[FEAT] 移除「商品狀態」冗餘模組、優化麵包屑導航與完善帳號角色過濾邏輯

2026-03-27 16:53:43 +08:00
parent 740eaa30b7
commit c875ab7d29
15 changed files with 431 additions and 159 deletions
--- a/app/Http/Controllers/Admin/PermissionController.php
+++ b/app/Http/Controllers/Admin/PermissionController.php
@@ -315,8 +315,8 @@ class PermissionController extends Controller

        // 驗證角色與公司的匹配性 (RBAC Safeguard)
        if ($company_id !== null) {
-            // 如果是租戶帳號，不能選超級管理員角色
-            if ($role->is_system && $role->name === 'super-admin') {
+            // 如果是租戶帳號，絕對不能指派超級管理員角色 (super-admin)
+            if ($role->name === 'super-admin') {
                return redirect()->back()->with('error', __('Super-admin role cannot be assigned to tenant accounts.'));
            }
            // 如果角色有特定的 company_id，必須匹配
@@ -324,7 +324,7 @@ class PermissionController extends Controller
                return redirect()->back()->with('error', __('This role belongs to another company and cannot be assigned.'));
            }
        } else {
-            // 如果是系統層級帳號，只能選系統角色 (is_system = 1)
+            // 如果是系統層級帳號，只能選全域系統角色 (is_system = 1)
            if (!$role->is_system) {
                return redirect()->back()->with('error', __('Only system roles can be assigned to platform administrative accounts.'));
            }
@@ -408,7 +408,8 @@ class PermissionController extends Controller
        // 驗證角色與公司的匹配性 (RBAC Safeguard)
        if ($user->id !== auth()->id()) { // 排除編輯自己 (super-admin 有特殊邏輯)
            if ($target_company_id !== null) {
-                if ($roleObj->is_system && $roleObj->name === 'super-admin') {
+                // 租戶層級排除 super-admin
+                if ($roleObj->name === 'super-admin') {
                    return redirect()->back()->with('error', __('Super-admin role cannot be assigned to tenant accounts.'));
                }
                if ($roleObj->company_id !== null && $roleObj->company_id != $target_company_id) {
@@ -416,7 +417,7 @@ class PermissionController extends Controller
                }
            } else {
                if (!$roleObj->is_system) {
-                    return redirect()->back()->with('error', __('Only system roles can be assigned to platform administrative accounts.'));
+                    return redirect()->back()->with('error', __('Only global system roles can be assigned to platform administrative accounts.'));
                }
            }
        }