rogee/quyun-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: restrict order status to owner

Browse Source
This commit is contained in:
Rogee
2026-01-09 17:34:18 +08:00
parent 0707d1c5da
commit 2c6f4163c5
3 changed files with 9 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
backend/app/services/order.go
View File

@@ -393,7 +393,7 @@ func (s *order) settleOrder(ctx context.Context, o *models.Order, method, extern
return nil
}
func (s *order) Status(ctx context.Context, tenantID, id int64) (*transaction_dto.OrderStatusResponse, error) {
func (s *order) Status(ctx context.Context, tenantID, userID, id int64) (*transaction_dto.OrderStatusResponse, error) {
o, err := models.OrderQuery.WithContext(ctx).Where(models.OrderQuery.ID.Eq(id)).First()
if err != nil {
if errors.Is(err, gorm.ErrRecordNotFound) {
@@ -401,6 +401,9 @@ func (s *order) Status(ctx context.Context, tenantID, id int64) (*transaction_dt
}
return nil, errorx.ErrDatabaseError.WithCause(err)
}
if userID > 0 && o.UserID != userID {
return nil, errorx.ErrForbidden.WithMsg("无权访问该订单")
}
if tenantID > 0 && o.TenantID > 0 && o.TenantID != tenantID {
return nil, errorx.ErrForbidden.WithMsg("租户不匹配")
}