refactor: 内敛updateGroupMemberField操作的权限校验

优化权限校验链路
2 years ago · 67f64e28bb
parent 198c1b7464
commit 67f64e28bb
2 changed files with 40 additions and 36 deletions
--- a/server/models/group/group.ts
+++ b/server/models/group/group.ts
@ -10,7 +10,14 @@ import {
 import { Base, TimeStamps } from '@typegoose/typegoose/lib/defaultClasses';
 import _ from 'lodash';
 import { Types } from 'mongoose';
-import { allPermission, GroupPanelType } from 'tailchat-server-sdk';
+import {
  allPermission,
  call,
  GroupPanelType,
  NoPermissionError,
  PERMISSION,
  TcContext,
 } from 'tailchat-server-sdk';
 import { User } from '../user/user';
 class GroupMember {
@ -296,8 +303,11 @@ export class Group extends TimeStamps implements Base {
   *
   * 带权限验证
   */
-  static async updateGroupMemberField<K extends keyof GroupMember>(
+  static async updateGroupMemberField<
    K extends keyof Pick<GroupMember, 'roles' | 'muteUntil'>
  >(
    this: ReturnModelType<typeof Group>,
    ctx: TcContext,
    groupId: string,
    memberId: string,
    fieldName: K,
@ -305,14 +315,33 @@ export class Group extends TimeStamps implements Base {
    operatorUserId: string
  ): Promise<Group> {
    const group = await this.findById(groupId);
-
+    const t = ctx.meta.t;
-    if (String(group.owner) !== operatorUserId) {
+
-      throw new Error('没有操作权限');
+    if (fieldName === 'roles') {
      // 检查操作用户是否有管理角色的权限
      const [hasRolePermission] = await call(ctx).checkUserPermissions(
        groupId,
        operatorUserId,
        [PERMISSION.core.manageRoles]
      );
      if (!hasRolePermission) {
        throw new NoPermissionError(t('没有操作角色权限'));
      }
    } else {
      // 检查操作用户是否有管理用户权限
      const [hasUserPermission] = await call(ctx).checkUserPermissions(
        groupId,
        operatorUserId,
        [PERMISSION.core.manageUser]
      );
      if (!hasUserPermission) {
        throw new NoPermissionError(t('没有操作用户权限'));
      }
    }
    const member = group.members.find((m) => String(m.userId) === memberId);
    if (!member) {
-      throw new Error('没有找到该成员');
+      throw new Error(t('没有找到该成员'));
    }
    if (typeof fieldValue === 'function') {
--- a/server/services/core/group/group.service.ts
+++ b/server/services/core/group/group.service.ts
@ -487,20 +487,12 @@ class GroupService extends TcService {
    }>
  ) {
    const { groupId, memberIds, roles } = ctx.params;
-    const { t, userId } = ctx.meta;
+    const { userId } = ctx.meta;
    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
      userId,
      [PERMISSION.core.manageRoles]
    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有操作权限'));
    }
    await Promise.all(
      memberIds.map((memberId) =>
        this.adapter.model.updateGroupMemberField(
          ctx,
          groupId,
          memberId,
          'roles',
@ -532,20 +524,12 @@ class GroupService extends TcService {
    }>
  ) {
    const { groupId, memberIds, roles } = ctx.params;
-    const { t, userId } = ctx.meta;
+    const { userId } = ctx.meta;
    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
      userId,
      [PERMISSION.core.manageRoles]
    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有操作权限'));
    }
    await Promise.all(
      memberIds.map((memberId) =>
        this.adapter.model.updateGroupMemberField(
          ctx,
          groupId,
          memberId,
          'roles',
@ -954,19 +938,10 @@ class GroupService extends TcService {
    const { groupId, memberId, muteMs } = ctx.params;
    const userId = ctx.meta.userId;
    const language = ctx.meta.language;
    const t = ctx.meta.t;
    const isUnmute = muteMs < 0;
    const [hasPermission] = await call(ctx).checkUserPermissions(
      groupId,
      userId,
      [PERMISSION.core.manageUser]
    );
    if (!hasPermission) {
      throw new NoPermissionError(t('没有操作权限'));
    }
    const group = await this.adapter.model.updateGroupMemberField(
      ctx,
      groupId,
      memberId,
      'muteUntil',