Developer
ba33d517c1
后端: - 新增 Role / RolePermission 实体(自动 seed 系统角色) - PermissionService——通过 isAdmin / TenantMember 链路解析用户权限 - @Permission() 装饰器 + PermissionsGuard 守卫 - /api/permissions 和 /api/roles REST API - UserController 内联 role 检查迁移到 @Permission() - PermissionModule 全局注册 前端: - usePermissions hook——获取当前用户权限集 - PermissionGate 组件级门控 - PermissionSettingsView——角色列表+权限矩阵编辑页面 - SettingsView 新增「权限管理」Tab(仅 admin 可见) - 权限预览(26 项,7 分类) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
260 lines
6.9 KiB
TypeScript
260 lines
6.9 KiB
TypeScript
import {
|
|
BadRequestException,
|
|
Body,
|
|
Controller,
|
|
Delete,
|
|
ForbiddenException,
|
|
NotFoundException,
|
|
Get,
|
|
Param,
|
|
Post,
|
|
Put,
|
|
Request,
|
|
UseGuards,
|
|
Query,
|
|
} from '@nestjs/common';
|
|
import { UserService } from './user.service';
|
|
import { CombinedAuthGuard } from '../auth/combined-auth.guard';
|
|
import { CreateUserDto } from './dto/create-user.dto';
|
|
import { UpdateUserDto } from './dto/update-user.dto';
|
|
import { I18nService } from '../i18n/i18n.service';
|
|
import { UserRole } from './user-role.enum';
|
|
import { UserSettingService } from './user-setting.service';
|
|
import { Permission } from '../auth/permission/permission.decorator';
|
|
import { PermissionsGuard } from '../auth/permission/permission.guard';
|
|
|
|
@Controller('users')
|
|
@UseGuards(CombinedAuthGuard)
|
|
export class UserController {
|
|
constructor(
|
|
private readonly userService: UserService,
|
|
private readonly i18nService: I18nService,
|
|
private readonly userSettingService: UserSettingService,
|
|
) {}
|
|
|
|
// --- API Key Management ---
|
|
@Get('api-key')
|
|
async getApiKey(@Request() req) {
|
|
const apiKey = await this.userService.getOrCreateApiKey(req.user.id);
|
|
return { apiKey };
|
|
}
|
|
|
|
@Post('api-key/rotate')
|
|
async rotateApiKey(@Request() req) {
|
|
const apiKey = await this.userService.regenerateApiKey(req.user.id);
|
|
return { apiKey };
|
|
}
|
|
|
|
// --- Personal Settings ---
|
|
@Get('settings')
|
|
async getSettings(@Request() req) {
|
|
return this.userSettingService.getByUser(req.user.id);
|
|
}
|
|
|
|
@Put('settings/language')
|
|
async updateLanguage(@Request() req, @Body() body: { language: string }) {
|
|
if (!body.language) throw new BadRequestException('language is required');
|
|
return this.userSettingService.update(req.user.id, body.language);
|
|
}
|
|
|
|
// --- Profile ---
|
|
@Get('profile')
|
|
async getProfile(@Request() req: any) {
|
|
return this.userService.findOneById(req.user.id);
|
|
}
|
|
|
|
@Get('tenants')
|
|
async getMyTenants(@Request() req: any) {
|
|
return this.userService.getUserTenants(req.user.id);
|
|
}
|
|
|
|
@Get('me')
|
|
async getMe(@Request() req) {
|
|
const user = await this.userService.findOneById(req.user.id);
|
|
if (!user) throw new NotFoundException();
|
|
|
|
let isNotebookEnabled = true;
|
|
if (user.tenantId) {
|
|
const settings = await this.userService.getTenantSettings(user.tenantId);
|
|
isNotebookEnabled = settings?.isNotebookEnabled ?? true;
|
|
}
|
|
|
|
const tenantName = user.tenantMembers?.[0]?.tenant?.name || 'Default';
|
|
|
|
return {
|
|
id: user.id,
|
|
username: user.username,
|
|
displayName: user.displayName,
|
|
role: user.isAdmin ? UserRole.SUPER_ADMIN : UserRole.USER,
|
|
tenantId: user.tenantId,
|
|
tenantName,
|
|
isAdmin: user.isAdmin,
|
|
isNotebookEnabled,
|
|
};
|
|
}
|
|
|
|
@Get()
|
|
@UseGuards(PermissionsGuard)
|
|
@Permission('user:view')
|
|
async findAll(
|
|
@Request() req,
|
|
@Query('page') page?: string,
|
|
@Query('limit') limit?: string,
|
|
) {
|
|
const p = page ? parseInt(page) : undefined;
|
|
const l = limit ? parseInt(limit) : undefined;
|
|
|
|
if (req.user.role === UserRole.SUPER_ADMIN) {
|
|
return this.userService.findAll(p, l);
|
|
} else {
|
|
return this.userService.findByTenantId(req.user.tenantId, p, l);
|
|
}
|
|
}
|
|
|
|
@Put('password')
|
|
async changePassword(
|
|
@Request() req,
|
|
@Body() body: { currentPassword: string; newPassword: string },
|
|
) {
|
|
const { currentPassword, newPassword } = body;
|
|
|
|
if (!currentPassword || !newPassword) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('passwordsRequired'),
|
|
);
|
|
}
|
|
|
|
if (newPassword.length < 6) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('newPasswordMinLength'),
|
|
);
|
|
}
|
|
|
|
return this.userService.changePassword(
|
|
req.user.id,
|
|
currentPassword,
|
|
newPassword,
|
|
);
|
|
}
|
|
|
|
@Post()
|
|
@UseGuards(PermissionsGuard)
|
|
@Permission('user:create')
|
|
async createUser(@Request() req, @Body() body: CreateUserDto) {
|
|
const { username, password } = body;
|
|
|
|
if (!username || !password) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('usernamePasswordRequired'),
|
|
);
|
|
}
|
|
|
|
if (password.length < 6) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('passwordMinLength'),
|
|
);
|
|
}
|
|
|
|
// All new users default to non-admin.
