rogee/quyun-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: implement tenant-side creator audit feature and update related tests and documentation

Browse Source 
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-opencode)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
This commit is contained in:
Rogee
2026-02-09 06:54:04 +08:00
parent 3126ed5e64
commit 05a0d07dbb
23 changed files with 7205 additions and 112 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
backend/app/http/v1/creator.go
View File

@@ -186,6 +186,36 @@ func (c *Creator) ListOrders(ctx fiber.Ctx, filter *dto.CreatorOrderListFilter)
return services.Creator.ListOrders(ctx, tenantID, userID, filter)
}
// List creator audit logs
//
// @Router /v1/t/:tenantCode/creator/audit-logs [get]
// @Summary List creator audit logs
// @Description 查询当前租户创作者侧审计日志(仅管理员可见)
// @Tags CreatorCenter
// @Accept json
// @Produce json
// @Param page query int false "Page"
// @Param limit query int false "Limit"
// @Param operator_id query int false "Operator ID"
// @Param operator_name query string false "Operator name"
// @Param action query string false "Action"
// @Param target_id query string false "Target ID"
// @Param keyword query string false "Keyword"
// @Param created_at_from query string false "Created at from (RFC3339)"
// @Param created_at_to query string false "Created at to (RFC3339)"
// @Success 200 {object} requests.Pager{items=[]dto.CreatorAuditLogItem}
// @Bind filter query
func (c *Creator) ListAuditLogs(ctx fiber.Ctx, filter *dto.CreatorAuditLogListFilter) (*requests.Pager, error) {
if filter == nil {
filter = &dto.CreatorAuditLogListFilter{}
}
tenantID := getTenantID(ctx)
userID := getUserID(ctx)
return services.Creator.ListAuditLogs(ctx, tenantID, userID, filter)
}
// Process order refund
//
// @Router /v1/t/:tenantCode/creator/orders/:id<int>/refund [post]

45
backend/app/http/v1/dto/creator_audit.go Normal file
View File

@@ -0,0 +1,45 @@
package dto
import "quyun/v2/app/requests"
// CreatorAuditLogListFilter 创作者侧审计日志列表过滤条件。
type CreatorAuditLogListFilter struct {
// Pagination 分页参数page/limit
requests.Pagination
// OperatorID 操作者用户ID精确匹配。
OperatorID *int64 `query:"operator_id"`
// OperatorName 操作者用户名/昵称,模糊匹配。
OperatorName *string `query:"operator_name"`
// Action 动作标识,精确匹配。
Action *string `query:"action"`
// TargetID 目标ID精确匹配。
TargetID *string `query:"target_id"`
// Keyword 详情关键词,模糊匹配。
Keyword *string `query:"keyword"`
// CreatedAtFrom 创建时间起始RFC3339/2006-01-02
CreatedAtFrom *string `query:"created_at_from"`
// CreatedAtTo 创建时间结束RFC3339/2006-01-02
CreatedAtTo *string `query:"created_at_to"`
// Asc 升序字段id/created_at
Asc *string `query:"asc"`
// Desc 降序字段id/created_at
Desc *string `query:"desc"`
}
// CreatorAuditLogItem 创作者侧审计日志条目。
type CreatorAuditLogItem struct {
// ID 审计日志ID。
ID int64 `json:"id"`
// OperatorID 操作者用户ID。
OperatorID int64 `json:"operator_id"`
// OperatorName 操作者用户名/昵称。
OperatorName string `json:"operator_name"`
// Action 动作标识。
Action string `json:"action"`
// TargetID 目标ID。
TargetID string `json:"target_id"`
// Detail 操作详情。
Detail string `json:"detail"`
// CreatedAt 创建时间RFC3339
CreatedAt string `json:"created_at"`
}

5
backend/app/http/v1/routes.gen.go
View File

@@ -171,6 +171,11 @@ func (r *Routes) Register(router fiber.Router) {
r.creator.RemovePayoutAccount,
QueryParam[int64]("id"),
))
r.log.Debugf("Registering route: Get /v1/t/:tenantCode/creator/audit-logs -> creator.ListAuditLogs")
router.Get("/v1/t/:tenantCode/creator/audit-logs"[len(r.Path()):], DataFunc1(
r.creator.ListAuditLogs,
Query[dto.CreatorAuditLogListFilter]("filter"),
))
r.log.Debugf("Registering route: Get /v1/t/:tenantCode/creator/contents -> creator.ListContents")
router.Get("/v1/t/:tenantCode/creator/contents"[len(r.Path()):], DataFunc1(
r.creator.ListContents,

136
backend/app/services/coupon_test.go
View File

@@ -2,9 +2,11 @@ package services
import (
"database/sql"
"errors"
"testing"
"quyun/v2/app/commands/testx"
"quyun/v2/app/errorx"
order_dto "quyun/v2/app/http/v1/dto"
"quyun/v2/database"
"quyun/v2/database/models"
@@ -196,3 +198,137 @@ func (s *CouponTestSuite) Test_ListAvailable() {
So(list[0].CouponID, ShouldEqual, cp.ID)
})
}
func (s *CouponTestSuite) Test_Validate_DenyCrossTenantCoupon() {
Convey("Validate should deny cross-tenant coupon", s.T(), func() {
ctx := s.T().Context()
database.Truncate(
ctx,
s.DB,
models.TableNameCoupon,
models.TableNameUserCoupon,
models.TableNameUser,
)
user := &models.User{Username: "coupon_cross_validate", Phone: "13800000011"}
So(models.UserQuery.WithContext(ctx).Create(user), ShouldBeNil)
tenantA := int64(11)
tenantB := int64(22)
coupon := &models.Coupon{
TenantID: tenantA,
Title: "Tenant A Coupon",
Type: consts.CouponTypeFixAmount,
Value: 200,
MinOrderAmount: 0,
}
So(models.CouponQuery.WithContext(ctx).Create(coupon), ShouldBeNil)
userCoupon := &models.UserCoupon{
UserID: user.ID,
CouponID: coupon.ID,
Status: consts.UserCouponStatusUnused,
}
So(models.UserCouponQuery.WithContext(ctx).Create(userCoupon), ShouldBeNil)
_, err := Coupon.Validate(ctx, tenantB, user.ID, userCoupon.ID, 1000)
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
})
}
func (s *CouponTestSuite) Test_MarkUsed_DenyCrossTenantCoupon() {
Convey("MarkUsed should deny cross-tenant coupon", s.T(), func() {
ctx := s.T().Context()
database.Truncate(
ctx,
s.DB,
models.TableNameCoupon,
models.TableNameUserCoupon,
models.TableNameOrder,
models.TableNameUser,
)
user := &models.User{Username: "coupon_cross_mark", Phone: "13800000012"}
So(models.UserQuery.WithContext(ctx).Create(user), ShouldBeNil)
tenantA := int64(33)
tenantB := int64(44)
coupon := &models.Coupon{
TenantID: tenantA,
Title: "Tenant A Coupon",
Type: consts.CouponTypeFixAmount,
Value: 200,
MinOrderAmount: 0,
}
So(models.CouponQuery.WithContext(ctx).Create(coupon), ShouldBeNil)
userCoupon := &models.UserCoupon{
UserID: user.ID,
CouponID: coupon.ID,
Status: consts.UserCouponStatusUnused,
}
So(models.UserCouponQuery.WithContext(ctx).Create(userCoupon), ShouldBeNil)
order := &models.Order{
TenantID: tenantA,
UserID: user.ID,
Type: consts.OrderTypeContentPurchase,
Status: consts.OrderStatusCreated,
}
So(models.OrderQuery.WithContext(ctx).Create(order), ShouldBeNil)
err := models.Q.Transaction(func(tx *models.Query) error {
return Coupon.MarkUsed(ctx, tx, tenantB, userCoupon.ID, order.ID)
})
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
})
}
func (s *CouponTestSuite) Test_Grant_DenyCrossTenantCoupon() {
Convey("Grant should reject coupon from another tenant", s.T(), func() {
ctx := s.T().Context()
database.Truncate(
ctx,
s.DB,
models.TableNameCoupon,
models.TableNameUserCoupon,
models.TableNameUser,
)
user := &models.User{Username: "coupon_cross_grant", Phone: "13800000013"}
So(models.UserQuery.WithContext(ctx).Create(user), ShouldBeNil)
tenantA := int64(55)
tenantB := int64(66)
coupon := &models.Coupon{
TenantID: tenantA,
Title: "Tenant A Coupon",
Type: consts.CouponTypeFixAmount,
Value: 200,
MinOrderAmount: 0,
}
So(models.CouponQuery.WithContext(ctx).Create(coupon), ShouldBeNil)
granted, err := Coupon.Grant(ctx, tenantB, coupon.ID, []int64{user.ID})
So(err, ShouldNotBeNil)
So(granted, ShouldEqual, 0)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrRecordNotFound.Code)
exists, err := models.UserCouponQuery.WithContext(ctx).
Where(models.UserCouponQuery.UserID.Eq(user.ID), models.UserCouponQuery.CouponID.Eq(coupon.ID)).
Exists()
So(err, ShouldBeNil)
So(exists, ShouldBeFalse)
})
}

