
修复权限管理员越权上级权限的BUG
修复管理员日志查看超级权限的BUG
优化权限管理分组列表

Karson 4 years ago
parent
commit
c2460a3241

+ 10 - 3
application/admin/controller/auth/Admin.php

@@ -12,7 +12,7 @@ use think\Validate;
 /**
  * 管理员管理
  *
- * @icon fa fa-users
+ * @icon   fa fa-users
  * @remark 一个管理员可以有多个角色组,左侧的菜单根据管理员所拥有的权限进行生成
  */
 class Admin extends Backend
@@ -32,8 +32,8 @@ class Admin extends Backend
         parent::_initialize();
         $this->model = model('Admin');
 
-        $this->childrenAdminIds = $this->auth->getChildrenAdminIds(true);
-        $this->childrenGroupIds = $this->auth->getChildrenGroupIds(true);
+        $this->childrenAdminIds = $this->auth->getChildrenAdminIds($this->auth->isSuperAdmin());
+        $this->childrenGroupIds = $this->auth->getChildrenGroupIds($this->auth->isSuperAdmin());
 
         $groupList = collection(AuthGroup::where('id', 'in', $this->childrenGroupIds)->select())->toArray();
 
@@ -136,6 +136,10 @@ class Admin extends Backend
 
                 //过滤不允许的组别,避免越权
                 $group = array_intersect($this->childrenGroupIds, $group);
+                if (!$group) {
+                    $this->error(__('The parent group exceeds permission limit'));
+                }
+
                 $dataset = [];
                 foreach ($group as $value) {
                     $dataset[] = ['uid' => $this->model->id, 'group_id' => $value];
@@ -192,6 +196,9 @@ class Admin extends Backend
 
                 // 过滤不允许的组别,避免越权
                 $group = array_intersect($this->childrenGroupIds, $group);
+                if (!$group) {
+                    $this->error(__('The parent group exceeds permission limit'));
+                }
 
                 $dataset = [];
                 foreach ($group as $value) {
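Review bot: The new `if (!$group)` guard after `array_intersect` only rejects the request when none of the requested groups is within scope; a request that mixes allowed and out-of-scope group ids is silently trimmed and the admin is saved with fewer groups than the operator asked for, with no error. If the intent of the fix is to fail closed, keep the submitted list and compare it with the filtered one, e.g. `$allowed = array_intersect($this->childrenGroupIds, $group);` / `if (!$allowed || count($allowed) !== count(array_unique($group))) {` / `$this->error(__('The parent group exceeds permission limit'));`, and if silent trimming is deliberate, say so in the comment above the intersect so the next reader does not mistake it for a bug. The same check is duplicated verbatim in the second hunk (the edit action, L50-L52), so whichever form is chosen should be applied to both, ideally via a small private helper. Note that `array_intersect` compares values as strings, so this is not a type-strict membership test; the enclosing add/edit methods start and end outside these hunks, so I cannot see how `$group` is read from the request.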

+ 5 - 5
application/admin/controller/auth/Adminlog.php

@@ -27,7 +27,7 @@ class Adminlog extends Backend
         $this->model = model('AdminLog');
 
         $this->childrenAdminIds = $this->auth->getChildrenAdminIds(true);
-        $this->childrenGroupIds = $this->auth->getChildrenGroupIds($this->auth->isSuperAdmin() ? true : false);
+        $this->childrenGroupIds = $this->auth->getChildrenGroupIds(true);
 
         $groupName = AuthGroup::where('id', 'in', $this->childrenGroupIds)
             ->column('id,name');
@@ -66,6 +66,9 @@ class Adminlog extends Backend
         if (!$row) {
             $this->error(__('No Results were found'));
         }
+        if (!$row['admin_id'] || !in_array($row['admin_id'], $this->childrenAdminIds)) {
+            $this->error(__('You have no permission'));
+        }
         $this->view->assign("row", $row->toArray());
         return $this->view->fetch();
     }
@@ -98,10 +101,7 @@ class Adminlog extends Backend
         }
         $ids = $ids ? $ids : $this->request->post("ids");
         if ($ids) {
-            $childrenGroupIds = $this->childrenGroupIds;
-            $adminList = $this->model->where('id', 'in', $ids)->where('admin_id', 'in', function ($query) use ($childrenGroupIds) {
-                $query->name('auth_group_access')->field('uid');
-            })->select();
+            $adminList = $this->model->where('id', 'in', $ids)->where('admin_id', 'in', $this->childrenAdminIds)->select();
             if ($adminList) {
                 $deleteIds = [];
                 foreach ($adminList as $k => $v) {
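Review bot: The new ownership check in `detail()` uses `in_array($row['admin_id'], $this->childrenAdminIds)` without the strict flag, so it relies on loose comparison between whatever scalar type the model returns for `admin_id` and the ids in `$this->childrenAdminIds`; a strict check such as `in_array((int) $row['admin_id'], array_map('intval', $this->childrenAdminIds), true)` makes the access decision independent of whether the ORM hands back strings or ints. In the `del()` hunk the replacement `->where('admin_id', 'in', $this->childrenAdminIds)` is the right fix (the removed closure never applied `$childrenGroupIds` at all), but if that list can ever be empty the query builder may not render an empty `IN ()` safely, so it is worth an early `if (!$this->childrenAdminIds) { $this->error(__('You have no permission')); }` before building the query — I cannot confirm from this page whether `getChildrenAdminIds(true)` guarantees a non-empty result. Both `detail()` and `del()` begin outside their hunks.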

+ 14 - 17
application/admin/controller/auth/Group.php

@@ -24,6 +24,7 @@ class Group extends Backend
     //当前登录管理员所有子组别
     protected $childrenGroupIds = [];
     //当前组别列表数据
+    protected $grouplist = [];
     protected $groupdata = [];
     //无需要权限判断的方法
     protected $noNeedRight = ['roletree'];
@@ -38,20 +39,28 @@ class Group extends Backend
         $groupList = collection(AuthGroup::where('id', 'in', $this->childrenGroupIds)->select())->toArray();
 
         Tree::instance()->init($groupList);
-        $result = [];
+        $groupList = [];
         if ($this->auth->isSuperAdmin()) {
-            $result = Tree::instance()->getTreeList(Tree::instance()->getTreeArray(0));
+            $groupList = Tree::instance()->getTreeList(Tree::instance()->getTreeArray(0));
         } else {
             $groups = $this->auth->getGroups();
+            $groupIds = [];
             foreach ($groups as $m => $n) {
-                $result = array_merge($result, Tree::instance()->getTreeList(Tree::instance()->getTreeArray($n['pid'])));
+                if (in_array($n['id'], $groupIds) || in_array($n['pid'], $groupIds)) {
+                    continue;
+                }
+                $groupList = array_merge($groupList, Tree::instance()->getTreeList(Tree::instance()->getTreeArray($n['pid'])));
+                foreach ($groupList as $index => $item) {
+                    $groupIds[] = $item['id'];
+                }
             }
         }
         $groupName = [];
-        foreach ($result as $k => $v) {
+        foreach ($groupList as $k => $v) {
             $groupName[$v['id']] = $v['name'];
         }
 
+        $this->grouplist = $groupList;
         $this->groupdata = $groupName;
         $this->assignconfig("admin", ['id' => $this->auth->id, 'group_ids' => $this->auth->getGroupIds()]);
 
@@ -64,19 +73,7 @@ class Group extends Backend
     public function index()
     {
         if ($this->request->isAjax()) {
-            $list = AuthGroup::all(array_keys($this->groupdata));
-            $list = collection($list)->toArray();
-            $groupList = [];
-            foreach ($list as $k => $v) {
-                $groupList[$v['id']] = $v;
-            }
-            $list = [];
-            foreach ($this->groupdata as $k => $v) {
-                if (isset($groupList[$k])) {
-                    $groupList[$k]['name'] = $v;
-                    $list[] = $groupList[$k];
-                }
-            }
+            $list = $this->grouplist;
             $total = count($list);
             $result = array("total" => $total, "rows" => $list);
 

+ 3 - 0
application/admin/controller/auth/Rule.php

@@ -105,6 +105,9 @@ class Rule extends Backend
                 if (!$params['ismenu'] && !$params['pid']) {
                     $this->error(__('The non-menu rule must have parent'));
                 }
+                if ($params['pid'] == $row['id']) {
+                    $this->error(__('Can not change the parent to self'));
+                }
                 if ($params['pid'] != $row['pid']) {
                     $childrenIds = Tree::instance()->init(collection(AuthRule::select())->toArray())->getChildrenIds($row['id']);
                     if (in_array($params['pid'], $childrenIds)) {
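Review bot: The new self-parent guard `if ($params['pid'] == $row['id'])` compares a request-supplied value with the record id using loose `==`, whose result depends on the PHP version for non-numeric strings; normalise both sides first, `if ((int) $params['pid'] === (int) $row['id']) {`, so the check does not depend on string-to-number coercion rules. The surrounding `$params['pid'] != $row['pid']` comparison on the next line has the same shape but is pre-existing. The enclosing edit method starts and ends outside this hunk, so I cannot see whether `$params['pid']` is guaranteed to be set before these lines run.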

+ 6 - 5
application/admin/lang/zh-cn/auth/admin.php

@@ -1,9 +1,10 @@
 <?php
 
 return [
-    'Group'                         => '所属组别',
-    'Loginfailure'                  => '登录失败次数',
-    'Login time'                    => '最后登录',
-    'Please input correct username' => '用户名只能由3-12位数字、字母、下划线组合',
-    'Please input correct password' => '密码长度必须在6-16位之间,不能包含空格',
+    'Group'                                     => '所属组别',
+    'Loginfailure'                              => '登录失败次数',
+    'Login time'                                => '最后登录',
+    'The parent group exceeds permission limit' => '父组别超出权限范围',
+    'Please input correct username'             => '用户名只能由3-12位数字、字母、下划线组合',
+    'Please input correct password'             => '密码长度必须在6-16位之间,不能包含空格',
 ];

+ 1 - 1
application/admin/lang/zh-cn/auth/group.php

@@ -5,7 +5,7 @@ return [
     'The parent group can not found'                                       => '父组别未找到',
     'Group not found'                                                      => '组别未找到',
     'Can not change the parent to child'                                   => '父组别不能是它的子组别',
-    'Can not change the parent to self'                                    => '父组别不能是它的子组别',
+    'Can not change the parent to self'                                    => '父组别不能是它自己',
     'You can not delete group that contain child group and administrators' => '你不能删除含有子组和管理员的组',
     'The parent group exceeds permission limit'                            => '父组别超出权限范围',
     'The parent group can not be its own child or itself'                  => '父组别不能是它的子组别及本身',

+ 2 - 1
application/admin/lang/zh-cn/auth/rule.php

@@ -15,6 +15,7 @@ return [
     'Menu tips'                                                 => '父级菜单无需匹配控制器和方法,子级菜单请使用控制器名',
     'Node tips'                                                 => '控制器/方法名,如果有目录请使用 目录名/控制器名/方法名',
     'The non-menu rule must have parent'                        => '非菜单规则节点必须有父级',
-    'Can not change the parent to child'                        => '父组别不能是它的子组别',
+    'Can not change the parent to child'                        => '父级不能是它的子级',
+    'Can not change the parent to self'                         => '父级不能是它自己',
     'Name only supports letters, numbers, underscore and slash' => 'URL规则只能是小写字母、数字、下划线和/组成',
 ];