|
|
let isAdmin = false;
|
|
|
|
// Pass the calculated params to the service
|
|
return this.userService.createUser(
|
|
username,
|
|
password,
|
|
isAdmin,
|
|
req.user.tenantId,
|
|
body.displayName,
|
|
);
|
|
}
|
|
|
|
@Put(':id')
|
|
@UseGuards(PermissionsGuard)
|
|
@Permission('user:edit')
|
|
async updateUser(
|
|
@Request() req,
|
|
@Body() body: UpdateUserDto,
|
|
@Param('id') id: string,
|
|
) {
|
|
const callerRole = req.user.role;
|
|
|
|
// Get user info to update
|
|
const userToUpdate = await this.userService.findOneById(id);
|
|
if (!userToUpdate) {
|
|
throw new NotFoundException(
|
|
this.i18nService.getErrorMessage('userNotFound'),
|
|
);
|
|
}
|
|
|
|
if (
|
|
callerRole === 'TENANT_ADMIN' &&
|
|
userToUpdate.tenantId !== req.user.tenantId
|
|
) {
|
|
throw new ForbiddenException('Cannot modify users outside your tenant');
|
|
}
|
|
|
|
// Prevent modifying the builtin admin account
|
|
if (userToUpdate.username === 'admin') {
|
|
throw new ForbiddenException(
|
|
this.i18nService.getErrorMessage('cannotModifyBuiltinAdmin'),
|
|
);
|
|
}
|
|
|
|
// Role modification is now obsolete on global level.
|
|
if (body.isAdmin !== undefined && userToUpdate.isAdmin !== body.isAdmin) {
|
|
if (callerRole !== UserRole.SUPER_ADMIN) {
|
|
throw new ForbiddenException(
|
|
'Only Super Admins can change user admin status.',
|
|
);
|
|
}
|
|
}
|
|
|
|
// Validate password length if provided
|
|
if (body.password && body.password.length < 6) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('passwordMinLength'),
|
|
);
|
|
}
|
|
|
|
return this.userService.updateUser(id, body);
|
|
}
|
|
|
|
@Delete(':id')
|
|
@UseGuards(PermissionsGuard)
|
|
@Permission('user:delete')
|
|
async deleteUser(@Request() req, @Param('id') id: string) {
|
|
const callerRole = req.user.role;
|
|
|
|
// Prevent admin from deleting themselves
|
|
if (req.user.id === id) {
|
|
throw new BadRequestException(
|
|
this.i18nService.getErrorMessage('cannotDeleteSelf'),
|
|
);
|
|
}
|
|
|
|
// Get user info to delete
|
|
const userToDelete = await this.userService.findOneById(id);
|
|
if (!userToDelete) {
|
|
throw new NotFoundException(
|
|
this.i18nService.getErrorMessage('userNotFound'),
|
|
);
|
|
}
|
|
|
|
if (
|
|
callerRole === 'TENANT_ADMIN' &&
|
|
userToDelete.tenantId !== req.user.tenantId
|
|
) {
|
|
throw new ForbiddenException('Cannot delete users outside your tenant');
|
|
}
|
|
|
|
// Block deletion of built-in admin account
|
|
if (userToDelete.username === 'admin') {
|
|
throw new ForbiddenException(
|
|
this.i18nService.getErrorMessage('cannotDeleteBuiltinAdmin'),
|
|
);
|
|
}
|
|
|
|
return this.userService.deleteUser(id);
|
|
}
|
|
}
|