153
backend/app/services/creator.go
View File

@@ -16,6 +16,7 @@ import (
"quyun/v2/pkg/consts"
"github.com/google/uuid"
"go.ipao.vip/gen/field"
"go.ipao.vip/gen/types"
"gorm.io/gorm"
)
@@ -717,6 +718,158 @@ func (s *creator) ListOrders(
return data, nil
}
func (s *creator) ListAuditLogs(
ctx context.Context,
tenantID int64,
userID int64,
filter *creator_dto.CreatorAuditLogListFilter,
) (*requests.Pager, error) {
if filter == nil {
filter = &creator_dto.CreatorAuditLogListFilter{}
}
if tenantID == 0 {
return nil, errorx.ErrRecordNotFound.WithMsg("租户不存在")
}
if _, err := Tenant.ensureTenantAdmin(ctx, tenantID, userID); err != nil {
return nil, err
}
tbl, q := models.AuditLogQuery.QueryContext(ctx)
q = q.Where(tbl.TenantID.Eq(tenantID))
if filter.OperatorID != nil && *filter.OperatorID > 0 {
q = q.Where(tbl.OperatorID.Eq(*filter.OperatorID))
}
if filter.Action != nil && strings.TrimSpace(*filter.Action) != "" {
q = q.Where(tbl.Action.Eq(strings.TrimSpace(*filter.Action)))
}
if filter.TargetID != nil && strings.TrimSpace(*filter.TargetID) != "" {
q = q.Where(tbl.TargetID.Eq(strings.TrimSpace(*filter.TargetID)))
}
if filter.Keyword != nil && strings.TrimSpace(*filter.Keyword) != "" {
keyword := "%" + strings.TrimSpace(*filter.Keyword) + "%"
q = q.Where(field.Or(tbl.Detail.Like(keyword), tbl.Action.Like(keyword), tbl.TargetID.Like(keyword)))
}
operatorIDs, operatorFilter, err := Tenant.lookupUserIDs(ctx, filter.OperatorName)
if err != nil {
return nil, err
}
if operatorFilter {
if len(operatorIDs) == 0 {
q = q.Where(tbl.ID.Eq(-1))
} else {
q = q.Where(tbl.OperatorID.In(operatorIDs...))
}
}
if filter.CreatedAtFrom != nil {
from, err := Super.parseFilterTime(filter.CreatedAtFrom)
if err != nil {
return nil, err
}
if from != nil {
q = q.Where(tbl.CreatedAt.Gte(*from))
}
}
if filter.CreatedAtTo != nil {
to, err := Super.parseFilterTime(filter.CreatedAtTo)
if err != nil {
return nil, err
}
if to != nil {
q = q.Where(tbl.CreatedAt.Lte(*to))
}
}
orderApplied := false
if filter.Desc != nil && strings.TrimSpace(*filter.Desc) != "" {
switch strings.TrimSpace(*filter.Desc) {
case "id":
q = q.Order(tbl.ID.Desc())
case "created_at":
q = q.Order(tbl.CreatedAt.Desc())
}
orderApplied = true
} else if filter.Asc != nil && strings.TrimSpace(*filter.Asc) != "" {
switch strings.TrimSpace(*filter.Asc) {
case "id":
q = q.Order(tbl.ID)
case "created_at":
q = q.Order(tbl.CreatedAt)
}
orderApplied = true
}
if !orderApplied {
q = q.Order(tbl.CreatedAt.Desc())
}
filter.Pagination.Format()
total, err := q.Count()
if err != nil {
return nil, errorx.ErrDatabaseError.WithCause(err)
}
list, err := q.Offset(int(filter.Pagination.Offset())).Limit(int(filter.Pagination.Limit)).Find()
if err != nil {
return nil, errorx.ErrDatabaseError.WithCause(err)
}
if len(list) == 0 {
return &requests.Pager{
Pagination: filter.Pagination,
Total: total,
Items: []creator_dto.CreatorAuditLogItem{},
}, nil
}
operatorSet := make(map[int64]struct{}, len(list))
for _, log := range list {
if log.OperatorID > 0 {
operatorSet[log.OperatorID] = struct{}{}
}
}
operatorMap := make(map[int64]*models.User, len(operatorSet))
if len(operatorSet) > 0 {
ids := make([]int64, 0, len(operatorSet))
for id := range operatorSet {
ids = append(ids, id)
}
userTbl, userQuery := models.UserQuery.QueryContext(ctx)
users, err := userQuery.Where(userTbl.ID.In(ids...)).Find()
if err != nil {
return nil, errorx.ErrDatabaseError.WithCause(err)
}
for _, user := range users {
operatorMap[user.ID] = user
}
}
items := make([]creator_dto.CreatorAuditLogItem, 0, len(list))
for _, log := range list {
item := creator_dto.CreatorAuditLogItem{
ID: log.ID,
OperatorID: log.OperatorID,
Action: log.Action,
TargetID: log.TargetID,
Detail: log.Detail,
CreatedAt: s.formatTime(log.CreatedAt),
}
if operator := operatorMap[log.OperatorID]; operator != nil {
item.OperatorName = operator.Username
} else if log.OperatorID > 0 {
item.OperatorName = "ID:" + strconv.FormatInt(log.OperatorID, 10)
}
items = append(items, item)
}
return &requests.Pager{
Pagination: filter.Pagination,
Total: total,
Items: items,
}, nil
}
func (s *creator) ProcessRefund(ctx context.Context, tenantID, userID, id int64, form *creator_dto.RefundForm) error {
tid, err := s.getTenantID(ctx, tenantID, userID)
if err != nil {

