fix: allow super admin tenant-scoped role ops

2025-12-05 23:07:31 +08:00
parent 1060ab13d6
commit d7772b0f8d
13 changed files with 64 additions and 28 deletions
--- a/src/Api/TakeoutSaaS.AdminApi/Controllers/TenantRolesController.cs
+++ b/src/Api/TakeoutSaaS.AdminApi/Controllers/TenantRolesController.cs
@@ -31,15 +31,24 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
        [FromQuery] SearchRolesQuery query,
        CancellationToken cancellationToken)
    {
-        // 1. 校验路由租户与上下文一致
+        // 1. 校验路由租户与上下文一致（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<PagedResult<RoleDto>>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

-        // 2. 查询角色分页
-        var result = await mediator.Send(query, cancellationToken);
+        // 2. 绑定租户并查询角色分页
+        var request = new SearchRolesQuery
+        {
+            TenantId = tenantId,
+            Keyword = query.Keyword,
+            Page = query.Page,
+            PageSize = query.PageSize,
+            SortBy = query.SortBy,
+            SortDescending = query.SortDescending
+        };
+        var result = await mediator.Send(request, cancellationToken);

        // 3. 返回分页数据
        return ApiResponse<PagedResult<RoleDto>>.Ok(result);
@@ -54,15 +63,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
    [ProducesResponseType(typeof(ApiResponse<RoleDetailDto>), StatusCodes.Status404NotFound)]
    public async Task<ApiResponse<RoleDetailDto>> Detail(long tenantId, long roleId, CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<RoleDetailDto>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 查询角色详情
-        var result = await mediator.Send(new RoleDetailQuery { RoleId = roleId }, cancellationToken);
+        var result = await mediator.Send(new RoleDetailQuery { RoleId = roleId, TenantId = tenantId }, cancellationToken);

        // 3. 返回数据或 404
        return result is null
@@ -81,15 +90,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
        [FromBody, Required] CreateRoleCommand command,
        CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<RoleDto>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 创建角色
-        var result = await mediator.Send(command, cancellationToken);
+        var result = await mediator.Send(command with { TenantId = tenantId }, cancellationToken);

        // 3. 返回创建结果
        return ApiResponse<RoleDto>.Ok(result);
@@ -108,15 +117,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
        [FromBody, Required] UpdateRoleCommand command,
        CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<RoleDto>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 绑定角色 ID
-        command = command with { RoleId = roleId };
+        command = command with { RoleId = roleId, TenantId = tenantId };

        // 3. 执行更新
        var result = await mediator.Send(command, cancellationToken);
@@ -135,15 +144,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
    [ProducesResponseType(typeof(ApiResponse<bool>), StatusCodes.Status200OK)]
    public async Task<ApiResponse<bool>> Delete(long tenantId, long roleId, CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<bool>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 执行删除
-        var command = new DeleteRoleCommand { RoleId = roleId };
+        var command = new DeleteRoleCommand { RoleId = roleId, TenantId = tenantId };
        var result = await mediator.Send(command, cancellationToken);

        // 3. 返回结果
@@ -162,15 +171,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
        long roleId,
        CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<IReadOnlyList<PermissionDto>>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 查询角色详情并提取权限
-        var detail = await mediator.Send(new RoleDetailQuery { RoleId = roleId }, cancellationToken);
+        var detail = await mediator.Send(new RoleDetailQuery { RoleId = roleId, TenantId = tenantId }, cancellationToken);
        if (detail is null)
        {
            return ApiResponse<IReadOnlyList<PermissionDto>>.Error(StatusCodes.Status404NotFound, "角色不存在");
@@ -192,15 +201,15 @@ public sealed class TenantRolesController(IMediator mediator, ITenantProvider te
        [FromBody, Required] BindRolePermissionsCommand command,
        CancellationToken cancellationToken)
    {
-        // 1. 校验租户上下文
+        // 1. 校验租户上下文（超管 tenantId=0 放行）
        var currentTenantId = tenantProvider.GetCurrentTenantId();
-        if (tenantId != currentTenantId)
+        if (currentTenantId != 0 && tenantId != currentTenantId)
        {
            return ApiResponse<bool>.Error(StatusCodes.Status400BadRequest, "租户上下文不一致");
        }

        // 2. 绑定角色 ID
-        command = command with { RoleId = roleId };
+        command = command with { RoleId = roleId, TenantId = tenantId };

