sileya-ai
/
vr-shopxo-plugin
1
0
Fork 0
Code Issues 3 Pull Requests Packages Projects Releases Wiki Activity

feat(B0): M-06/M-05/M-03 security fixes

feat/phase-b-verification
Council 2026-04-25 10:34:31 +08:00
parent 26ff950d39
commit f3d102e7ad
2 changed files with 80 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
shopxo/app/plugins/vr_ticket/Event.php
View File

@ -10,12 +10,15 @@ class Event
// 给 ShopXO 商品表追加 item_type 字段MySQL 5.x 兼容写法) // 给 ShopXO 商品表追加 item_type 字段MySQL 5.x 兼容写法)
$query = $db->query("SHOW COLUMNS FROM `{$prefix}goods` LIKE 'item_type'"); $query = $db->query("SHOW COLUMNS FROM `{$prefix}goods` LIKE 'item_type'");
if (count($query) == 0) { // M-03: 修复 empty($result) 对 PDOStatement 永远返回 false 的问题
$resultItemType = $query->fetchAll();
if (count($resultItemType) == 0) {
$db->execute("ALTER TABLE `{$prefix}goods` ADD COLUMN `item_type` VARCHAR(20) NOT NULL DEFAULT 'normal' COMMENT '商品类型normal=普通 goods ticket=票务 physical=周边' AFTER `is_shelves`"); $db->execute("ALTER TABLE `{$prefix}goods` ADD COLUMN `item_type` VARCHAR(20) NOT NULL DEFAULT 'normal' COMMENT '商品类型normal=普通 goods ticket=票务 physical=周边' AFTER `is_shelves`");
} }
$queryConfig = $db->query("SHOW COLUMNS FROM `{$prefix}goods` LIKE 'vr_goods_config'"); $queryConfig = $db->query("SHOW COLUMNS FROM `{$prefix}goods` LIKE 'vr_goods_config'");
if (count($queryConfig) == 0) { $resultConfig = $queryConfig->fetchAll();
if (count($resultConfig) == 0) {
$db->execute("ALTER TABLE `{$prefix}goods` ADD COLUMN `vr_goods_config` LONGTEXT COMMENT '票务配置' AFTER `item_type`"); $db->execute("ALTER TABLE `{$prefix}goods` ADD COLUMN `vr_goods_config` LONGTEXT COMMENT '票务配置' AFTER `item_type`");
} }
} }

79
shopxo/app/plugins/vr_ticket/admin/Admin.php
View File

@ -122,6 +122,10 @@ class Admin extends Common
*/ */
public function SeatTemplateList() public function SeatTemplateList()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$where = []; $where = [];
$name = input('name', '', null); $name = input('name', '', null);
@ -167,6 +171,10 @@ class Admin extends Common
*/ */
public function SeatTemplateSave() public function SeatTemplateSave()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$id = input('id', 0, 'intval'); $id = input('id', 0, 'intval');
if ((request()->isAjax() && request()->isPost())) { if ((request()->isAjax() && request()->isPost())) {
@ -226,6 +234,10 @@ class Admin extends Common
*/ */
public function SeatTemplateDelete() public function SeatTemplateDelete()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -278,6 +290,10 @@ class Admin extends Common
public function SeatTemplateEnable() public function SeatTemplateEnable()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -314,6 +330,10 @@ class Admin extends Common
*/ */
public function TicketList() public function TicketList()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$where = []; $where = [];
$keywords = input('keywords', '', null, 'trim'); $keywords = input('keywords', '', null, 'trim');
@ -369,6 +389,10 @@ class Admin extends Common
*/ */
public function TicketDetail() public function TicketDetail()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$id = input('id', 0, 'intval'); $id = input('id', 0, 'intval');
if ($id <= 0) { if ($id <= 0) {
return DataReturn('参数错误', -1); return DataReturn('参数错误', -1);
@ -406,19 +430,30 @@ class Admin extends Common
*/ */
public function TicketVerify() public function TicketVerify()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
$ticket_code = input('ticket_code', '', null, 'trim'); $ticket_code = input('ticket_code', '', null, 'trim');
$verifier_id = input('verifier_id', 0, 'intval');
// M-05: verifier_id 从 session 获取,禁止客户端伪造
$admin_user_id = session('admin_user_info.id');
$verifier = \think\facade\Db::name('vr_verifiers')
->where('user_id', $admin_user_id)
->where('status', 1)
->find();
if (empty($verifier)) {
return DataReturn('你不是核销员,无权核销', -1);
}
$verifier_id = $verifier['id'];
if (empty($ticket_code)) { if (empty($ticket_code)) {
return DataReturn('票码不能为空', -1); return DataReturn('票码不能为空', -1);
} }
if ($verifier_id <= 0) {
return DataReturn('请选择核销员', -1);
}
$result = \app\plugins\vr_ticket\service\TicketService::verifyTicket($ticket_code, $verifier_id); $result = \app\plugins\vr_ticket\service\TicketService::verifyTicket($ticket_code, $verifier_id);
return DataReturn($result['msg'], $result['code'], $result['data'] ?? []); return DataReturn($result['msg'], $result['code'], $result['data'] ?? []);
@ -429,6 +464,10 @@ class Admin extends Common
*/ */
public function TicketExport() public function TicketExport()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -476,6 +515,10 @@ class Admin extends Common
*/ */
public function VerifierList() public function VerifierList()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$where = []; $where = [];
$keywords = input('keywords', '', null, 'trim'); $keywords = input('keywords', '', null, 'trim');
@ -522,6 +565,10 @@ class Admin extends Common
*/ */
public function VerifierSave() public function VerifierSave()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$id = input('id', 0, 'intval'); $id = input('id', 0, 'intval');
if ((request()->isAjax() && request()->isPost())) { if ((request()->isAjax() && request()->isPost())) {
@ -582,6 +629,10 @@ class Admin extends Common
*/ */
public function VerifierDelete() public function VerifierDelete()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -620,6 +671,10 @@ class Admin extends Common
*/ */
public function VenueList() public function VenueList()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$where = []; $where = [];
$name = input('name', '', null); $name = input('name', '', null);
@ -672,6 +727,10 @@ class Admin extends Common
*/ */
public function VenueSave() public function VenueSave()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$id = input('id', 0, 'intval'); $id = input('id', 0, 'intval');
if ((request()->isAjax() && request()->isPost())) { if ((request()->isAjax() && request()->isPost())) {
@ -857,6 +916,10 @@ class Admin extends Common
*/ */
public function VenueDelete() public function VenueDelete()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -913,6 +976,10 @@ class Admin extends Common
public function VenueEnable() public function VenueEnable()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
if (!(request()->isAjax() && request()->isPost())) { if (!(request()->isAjax() && request()->isPost())) {
return DataReturn('非法请求', -1); return DataReturn('非法请求', -1);
} }
@ -945,6 +1012,10 @@ class Admin extends Common
*/ */
public function VerificationList() public function VerificationList()
{ {
// M-06: 权限校验
if (empty(session('admin_id'))) {
return DataReturn('无权限访问', -1);
}
$where = []; $where = [];
$keywords = input('keywords', '', null, 'trim'); $keywords = input('keywords', '', null, 'trim');