83
backend/app/services/creator_test.go
View File

@@ -592,3 +592,86 @@ func (s *CreatorTestSuite) Test_ExportReport() {
So(resp.Content, ShouldContainSubstring, "date,paid_orders,paid_amount,refund_orders,refund_amount,withdrawal_apply_orders,withdrawal_apply_amount,withdrawal_paid_orders,withdrawal_paid_amount,withdrawal_failed_orders,withdrawal_failed_amount,content_created,like_actions,favorite_actions,comment_count")
})
}
func (s *CreatorTestSuite) Test_ListAuditLogs() {
Convey("ListAuditLogs", s.T(), func() {
ctx := s.T().Context()
database.Truncate(ctx, s.DB,
models.TableNameAuditLog,
models.TableNameTenant,
models.TableNameUser,
)
owner := &models.User{Username: "owner_audit", Phone: "13900001013"}
operator := &models.User{Username: "operator_audit", Phone: "13900001014"}
outsider := &models.User{Username: "outsider_audit", Phone: "13900001015"}
models.UserQuery.WithContext(ctx).Create(owner, operator, outsider)
tenantA := &models.Tenant{
Name: "Tenant Audit A",
Code: "tenant_audit_a",
UserID: owner.ID,
Status: consts.TenantStatusVerified,
}
tenantB := &models.Tenant{
Name: "Tenant Audit B",
Code: "tenant_audit_b",
UserID: operator.ID,
Status: consts.TenantStatusVerified,
}
models.TenantQuery.WithContext(ctx).Create(tenantA, tenantB)
now := time.Now()
models.AuditLogQuery.WithContext(ctx).Create(
&models.AuditLog{
TenantID: tenantA.ID,
OperatorID: owner.ID,
Action: "update_settings",
TargetID: "setting_1",
Detail: "更新频道配置",
CreatedAt: now.Add(-1 * time.Hour),
},
&models.AuditLog{
TenantID: tenantA.ID,
OperatorID: operator.ID,
Action: "invite_member",
TargetID: "member_1",
Detail: "邀请成员",
CreatedAt: now,
},
&models.AuditLog{
TenantID: tenantB.ID,
OperatorID: operator.ID,
Action: "update_settings",
TargetID: "setting_999",
Detail: "跨租户数据",
CreatedAt: now,
},
)
pager, err := Creator.ListAuditLogs(ctx, tenantA.ID, owner.ID, &creator_dto.CreatorAuditLogListFilter{})
So(err, ShouldBeNil)
So(pager.Total, ShouldEqual, 2)
items, ok := pager.Items.([]creator_dto.CreatorAuditLogItem)
So(ok, ShouldBeTrue)
So(len(items), ShouldEqual, 2)
So(items[0].TargetID, ShouldEqual, "member_1")
So(items[1].TargetID, ShouldEqual, "setting_1")
operatorName := "operator_audit"
filtered, err := Creator.ListAuditLogs(ctx, tenantA.ID, owner.ID, &creator_dto.CreatorAuditLogListFilter{
OperatorName: &operatorName,
})
So(err, ShouldBeNil)
So(filtered.Total, ShouldEqual, 1)
filteredItems, ok := filtered.Items.([]creator_dto.CreatorAuditLogItem)
So(ok, ShouldBeTrue)
So(len(filteredItems), ShouldEqual, 1)
So(filteredItems[0].Action, ShouldEqual, "invite_member")
So(filteredItems[0].OperatorName, ShouldEqual, "operator_audit")
_, err = Creator.ListAuditLogs(ctx, tenantA.ID, outsider.ID, &creator_dto.CreatorAuditLogListFilter{})
So(err, ShouldNotBeNil)
})
}

73
backend/app/services/order_test.go
View File

@@ -2,9 +2,11 @@ package services
import (
"database/sql"
"errors"
"testing"
"quyun/v2/app/commands/testx"
"quyun/v2/app/errorx"
order_dto "quyun/v2/app/http/v1/dto"
"quyun/v2/database"
"quyun/v2/database/models"
@@ -168,3 +170,74 @@ func (s *OrderTestSuite) Test_PlatformCommission() {
})
})
}
func (s *OrderTestSuite) Test_Pay_DenyCrossTenantOrder() {
Convey("Pay should deny cross-tenant order", s.T(), func() {
ctx := s.T().Context()
database.Truncate(
ctx,
s.DB,
models.TableNameUser,
models.TableNameTenant,
models.TableNameOrder,
)
buyer := &models.User{Username: "buyer_cross_tenant", Balance: 5000}
So(models.UserQuery.WithContext(ctx).Create(buyer), ShouldBeNil)
tenantA := &models.Tenant{UserID: buyer.ID, Code: "order_pay_cross_a", Name: "Tenant A", Status: consts.TenantStatusVerified}
tenantB := &models.Tenant{UserID: buyer.ID, Code: "order_pay_cross_b", Name: "Tenant B", Status: consts.TenantStatusVerified}
So(models.TenantQuery.WithContext(ctx).Create(tenantA, tenantB), ShouldBeNil)
order := &models.Order{
TenantID: tenantA.ID,
UserID: buyer.ID,
Type: consts.OrderTypeContentPurchase,
Status: consts.OrderStatusCreated,
AmountPaid: 1000,
}
So(models.OrderQuery.WithContext(ctx).Create(order), ShouldBeNil)
_, err := Order.Pay(ctx, tenantB.ID, buyer.ID, order.ID, &order_dto.OrderPayForm{Method: "balance"})
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
})
}
func (s *OrderTestSuite) Test_Status_DenyCrossTenantOrder() {
Convey("Status should deny cross-tenant order", s.T(), func() {
ctx := s.T().Context()
database.Truncate(
ctx,
s.DB,
models.TableNameUser,
models.TableNameTenant,
models.TableNameOrder,
)
buyer := &models.User{Username: "buyer_status_cross", Balance: 5000}
So(models.UserQuery.WithContext(ctx).Create(buyer), ShouldBeNil)
tenantA := &models.Tenant{UserID: buyer.ID, Code: "order_status_cross_a", Name: "Tenant A", Status: consts.TenantStatusVerified}
tenantB := &models.Tenant{UserID: buyer.ID, Code: "order_status_cross_b", Name: "Tenant B", Status: consts.TenantStatusVerified}
So(models.TenantQuery.WithContext(ctx).Create(tenantA, tenantB), ShouldBeNil)
order := &models.Order{
TenantID: tenantA.ID,
UserID: buyer.ID,
Type: consts.OrderTypeContentPurchase,
Status: consts.OrderStatusCreated,
}
So(models.OrderQuery.WithContext(ctx).Create(order), ShouldBeNil)
_, err := Order.Status(ctx, tenantB.ID, buyer.ID, order.ID)
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
})
}

