
修复管理员越权删除的BUG
添加控制台安装系统接口
修复菜单错误
增加操作日志
其它BUG修复

Karson 8 年之前
父節點
當前提交
c225433a14

+ 5 - 8
application/admin/command/Crud.php

@@ -9,6 +9,7 @@ use think\console\Input;
 use think\console\input\Option;
 use think\console\Output;
 use think\Db;
+use think\Exception;
 use think\Lang;
 
 class Crud extends Command
@@ -41,8 +42,7 @@ class Crud extends Command
         $local = $input->getOption('local');
         if (!$table)
         {
-            $output->error('table name can\'t empty');
-            return;
+            throw new Exception('table name can\'t empty');
         }
         $dbname = Config::get('database.database');
         $prefix = Config::get('database.prefix');
@@ -50,8 +50,7 @@ class Crud extends Command
         $tableInfo = Db::query("SHOW TABLE STATUS LIKE '{$tableName}'", [], TRUE);
         if (!$tableInfo)
         {
-            $output->error("table not found");
-            return;
+            throw new Exception("table not found");
         }
         $tableInfo = $tableInfo[0];
 
@@ -69,8 +68,7 @@ class Crud extends Command
         //非覆盖模式时如果存在控制器文件则报错
         if (is_file($controllerFile) && !$force)
         {
-            $output->error('controller already exists');
-            return;
+            throw new Exception('controller already exists');
         }
 
         //模型默认以表名进行处理,以下划线进行分隔,如果需要自定义则需要传入model,不支持目录层级
@@ -91,8 +89,7 @@ class Crud extends Command
         //非覆盖模式时如果存在模型文件则报错
         if (is_file($modelFile) && !$force)
         {
-            $output->error('model already exists');
-            return;
+            throw new Exception('model already exists');
         }
 
         //从数据库中获取表字段信息
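Review bot: `$tableName` is interpolated straight into `SHOW TABLE STATUS LIKE '{$tableName}'` (the context line just above the new `table not found` throw), so a `--table` value containing a quote breaks the statement or widens the LIKE pattern, and none of the new exception paths validate it. Exposure is low because this is a console command, but the value still comes from outside; reject anything that is not a plain identifier next to the empty-name check, e.g. `if (!preg_match('/^[A-Za-z0-9_]+$/', $table)) { throw new Exception('invalid table name'); }`. `$tableName` appears to be assembled from `$prefix` and `$table` on a line outside the hunk, and `execute` begins before the first hunk and continues after the last one.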

+ 49 - 0
application/admin/command/Install.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace app\admin\command;
+
+use think\console\Command;
+use think\console\Input;
+use think\console\input\Option;
+use think\console\Output;
+use think\Db;
+use think\Exception;
+
+class Install extends Command
+{
+
+    protected $model = null;
+
+    protected function configure()
+    {
+        $this
+                ->setName('install')
+                ->addOption('force', 'f', Option::VALUE_OPTIONAL, 'force override', FALSE)
+                ->setDescription('New installation of FastAdmin');
+    }
+
+    protected function execute(Input $input, Output $output)
+    {
+
+        //覆盖安装
+        $force = $input->getOption('force');
+
+        $installLockFile = __DIR__ . "/Install/install.lock";
+        if (is_file($installLockFile) && !$force)
+        {
+            throw new Exception("\nFastAdmin already installed!\nIf you need to reinstall again, use the parameter --force=true ");
+        }
+
+        $sql = file_get_contents(__DIR__ . '/Install/fastadmin.sql');
+
+        // 查询一次SQL,判断连接是否正常
+        Db::execute("SELECT 1");
+
+        // 调用原生PDO对象进行批量查询
+        Db::getPdo()->exec($sql);
+
+        file_put_contents($installLockFile, 1);
+        $output->info("Install Successed!");
+    }
+
+}
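Review bot: the return of `file_get_contents(__DIR__ . '/Install/fastadmin.sql')` is never checked, so a missing or unreadable script yields `false`, `Db::getPdo()->exec('')` runs nothing, and the command still writes the lock file and prints `Install Successed!` — a broken install that then refuses to run again without `--force`. Fail before touching the database when the script is absent or empty, and check that `file_put_contents` actually wrote the lock. Note also that PDO `exec()` on a multi-statement string reports only the first statement's outcome on MySQL, so a failure deep in the 417-line script may pass silently unless the connection is in exception mode and statements are issued one at a time — worth confirming against the DB config. Separately, `install.lock` with content `1` is committed in this same change, so a fresh checkout is already "installed" and the first run must always use `--force=true`; if that is intended it should be documented, since it turns the lock into a formality.
```php
        $sqlFile = __DIR__ . '/Install/fastadmin.sql';
        $sql = file_get_contents($sqlFile);
        if ($sql === false || trim($sql) === '') {
            throw new Exception("Install SQL script missing or empty: {$sqlFile}");
        }

        // … unchanged: connection check and Db::getPdo()->exec($sql) …

        if (file_put_contents($installLockFile, 1) === false) {
            throw new Exception("Unable to write install lock file: {$installLockFile}");
        }
        $output->info("Install Successed!");
```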

文件差異過大導致無法顯示
+ 417 - 0
application/admin/command/Install/fastadmin.sql


+ 1 - 0
application/admin/command/Install/install.lock

@@ -0,0 +1 @@
+1

+ 2 - 2
application/admin/command/Menu.php

@@ -11,6 +11,7 @@ use think\console\Command;
 use think\console\Input;
 use think\console\input\Option;
 use think\console\Output;
+use think\Exception;
 
 class Menu extends Command
 {
@@ -33,8 +34,7 @@ class Menu extends Command
         $controller = $input->getOption('controller') ? : '';
         if (!$controller)
         {
-            $output->error("please input controller name");
-            return;
+            throw new Exception("please input controller name");
         }
 
         if ($controller != 'all-controller')

+ 2 - 1
application/admin/controller/Ajax.php

@@ -146,7 +146,8 @@ class Ajax extends Backend
             $admin_rule_ids = $this->auth->getRuleIds();
             $superadmin = $this->auth->isSuperAdmin();
             $current_rule_ids = $id ? explode(',', $currentgroupmodel->rules) : [];
-            if (!$id || !array_key_exists($pid, Tree::instance()->init($model->all(['status' => 'normal']))->getChildrenIds($id, TRUE)))
+
+            if (!$id || !in_array($pid, Tree::instance()->init($model->all(['status' => 'normal']))->getChildrenIds($id, TRUE)))
             {
                 //构造jstree所需的数据
                 $nodelist = [];
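Review bot: the new `in_array($pid, ...)` check is a loose comparison, so `$pid` (apparently taken from the request) is compared with `==` against the id list; on PHP 7 a non-numeric string equals `0` and `'5abc'` equals `5`, which makes the parent check easier to satisfy than intended. Normalise both sides and compare strictly, e.g. `$childIds = array_map('intval', Tree::instance()->init($model->all(['status' => 'normal']))->getChildrenIds($id, TRUE));` followed by `if (!$id || !in_array((int)$pid, $childIds, true))`. The surrounding method starts before this hunk and its branches continue after it, so where `$pid` is assigned is not visible here.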

+ 3 - 0
application/admin/controller/Dashboard.php

@@ -13,6 +13,9 @@ use app\common\controller\Backend;
 class Dashboard extends Backend
 {
 
+    /**
+     * 查看
+     */
     public function index()
     {
         $seventtime = \fast\Date::unixtime('day', -7);

+ 34 - 5
application/admin/controller/auth/Admin.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\auth;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use fast\Random;
 use fast\Tree;
@@ -56,10 +57,11 @@ class Admin extends Backend
             $params = $this->request->post("row/a");
             if ($params)
             {
-                $params['salt'] = Random::basic(4);
+                $params['salt'] = Random::alnum();
                 $params['password'] = md5(md5($params['password']) . $params['salt']);
 
                 $admin = $this->model->create($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
                 $group = $this->request->post("group/a");
 
                 //过滤不允许的组别,避免越权
@@ -98,6 +100,7 @@ class Admin extends Backend
                     $params['password'] = md5(md5($params['password']) . $params['salt']);
                 }
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
 
                 // 先移除所有权限
                 model('AuthGroupAccess')->where('uid', $row->id)->delete();
@@ -137,15 +140,41 @@ class Admin extends Backend
         $this->code = -1;
         if ($ids)
         {
-            $count = $this->model->where('id', 'in', $ids)->delete();
-            if ($count)
+            // 避免越权删除管理员
+            $childrenGroupIds = $this->childrenIds;
+            $adminList = $this->model->where('id', 'in', $ids)->where('id', 'in', function($query) use($childrenGroupIds)
+                    {
+                        $query->name('auth_group_access')->where('group_id', 'in', $childrenGroupIds)->field('uid');
+                    })->select();
+            if ($adminList)
             {
-                model('AuthGroupAccess')->where('uid', 'in', $ids)->delete();
-                $this->code = 1;
+                $deleteIds = [];
+                foreach ($adminList as $k => $v)
+                {
+                    $deleteIds[] = $v->id;
+                }
+                $deleteIds = array_diff($deleteIds, [$this->auth->id]);
+                if ($deleteIds)
+                {
+                    AdminLog::record(__('Del'), $deleteIds);
+                    $this->model->destroy($deleteIds);
+                    model('AuthGroupAccess')->where('uid', 'in', $deleteIds)->delete();
+                    $this->code = 1;
+                }
             }
         }
 
         return;
     }
 
+    /**
+     * 批量更新
+     * @internal
+     */
+    public function multi($ids = "")
+    {
+        // 管理员禁止批量操作
+        $this->code = -1;
+    }
+
 }
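Review bot: the new scope check in `del()` only requires that a target admin has *some* group inside `$this->childrenIds`, because the subquery selects every `uid` from `auth_group_access` whose `group_id` is in that set. An admin who belongs to a child group and also to a group above the caller (including a super-admin) is therefore still deletable by the lower admin, which is the privilege-escalation this commit is trying to close. Add a second condition excluding anyone with a membership outside the child set: `->where('id', 'not in', function ($query) use ($childrenGroupIds) { $query->name('auth_group_access')->where('group_id', 'not in', $childrenGroupIds)->field('uid'); })`. Also, `AdminLog::record(__('Del'), $deleteIds)` is written before `destroy()` runs, so a failed delete is still logged as performed, and an empty `$childrenGroupIds` produces an `IN ()` whose meaning depends on the query builder — an explicit early return would be safer. The `md5(md5($params['password']) . $params['salt'])` line in the add hunk is unchanged context, but it is not a password hash new code should keep relying on; `password_hash()` is the fix.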

+ 5 - 0
application/admin/controller/auth/Group.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\auth;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use fast\Tree;
 
@@ -104,6 +105,7 @@ class Group extends Backend
             if ($params)
             {
                 $this->model->create($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
                 $this->code = 1;
             }
 
@@ -151,6 +153,7 @@ class Group extends Backend
             if ($params)
             {
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
                 $this->code = 1;
             }
 
@@ -200,6 +203,7 @@ class Group extends Backend
             $count = $this->model->where('id', 'in', $ids)->delete();
             if ($count)
             {
+                AdminLog::record(__('Del'), $ids);
                 $this->code = 1;
             }
         }
@@ -208,6 +212,7 @@ class Group extends Backend
 
     /**
      * 批量更新
+     * @internal
      */
     public function multi($ids = "")
     {

+ 19 - 1
application/admin/controller/auth/Rule.php

@@ -2,8 +2,10 @@
 
 namespace app\admin\controller\auth;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use fast\Tree;
+use think\Cache;
 
 /**
  * 规则管理
@@ -24,7 +26,7 @@ class Rule extends Backend
         // 必须将结果集转换为数组
         Tree::instance()->init(collection($this->model->order('weigh', 'desc')->select())->toArray());
         $this->rulelist = Tree::instance()->getTreeList(Tree::instance()->getTreeArray(0), 'title');
-        $ruledata = [];
+        $ruledata = [0 => __('None')];
         foreach ($this->rulelist as $k => $v)
         {
             $ruledata[$v['id']] = $v['title'];
@@ -61,6 +63,8 @@ class Rule extends Backend
             if ($params)
             {
                 $this->model->create($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
+                Cache::rm('__menu__');
                 $this->code = 1;
             }
 
@@ -84,6 +88,8 @@ class Rule extends Backend
             if ($params)
             {
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
+                Cache::rm('__menu__');
                 $this->code = 1;
             }
 
@@ -104,6 +110,8 @@ class Rule extends Backend
             $count = $this->model->where('id', 'in', $ids)->delete();
             if ($count)
             {
+                AdminLog::record(__('Del'), $ids);
+                Cache::rm('__menu__');
                 $this->code = 1;
             }
         }
@@ -111,4 +119,14 @@ class Rule extends Backend
         return;
     }
 
+    /**
+     * 批量更新
+     * @internal
+     */
+    public function multi($ids = "")
+    {
+        // 节点禁止批量操作
+        $this->code = -1;
+    }
+
 }

+ 3 - 49
application/admin/controller/general/Configvalue.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\general;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 
 /**
@@ -75,6 +76,7 @@ class Configvalue extends Backend
                     $params['content'] = array_combine($fieldarr, $valuearr);
                 }
                 $this->model->save($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
                 $this->code = 1;
             }
 
@@ -114,6 +116,7 @@ class Configvalue extends Backend
                     $params['content'] = array_combine($fieldarr, $valuearr);
                 }
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
                 $this->code = 1;
             }
 
@@ -123,53 +126,4 @@ class Configvalue extends Backend
         return $this->view->fetch();
     }
 
-    /**
-     * 删除
-     */
-    public function del($ids = "")
-    {
-        $this->code = -1;
-        if ($ids)
-        {
-            $count = $this->model->where('id', 'in', $ids)->delete();
-            if ($count)
-            {
-                $this->code = 1;
-            }
-        }
-
-        return;
-    }
-
-    /**
-     * 批量更新
-     */
-    public function multi($ids = "")
-    {
-        $this->code = -1;
-        $ids = $ids ? $ids : $this->request->param("ids");
-        if ($ids)
-        {
-            if ($this->request->has('params'))
-            {
-                parse_str($this->request->post("params"), $values);
-                $values = array_intersect_key($values, array_flip(array('status')));
-                if ($values)
-                {
-                    $count = $this->model->where('id', 'in', $ids)->update($values);
-                    if ($count)
-                    {
-                        $this->code = 1;
-                    }
-                }
-            }
-            else
-            {
-                $this->code = 1;
-            }
-        }
-
-        return;
-    }
-
 }

+ 0 - 93
application/admin/controller/general/Crontab.php

@@ -51,97 +51,4 @@ class Crontab extends Backend
         return $this->view->fetch();
     }
 
-    /**
-     * 添加
-     */
-    public function add()
-    {
-        if ($this->request->isPost())
-        {
-            $this->code = -1;
-            $params = $this->request->post("row/a");
-            if ($params)
-            {
-                $this->model->create($params);
-                $this->code = 1;
-            }
-
-            return;
-        }
-        return $this->view->fetch();
-    }
-
-    /**
-     * 编辑
-     */
-    public function edit($ids = NULL)
-    {
-        $row = $this->model->get(['id' => $ids]);
-        if (!$row)
-            $this->error(__('No Results were found'));
-        if ($this->request->isPost())
-        {
-            $this->code = -1;
-            $params = $this->request->post("row/a");
-            if ($params)
-            {
-                $row->save($params);
-                $this->code = 1;
-            }
-
-            return;
-        }
-        $this->view->assign("row", $row);
-        return $this->view->fetch();
-    }
-
-    /**
-     * 删除
-     */
-    public function del($ids = "")
-    {
-        $this->code = -1;
-        if ($ids)
-        {
-            $count = $this->model->where('id', 'in', $ids)->delete();
-            if ($count)
-            {
-                $this->code = 1;
-            }
-        }
-
-        return;
-    }
-
-    /**
-     * 批量更新
-     */
-    public function multi($ids = "")
-    {
-        $this->code = -1;
-        $ids = $ids ? $ids : $this->request->param("ids");
-        if ($ids)
-        {
-            if ($this->request->has('params'))
-            {
-                parse_str($this->request->post("params"), $values);
-                $values = array_intersect_key($values, array_flip(array('status')));
-                if ($values)
-                {
-                    $count = $this->model->where('id', 'in', $ids)->update($values);
-                    if ($count)
-                    {
-                        $this->code = 1;
-                    }
-                }
-            }
-            else
-            {
-                $this->code = 1;
-            }
-        }
-
-        return;
-    }
-
 }

+ 3 - 0
application/admin/controller/general/Database.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\general;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use think\Db;
 use think\Debug;
@@ -59,6 +60,7 @@ class Database extends Backend
 
         if (in_array($do_action, array('doquery', 'optimizeall', 'repairall')))
         {
+            AdminLog::record(__('query'), ['table' => $tablename, 'action' => $do_action, 'sql' => $this->request->post('sqlquery')]);
             $this->$do_action();
         }
         else if (count($tablename) == 0)
@@ -67,6 +69,7 @@ class Database extends Backend
         }
         else
         {
+            AdminLog::record(__('query'), ['table' => $tablename, 'action' => $do_action]);
             foreach ($tablename as $table)
             {
                 $this->$do_action($table);
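Review bot: the new log line in the else-branch is written immediately before `$this->$do_action($table)`, and nothing visible in this hunk whitelists `$do_action` on that path — only the first branch checks `in_array($do_action, array('doquery', 'optimizeall', 'repairall'))`. If `$do_action` is request-controlled (likely, since the table list and `sqlquery` come from the request) this is a dynamic method call on the controller with a caller-chosen name; if an earlier check exists outside the hunk, disregard this. Otherwise guard the per-table path the same way, e.g. `if (!in_array($do_action, ['viewstructure', 'viewdata', 'optimize', 'repair'], true)) { $this->error(__('Invalid action')); }` with the names adjusted to the real handler methods. The audit entry is also recorded before the action runs, so a rejected or failed action is logged as if it had happened — log after, or include the outcome. The enclosing method begins before this hunk.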

+ 2 - 0
application/admin/controller/general/Profile.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\general;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use fast\Random;
 
@@ -60,6 +61,7 @@ class Profile extends Backend
             if ($params)
             {
                 model('admin')->where('id', $this->auth->id)->update($params);
+                AdminLog::record(__('Update'), $params);
                 $this->code = 1;
             }
         }
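Review bot: `AdminLog::record(__('Update'), $params)` stores the whole `$params` array in the admin log, and in a profile update that array very likely carries the new `password` and `salt` (this controller imports `fast\Random`, which the other controllers use for salt generation) — that persists credential material in a table readable by anyone with log access. Strip secrets before logging: `AdminLog::record(__('Update'), array_diff_key($params, array_flip(['password', 'salt'])));`. The `update($params)` call also writes every posted field for the current admin; if the field whitelist lives outside this hunk that is fine, otherwise mass-assignment of fields such as `status` should be checked. The enclosing method starts before this hunk.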

+ 3 - 1
application/admin/controller/wechat/Autoreply.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\wechat;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use app\common\model\WechatResponse;
 use think\Db;
@@ -37,9 +38,10 @@ class Autoreply extends Backend
             if ($params)
             {
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
                 $this->code = 1;
             }
-            return FALSE;
+            return;
         }
         $response = WechatResponse::get(['eventkey' => $row['eventkey']]);
         $this->view->assign("response", $response);

+ 4 - 0
application/admin/controller/wechat/Config.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\wechat;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use app\common\model\Configvalue;
 
@@ -54,6 +55,7 @@ class Config extends Backend
             $this->obj['config'][] = $this->request->post('row/a');
             $this->wechatcfg->content = $this->obj;
             $this->wechatcfg->save();
+            AdminLog::record(__('Add'), $this->request->post('row/a'));
             $this->code = 1;
             return;
         }
@@ -84,6 +86,7 @@ class Config extends Backend
             $this->wechatcfg->content = $this->obj;
             $this->wechatcfg->save();
             $this->code = 1;
+            AdminLog::record(__('Edit'), $ids);
             return;
         }
         $this->view->assign("row", $row);
@@ -108,6 +111,7 @@ class Config extends Backend
             }
             $this->wechatcfg->content = $this->obj;
             $this->wechatcfg->save();
+            AdminLog::record(__('Del'), $ids);
             $this->code = 1;
         }
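Review bot: `AdminLog::record(__('Add'), $this->request->post('row/a'))` writes the raw posted WeChat config row into the admin log; if that row holds fields such as `appsecret`, `token` or `aeskey` (this controller edits the WeChat configuration, so that is likely), those secrets end up in plain text in the log table. Log a masked copy instead, e.g. `$row = $this->request->post('row/a'); AdminLog::record(__('Add'), array_diff_key($row, array_flip(['appsecret', 'token', 'aeskey'])));`, and reuse `$row` for the `$this->obj['config'][]` append rather than reading the request twice. The edit and del hunks log only `$ids`, which is consistent with the other controllers in this commit and leaks nothing.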
 

+ 4 - 0
application/admin/controller/wechat/Menu.php

@@ -2,10 +2,12 @@
 
 namespace app\admin\controller\wechat;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use app\common\model\Configvalue;
 use app\common\model\WechatResponse;
 use EasyWeChat\Foundation\Application;
+use think\Config;
 use think\Exception;
 
 /**
@@ -51,6 +53,7 @@ class Menu extends Backend
         $content['menu'] = $menu;
         $this->wechatcfg->content = $content;
         $this->wechatcfg->save();
+        AdminLog::record(__('Edit'), $ids);
         $this->code = 1;
         return;
     }
@@ -68,6 +71,7 @@ class Menu extends Backend
             $ret = $app->menu->add($this->wechatcfg->content['menu']);
             if ($ret->errcode == 0)
             {
+                AdminLog::record(__('Sync'), $this->wechatcfg->content['menu']);
                 $this->code = 1;
             }
             else
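Review bot: `AdminLog::record(__('Edit'), $ids)` in the edit hunk logs `$ids`, but the client posts `{menu: JSON.stringify(...)}` with no ids (see `menu.js` in this same commit), so the audit row will most likely carry an empty content while the actual change — the `$menu` array written to `$content['menu']` — is not recorded. Log what was written: `AdminLog::record(__('Edit'), $menu);` (`AdminLog::record` now JSON-encodes non-scalar content). `use think\Config;` is added but is not referenced in either visible hunk; drop it unless code outside the hunks needs it. Both enclosing methods begin before their hunks.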

+ 3 - 0
application/admin/controller/wechat/Response.php

@@ -2,6 +2,7 @@
 
 namespace app\admin\controller\wechat;
 
+use app\admin\model\AdminLog;
 use app\common\controller\Backend;
 use fast\service\Wechat;
 
@@ -44,6 +45,7 @@ class Response extends Backend
             if ($params)
             {
                 $this->model->save($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
                 $this->code = 1;
                 $this->content = $params;
             }
@@ -72,6 +74,7 @@ class Response extends Backend
             if ($params)
             {
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
                 $this->code = 1;
             }
             return;

+ 2 - 2
application/admin/lang/zh-cn/general/database.php

@@ -3,8 +3,8 @@
 return [
     'SQL Result'                                                             => '查询结果',
     'Basic query'                                                            => '基础查询',
-    'View structure'                                                         => '基础查询',
-    'View data'                                                              => '基础查询',
+    'View structure'                                                         => '查看表结构',
+    'View data'                                                              => '查看表数据',
     'Optimize'                                                               => '优化表',
     'Repair'                                                                 => '修复表',
     'Optimize all'                                                           => '优化全部表',

+ 6 - 0
application/admin/library/traits/Backend.php

@@ -2,6 +2,8 @@
 
 namespace app\admin\library\traits;
 
+use app\admin\model\AdminLog;
+
 trait Backend
 {
 
@@ -42,6 +44,7 @@ trait Backend
             if ($params)
             {
                 $this->model->create($params);
+                AdminLog::record(__('Add'), $this->model->getLastInsID());
                 $this->code = 1;
             }
 
@@ -65,6 +68,7 @@ trait Backend
             if ($params)
             {
                 $row->save($params);
+                AdminLog::record(__('Edit'), $ids);
                 $this->code = 1;
             }
 
@@ -85,6 +89,7 @@ trait Backend
             $count = $this->model->where('id', 'in', $ids)->delete();
             if ($count)
             {
+                AdminLog::record(__('Del'), $ids);
                 $this->code = 1;
             }
         }
@@ -110,6 +115,7 @@ trait Backend
                     $count = $this->model->where('id', 'in', $ids)->update($values);
                     if ($count)
                     {
+                        AdminLog::record(__('Multi'), $ids);
                         $this->code = 1;
                     }
                 }
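Review bot: the `Multi` log entry in the last hunk records only `$ids`, so the audit trail shows which rows were bulk-updated but not what `$values` were applied (e.g. a status flip), which is exactly what an investigator needs. Log both: `AdminLog::record(__('Multi'), ['ids' => $ids, 'values' => $values]);` — `AdminLog::record` in this commit JSON-encodes non-scalar content. Since this trait backs most controllers, note also that `del()` here still deletes `where('id', 'in', $ids)` with no ownership scoping; that is pre-existing context, but the per-controller scoping added to `auth/Admin::del()` does not flow back into it. Each of the trait's methods begins before its hunk.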

+ 1 - 0
application/admin/model/AdminLog.php

@@ -17,6 +17,7 @@ class AdminLog extends Model
     {
         $admin = \think\Session::get('admin');
         $admin_id = $admin ? $admin->id : 0;
+        $content = !is_scalar($content) ? json_encode($content) : $content . '';
         $username = $username ? $username : ($admin ? $admin->username : __(''));
         self::create([
             'title'    => $title,
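Review bot: `json_encode($content)` can return `false` (invalid UTF-8 in a posted value, depth overflow), and the new ternary then stores an empty string, silently losing the audit content. Use `json_encode($content, JSON_UNESCAPED_UNICODE | JSON_PARTIAL_OUTPUT_ON_ERROR)` so Chinese text stays readable and malformed fragments are substituted instead of dropping the whole record, and fall back to `var_export($content, true)` if the result is still `false`. Since callers now pass request arrays straight in (`$params`, `row/a`), consider stripping well-known secret keys (`password`, `salt`, `appsecret`) centrally here rather than relying on every caller to remember. `record()` begins before this hunk.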

+ 0 - 1
application/admin/view/general/configvalue/index.html

@@ -14,7 +14,6 @@
                                 <li><a class="btn btn-link btn-multi btn-disabled disabled" href="javascript:;" data-params="status=hidden"><i class="fa fa-eye-slash"></i> 设为隐藏</a></li>
                             </ul>
                         </div>
-                        <a class="btn btn-primary btn-danger btn-clear-cache"><i class="fa fa-times"></i> {:__('Clear cache')}</a>
                     </div>
                     <table id="table" class="table table-striped table-bordered table-hover" width="100%">
                     </table>

+ 9 - 0
application/admin/view/index/login.html

@@ -49,6 +49,15 @@
             }
 
         </style>
+        <script>
+            var _hmt = _hmt || [];
+            (function () {
+                var hm = document.createElement("script");
+                hm.src = "https://hm.baidu.com/hm.js?58347d769d009bcf6074e9a0ab7ba05e";
+                var s = document.getElementsByTagName("script")[0];
+                s.parentNode.insertBefore(hm, s);
+            })();
+        </script>
     </head>
     <body>
         <div class="container">
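Review bot: the added `<script>` loads `https://hm.baidu.com/hm.js?...` (Baidu Tongji) on the admin login page, which hands a third party full DOM access on the page where administrators type their credentials and reports every admin-panel URL and visitor to that provider. A compromised or misbehaving analytics script can read the username and password fields before submit, so tracking belongs on public pages, not on the back-office login. Remove it from this template, or gate it behind a config flag that defaults to off and is documented, and consider a `Content-Security-Policy` with a `script-src` that excludes third-party origins for the admin area. If it must stay, the telemetry should be called out in the install notes so operators know their admin logins are reported externally.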

+ 1 - 0
application/command.php

@@ -13,4 +13,5 @@
 return [
     'app\admin\command\Crud',
     'app\admin\command\Menu',
+    'app\admin\command\Install',
 ];

+ 1 - 1
public/assets/js/backend/index.js

@@ -1,4 +1,4 @@
-define(['jquery', 'bootstrap', 'backend', 'addtabs', 'adminlte'], function ($, undefined, Backend, undefined, AdminLTE) {
+define(['jquery', 'bootstrap', 'backend', 'addtabs', 'adminlte', 'validator'], function ($, undefined, Backend, undefined, AdminLTE, undefined) {
 
     var Controller = {
         index: function () {

+ 2 - 2
public/assets/js/backend/wechat/menu.js

@@ -132,7 +132,7 @@ define(['jquery', 'bootstrap', 'backend', 'table', 'form', 'sortable'], function
             //更新菜单数据
             var menuUpdate = function () {
                 $.post("wechat/menu/edit", {menu: JSON.stringify(getMenuList())}, function (data) {
-                    if (data['code'] == 0) {
+                    if (data['code'] == 1) {
                     } else {
                         Backend.api.error();
                     }
@@ -255,7 +255,7 @@ define(['jquery', 'bootstrap', 'backend', 'table', 'form', 'sortable'], function
             });
             $(document).on('click', "#menuSyn", function () {
                 $.post("wechat/menu/sync", {}, function (data) {
-                    if (data['code'] == 0) {
+                    if (data['code'] == 1) {
                         Backend.api.toastr.success('菜单同步更新成功,生效时间看微信官网说明,或者你重新关注微信号!');
                     } else {
                         Backend.api.toastr.error(data['content']);
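Review bot: the corrected success branch `if (data['code'] == 1) { }` in the first hunk is still empty, so a successful save gives no feedback while a failure shows a generic `Backend.api.error()`; add `Backend.api.toastr.success(...)` or a comment stating that silence is intentional. Both comparisons use loose `==`; if the server emits `code` as a number, `=== 1` is the conventional form and avoids `'1' == 1` surprises. The enclosing handlers continue past both hunks.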