linxianzhuang/saasshop
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

platform_orders index: rollback tools layout wrapper; quick filters use safe back

Browse Source
This commit is contained in:
萝卜
2026-03-14 11:25:02 +00:00
parent a343a06ce2
commit bfcd5a727f
2 changed files with 87 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

36
resources/views/admin/platform_orders/index.blade.php
View File

@@ -150,18 +150,18 @@
@php @php
// 快捷筛选:尽量保留当前筛选(站点/套餐/订阅ID/back 等),仅覆盖目标筛选字段,并清空 page。 // 快捷筛选:尽量保留当前筛选(站点/套餐/订阅ID/back 等),仅覆盖目标筛选字段,并清空 page。
$buildQuickFilterUrl = function (array $overrides) { $buildQuickFilterUrl = function (array $overrides) use ($safeBackForLinks) {
$path = '/' . ltrim(request()->path(), '/'); $path = '/' . ltrim(request()->path(), '/');
// 快捷筛选的设计原则: // 快捷筛选的设计原则:
// - 保留“上下文”字段(站点/套餐/订阅/back/关键词) // - 保留“上下文”字段(站点/套餐/订阅/关键词/back
// - 但back 必须走全页统一安全护栏(避免把 unsafe back 透传到链接里)
// - 清理其它可能互斥/叠加导致空结果的筛选字段(例如 syncable_only/reconcile_mismatch 等) // - 清理其它可能互斥/叠加导致空结果的筛选字段(例如 syncable_only/reconcile_mismatch 等)
// - 并且强制清空 page避免落到空页 // - 并且强制清空 page避免落到空页
$contextKeys = [ $contextKeys = [
'merchant_id' => 1, 'merchant_id' => 1,
'plan_id' => 1, 'plan_id' => 1,
'site_subscription_id' => 1, 'site_subscription_id' => 1,
'back' => 1,
'keyword' => 1, 'keyword' => 1,
// 线索联动:从开通线索跳转来的上下文应保留(避免快捷筛选跳走后丢上下文) // 线索联动:从开通线索跳转来的上下文应保留(避免快捷筛选跳走后丢上下文)
'lead_id' => 1, 'lead_id' => 1,
@@ -169,6 +169,12 @@
$q = array_intersect_key(request()->query(), $contextKeys); $q = array_intersect_key(request()->query(), $contextKeys);
if ($safeBackForLinks !== '') {
$q['back'] = $safeBackForLinks;
} else {
unset($q['back']);
}
foreach ($overrides as $k => $v) { foreach ($overrides as $k => $v) {
if ($v === null) { if ($v === null) {
unset($q[$k]); unset($q[$k]);
@@ -185,16 +191,10 @@
}; };
// “全部”:清空筛选,但保留 back用于返回来源页 // “全部”:清空筛选,但保留 back用于返回来源页
$incomingBack = (string) request()->query('back', ''); // “全部”:清空筛选,但保留安全 back用于返回来源页
$safeBack = (str_starts_with($incomingBack, '/')
&& !preg_match('/["\'<>]/', $incomingBack)
// back 本身不应再包含 back避免无限嵌套导致 URL 膨胀)
&& !preg_match('/(?:^|[?&])back=/', $incomingBack))
? $incomingBack
: '';
$allUrl = '/admin/platform-orders'; $allUrl = '/admin/platform-orders';
if ($safeBack !== '') { if ($safeBackForLinks !== '') {
$allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBack]); $allUrl .= '?' . \Illuminate\Support\Arr::query(['back' => $safeBackForLinks]);
} }
@endphp @endphp
@@ -436,7 +436,7 @@
</ol> </ol>
</div> </div>
<div class="muted governance-block-footnote">说明:本页“批量同步/批量生效/清理失败标记”等工具动作会透传当前筛选条件;建议先缩小到明确集合再操作。</div> <div class="muted governance-block-footnote">说明:本页“批量同步/批量生效/清理失败标记”等工具动作会透传当前筛选条件;建议先缩小到明确集合再操作。</div>
<div class="muted governance-block-footnote">提示:如果你是从其它页面(例如订阅详情/套餐页)通过 back 进入本页,建议优先用上方「← 返回上一页(保留上下文)」回到来源页,再继续操作。</div> <div class="muted governance-block-footnote">提示:如果你是从其它页面(例如订阅详情/套餐页)通过 back 进入本页,建议优先用上方的「返回上一页」入口回到来源页,再继续操作。</div>
</div> </div>
<div class="card"> <div class="card">
@@ -552,14 +552,6 @@
<h3>工具</h3> <h3>工具</h3>
<div class="muted mb-10">清除仅影响订单 meta 中的失败标记,不改变订单/订阅状态。</div> <div class="muted mb-10">清除仅影响订单 meta 中的失败标记,不改变订单/订阅状态。</div>
@php
// 工具区布局:采用与“筛选条件”类似的排版(两列),避免所有内容挤到左侧。
// 说明:仅做结构包裹,不改动原表单字段/行为。
$toolForms = [];
@endphp
<div class="grid-2">
@php @php
$hasReconcileMismatchFilter = (($filters['reconcile_mismatch'] ?? '') === '1'); $hasReconcileMismatchFilter = (($filters['reconcile_mismatch'] ?? '') === '1');
$hasRefundInconsistentFilter = (($filters['refund_inconsistent'] ?? '') === '1'); $hasRefundInconsistentFilter = (($filters['refund_inconsistent'] ?? '') === '1');
@@ -942,8 +934,6 @@
<button class="btn btn-danger btn-sm" type="submit">清除批量标记支付失败标记(全部订单)</button> <button class="btn btn-danger btn-sm" type="submit">清除批量标记支付失败标记(全部订单)</button>
</div> </div>
</form> </form>
</div>
</div> </div>
<div class="card"> <div class="card">