169
backend/app/services/tenant_member_test.go
View File

@@ -216,6 +216,27 @@ func (s *TenantTestSuite) Test_ReviewJoin() {
So(err, ShouldBeNil)
So(req.Status, ShouldEqual, string(consts.TenantJoinRequestStatusRejected))
})
Convey("should deny review when request belongs to another tenant", func() {
tenantA, _, _, reqA := setup()
ownerB := &models.User{Username: "owner_review_cross_b", Phone: "13900009991"}
So(models.UserQuery.WithContext(ctx).Create(ownerB), ShouldBeNil)
tenantB := &models.Tenant{Name: "Tenant Review B", Code: "tenant_review_cross_b", UserID: ownerB.ID, Status: consts.TenantStatusVerified}
So(models.TenantQuery.WithContext(ctx).Create(tenantB), ShouldBeNil)
err := Tenant.ReviewJoin(ctx, tenantB.ID, ownerB.ID, reqA.ID, &tenant_dto.TenantJoinReviewForm{Action: "approve"})
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
reqReload, err := models.TenantJoinRequestQuery.WithContext(ctx).Where(models.TenantJoinRequestQuery.ID.Eq(reqA.ID)).First()
So(err, ShouldBeNil)
So(reqReload.TenantID, ShouldEqual, tenantA.ID)
So(reqReload.Status, ShouldEqual, string(consts.TenantJoinRequestStatusPending))
})
})
}
@@ -352,54 +373,132 @@ func (s *TenantTestSuite) Test_ListMembersAndRemove() {
So(err, ShouldBeNil)
So(exists, ShouldBeFalse)
})
Convey("should deny removing member from another tenant", s.T(), func() {
ctx := s.T().Context()
database.Truncate(ctx, s.DB,
models.TableNameTenantUser,
models.TableNameTenant,
models.TableNameUser,
)
ownerA := &models.User{Username: "owner_remove_a", Phone: "13900007771"}
ownerB := &models.User{Username: "owner_remove_b", Phone: "13900007772"}
memberA := &models.User{Username: "member_remove_a", Phone: "13900007773"}
So(models.UserQuery.WithContext(ctx).Create(ownerA, ownerB, memberA), ShouldBeNil)
tenantA := &models.Tenant{Name: "Tenant Remove A", Code: "tenant_remove_cross_a", UserID: ownerA.ID, Status: consts.TenantStatusVerified}
tenantB := &models.Tenant{Name: "Tenant Remove B", Code: "tenant_remove_cross_b", UserID: ownerB.ID, Status: consts.TenantStatusVerified}
So(models.TenantQuery.WithContext(ctx).Create(tenantA, tenantB), ShouldBeNil)
memberLinkA := &models.TenantUser{
TenantID: tenantA.ID,
UserID: memberA.ID,
Role: types.Array[consts.TenantUserRole]{consts.TenantUserRoleMember},
Status: consts.UserStatusVerified,
}
So(models.TenantUserQuery.WithContext(ctx).Create(memberLinkA), ShouldBeNil)
err := Tenant.RemoveMember(ctx, tenantB.ID, ownerB.ID, memberLinkA.ID)
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
exists, err := models.TenantUserQuery.WithContext(ctx).Where(models.TenantUserQuery.ID.Eq(memberLinkA.ID)).Exists()
So(err, ShouldBeNil)
So(exists, ShouldBeTrue)
})
}
func (s *TenantTestSuite) Test_ListInvitesAndDisable() {
Convey("ListInvites and DisableInvite", s.T(), func() {
ctx := s.T().Context()
database.Truncate(ctx, s.DB,
models.TableNameTenantInvite,
models.TableNameTenant,
models.TableNameUser,
)
Convey("should list and disable invite in same tenant", func() {
database.Truncate(ctx, s.DB,
models.TableNameTenantInvite,
models.TableNameTenant,
models.TableNameUser,
)
owner := &models.User{Username: "owner_invite", Phone: "13900002003"}
_ = models.UserQuery.WithContext(ctx).Create(owner)
owner := &models.User{Username: "owner_invite", Phone: "13900002003"}
_ = models.UserQuery.WithContext(ctx).Create(owner)
tenant := &models.Tenant{
Name: "Tenant Invite",
UserID: owner.ID,
Status: consts.TenantStatusVerified,
}
_ = models.TenantQuery.WithContext(ctx).Create(tenant)
tenant := &models.Tenant{
Name: "Tenant Invite",
UserID: owner.ID,
Status: consts.TenantStatusVerified,
}
_ = models.TenantQuery.WithContext(ctx).Create(tenant)
invite := &models.TenantInvite{
TenantID: tenant.ID,
UserID: owner.ID,
Code: "invite_list",
Status: string(consts.TenantInviteStatusActive),
MaxUses: 2,
UsedCount: 0,
ExpiresAt: time.Now().Add(24 * time.Hour),
Remark: "测试邀请",
}
_ = models.TenantInviteQuery.WithContext(ctx).Create(invite)
invite := &models.TenantInvite{
TenantID: tenant.ID,
UserID: owner.ID,
Code: "invite_list",
Status: string(consts.TenantInviteStatusActive),
MaxUses: 2,
UsedCount: 0,
ExpiresAt: time.Now().Add(24 * time.Hour),
Remark: "测试邀请",
}
_ = models.TenantInviteQuery.WithContext(ctx).Create(invite)
res, err := Tenant.ListInvites(ctx, tenant.ID, owner.ID, &tenant_dto.TenantInviteListFilter{
Pagination: requests.Pagination{Page: 1, Limit: 10},
res, err := Tenant.ListInvites(ctx, tenant.ID, owner.ID, &tenant_dto.TenantInviteListFilter{
Pagination: requests.Pagination{Page: 1, Limit: 10},
})
So(err, ShouldBeNil)
So(res.Total, ShouldEqual, 1)
err = Tenant.DisableInvite(ctx, tenant.ID, owner.ID, invite.ID)
So(err, ShouldBeNil)
updated, err := models.TenantInviteQuery.WithContext(ctx).
Where(models.TenantInviteQuery.ID.Eq(invite.ID)).
First()
So(err, ShouldBeNil)
So(updated.Status, ShouldEqual, string(consts.TenantInviteStatusDisabled))
})
So(err, ShouldBeNil)
So(res.Total, ShouldEqual, 1)
err = Tenant.DisableInvite(ctx, tenant.ID, owner.ID, invite.ID)
So(err, ShouldBeNil)
Convey("should deny disabling invite from another tenant", func() {
database.Truncate(ctx, s.DB,
models.TableNameTenantInvite,
models.TableNameTenant,
models.TableNameUser,
)
updated, err := models.TenantInviteQuery.WithContext(ctx).
Where(models.TenantInviteQuery.ID.Eq(invite.ID)).
First()
So(err, ShouldBeNil)
So(updated.Status, ShouldEqual, string(consts.TenantInviteStatusDisabled))
ownerA := &models.User{Username: "owner_invite_a", Phone: "13900008881"}
ownerB := &models.User{Username: "owner_invite_b", Phone: "13900008882"}
So(models.UserQuery.WithContext(ctx).Create(ownerA, ownerB), ShouldBeNil)
tenantA := &models.Tenant{Name: "Tenant Invite A", Code: "tenant_invite_cross_a", UserID: ownerA.ID, Status: consts.TenantStatusVerified}
tenantB := &models.Tenant{Name: "Tenant Invite B", Code: "tenant_invite_cross_b", UserID: ownerB.ID, Status: consts.TenantStatusVerified}
So(models.TenantQuery.WithContext(ctx).Create(tenantA, tenantB), ShouldBeNil)
inviteA := &models.TenantInvite{
TenantID: tenantA.ID,
UserID: ownerA.ID,
Code: "invite_cross_disable",
Status: string(consts.TenantInviteStatusActive),
MaxUses: 2,
UsedCount: 0,
ExpiresAt: time.Now().Add(24 * time.Hour),
Remark: "跨租户禁用测试",
}
So(models.TenantInviteQuery.WithContext(ctx).Create(inviteA), ShouldBeNil)
err := Tenant.DisableInvite(ctx, tenantB.ID, ownerB.ID, inviteA.ID)
So(err, ShouldNotBeNil)
var appErr *errorx.AppError
So(errors.As(err, &appErr), ShouldBeTrue)
So(appErr.Code, ShouldEqual, errorx.ErrForbidden.Code)
reloaded, err := models.TenantInviteQuery.WithContext(ctx).Where(models.TenantInviteQuery.ID.Eq(inviteA.ID)).First()
So(err, ShouldBeNil)
So(reloaded.Status, ShouldEqual, string(consts.TenantInviteStatusActive))
})
})
}

