moell 11 months ago
parent
commit
abd8bd6883
2 changed files with 33 additions and 7 deletions
  1. 9 7
      app/Http/Controllers/API/TaskController.php
  2. 24 0
      app/Models/Task.php

+ 9 - 7
app/Http/Controllers/API/TaskController.php

@@ -29,7 +29,9 @@ class TaskController extends Controller
         $tasks = Task::query()
             ->where("parent_id", 0)
             ->with(['children', 'assignTo', 'createdBy'])
-            ->filter($request->all())->paginate();
+            ->filter($request->all())
+            ->allowed()
+            ->paginate();
 
         return TaskResource::collection($tasks);
     }
@@ -53,7 +55,7 @@ class TaskController extends Controller
             ...$request->all(),
             'company_id' => Auth::user()->company_id,
             'created_by' => Auth::id(),
-            'whitelist' => $request->whitelist ? sprintf(",%s", implode(',', $request->whitelist)) : null,
+            'whitelist' => $request->whitelist ? sprintf(",%s,", implode(',', $request->whitelist)) : null,
             'asset_id' => $asset_id,
             'requirement_group_id'=>$requirement_group_id,
         ];
@@ -73,7 +75,7 @@ class TaskController extends Controller
      */
     public function show(string $id)
     {
-        $task = Task::query()->findOrFail($id);
+        $task = Task::query()->allowed($id)->findOrFail($id);
 
         return new TaskDetailResource($task);
     }
@@ -83,7 +85,7 @@ class TaskController extends Controller
      */
     public function update(CreateOrUpdateRequest $request, string $id, CustomFieldRepository $customFieldRepo)
     {
-        $task = Task::query()->findOrFail($id);
+        $task = Task::query()->allowed($id)->findOrFail($id);
         $asset_id=null;
 
         if ($requirementId=$request->get('requirement_id')!=$task->requirement_id){
@@ -93,7 +95,7 @@ class TaskController extends Controller
         }
 
         $formData = [...$request->all(),
-            'whitelist' => $request->whitelist ? sprintf(",%s", implode(',', $request->whitelist)) : null,
+            'whitelist' => $request->whitelist ? sprintf(",%s,", implode(',', $request->whitelist)) : null,
             '$asset_id' => $asset_id,
         ];
 
@@ -113,7 +115,7 @@ class TaskController extends Controller
      */
     public function destroy(string $id)
     {
-        $task = Task::query()->findOrFail($id);
+        $task = Task::query()->allowed($id)->findOrFail($id);
 
         $task->delete();
 
@@ -122,7 +124,7 @@ class TaskController extends Controller
 
     public function batchStore(BatchCreateRequest $request, CustomFieldRepository $customFieldRepo)
     {
-        $project = Project::query()->find($request->project_id);
+        $project = Project::query()->allowed($request->project_id)->find($request->project_id);
 
         $parsedItems = [];
         $previousItem = [];
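Review bot: The whitelist format change in store and update (now `",%s,"`, with a trailing comma) is what the new `%,<id>,%` LIKE match in Task::scopeAllowed depends on, but rows written by the old `",%s"` format end without that comma, so the last id in every pre-existing whitelist stops matching until the data is backfilled — this commit needs a migration along the lines of `UPDATE tasks SET whitelist = CONCAT(whitelist, ',') WHERE whitelist IS NOT NULL AND whitelist NOT LIKE '%,'`. The joined values are not normalised here either; unless CreateOrUpdateRequest pins each `whitelist.*` entry to an integer user id, a stray space or non-numeric entry silently yields a token the LIKE never matches, so `implode(',', array_map('intval', $request->whitelist))` or an `integer|exists:users,id` rule would make the stored form deterministic. Two context lines carried over in update look wrong: `'$asset_id' => $asset_id` uses the literal key `$asset_id` where store uses `'asset_id'`, so the value is dropped or rejected on fill, and `if ($requirementId=$request->get('requirement_id')!=$task->requirement_id)` assigns the boolean result of `!=` to `$requirementId` because comparison binds tighter than assignment — presumably `if (($requirementId = $request->get('requirement_id')) != $task->requirement_id)` was meant; update's body continues past the hunk, so I cannot see how `$requirementId` is consumed. In batchStore the switch to `allowed()` still uses `find()`, so an unauthorised or unknown project_id yields `null` rather than the 404 the other actions now return; `findOrFail` would make the behaviour consistent unless the code after the hunk already handles null. store shows no equivalent `allowed()` check on the incoming project_id; if the form request does not validate it against the caller's projects, that remains a path this commit does not cover.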

+ 24 - 0
app/Models/Task.php

@@ -2,11 +2,14 @@
 
 namespace App\Models;
 
+use App\Models\Enums\TaskACL;
 use App\Models\Scopes\CompanyScope;
 use EloquentFilter\Filterable;
+use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Database\Eloquent\Factories\HasFactory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Database\Eloquent\SoftDeletes;
+use Illuminate\Support\Facades\Auth;
 
 class Task extends Model
 {
@@ -26,6 +29,27 @@ class Task extends Model
         static::addGlobalScope(new CompanyScope);
     }
 
+    /**
+     * ACL 访问控制作用域
+     *
+     * @param Builder $query
+     * @param string $id 单个操作时使用,限制范围
+     * @return void
+     */
+    public function scopeAllowed(Builder $query, string $id = null): void
+    {
+        $taskIds = Task::query()->leftJoin("team_members", "tasks.project_id", "=", "team_members.project_id")
+            ->filter(request()->query())
+            ->when($id, fn($query) => $query->where("tasks.id", $id))
+            ->where("team_members.user_id", Auth::id())
+            ->orWhere(fn($query) => $query->where("tasks.acl", TaskACL::CUSTOM->value)->where("whitelist", "like", "%,".Auth::id().",%"))
+            ->pluck("tasks.id")
+            ->unique();
+
+
+        $query->whereIn("id", $taskIds->toArray());
+    }
+
     public function requirement(): \Illuminate\Database\Eloquent\Relations\BelongsTo
     {
         return $this->belongsTo(Requirement::class);
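Review bot: In scopeAllowed the `when($id, …)` constraint is AND-ed only onto the team-member branch — with `orWhere` at the same level the SQL reads `(tasks.id = ? AND team_members.user_id = ?) OR (tasks.acl = ? AND whitelist LIKE ?)`, so the whitelist branch ignores `$id`, the scope plucks every whitelisted task id for the user on each single-record call, and single-record correctness survives only because `findOrFail($id)` re-adds `id = ?` outside the scope. Three further points: the unqualified `whitelist` column sits beside a `leftJoin` and should be `tasks.whitelist`; re-running `filter(request()->query())` inside a model scope ties authorisation to the query string, so depending on what the filter class does a `?status=…` on a PUT/DELETE can turn an authorised task into a 404; and when `Auth::id()` is null Laravel compiles `where('team_members.user_id', null)` to `IS NULL`, which matches every task whose project has no team rows — harmless only if every caller of this scope sits behind auth middleware, which I cannot see from here. Note too that a project team member matches the first branch for every task including `acl = CUSTOM` ones, so the whitelist only ever widens access; if CUSTOM is meant to narrow it, the membership branch also needs `->where('tasks.acl', '!=', TaskACL::CUSTOM->value)`. `string $id = null` is the implicitly-nullable form deprecated in PHP 8.4 and should be `?string $id = null`; pushing the predicate into a subquery removes the id round-trip, lets `$id` apply to both branches, and fails closed without a principal:
```php
    public function scopeAllowed(Builder $query, ?string $id = null): void
    {
        $userId = Auth::id();
        if ($userId === null) {
            // No authenticated principal: grant nothing rather than let IS NULL match.
            $query->whereRaw('1 = 0');
            return;
        }

        // Access predicate as a subquery instead of plucking ids; CompanyScope and
        // SoftDeletes still apply through the outer Eloquent query.
        $query->whereIn('tasks.id', function ($sub) use ($userId, $id) {
            $sub->select('tasks.id')
                ->from('tasks')
                ->leftJoin('team_members', 'tasks.project_id', '=', 'team_members.project_id')
                ->when($id, fn ($q) => $q->where('tasks.id', $id))
                ->where(fn ($q) => $q
                    ->where('team_members.user_id', $userId)
                    ->orWhere(fn ($w) => $w
                        ->where('tasks.acl', TaskACL::CUSTOM->value)
                        ->where('tasks.whitelist', 'like', "%,{$userId},%")));
        });
    }
```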