74
tests/Feature/AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest.php Normal file
View File

@@ -0,0 +1,74 @@
<?php
namespace Tests\Feature;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;
class AdminPlatformOrderIndexUnsafeBackShouldBeDroppedForLinksTest extends TestCase
{
use RefreshDatabase;
protected function loginAsPlatformAdmin(): void
{
$this->seed();
$this->post('/admin/login', [
'email' => 'platform.admin@demo.local',
'password' => 'Platform@123456',
])->assertRedirect('/admin');
}
public static function invalidBackProvider(): array
{
return [
'contains_quote' => ['/admin/plans?x="'],
'contains_tag' => ['/admin/plans?<script>alert(1)</script>'],
'nested_back' => ['/admin/plans?back=/admin/platform-orders'],
];
}
/**
* @dataProvider invalidBackProvider
*/
public function test_index_should_drop_unsafe_back_for_safe_full_url_with_query_links(string $invalidBack): void
{
$this->loginAsPlatformAdmin();
$res = $this->get('/admin/platform-orders?back=' . urlencode($invalidBack));
$res->assertOk();
$html = (string) $res->getContent();
// unsafe back 时,不应渲染“返回上一页(保留上下文)”的可点击链接。
// 注意:页面的说明文字中可能包含该文案,因此这里用正则只匹配 <a> 标签。
$this->assertSame(
0,
preg_match('/<a[^>]+href="[^"]+"[^>]*>\s*← 返回上一页(保留上下文)\s*<\/a>/', $html),
'unsafe back 时不应渲染可点击的返回链接'
);
preg_match_all('/href="([^"]+)"/', $html, $matches);
$hrefs = $matches[1] ?? [];
$found = false;
foreach ($hrefs as $u) {
if (!str_contains($u, '/admin/platform-orders')) {
continue;
}
$parts = parse_url($u);
parse_str($parts['query'] ?? '', $q);
if (($q['payment_status'] ?? null) !== 'paid') {
continue;
}
$found = true;
$this->assertArrayNotHasKey('back', $q, 'unsafe back 不应出现在 fullUrlWithQuery 类链接中');
break;
}
$this->assertTrue($found, '未找到 payment_status=paid 的链接用于断言 back 是否被移除');
}
}