2194
backend/docs/docs.go
View File

File diff suppressed because it is too large Load Diff

2194
backend/docs/swagger.json
View File

File diff suppressed because it is too large Load Diff

1464
backend/docs/swagger.yaml
View File

File diff suppressed because it is too large Load Diff

299
docs/release-evidence/2026-02-08.md Normal file
View File

@@ -0,0 +1,299 @@
# Release Evidence — 2026-02-08
## Scope
D1 基线执行(对应 `docs/plan.md`T1 / T4 / T15
- 生产部署能力差距台账4 项标准)
- 前端生产路由数据来源盘点Portal + Superadmin
- 后端隔离基线盘点order/content/coupon/tenant/wallet
## Environment
- Repo: `/home/rogee/Projects/quyun_v2`
- Branch: `main`
- Plan commit: `3126ed5` (`chore: refine production-readiness execution plan`)
## Evidence A — 4项标准差距台账Baseline)
| 标准 | 当前状态 | 结论 | 关键证据 |
|------|----------|------|----------|
| 1) 前端所有数据来源后端接口/渲染 | Portal/Superadmin 主业务页大多为 API存在硬编码业务数据页面与 demo mock 数据入口 | **未达标** | `frontend/portal/src/views/user/LikesView.vue:12-35`(硬编码 items`frontend/superadmin/src/views/uikit/TableDoc.vue:2,85-91` + `frontend/superadmin/src/service/CustomerService.js:2-39`mock数据源 |
| 2) 用户/租户数据隔离完备 | Controller 与 Service 多数传递 tenantID/userID 并做 where 约束;仍存在“依赖人工维护”的模式,需继续补负向测试 | **部分达标** | `backend/app/http/v1/helpers.go`tenant/user 上下文);`backend/app/services/order.go:31-39,64-73`; `backend/app/services/content.go:31-47`; `backend/app/services/coupon.go:162-175,237-239`; `backend/app/services/tenant_member.go:138-154`; `backend/app/services/wallet.go:35-43` |
| 3) 超级管理员后台可审计 | 超管审计链路已存在表、服务、API、页面 | **达标** | `backend/database/migrations/20260115103830_create_audit_logs_and_system_configs.sql:3-25`; `backend/app/http/super/v1/audit_logs.go:16-27`; `frontend/superadmin/src/views/superadmin/AuditLogs.vue:46-67` |
| 4) 租户管理对租户数据可审计 | 目前未见租户侧独立审计日志查询 API/页面(仅通知不等同审计日志) | **未达标** | `backend/app/http/v1` 未发现租户 audit-log 列表入口Portal 仅有通知页 `frontend/portal/src/views/user/NotificationsView.vue` |
## Evidence B — Portal 路由数据来源盘点(生产相关)
来源:`frontend/portal/src/router/index.js`
### B1. API 驱动为主(带少量 UI 常量)
- `/`, `/t/:tenantCode` -> `HomeView.vue`API + fallback 常量)
- `/t/:tenantCode/channel` -> `tenant/HomeView.vue`API + tab 常量)
- `/t/:tenantCode/contents/:id` -> `content/DetailView.vue`API
- `/t/:tenantCode/me/orders``/wallet``/coupons``/library``/favorites``/notifications``/profile`(以 `userApi` 为主)
- `/t/:tenantCode/creator/*`(以 `creatorApi` 为主)
- `/t/:tenantCode/checkout``/payment/:id``contentApi/orderApi`
### B2. 高风险(业务硬编码)
- `/t/:tenantCode/me/likes` -> `user/LikesView.vue`
- 证据:`items` 直接硬编码业务内容 `LikesView.vue:12-35`
### B3. 静态/演示型(非关键业务)
- `/creator/apply` -> `creator/ApplyView.vue`
- 证据:`setTimeout` 模拟提交,未接后端 `ApplyView.vue:42-47`
- `/t/:tenantCode/me/security` -> `user/SecurityView.vue`
- 证据:页面展示固定手机号/验证流程占位,未接后端 `SecurityView.vue:64,113,29`
## Evidence C — Superadmin 路由数据来源盘点
来源:`frontend/superadmin/src/router/index.js`
### C1. 生产业务路由(/superadmin/*
- 租户、用户、订单、内容、创作者、优惠券、财务、报表、资产、通知、审计日志、系统配置等页面均存在。
- 这些页面普遍是“API 查询 + 本地选项常量(筛选项)”混合模式。
### C2. 明确 demo/mock 数据入口(应隔离)
- `/uikit/table` -> `views/uikit/TableDoc.vue`
- 证据:`CustomerService.getCustomers*` `TableDoc.vue:85-91`
- 数据源:`CustomerService.js` 内置对象数组 `CustomerService.js:2-39`(后续大量同类对象)
## Evidence D — 后端隔离基线矩阵T4
| 模块 | 主要隔离实现 | 风险备注 | 证据 |
|------|--------------|----------|------|
| order | query-time 使用 tenantID/userID 条件;读取明细时 tenant + user 双条件 | Recharge 类型用 OR 放行(设计允许同用户跨租户查看充值记录),需确认业务预期 | `order.go:31-39,64-73,66-70` |
| content | 列表/详情普遍 tenant 过滤filter tenant mismatch 直接 forbidden | `UnderlyingDB` + preload 路径需持续关注遗漏风险 | `content.go:31-47,148-159,172-176` |
| coupon | Receive/Create/Update/Get/Validate/MarkUsed 多处 tenant 校验 | 存在 tenantID==0 分支(平台视角),需在接口层严格限定调用入口 | `coupon.go:162-175,237-239,306-308,657-658,720-721` |
| tenant (member) | 管理操作先 `ensureTenantAdmin`,再检查 request/invite 的 tenant 一致性 | 需用负向用例覆盖“跨租户 requestID/inviteID”场景 | `tenant_member.go:138-154,227-237,291-295,320-330` |
| wallet | 钱包交易列表使用 tenant+user 查询;支持充值订单特例 | 与订单同样存在 recharge 例外,需文档化并测试 | `wallet.go:35-43` |
## Performance Baseline Protocol (for later execution)
按计划定义,后续性能验证需满足:
- 目标接口:`/super/v1/audit-logs` + 新增租户审计列表
- 条件:`page=1&limit=20`,默认排序
- 样本预热10次 + 采样50次统计 p95
- 结果写入本文件后续“性能结果”小节
## D1 Exit Check
- [x] T1 差距台账已建立并含证据路径
- [x] T4 隔离基线矩阵已建立order/content/coupon/tenant/wallet
- [x] T15 证据模板文件已创建并写入 D1 结果
## Evidence E — T2 执行结果LikesView API化
### E1. 变更内容
- 文件:`frontend/portal/src/views/user/LikesView.vue`
- 改动要点:
- 删除硬编码 `items` 列表(原本本地静态业务记录)。
- 接入 `userApi.getLikes()` 拉取后端数据。
- 接入 `userApi.removeLike(id)` 处理取消点赞并同步本地列表。
- 复用与 Favorites/Library 一致的数据字段渲染:`title/cover/type/author_name/author_avatar/created_at`
### E2. 核验结果
- LSP目标文件: `lsp_diagnostics frontend/portal/src/views/user/LikesView.vue severity=error` -> **No diagnostics found**
- Portal lint: `npm -C frontend/portal run lint` -> **pass**
- Portal build: `npm -C frontend/portal run build` -> **pass**(包含 `LikesView-*.js` 构建产物)。
### E3. 状态更新
- 标准 #1(前端数据来源后端接口/渲染):
- `LikesView` 已从“未达标子项”移除。
- 剩余风险主要在 demo/doc 路由隔离(`/uikit/table`)与静态占位页策略。
## Evidence F — T3 执行结果Superadmin demo 路由隔离)
### F1. 变更内容
- 文件:`frontend/superadmin/src/router/index.js`
- 改动要点:
- 新增 `isDemoOnlyRoute(path)` 判定,覆盖:
- `/uikit/*`
- `/blocks`
- `/pages/empty`
- `/pages/crud`
- `/documentation`
- `/landing`
- 在全局 `beforeEach` 中加入生产环境拦截:
- `if (!import.meta.env.DEV && isDemoOnlyRoute(to.path)) return { name: 'dashboard' }`
- 效果:开发环境保留 demo 调试能力;非开发环境禁止通过 URL 直接进入 demo 页面。
### F2. 核验结果
- LSP目标文件: `frontend/superadmin/src/router/index.js` -> **No diagnostics found**
- Superadmin lint: `npm -C frontend/superadmin run lint` -> **pass**(首次执行出现一次临时文件 ENOENT重试通过
- Superadmin build: `npm -C frontend/superadmin run build` -> **pass**
### F3. 状态更新
- 标准 #1(前端生产数据来源约束)继续收敛:
- demo/mock 路由已从“可直接访问”改为“生产环境拦截”。
- 仍建议后续把 demo 路由按配置化开关进一步显式隔离(可选增强项)。
## Evidence G — T6 执行结果(跨租户负向测试补强)
### G1. 新增测试覆盖
#### Order
- 文件:`backend/app/services/order_test.go`
- 新增用例:
- `Test_Pay_DenyCrossTenantOrder`
