From 5e0bfeb544a63c2aba5821cefb929f817df1abbd Mon Sep 17 00:00:00 2001 From: sky121113 Date: Thu, 25 Jun 2026 20:03:57 +0800 Subject: [PATCH] =?UTF-8?q?[FIX]=20=E9=8A=B7=E5=94=AE=E7=B4=80=E9=8C=84?= =?UTF-8?q?=E6=A9=9F=E5=8F=B0=E6=AC=8A=E9=99=90=E9=9A=94=E9=9B=A2=EF=BC=9A?= =?UTF-8?q?=E8=A8=82=E5=96=AE/=E7=99=BC=E7=A5=A8/=E5=87=BA=E8=B2=A8?= =?UTF-8?q?=E6=B8=85=E5=96=AE=E4=BE=9D=E4=BD=BF=E7=94=A8=E8=80=85=E5=8F=AF?= =?UTF-8?q?=E5=AD=98=E5=8F=96=E6=A9=9F=E5=8F=B0=E9=81=8E=E6=BF=BE?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit 1. SalesController index 先前 orders/invoices/dispense 查詢只靠 TenantScoped 做 company 隔離,未依機台授權過濾;導致無該機台權限的子帳號仍能看到其交易訂單(機台名稱因 machine_access scope 顯示 unknown,但訂單仍列出) 2. 修正:非系統管理員時,三個查詢一律限制 machine_id 在「可存取機台集合」(沿用 Machine 的 machine_access 全域 scope,與機台下拉清單一致);export 共用同一 query 亦一併涵蓋 3. 新增 SalesMachineAccessTest(3 案,Admin 套件 58 測試 0 回歸) Co-Authored-By: Claude Opus 4.8 (1M context) --- .../Controllers/Admin/SalesController.php | 10 ++ .../Feature/Admin/SalesMachineAccessTest.php | 100 ++++++++++++++++++ 2 files changed, 110 insertions(+) create mode 100644 tests/Feature/Admin/SalesMachineAccessTest.php diff --git a/app/Http/Controllers/Admin/SalesController.php b/app/Http/Controllers/Admin/SalesController.php index 6fdc97c..a85d1b2 100644 --- a/app/Http/Controllers/Admin/SalesController.php +++ b/app/Http/Controllers/Admin/SalesController.php @@ -85,6 +85,16 @@ class SalesController extends Controller $invoicesQuery->whereBetween('created_at', [$start, $end]); $dispenseQuery->whereBetween('machine_time', [$start, $end]); + // 機台權限隔離:非系統管理員只能看到「自己可存取機台」的交易。沿用 Machine 的 machine_access 全域 scope + // 取得可存取機台集合(與上方機台下拉清單一致),修正訂單/發票/出貨清單先前未依機台授權過濾、 + // 導致無該機台權限的帳號仍可見其交易紀錄的資料隔離漏洞。 + if (!auth()->user()->isSystemAdmin()) { + $accessibleMachineIds = Machine::pluck('id'); + $ordersQuery->whereIn('machine_id', $accessibleMachineIds); + $invoicesQuery->whereIn('machine_id', $accessibleMachineIds); + $dispenseQuery->whereIn('machine_id', $accessibleMachineIds); + } + // 共用過濾器:機台 if ($machineId) { $ordersQuery->where('machine_id', $machineId); diff --git a/tests/Feature/Admin/SalesMachineAccessTest.php b/tests/Feature/Admin/SalesMachineAccessTest.php new file mode 100644 index 0000000..8a3a120 --- /dev/null +++ b/tests/Feature/Admin/SalesMachineAccessTest.php @@ -0,0 +1,100 @@ + 'menu.sales', 'guard_name' => 'web']); + $this->company = Company::create(['name' => 'Co', 'code' => 'CO']); + $role = Role::create(['name' => 'r', 'company_id' => $this->company->id, 'is_system' => false, 'guard_name' => 'web']); + $role->syncPermissions(['menu.sales']); + + $this->main = User::factory()->create(['company_id' => $this->company->id, 'is_admin' => true, 'level' => 0]); + $this->main->assignRole($role); + + $this->mA = Machine::factory()->create(['company_id' => $this->company->id]); + $this->mB = Machine::factory()->create(['company_id' => $this->company->id]); + + $this->orderA = $this->makeOrder($this->mA->id); + $this->orderB = $this->makeOrder($this->mB->id); + } + + private function makeOrder(int $machineId): int + { + return DB::table('orders')->insertGetId([ + 'company_id' => $this->company->id, + 'machine_id' => $machineId, + 'payment_type' => 1, + 'total_amount' => 100, + 'pay_amount' => 100, + 'payment_status' => 1, + 'status' => 'completed', + 'created_at' => now(), + 'updated_at' => now(), + ]); + } + + private function visibleOrderIds(User $user): array + { + $response = $this->actingAs($user)->get(route('admin.sales.index')); + $response->assertOk(); + return collect($response->viewData('orders')->items())->pluck('id')->all(); + } + + public function test_sub_account_with_machine_access_sees_only_that_machine_orders(): void + { + $sub = User::factory()->create(['company_id' => $this->company->id, 'is_admin' => false, 'level' => 1, 'parent_id' => $this->main->id]); + $sub->assignRole(Role::where('company_id', $this->company->id)->first()); + $sub->machines()->attach($this->mA->id); // 只被授權 mA + + $ids = $this->visibleOrderIds($sub); + $this->assertContains($this->orderA, $ids); + $this->assertNotContains($this->orderB, $ids); // 未授權 mB → 看不到其訂單 + } + + public function test_sub_account_without_any_machine_access_sees_no_orders(): void + { + $sub = User::factory()->create(['company_id' => $this->company->id, 'is_admin' => false, 'level' => 1, 'parent_id' => $this->main->id]); + $sub->assignRole(Role::where('company_id', $this->company->id)->first()); + // 不授權任何機台 + + $ids = $this->visibleOrderIds($sub); + $this->assertNotContains($this->orderA, $ids); + $this->assertNotContains($this->orderB, $ids); + } + + public function test_system_admin_sees_all_orders(): void + { + $sysAdmin = User::factory()->create(['company_id' => null]); + + $ids = $this->visibleOrderIds($sysAdmin); + $this->assertContains($this->orderA, $ids); + $this->assertContains($this->orderB, $ids); + } +}