fix(ws-org): enforce org-scoped lianxi relation lookups

Require current_org_id for lianxi deletion and relation traversal, and add org-scoped relation lookups to prevent cross-organization hits in daka/jihua counters. Made-with: Cursor
2026-04-27 23:20:52 +08:00
parent 07ee6e7cc6
commit 2155c66a3b
3 changed files with 224 additions and 15 deletions
@@ -112,24 +112,40 @@ pub async fn raw_create_lianxi(

            debug!("update lianxi_count");
            if let Some(section_id) = &in_jihua_course_section_id {
-                let jihua_course_section = JihuaCourseSection::find_by_id(
+                let jihua_course_section = JihuaCourseSection::find_by_id_in_org(
                    section_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
-                let belonging_jihua = Jihua::find_by_id(
+                let belonging_jihua = Jihua::find_by_id_in_org(
                    &jihua_course_section.jihua_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
                let _ = belonging_jihua
                    .update_count(extract_conn(fetch_db_conn(&db_pool)?).deref_mut())?;
            } else if let Some(section_id) = &in_daka_course_section_id {
                // in_daka_course_section_id is some
-                let daka_course_section = DakaCourseSection::find_by_id(
+                let daka_course_section = DakaCourseSection::find_by_id_in_org(
                    section_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
-                let belonging_daka = Daka::find_by_id(
+                let belonging_daka = Daka::find_by_id_in_org(
                    &daka_course_section.daka_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
                let _ = belonging_daka
@@ -306,24 +322,40 @@ pub async fn raw_create_lianxi2(

            debug!("update lianxi_count");
            if let Some(section_id) = &in_jihua_course_section_id {
-                let jihua_course_section = JihuaCourseSection::find_by_id(
+                let jihua_course_section = JihuaCourseSection::find_by_id_in_org(
                    section_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
-                let belonging_jihua = Jihua::find_by_id(
+                let belonging_jihua = Jihua::find_by_id_in_org(
                    &jihua_course_section.jihua_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
                let _ = belonging_jihua
                    .update_count(extract_conn(fetch_db_conn(&db_pool)?).deref_mut())?;
            } else if let Some(section_id) = &in_daka_course_section_id {
                // in_daka_course_section_id is some
-                let daka_course_section = DakaCourseSection::find_by_id(
+                let daka_course_section = DakaCourseSection::find_by_id_in_org(
                    section_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
-                let belonging_daka = Daka::find_by_id(
+                let belonging_daka = Daka::find_by_id_in_org(
                    &daka_course_section.daka_id,
+                    &res_lianxi
+                        .org_id
+                        .clone()
+                        .ok_or_else(|| anyhow!("lianxi.org_id is required"))?,
                    extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
                )?;
                let _ = belonging_daka
@@ -340,12 +372,12 @@ pub async fn raw_create_lianxi2(
 }

 pub async fn delete_lianxi_by_id(
-    _root: HtySudoerTokenHeader,
+    root: HtySudoerTokenHeader,
    Path(id_delete): Path<String>,
    State(db_pool): State<Arc<DbState>>,
 ) -> Json<HtyResponse<Lianxi>> {
    debug!("delete_lianxi_by_id -> start here");
-    match raw_delete_lianxi_by_id(&id_delete, db_pool).await {
+    match raw_delete_lianxi_by_id(&root, &id_delete, db_pool).await {
        Ok(ok) => wrap_json_ok_resp(ok),
        Err(e) => {
            error!("delete_lianxi_by_id -> failed to delete lianxi, e: {}", e);
@@ -355,11 +387,14 @@ pub async fn delete_lianxi_by_id(
 }

 pub async fn raw_delete_lianxi_by_id(
+    root: &HtySudoerTokenHeader,
    id_delete: &String,
    db_pool: Arc<DbState>,
 ) -> anyhow::Result<Lianxi> {
-    let to_delete_lianxi = Lianxi::find_by_id(
+    let current_org_id = required_current_org_id_from_sudoer_token_str(&root.0)?;
+    let to_delete_lianxi = Lianxi::find_by_id_in_org(
        id_delete,
+        &current_org_id,
        extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
    )?;
    let piyues =
@@ -390,12 +425,14 @@ pub async fn raw_delete_lianxi_by_id(
    }

    if let Some(section_id) = &to_delete_lianxi.jihua_course_section_id {
-        let relation = JihuaCourseSection::find_by_id(
+        let relation = JihuaCourseSection::find_by_id_in_org(
            section_id,
+            &current_org_id,
            extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
        )?;
-        let belonging_jihua = Jihua::find_by_id(
+        let belonging_jihua = Jihua::find_by_id_in_org(
            &relation.jihua_id,
+            &current_org_id,
            extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
        )?;
        let _ = belonging_jihua.update_count(extract_conn(fetch_db_conn(&db_pool)?).deref_mut())?;
@@ -406,12 +443,12 @@ pub async fn raw_delete_lianxi_by_id(
 }

 pub async fn delete_lianxi_by_id2(
-    _root: HtySudoerTokenHeader,
+    root: HtySudoerTokenHeader,
    Path(id_delete): Path<String>,
    State(db_pool): State<Arc<DbState>>,
 ) -> Json<HtyResponse<ReqLianxi2>> {
    debug!("delete_lianxi_by_id2 -> start here");
-    match raw_delete_lianxi_by_id2(&id_delete, db_pool).await {
+    match raw_delete_lianxi_by_id2(&root, &id_delete, db_pool).await {
        Ok(ok) => wrap_json_ok_resp(ok),
        Err(e) => {
            error!("delete_lianxi_by_id2 -> failed to delete lianxi, e: {}", e);
@@ -421,11 +458,18 @@ pub async fn delete_lianxi_by_id2(
 }

 pub async fn raw_delete_lianxi_by_id2(
+    root: &HtySudoerTokenHeader,
    id_delete: &String,
    db_pool: Arc<DbState>,
 ) -> anyhow::Result<ReqLianxi2> {
    // let to_delete_lianxi = Lianxi::find_by_id(id_delete, extract_conn(fetch_db_conn(&db_pool)?).deref_mut())?;
    // let piyues = to_delete_lianxi.find_linked_piyues(extract_conn(fetch_db_conn(&db_pool)?).deref_mut())?;
+    let current_org_id = required_current_org_id_from_sudoer_token_str(&root.0)?;
+    let _ = Lianxi::find_by_id_in_org(
+        id_delete,
+        &current_org_id,
+        extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),
+    )?;
    let deleted_lianxi = Lianxi::logic_delete_by_id(
        id_delete,
        extract_conn(fetch_db_conn(&db_pool)?).deref_mut(),