- `Test_Status_DenyCrossTenantOrder`
- 断言目标:同一用户持有 A 租户订单时,用 B 租户上下文调用 `Pay/Status` 必须返回 `ErrForbidden`
#### Coupon
- 文件:`backend/app/services/coupon_test.go`
- 新增用例:
- `Test_Validate_DenyCrossTenantCoupon`
- `Test_MarkUsed_DenyCrossTenantCoupon`
- `Test_Grant_DenyCrossTenantCoupon`
- 断言目标:
- `Validate/MarkUsed` 跨租户必须拒绝(`ErrForbidden`
- `Grant` 使用非所属租户发放时必须失败且不产生 `user_coupons` 记录。
#### Tenant Member
- 文件:`backend/app/services/tenant_member_test.go`
- 新增用例:
- `Test_ReviewJoin` 中补充跨租户 review 拒绝场景
- `Test_ListMembersAndRemove` 中补充跨租户 remove 拒绝场景
- `Test_ListInvitesAndDisable` 中补充跨租户 disable 邀请拒绝场景
- 断言目标:跨租户操作返回 `ErrForbidden`,目标记录状态不应被修改。
### G2. 测试执行结果
- 命令(聚合):
- `cd backend && env GOCACHE=$PWD/.gocache GOTMPDIR=$PWD/.gotmp go test ./app/services -run 'Test_Order/(Test_Pay_DenyCrossTenantOrder|Test_Status_DenyCrossTenantOrder)|Test_Coupon/(Test_Validate_DenyCrossTenantCoupon|Test_MarkUsed_DenyCrossTenantCoupon|Test_Grant_DenyCrossTenantCoupon)|Test_Tenant/(Test_ReviewJoin|Test_ListMembersAndRemove|Test_ListInvitesAndDisable)'`
- 结果:**PASS**`ok quyun/v2/app/services`
### G3. 过程说明
- 首轮执行暴露新增测试数据问题(`tenants_code_key` 唯一约束冲突),已通过为新增租户测试数据设置唯一 `code` 修复。
- 修复后目标测试集稳定通过。
## Evidence H — T8 执行结果(租户侧审计日志 API
### H1. 变更内容
- 新增 DTO`backend/app/http/v1/dto/creator_audit.go`
- `CreatorAuditLogListFilter`:分页 + `operator_id/operator_name/action/target_id/keyword/created_at_from/created_at_to/asc/desc`
- `CreatorAuditLogItem``id/operator_id/operator_name/action/target_id/detail/created_at`
- 新增服务方法:`backend/app/services/creator.go`
- `Creator.ListAuditLogs(ctx, tenantID, userID, filter)`
- 强制租户范围:`audit_logs.tenant_id = currentTenantID`
- 权限校验:复用 `Tenant.ensureTenantAdmin`,仅租户主账号/tenant_admin 可查看
- 过滤/排序/分页:对齐 super audit 风格(支持 `id/created_at` 排序)
- 操作者名补齐:批量查询 user 表回填 `operator_name`
- DB 错误统一 `errorx.ErrDatabaseError.WithCause(err)` 包装
- 新增控制器接口:`backend/app/http/v1/creator.go`
- `GET /v1/t/:tenantCode/creator/audit-logs`
- 控制器仅做 bind + tenant/user 上下文提取 + service 调用
- 路由/文档生成:
- `atomctl gen route`
- `atomctl swag init`
- 生成结果包含:
- `backend/app/http/v1/routes.gen.go` 新路由注册
- `backend/docs/swagger.yaml|swagger.json|docs.go` 新接口与模型
### H2. 测试与核验
- 新增测试:`backend/app/services/creator_test.go`
- `Test_ListAuditLogs`
- 覆盖点:
- 仅返回当前租户日志(跨租户数据不泄露)
- `operator_name` 过滤生效
- 非管理员访问拒绝
- 执行结果:
- `go test ./app/services -run 'Test_Creator/(Test_ListAuditLogs|Test_ReportOverview|Test_ExportReport)$'` -> **PASS**
- `go test ./app/http/v1 ./app/services` -> **PASS**
- `go test ./...`backend-> **PASS**
- LSP本次变更文件: **No diagnostics found**
## Evidence I — T9 执行结果Portal 创作者审计页面)
### I1. 变更内容
- API 封装:`frontend/portal/src/api/creator.js`
- 新增 `listAuditLogs(params)` -> `/creator/audit-logs`
- 新增页面:`frontend/portal/src/views/creator/AuditView.vue`
- 筛选:`operator_id/operator_name/action/target_id/keyword/created_at_from/created_at_to`
- 排序:`created_at|id` + 升降序
- 列表展示日志ID、操作者、动作、目标ID、详情、创建时间
- 分页PrimeVue `Paginator`
- 路由注册:`frontend/portal/src/router/index.js`
- 新增 `creator-audit`,路径 `creator/audit`
- 侧边菜单:`frontend/portal/src/layout/LayoutCreator.vue`
- 新增“操作审计”入口,链接 `tenantRoute('/creator/audit')`
### I2. 核验结果
- Portal lint: `npm -C frontend/portal run lint` -> **pass**
- Portal build: `npm -C frontend/portal run build` -> **pass**(产物含 `AuditView-*.js`
- LSP本次前端变更文件: **No diagnostics found**
## Status Update
- 标准 #4(租户管理侧可审计):
- 已具备租户侧审计查询 API + Portal 页面入口与展示能力
- 当前状态:**达标(待后续前后端联调回归统一验收)**
## Evidence J — T16 执行结果 (Tenant Creator Audit Flow Acceptance)
### J1. 测试执行摘要
| 测试用例 | 状态 | 观察结果 | 证据 |
|-----------|--------|-------------|----------|
| **Admin Login & Navigation** | PASS | Admin `13800000001` 成功登录并导航至 `/t/meipai_765/creator/audit`。页面标题“操作审计”验证通过。 | `admin-audit-page-loaded.png` |
| **Data Rendering** | PASS | 审计日志列表渲染多行数据 (IDs 13, 12, etc.)。 | `admin-audit-page-loaded.png` |
| **Action Filter** | PASS | 筛选动作 "seed" 后列表缩减为单条匹配记录 (ID 3)。 | `admin-filter-result.png` |
| **Pagination** | PASS | 切换至第 2 页显示了不同的记录 (IDs 3, 2, 1)。 | `admin-page-2.png` |
| **Permission Control** | PASS | 普通成员 `13800138000` 访问页面显示“暂无审计记录”,验证了数据权限控制。 | `member-denied-state.png` |
### J2. 截图证据
#### 1. Admin: Audit Page Loaded
![Admin Audit Page](2026-02-08/admin-audit-page-loaded.png)
*完整审计日志列表展示*
#### 2. Admin: Filter Result ("seed")
![Admin Filter Result](2026-02-08/admin-filter-result.png)
*筛选 action='seed' 结果*
#### 3. Admin: Pagination (Page 2)
![Admin Page 2](2026-02-08/admin-page-2.png)
*第 2 页旧数据展示*
#### 4. Member: Access Denied / No Data
![Member Denied](2026-02-08/member-denied-state.png)
*非管理员用户访问无数据展示*
### J3. 结论
**PASS**. 新增的租户创作者审计流程对管理员功能正常对普通成员具备权限控制。T16 验收通过。
## Evidence K — T17 发布门禁汇总与 Go/No-Go
### K1. 门禁清单结果
| 门禁项 | 结果 | 证据 |
|---|---|---|
| T13 Backend 全量测试 | PASS | `go test ./...`backend通过 |
| T14 Frontend build/lint | PASS | `npm -C frontend/portal run lint && npm -C frontend/portal run build` 通过;`npm -C frontend/superadmin run lint && npm -C frontend/superadmin run build` 通过 |
| T16 前端页面流验收(本次受影响流) | PASS | Evidence J + 截图 `docs/release-evidence/2026-02-08/*.png` |
| 租户审计 API 权限与数据面验证 | PASS | 成员调用 `/v1/t/meipai_765/creator/audit-logs` 返回 `code=1206 无权限操作该租户`;管理员调用返回 `total=13` 且可筛选/分页 |
### K2. 四项标准最终判定(本轮)
| 标准 | 判定 | 说明 |
|---|---|---|
| 1) 前端业务数据来自后端接口/渲染 | PASS本轮范围 | LikesView 已 API 化superadmin demo 路由已生产拦截 |
| 2) 用户/租户数据隔离完备 | PASS本轮范围 | 跨租户负向测试补强通过Evidence G |
| 3) 超管后台可审计 | PASS | 既有超管审计链路 + 构建验证通过 |
| 4) 租户管理侧可审计 | PASS | 新增 creator audit API + Portal 页面 + 页面流验收通过 |
### K3. Go/No-Go 结论
**Go可进入生产发布候选**
依据T13/T14/T16/T17 门禁均通过,且四项标准在本轮改造范围内均达标。
### K4. 发布前剩余建议(非阻塞)
1. 按计划补充审计接口性能基线p95记录目前文档仅有测量协议尚缺执行数据
2. 将 superadmin demo 路由从“运行时拦截”进一步提升为“构建期裁剪”(可选增强)。
3. 按计划完成归档动作:若确认本阶段收口,执行 T18归档 `docs/plan.md` -> `docs/plans/<date>.md` 并清空活动 plan
## Next Actions (D2+)
1. 已完成执行计划门禁与联调验收项T13/T14/T16/T17见 Evidence K。
2. 已完成进行前端页面流验收creator audit 查询/筛选/分页)并补充录屏或截图证据(见 Evidence J
3. (可选增强)将 superadmin demo 路由按构建开关完全剔除,而非仅运行时拦截。