        // 3. 覆盖授权
        var result = await mediator.Send(command, cancellationToken);
--- a/src/Application/TakeoutSaaS.Application/Identity/Commands/BindRolePermissionsCommand.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Commands/BindRolePermissionsCommand.cs
@@ -8,5 +8,6 @@ namespace TakeoutSaaS.Application.Identity.Commands;
 public sealed record BindRolePermissionsCommand : IRequest<bool>
 {
    public long RoleId { get; init; }
+    public long? TenantId { get; init; }
    public long[] PermissionIds { get; init; } = Array.Empty<long>();
 }
--- a/src/Application/TakeoutSaaS.Application/Identity/Commands/CreateRoleCommand.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Commands/CreateRoleCommand.cs
@@ -8,6 +8,11 @@ namespace TakeoutSaaS.Application.Identity.Commands;
 /// </summary>
 public sealed record CreateRoleCommand : IRequest<RoleDto>
 {
+    /// <summary>
+    /// 租户 ID（空则取当前上下文）。
+    /// </summary>
+    public long? TenantId { get; init; }
+
    public string Name { get; init; } = string.Empty;
    public string Code { get; init; } = string.Empty;
    public string? Description { get; init; }
--- a/src/Application/TakeoutSaaS.Application/Identity/Commands/DeleteRoleCommand.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Commands/DeleteRoleCommand.cs
@@ -8,4 +8,9 @@ namespace TakeoutSaaS.Application.Identity.Commands;
 public sealed record DeleteRoleCommand : IRequest<bool>
 {
    public long RoleId { get; init; }
+
+    /// <summary>
+    /// 租户 ID（空则取当前上下文）。
+    /// </summary>
+    public long? TenantId { get; init; }
 }
--- a/src/Application/TakeoutSaaS.Application/Identity/Commands/UpdateRoleCommand.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Commands/UpdateRoleCommand.cs
@@ -9,6 +9,12 @@ namespace TakeoutSaaS.Application.Identity.Commands;
 public sealed record UpdateRoleCommand : IRequest<RoleDto?>
 {
    public long RoleId { get; init; }
+
+    /// <summary>
+    /// 租户 ID（空则取当前上下文）。
+    /// </summary>
+    public long? TenantId { get; init; }
+
    public string Name { get; init; } = string.Empty;
    public string? Description { get; init; }
 }
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/BindRolePermissionsCommandHandler.cs
@@ -16,7 +16,7 @@ public sealed class BindRolePermissionsCommandHandler(
    public async Task<bool> Handle(BindRolePermissionsCommand request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();

        // 2. 覆盖式绑定权限
        await rolePermissionRepository.ReplaceRolePermissionsAsync(tenantId, request.RoleId, request.PermissionIds, cancellationToken);
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/CreateRoleCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/CreateRoleCommandHandler.cs
@@ -18,7 +18,7 @@ public sealed class CreateRoleCommandHandler(
    public async Task<RoleDto> Handle(CreateRoleCommand request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();

        // 2. 构建角色实体
        var role = new Role
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/DeleteRoleCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/DeleteRoleCommandHandler.cs
@@ -16,7 +16,7 @@ public sealed class DeleteRoleCommandHandler(
    public async Task<bool> Handle(DeleteRoleCommand request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();

        // 2. 删除角色
        await roleRepository.DeleteAsync(request.RoleId, tenantId, cancellationToken);
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/RoleDetailQueryHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/RoleDetailQueryHandler.cs
@@ -20,7 +20,7 @@ public sealed class RoleDetailQueryHandler(
    public async Task<RoleDetailDto?> Handle(RoleDetailQuery request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文并查询角色
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();
        var role = await roleRepository.FindByIdAsync(request.RoleId, tenantId, cancellationToken);
        if (role is null)
        {
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/SearchRolesQueryHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/SearchRolesQueryHandler.cs
@@ -18,7 +18,7 @@ public sealed class SearchRolesQueryHandler(
    public async Task<PagedResult<RoleDto>> Handle(SearchRolesQuery request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文并查询角色
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();
        var roles = await roleRepository.SearchAsync(tenantId, request.Keyword, cancellationToken);

        // 2. 排序
--- a/src/Application/TakeoutSaaS.Application/Identity/Handlers/UpdateRoleCommandHandler.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Handlers/UpdateRoleCommandHandler.cs
@@ -17,7 +17,7 @@ public sealed class UpdateRoleCommandHandler(
    public async Task<RoleDto?> Handle(UpdateRoleCommand request, CancellationToken cancellationToken)
    {
        // 1. 获取租户上下文并查询角色
-        var tenantId = tenantProvider.GetCurrentTenantId();
+        var tenantId = request.TenantId ?? tenantProvider.GetCurrentTenantId();
        var role = await roleRepository.FindByIdAsync(request.RoleId, tenantId, cancellationToken);
        if (role == null)
        {
--- a/src/Application/TakeoutSaaS.Application/Identity/Queries/RoleDetailQuery.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Queries/RoleDetailQuery.cs
@@ -12,4 +12,9 @@ public sealed class RoleDetailQuery : IRequest<RoleDetailDto?>
    /// 角色 ID。
    /// </summary>
    public long RoleId { get; init; }
+
+    /// <summary>
+    /// 租户 ID（空则取当前上下文）。
+    /// </summary>
+    public long? TenantId { get; init; }
 }
--- a/src/Application/TakeoutSaaS.Application/Identity/Queries/SearchRolesQuery.cs
+++ b/src/Application/TakeoutSaaS.Application/Identity/Queries/SearchRolesQuery.cs
@@ -9,6 +9,11 @@ namespace TakeoutSaaS.Application.Identity.Queries;
 /// </summary>
 public sealed class SearchRolesQuery : IRequest<PagedResult<RoleDto>>
 {
+    /// <summary>
+    /// 指定查询的租户 ID（空则取当前上下文）。
+    /// </summary>
+    public long? TenantId { get; init; }
+
    public string? Keyword { get; init; }
    public int Page { get; init; } = 1;
    public int PageSize { get; init; } = 20;