From ac6672f3981aa05a99e2f466e7d98a86dedd3d81 Mon Sep 17 00:00:00 2001 From: zhx Date: Wed, 24 Jun 2026 13:02:41 +0800 Subject: [PATCH] =?UTF-8?q?=E4=BF=AE=E5=A4=8D?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- .../internal/transport/http/response_test.go | 19 +++++++++++-------- .../http/userapi/agency_center_handler.go | 4 +++- 2 files changed, 14 insertions(+), 9 deletions(-) diff --git a/services/gateway-service/internal/transport/http/response_test.go b/services/gateway-service/internal/transport/http/response_test.go index e070c67a..c71fe49e 100644 --- a/services/gateway-service/internal/transport/http/response_test.go +++ b/services/gateway-service/internal/transport/http/response_test.go @@ -4705,9 +4705,9 @@ func TestHostCenterPlatformPolicyRejectsNonActiveHost(t *testing.T) { } } -func TestAgencyCenterOverviewUsesOwnerAgencySalaryAndPendingApplications(t *testing.T) { +func TestAgencyCenterOverviewAllowsOwnerWithoutManagerProfile(t *testing.T) { hostClient := &fakeUserHostClient{ - roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: true, AgencyId: 7001}, + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, IsManager: false, AgencyId: 7001}, getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{ AgencyId: 7001, OwnerUserId: 42, @@ -4765,7 +4765,7 @@ func TestAgencyCenterOverviewUsesOwnerAgencySalaryAndPendingApplications(t *test func TestAgencyCenterPlatformPolicyUsesAgencyRegion(t *testing.T) { hostClient := &fakeUserHostClient{ - roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: true, AgencyId: 7001}, + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, IsManager: false, AgencyId: 7001}, getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{ AgencyId: 7001, OwnerUserId: 42, @@ -4960,7 +4960,7 @@ func TestBDLeaderInviteBDForwardsSelfInvite(t *testing.T) { func TestAgencyCenterInviteHostCreatesPendingInvitation(t *testing.T) { hostClient := &fakeUserHostClient{ - roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: true, AgencyId: 7001}, + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, IsManager: false, AgencyId: 7001}, getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{AgencyId: 7001, OwnerUserId: 42, Status: "active"}}, inviteHostResp: &userv1.InviteHostResponse{Invitation: &userv1.RoleInvitation{ InvitationId: 9010, @@ -5051,7 +5051,10 @@ func TestRoleInvitationsListAndProcessForwardCurrentUser(t *testing.T) { } func TestAgencyCenterOverviewRejectsNonOwner(t *testing.T) { - hostClient := &fakeUserHostClient{roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: false, AgencyId: 7001}} + hostClient := &fakeUserHostClient{ + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, AgencyId: 7001}, + getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{AgencyId: 7001, OwnerUserId: 99, Status: "active"}}, + } handler := NewHandlerWithClients(&fakeRoomClient{}, nil, nil, &fakeUserProfileClient{}) handler.SetUserHostClient(hostClient) handler.SetWalletClient(&fakeWalletClient{}) @@ -5069,14 +5072,14 @@ func TestAgencyCenterOverviewRejectsNonOwner(t *testing.T) { if err := json.NewDecoder(recorder.Body).Decode(&response); err != nil { t.Fatalf("decode response failed: %v", err) } - if response.Code != httpkit.CodePermissionDenied || hostClient.lastGetAgency != nil { + if response.Code != httpkit.CodePermissionDenied || hostClient.lastGetAgency == nil || hostClient.lastGetAgency.GetAgencyId() != 7001 { t.Fatalf("non-owner response mismatch: response=%+v getAgency=%+v", response, hostClient.lastGetAgency) } } func TestAgencyCenterHostsReturnsActiveHostSalary(t *testing.T) { hostClient := &fakeUserHostClient{ - roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: true, AgencyId: 7001}, + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, IsManager: false, AgencyId: 7001}, getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{AgencyId: 7001, OwnerUserId: 42, Status: "active"}}, membersResp: &userv1.GetAgencyMembersResponse{Memberships: []*userv1.AgencyMembership{ {MembershipId: 1, AgencyId: 7001, HostUserId: 42, MembershipType: "owner", Status: "active", JoinedAtMs: 10}, @@ -5126,7 +5129,7 @@ func TestAgencyCenterHostsReturnsActiveHostSalary(t *testing.T) { func TestAgencyCenterReviewAndRemoveForwardOwnerCommands(t *testing.T) { hostClient := &fakeUserHostClient{ - roleSummary: &userv1.UserRoleSummary{UserId: 42, IsManager: true, AgencyId: 7001}, + roleSummary: &userv1.UserRoleSummary{UserId: 42, IsAgency: true, IsManager: false, AgencyId: 7001}, getAgencyResp: &userv1.GetAgencyResponse{Agency: &userv1.Agency{AgencyId: 7001, OwnerUserId: 42, Status: "active"}}, reviewResp: &userv1.ReviewAgencyApplicationResponse{Application: &userv1.AgencyApplication{ ApplicationId: 9001, diff --git a/services/gateway-service/internal/transport/http/userapi/agency_center_handler.go b/services/gateway-service/internal/transport/http/userapi/agency_center_handler.go index 91d00d33..06828e32 100644 --- a/services/gateway-service/internal/transport/http/userapi/agency_center_handler.go +++ b/services/gateway-service/internal/transport/http/userapi/agency_center_handler.go @@ -378,7 +378,7 @@ func (h *Handler) resolveCurrentOwnerAgency(writer http.ResponseWriter, request return nil, false } summary := roleResp.GetSummary() - if summary == nil || !summary.GetIsManager() || summary.GetAgencyId() <= 0 { + if summary == nil || summary.GetAgencyId() <= 0 { httpkit.WriteError(writer, request, http.StatusForbidden, httpkit.CodePermissionDenied, "permission denied") return nil, false } @@ -391,6 +391,8 @@ func (h *Handler) resolveCurrentOwnerAgency(writer http.ResponseWriter, request return nil, false } agency := agencyResp.GetAgency() + // Agency Center 只属于当前 active Agency owner。manager_profiles 是 Manager Center 权限事实, + // 不能作为 Agency owner 的前置条件;普通成员即使 role summary 带 current agency,也会被 owner 校验挡住。 if agency == nil || agency.GetOwnerUserId() != userID || agency.GetStatus() != agencyStatusActive { httpkit.WriteError(writer, request, http.StatusForbidden, httpkit.CodePermissionDenied, "permission denied") return nil, false