BIN
docs/release-evidence/2026-02-08/admin-audit-page-loaded.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 96 KiB

BIN
docs/release-evidence/2026-02-08/admin-filter-result.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
docs/release-evidence/2026-02-08/admin-page-2.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 82 KiB

BIN
docs/release-evidence/2026-02-08/member-denied-state.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

4
frontend/portal/src/api/creator.js
View File

@@ -18,6 +18,10 @@ export const creatorApi = {
const qs = new URLSearchParams(params).toString();
return request(`/creator/orders?${qs}`);
},
listAuditLogs: (params) => {
const qs = new URLSearchParams(params).toString();
return request(`/creator/audit-logs?${qs}`);
},
refundOrder: (id, data) =>
request(`/creator/orders/${id}/refund`, { method: "POST", body: data }),
listCoupons: (params) => {

10
frontend/portal/src/layout/LayoutCreator.vue
View File

@@ -91,6 +91,16 @@ const isFullWidth = computed(() => {
></i>
<span class="font-medium">订单管理</span>
</router-link>
<router-link
:to="tenantRoute('/creator/audit')"
active-class="bg-primary-600 text-white shadow-md shadow-primary-900/20"
class="flex items-center gap-3 px-4 py-3 rounded-lg hover:bg-surface-highlight hover:text-content transition-all group"
>
<i
class="pi pi-shield text-lg group-hover:scale-110 transition-transform"
></i>
<span class="font-medium">操作审计</span>
</router-link>
<router-link
:to="tenantRoute('/creator/coupons')"
active-class="bg-primary-600 text-white shadow-md shadow-primary-900/20"

5
frontend/portal/src/router/index.js
View File

@@ -175,6 +175,11 @@ const router = createRouter({
name: "creator-orders",
component: () => import("../views/creator/OrdersView.vue"),
},
{
path: "audit",
name: "creator-audit",
component: () => import("../views/creator/AuditView.vue"),
},
{
path: "members",
name: "creator-members",

347
frontend/portal/src/views/creator/AuditView.vue Normal file
View File

@@ -0,0 +1,347 @@
<script setup>
import Paginator from "primevue/paginator";
import Toast from "primevue/toast";
import { useToast } from "primevue/usetoast";
import { computed, onMounted, ref } from "vue";
import { creatorApi } from "../../api/creator";
const toast = useToast();
const logs = ref([]);
const loading = ref(false);
const totalRecords = ref(0);
const rows = ref(10);
const first = ref(0);
const operatorID = ref("");
const operatorName = ref("");
const action = ref("");
const targetID = ref("");
const keyword = ref("");
const createdAtFrom = ref("");
const createdAtTo = ref("");
const sortField = ref("created_at");
const sortOrder = ref("desc");
const page = computed(() => Math.floor(first.value / rows.value) + 1);
const toISO = (value) => {
if (!value) return undefined;
const date = new Date(value);
if (Number.isNaN(date.getTime())) return undefined;
return date.toISOString();
};
const formatDate = (value) => {
if (!value) return "-";
const date = new Date(value);
if (Number.isNaN(date.getTime())) return value;
return date.toLocaleString();
};
const actionTagClass = (value) => {
if (!value) return "bg-slate-100 text-slate-500";
if (value.includes("create") || value.includes("approve")) {
return "bg-emerald-50 text-emerald-700";
}
if (value.includes("update") || value.includes("review")) {
return "bg-blue-50 text-blue-700";
}
if (
value.includes("delete") ||
value.includes("reject") ||
value.includes("disable")
) {
return "bg-rose-50 text-rose-700";
}
return "bg-slate-100 text-slate-600";
};
const buildParams = () => {
const params = {
page: page.value,
limit: rows.value,
};
if (operatorID.value) {
const parsed = Number(operatorID.value);
if (Number.isFinite(parsed) && parsed > 0) {
params.operator_id = parsed;
}
}
if (operatorName.value.trim())
params.operator_name = operatorName.value.trim();
if (action.value.trim()) params.action = action.value.trim();
if (targetID.value.trim()) params.target_id = targetID.value.trim();
if (keyword.value.trim()) params.keyword = keyword.value.trim();
const fromISO = toISO(createdAtFrom.value);
if (fromISO) params.created_at_from = fromISO;
const toISOValue = toISO(createdAtTo.value);
if (toISOValue) params.created_at_to = toISOValue;
if (sortOrder.value === "asc") {
params.asc = sortField.value;
} else {
params.desc = sortField.value;
}
return params;
};
const fetchLogs = async () => {
loading.value = true;
try {
const res = await creatorApi.listAuditLogs(buildParams());
logs.value = res?.items || [];
totalRecords.value = res?.total || 0;
} catch (error) {
toast.add({
severity: "error",
summary: "加载失败",
detail: error?.message || "审计日志加载失败",
life: 3000,
});
} finally {
loading.value = false;
}
};
const onSearch = () => {
first.value = 0;
fetchLogs();
};
const onReset = () => {
operatorID.value = "";
operatorName.value = "";
action.value = "";
targetID.value = "";
keyword.value = "";
createdAtFrom.value = "";
createdAtTo.value = "";
sortField.value = "created_at";
sortOrder.value = "desc";
first.value = 0;
rows.value = 10;
fetchLogs();
};
const onPage = (event) => {
first.value = event.first;
rows.value = event.rows;
fetchLogs();
};
onMounted(fetchLogs);
</script>
<template>
<div>
<Toast />
<div class="flex items-center justify-between mb-8">
<h1 class="text-2xl font-bold text-slate-900">操作审计</h1>
<div class="text-sm text-slate-500">仅展示当前租户审计记录</div>
</div>
<div class="bg-white rounded-xl shadow-sm border border-slate-100 p-4 mb-6">
<div class="grid grid-cols-1 md:grid-cols-2 xl:grid-cols-4 gap-4">
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>操作者ID</label
>
<input
v-model="operatorID"
type="number"
min="1"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
placeholder="精确匹配"
@keyup.enter="onSearch"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>操作者</label
>
<input
v-model="operatorName"
type="text"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
placeholder="用户名/昵称"
@keyup.enter="onSearch"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>动作</label
>
<input
v-model="action"
type="text"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
placeholder="如 update_settings"
@keyup.enter="onSearch"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>目标ID</label
>
<input
v-model="targetID"
type="text"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
placeholder="精确匹配"
@keyup.enter="onSearch"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>关键词</label
>
<input
v-model="keyword"
type="text"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
placeholder="详情关键词"
@keyup.enter="onSearch"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>创建时间 From</label
>
<input
v-model="createdAtFrom"
type="datetime-local"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>创建时间 To</label
>
<input
v-model="createdAtTo"
type="datetime-local"
class="w-full h-9 px-3 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none"
/>
</div>
<div>
<label class="text-xs font-bold text-slate-500 block mb-1"
>排序</label
>
<div class="flex gap-2">
<select
v-model="sortField"
class="flex-1 h-9 px-2 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none bg-white"
>
<option value="created_at">created_at</option>
<option value="id">id</option>
</select>
<select
v-model="sortOrder"
class="w-24 h-9 px-2 rounded border border-slate-200 text-sm focus:border-primary-500 outline-none bg-white"
>
<option value="desc">降序</option>
<option value="asc">升序</option>
</select>
</div>
</div>
</div>
<div class="mt-4 flex justify-end gap-2">
<button
@click="onReset"
class="px-4 h-9 border border-slate-200 rounded text-sm text-slate-600 hover:bg-slate-50"
>
重置
</button>
<button
@click="onSearch"
class="px-4 h-9 bg-slate-900 text-white rounded text-sm hover:bg-slate-800"
>
查询
</button>
</div>
</div>
<div
class="bg-white rounded-xl shadow-sm border border-slate-100 overflow-hidden"
>
<div v-if="loading" class="px-6 py-10 text-center text-slate-400">
加载中...
</div>
<template v-else>
<table class="w-full text-left text-sm">
<thead
class="bg-slate-50 text-slate-500 font-bold border-b border-slate-200"
>
<tr>
<th class="px-6 py-4 whitespace-nowrap">日志ID</th>
<th class="px-6 py-4 whitespace-nowrap">操作者</th>
<th class="px-6 py-4 whitespace-nowrap">动作</th>
<th class="px-6 py-4 whitespace-nowrap">目标ID</th>
<th class="px-6 py-4">详情</th>
<th class="px-6 py-4 whitespace-nowrap">创建时间</th>
</tr>
</thead>
<tbody class="divide-y divide-slate-100">
<tr
v-for="item in logs"
:key="item.id"
class="hover:bg-slate-50 transition-colors"
>
<td class="px-6 py-4 font-mono text-slate-600">{{ item.id }}</td>
<td class="px-6 py-4">
<div class="font-medium text-slate-900">
{{ item.operator_name || "-" }}
</div>
<div class="text-xs text-slate-500">
ID: {{ item.operator_id || "-" }}
</div>
</td>
<td class="px-6 py-4">
<span
class="inline-block px-2.5 py-1 rounded text-xs font-bold"
:class="actionTagClass(item.action)"
>
{{ item.action || "-" }}
</span>
</td>
<td class="px-6 py-4 font-mono text-slate-600">
{{ item.target_id || "-" }}
</td>
<td class="px-6 py-4 text-slate-700">
<span
class="block max-w-[520px] truncate"
:title="item.detail"
>{{ item.detail || "-" }}</span
>
</td>
<td class="px-6 py-4 text-slate-500 whitespace-nowrap">
{{ formatDate(item.created_at) }}
</td>
</tr>
</tbody>
</table>
<div v-if="logs.length === 0" class="text-center py-12 text-slate-400">
暂无审计记录
</div>
</template>
</div>
<div class="mt-6 flex justify-end" v-if="totalRecords > rows">
<Paginator
:rows="rows"
:first="first"
:totalRecords="totalRecords"
@page="onPage"
template="PrevPageLink PageLinks NextPageLink RowsPerPageDropdown"
:rowsPerPageOptions="[10, 20, 50]"
/>
</div>
</div>
</template>

