
	"perms-system-server/internal/types"

	"github.com/zeromicro/go-zero/core/logx"
	"github.com/zeromicro/go-zero/core/stores/sqlx"
)

type UpdateMemberLogic struct {
	logx.Logger
	ctx    context.Context
	svcCtx *svc.ServiceContext
}

func NewUpdateMemberLogic(ctx context.Context, svcCtx *svc.ServiceContext) *UpdateMemberLogic {
	return &UpdateMemberLogic{
		Logger: logx.WithContext(ctx),
		ctx:    ctx,
		svcCtx: svcCtx,
	}
}

// UpdateMember 更新产品成员。修改成员类型或启用/禁用状态。降级最后一个 ADMIN 时会被拒绝以保证产品始终有管理员。
// 审计 L-R11-1：memberType / status 均为指针可选，nil 表示不改该字段；两者都为 nil 时直接 400。
func (l *UpdateMemberLogic) UpdateMember(req *types.UpdateMemberReq) error {
	if req.MemberType == nil && req.Status == nil {
		return response.ErrBadRequest("请至少提供一个要更新的字段（memberType 或 status）")
	}

	member, err := l.svcCtx.SysProductMemberModel.FindOne(l.ctx, req.Id)
	if err != nil {
		return response.ErrNotFound("成员不存在")
	}

	nextType := member.MemberType
	if req.MemberType != nil {
		if *req.MemberType != consts.MemberTypeAdmin &&
			*req.MemberType != consts.MemberTypeDeveloper &&
			*req.MemberType != consts.MemberTypeMember {
			return response.ErrBadRequest("无效的成员类型")
		}
		nextType = *req.MemberType
	}

	if err := authHelper.CheckManageAccess(l.ctx, l.svcCtx, member.UserId, member.ProductCode); err != nil {
		return err
	}
	// 仅在 memberType 真的被改动时走 CheckMemberTypeAssignment：DEVELOPER 不得被普通 admin 分配，
	// 但"只改 status"的场景（已经是 DEVELOPER 的人冻结/启用）不应被该校验误拦。
	if req.MemberType != nil && nextType != member.MemberType {
		if err := authHelper.CheckMemberTypeAssignment(l.ctx, nextType); err != nil {
			return err
		}
	}

	nextStatus := member.Status
	if req.Status != nil {
		if *req.Status != consts.StatusEnabled && *req.Status != consts.StatusDisabled {
			return response.ErrBadRequest("状态值无效，仅支持 1(启用) 和 2(禁用)")
		}
		nextStatus = *req.Status
	}

	if nextType == member.MemberType && nextStatus == member.Status {
		return nil
	}

	if err := l.svcCtx.SysProductMemberModel.TransactCtx(l.ctx, func(ctx context.Context, session sqlx.Session) error {
		locked, err := l.svcCtx.SysProductMemberModel.FindOneForUpdateTx(ctx, session, req.Id)
		if err != nil {
			return response.ErrNotFound("成员不存在")
		}
		wasActiveAdmin := locked.MemberType == consts.MemberTypeAdmin && locked.Status == consts.StatusEnabled
		willBeActiveAdmin := nextType == consts.MemberTypeAdmin && nextStatus == consts.StatusEnabled
		if wasActiveAdmin && !willBeActiveAdmin {
			// 排除当前正在降级/禁用的这一行后还有几个 active admin；为 0 时即为最后一个（见审计 L-5）。
			otherAdminCount, err := l.svcCtx.SysProductMemberModel.CountOtherActiveAdminsTx(ctx, session, member.ProductCode, locked.Id)
			if err != nil {
				return err
			}
			if otherAdminCount == 0 {
				return response.ErrBadRequest("不能降级或禁用该产品的最后一个管理员")
			}
		}
		locked.MemberType = nextType
		locked.Status = nextStatus
		locked.UpdateTime = time.Now().Unix()
		return l.svcCtx.SysProductMemberModel.UpdateWithTx(ctx, session, locked)
	}); err != nil {
		return err
	}

	// 审计 L-R13-5 方案 A：memberType / status 变更直接改 loadPerms 的全权分支判定，
	// UD 失效脱离请求 ctx 防止 TTL 窗口内旧权限继续生效。
	cleanCtx, cancel := loaders.DetachCacheCleanCtx(l.ctx)
	defer cancel()
	l.svcCtx.UserDetailsLoader.Del(cleanCtx, member.UserId, member.ProductCode)
	return nil
}