fix: restrict order status to owner

2026-01-09 17:34:18 +08:00
parent 0707d1c5da
commit 2c6f4163c5
3 changed files with 9 additions and 4 deletions
--- a/backend/app/http/v1/routes.gen.go
+++ b/backend/app/http/v1/routes.gen.go
@@ -285,8 +285,9 @@ func (r *Routes) Register(router fiber.Router) {
 	))
 	// Register routes for controller: Transaction
 	r.log.Debugf("Registering route: Get /t/:tenantCode/v1/orders/:id<int>/status -> transaction.Status")
-	router.Get("/t/:tenantCode/v1/orders/:id<int>/status"[len(r.Path()):], DataFunc1(
+	router.Get("/t/:tenantCode/v1/orders/:id<int>/status"[len(r.Path()):], DataFunc2(
 		r.transaction.Status,
+		Local[*models.User]("__ctx_user"),
 		PathParam[int64]("id"),
 	))
 	r.log.Debugf("Registering route: Post /t/:tenantCode/v1/orders -> transaction.Create")
--- a/backend/app/http/v1/transaction.go
+++ b/backend/app/http/v1/transaction.go
@@ -66,10 +66,11 @@ func (t *Transaction) Pay(
 // @Produce json
 // @Param id path int64 true "Order ID"
 // @Success 200 {object} dto.OrderStatusResponse
+// @Bind user local key(__ctx_user)
 // @Bind id path
-func (t *Transaction) Status(ctx fiber.Ctx, id int64) (*dto.OrderStatusResponse, error) {
+func (t *Transaction) Status(ctx fiber.Ctx, user *models.User, id int64) (*dto.OrderStatusResponse, error) {
 	tenantID := getTenantID(ctx)
-	return services.Order.Status(ctx, tenantID, id)
+	return services.Order.Status(ctx, tenantID, user.ID, id)
 }

 type WebhookForm struct {
--- a/backend/app/services/order.go
+++ b/backend/app/services/order.go
@@ -393,7 +393,7 @@ func (s *order) settleOrder(ctx context.Context, o *models.Order, method, extern
 	return nil
 }

-func (s *order) Status(ctx context.Context, tenantID, id int64) (*transaction_dto.OrderStatusResponse, error) {
+func (s *order) Status(ctx context.Context, tenantID, userID, id int64) (*transaction_dto.OrderStatusResponse, error) {
 	o, err := models.OrderQuery.WithContext(ctx).Where(models.OrderQuery.ID.Eq(id)).First()
 	if err != nil {
 		if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -401,6 +401,9 @@ func (s *order) Status(ctx context.Context, tenantID, id int64) (*transaction_dt
 		}
 		return nil, errorx.ErrDatabaseError.WithCause(err)
 	}
+	if userID > 0 && o.UserID != userID {
+		return nil, errorx.ErrForbidden.WithMsg("无权访问该订单")
+	}
 	if tenantID > 0 && o.TenantID > 0 && o.TenantID != tenantID {
 		return nil, errorx.ErrForbidden.WithMsg("租户不匹配")
 	}