const express = require('express');
const router = express.Router();
const db = require('../utils/db');
const auth = require('../middleware/auth');
const checkPermission = require('../middleware/checkPermission');
const bcrypt = require('bcryptjs');
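// List admin users together with their permissions.
// Guarded by `auth` and `checkPermission('user:manage')`.
// Responds 200 with an array of admin rows; each row carries a
// `permissions` string[] and never the stored password hash.
router.get('/users', auth, checkPermission('user:manage'), async (req, res) => {
  try {
    // One row per admin; GROUP_CONCAT folds the permission rows into a
    // comma-separated string (NULL when the admin has none).
    // NOTE: `a.*` also pulls the password column; it is dropped below and
    // must never be serialised.
    const [rows] = await db.query(`
      SELECT a.*,
        GROUP_CONCAT(ap.permission) AS permissions
      FROM admins a
      LEFT JOIN admin_permissions ap ON a.id = ap.admin_id
      GROUP BY a.id
    `);

    // Build fresh objects without the hash instead of mutating driver rows.
    const users = rows.map(({ password, permissions, ...publicFields }) => ({
      ...publicFields,
      permissions: permissions ? permissions.split(',') : [],
    }));

    res.json(users);
  } catch (error) {
    // Keep driver/SQL details server-side; echoing `error.message` to the
    // client discloses schema and connection information.
    console.error('GET /users failed:', error);
    res.status(500).json({ message: '获取用户列表失败' });
  }
});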
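// Create an admin user (and its permission rows) inside one transaction.
// Guarded by `auth` and `checkPermission('user:manage')`.
// Body: { username, email, password, role?, status?, permissions? }.
// Responds 400 on missing fields, malformed permissions or a duplicate
// username, 403 when a non-superadmin tries to create a superadmin,
// 201 on success, 500 on an internal error.
router.post('/users', auth, checkPermission('user:manage'), async (req, res) => {
  const { username, email, password, role, status, permissions } = req.body || {};

  // Validate before touching the pool: the original acquired a connection
  // and began a transaction first, so an early 400 released the connection
  // with the transaction still open.
  if (!username || !email || !password) {
    return res.status(400).json({ message: '用户名、邮箱和密码为必填项' });
  }
  if (permissions !== undefined && !Array.isArray(permissions)) {
    return res.status(400).json({ message: 'permissions 必须是数组' });
  }
  // Only a superadmin may create another superadmin. `role` comes straight
  // from the body, so without this check any holder of user:manage could
  // create an account above their own level (the PUT route already refuses
  // to let non-superadmins touch superadmins).
  if (role === 'superadmin' && req.admin.role !== 'superadmin') {
    return res.status(403).json({ message: '无权创建超级管理员' });
  }

  const connection = await db.getConnection();
  try {
    // Inside try so a failing beginTransaction still reaches `finally`.
    await connection.beginTransaction();

    // Reject duplicate usernames up front (the unique check is racy, but a
    // concurrent insert still fails inside the transaction and rolls back).
    const [existingUsers] = await connection.query(
      'SELECT id FROM admins WHERE username = ?',
      [username]
    );
    if (existingUsers.length > 0) {
      await connection.rollback();
      return res.status(400).json({ message: '用户名已存在' });
    }

    // bcrypt with cost factor 10; only the hash is persisted.
    const hashedPassword = await bcrypt.hash(password, 10);

    const [result] = await connection.query(
      'INSERT INTO admins (username, email, password, role, status) VALUES (?, ?, ?, ?, ?)',
      [username, email, hashedPassword, role || 'editor', status || 'active']
    );

    // Bulk-insert permission rows keyed to the new admin id.
    if (permissions && permissions.length > 0) {
      const permissionValues = permissions.map((permission) => [result.insertId, permission]);
      await connection.query(
        'INSERT INTO admin_permissions (admin_id, permission) VALUES ?',
        [permissionValues]
      );
    }

    await connection.commit();
    res.status(201).json({ message: '用户创建成功' });
  } catch (error) {
    await connection.rollback();
    // Do not echo driver errors to the client.
    console.error('POST /users failed:', error);
    res.status(500).json({ message: '创建用户失败' });
  } finally {
    connection.release();
  }
});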
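// Update an admin user's profile, role, status, password and permissions
// inside one transaction. Guarded by `auth` and
// `checkPermission('user:manage')`.
// Body: { username?, email?, password?, role?, status?, permissions? } —
// only the supplied fields are written; `permissions` (an array) replaces
// the whole permission set.
// Responds 400 on malformed permissions, 403 when a non-superadmin edits
// a superadmin or tries to grant the superadmin role, 404 if the id is
// unknown, 200 on success, 500 on an internal error.
router.put('/users/:id', auth, checkPermission('user:manage'), async (req, res) => {
  const { username, email, password, role, status, permissions } = req.body || {};
  const userId = req.params.id;

  // Validate before acquiring a connection so early returns never leave a
  // pooled connection with an open transaction.
  if (permissions !== undefined && !Array.isArray(permissions)) {
    return res.status(400).json({ message: 'permissions 必须是数组' });
  }
  // Granting superadmin is reserved to superadmins; otherwise a user:manage
  // holder could promote any account (including their own) to superadmin.
  if (role === 'superadmin' && req.admin.role !== 'superadmin') {
    return res.status(403).json({ message: '无权授予超级管理员角色' });
  }

  const connection = await db.getConnection();
  try {
    await connection.beginTransaction();

    const [existingUser] = await connection.query(
      'SELECT role FROM admins WHERE id = ?',
      [userId]
    );
    if (!existingUser.length) {
      await connection.rollback();
      return res.status(404).json({ message: '用户不存在' });
    }

    // Non-superadmins may not modify a superadmin account.
    if (existingUser[0].role === 'superadmin' && req.admin.role !== 'superadmin') {
      await connection.rollback();
      return res.status(403).json({ message: '无权修改超级管理员' });
    }

    // Build the SET list only from fields that were supplied. The original
    // always wrote username/email, so a request carrying only a password
    // nulled both columns. Column names are fixed literals and every value
    // is a bind parameter, so the body cannot influence the SQL text.
    const assignments = [];
    const params = [];
    if (username !== undefined) {
      assignments.push('username = ?');
      params.push(username);
    }
    if (email !== undefined) {
      assignments.push('email = ?');
      params.push(email);
    }
    if (password) {
      const hashedPassword = await bcrypt.hash(password, 10);
      assignments.push('password = ?');
      params.push(hashedPassword);
    }
    if (role) {
      assignments.push('role = ?');
      params.push(role);
    }
    if (status) {
      assignments.push('status = ?');
      params.push(status);
    }
    if (assignments.length > 0) {
      await connection.query(
        `UPDATE admins SET ${assignments.join(', ')} WHERE id = ?`,
        [...params, userId]
      );
    }

    // Replace the permission set when one was provided (an empty array
    // clears all permissions).
    if (permissions) {
      await connection.query('DELETE FROM admin_permissions WHERE admin_id = ?', [userId]);
      if (permissions.length > 0) {
        const permissionValues = permissions.map((permission) => [userId, permission]);
        await connection.query(
          'INSERT INTO admin_permissions (admin_id, permission) VALUES ?',
          [permissionValues]
        );
      }
    }

    await connection.commit();
    res.json({ message: '用户更新成功' });
  } catch (error) {
    await connection.rollback();
    // Do not echo driver errors to the client.
    console.error('PUT /users/:id failed:', error);
    res.status(500).json({ message: '更新用户失败' });
  } finally {
    connection.release();
  }
});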
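// Delete an admin user. Guarded by `auth` and
// `checkPermission('user:manage')`.
// Responds 404 if the id is unknown, 403 for a superadmin account,
// 400 when an admin targets their own account, 200 on success,
// 500 on an internal error.
router.delete('/users/:id', auth, checkPermission('user:manage'), async (req, res) => {
  try {
    const userId = req.params.id;

    const [existingUser] = await db.query(
      'SELECT role FROM admins WHERE id = ?',
      [userId]
    );
    if (!existingUser.length) {
      return res.status(404).json({ message: '用户不存在' });
    }

    // Superadmin accounts can never be deleted through this route.
    if (existingUser[0].role === 'superadmin') {
      return res.status(403).json({ message: '不能删除超级管理员' });
    }

    // Compare as strings: the route param is always a string, while the
    // authenticated admin's id may well be a number, in which case the
    // original `===` never matched and the self-deletion guard was bypassed.
    if (String(userId) === String(req.admin.id)) {
      return res.status(400).json({ message: '不能删除自己的账号' });
    }

    await db.query('DELETE FROM admins WHERE id = ?', [userId]);
    res.json({ message: '用户删除成功' });
  } catch (error) {
    // Do not echo driver errors to the client.
    console.error('DELETE /users/:id failed:', error);
    res.status(500).json({ message: '删除用户失败' });
  }
});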
// Mounted by the application; every route in this router is guarded by
// `auth` and `checkPermission('user:manage')`.
module.exports = router;