96
frontend/portal/src/views/user/LikesView.vue
View File

@@ -1,42 +1,61 @@
<script setup>
import { ref } from "vue";
import { ref, onMounted } from "vue";
import { useRoute } from "vue-router";
import Toast from "primevue/toast";
import { useToast } from "primevue/usetoast";
import { userApi } from "../../api/user";
import { tenantPath } from "../../utils/tenant";
const toast = useToast();
const route = useRoute();
const tenantRoute = (path) => tenantPath(path, route);
const items = ref([
{
id: 4,
title: "《霸王别姬》全本实录珍藏版",
cover:
"https://images.unsplash.com/photo-1514306191717-452ec28c7f31?ixlib=rb-1.2.1&auto=format&fit=crop&w=300&q=60",
author: "梅派传人小林",
authorAvatar: "https://api.dicebear.com/7.x/avataaars/svg?seed=Master1",
type: "video",
duration: "120:00",
time: "昨天点赞",
},
{
id: 5,
title: "京剧打击乐基础教程",
cover:
"https://images.unsplash.com/photo-1576014131795-d44019d02374?ixlib=rb-1.2.1&auto=format&fit=crop&w=300&q=60",
author: "戏曲学院官方",
authorAvatar: "https://api.dicebear.com/7.x/avataaars/svg?seed=School",
type: "video",
duration: "45:00",
time: "3天前点赞",
},
]);
const items = ref([]);
const loading = ref(true);
const removeItem = (id) => {
items.value = items.value.filter((i) => i.id !== id);
toast.add({ severity: "success", summary: "已取消点赞", life: 2000 });
const fetchLikes = async () => {
try {
const res = await userApi.getLikes();
items.value = res || [];
} catch (e) {
toast.add({
severity: "error",
summary: "加载失败",
detail: e.message,
life: 3000,
});
} finally {
loading.value = false;
}
};
onMounted(fetchLikes);
const removeItem = async (id) => {
try {
await userApi.removeLike(id);
items.value = items.value.filter((i) => i.id !== id);
toast.add({ severity: "success", summary: "已取消点赞", life: 2000 });
} catch (e) {
toast.add({
severity: "error",
summary: "操作失败",
detail: e.message,
life: 3000,
});
}
};
const getTypeIcon = (type) => {
if (type === "video") return "pi-play-circle";
if (type === "audio") return "pi-volume-up";
return "pi-book";
};
const getTypeLabel = (type) => {
if (type === "video") return "视频";
if (type === "audio") return "音频";
return "文章";
};
</script>
@@ -65,11 +84,8 @@ const removeItem = (id) => {
<div
class="absolute bottom-2 left-2 px-1.5 py-0.5 bg-black/60 text-white text-xs rounded flex items-center gap-1"
>
<i
class="pi"
:class="item.type === 'video' ? 'pi-play-circle' : 'pi-book'"
></i>
<span>{{ item.duration || "文章" }}</span>
<i class="pi" :class="getTypeIcon(item.type)"></i>
<span>{{ getTypeLabel(item.type) }}</span>
</div>
</div>
@@ -81,13 +97,19 @@ const removeItem = (id) => {
{{ item.title }}
</h3>
<div class="flex items-center gap-2 text-xs text-slate-500 mb-3">
<img :src="item.authorAvatar" class="w-5 h-5 rounded-full" />
<span>{{ item.author }}</span>
<img
:src="
item.author_avatar ||
`https://api.dicebear.com/7.x/avataaars/svg?seed=${item.author_id}`
"
class="w-5 h-5 rounded-full"
/>
<span>{{ item.author_name }}</span>
</div>
<div
class="flex items-center justify-between text-xs text-slate-400 border-t border-slate-50 pt-3"
>
<span>{{ item.time }}</span>
<span>{{ item.created_at }}</span>
<button
@click.stop="removeItem(item.id)"
class="hover:text-primary-600 flex items-center gap-1 transition-colors"
@@ -100,7 +122,7 @@ const removeItem = (id) => {
</div>
<!-- Empty State -->
<div v-if="items.length === 0" class="text-center py-20">
<div v-if="!loading && items.length === 0" class="text-center py-20">
<div
class="inline-flex items-center justify-center w-16 h-16 rounded-full bg-slate-50 mb-4"
>

2
frontend/superadmin/dist/index.html vendored
View File

@@ -7,7 +7,7 @@
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Sakai Vue</title>
<link href="https://fonts.cdnfonts.com/css/lato" rel="stylesheet">
<script type="module" crossorigin src="./assets/index-CsH8eBi3.js"></script>
<script type="module" crossorigin src="./assets/index-DRIu3C4l.js"></script>
<link rel="stylesheet" crossorigin href="./assets/index-CLNNtsXI.css">
</head>

8
frontend/superadmin/src/router/index.js
View File

@@ -225,10 +225,18 @@ const router = createRouter({
]
});
const isDemoOnlyRoute = (path) => {
return path.startsWith('/uikit/') || path === '/blocks' || path === '/pages/empty' || path === '/pages/crud' || path === '/documentation' || path === '/landing';
};
let tokenValidated = false;
let tokenValidationPromise = null;
router.beforeEach(async (to) => {
if (!import.meta.env.DEV && isDemoOnlyRoute(to.path)) {
return { name: 'dashboard' };
}
if (to.meta?.requiresAuth !== true) return true;
const isAuthed = hasSuperAuthToken();