细化工单系统的权限控制

2026-04-22 10:26:56 +08:00 · 2014-05-06 05:05:18 +08:00
parent ac33728d6c
commit b9eb56e34d
3 changed files with 28 additions and 8 deletions
--- a/core/api/ticket.coffee
+++ b/core/api/ticket.coffee
@@ -12,7 +12,11 @@ module.exports =
  get:
    list: api.accountAuthenticateRender (req, res, account, renderer) ->
      mTicket.find
-        account_id: account._id
+        $or: [
+            account_id: account._id
+          ,
+            members: account._id
+        ]
      ,
        sort:
          updated_at: -1
@@ -121,7 +125,11 @@ module.exports =

        mTicket.find do ->
          selector =
-            account_id: account._id
+            $or: [
+                account_id: account._id
+              ,
+                members: account._id
+            ]

          if req.body.type?.toLowerCase() in config.ticket.availableType
            selector['type'] = req.body.type.toLowerCase()
@@ -156,6 +164,13 @@ module.exports =
        pullModifier = []

        mTicket.findId req.body.id, (ticket) ->
+          unless ticket
+            return res.json 400, error: 'ticket_not_exist'
+
+          unless mTicket.getMember ticket, account
+            unless mAccount.inGroup account, 'root'
+              return res.json 400, error: 'forbidden'
+
          if req.body.type
            if req.body.type in config.ticket.availableType
              modifier['type'] = req.body.type
--- a/core/index.coffee
+++ b/core/index.coffee
@@ -25,6 +25,7 @@ exports.runWebServer = ->
    app.use (req, res, next) ->
      res.locals.app = app
      res.locals.t = i18n.getTranslator 'zh_CN'
+      res.locals.mAccount = require './model/account'

      next()

--- a/core/view/ticket/view.jade
+++ b/core/view/ticket/view.jade
@@ -25,13 +25,17 @@ block main
  .row
    header= t('ticket.create_reply')
    form.form-horizontal(method='post', role='form')
+      if ticket.status != 'closed'
+        .form-group.padding
+          textarea.form-control#reply-content(name='content', rows='5', required)
      .form-group.padding
-        textarea.form-control#reply-content(name='content', rows='5', required)
-      .form-group.padding
-        button.btn.btn-lg.btn-primary#reply(type='submit')= t('ticket.create_reply')
-        button.btn.btn-lg.btn-danger= t('ticket.close_ticket')
-        button.btn.btn-lg.btn-success= t('ticket.finish_ticket')
-        button.btn.btn-lg.btn-success= t('ticket.reopen_ticket')
+        if ticket.status != 'closed'
+          button.btn.btn-lg.btn-primary#reply(type='submit')= t('ticket.create_reply')
+          button.btn.btn-lg.btn-danger= t('ticket.close_ticket')
+        if mAccount.inGroup(account, 'root') && (ticket.status == 'open' || ticket.status == 'pending')
+          button.btn.btn-lg.btn-success= t('ticket.finish_ticket')
+        if mAccount.inGroup(account, 'root') && ticket.status == 'closed'
+          button.btn.btn-lg.btn-success= t('ticket.reopen_ticket')

 prepend sidebar
  .row