fix(auth): Correct owner ID resolution order in PermWithOwner

- Fix owner ID lookup to prioritize PathParams and Query over Context - Prevent incorrect owner match when context contains current user ID - Reset InitAdmin.Password to empty so first registered user becomes admin
1 week ago · 95cdcd557c
parent 9518a9be21
commit 95cdcd557c
2 changed files with 7 additions and 3 deletions
--- a/auth/auth.go
+++ b/auth/auth.go
@ -413,9 +413,13 @@ func (a *appAuth) PermWithOwner(permissionID, ownerKey string) func(*vigo.X) err
 		orgID := getOrgID(x)

 		// 获取资源所有者ID
-		ownerID, _ := x.Get(ownerKey).(string)
+		// 优先从Path/Query获取，因为Context中的可能是登录用户ID
+		ownerID := x.PathParams.Get(ownerKey)
 		if ownerID == "" {
-			ownerID = x.PathParams.Get(ownerKey)
+			ownerID = x.Request.URL.Query().Get(ownerKey)
+		}
+		if ownerID == "" {
+			ownerID, _ = x.Get(ownerKey).(string)
 		}

 		// 如果是所有者，直接放行
--- a/cfg/cfg.go
+++ b/cfg/cfg.go
@ -69,7 +69,7 @@ var Config = &Options{
 	},
 	InitAdmin: InitAdminConfig{
 		Username: "admin",
-		Password: "123456", // 为空表示不自动创建，第一个注册用户成为 admin
+		Password: "", // 为空表示不自动创建，第一个注册用户成为 admin
 		Email:    "admin@example.com",
 	},
 }