Complete account group permission management

Author: DeliciousBuding

admin/account_groups.go

@@ -201,35 +201,27 @@ func (h *Handler) DeleteAccountGroup(c *gin.Context) {
 			h.store.ApplyAccountGroups(acc.DBID, groups)
 		}
 	}
-	if err := h.removeDeletedGroupFromAPIKeyScopes(ctx, id); err != nil {
-		writeInternalError(c, err)
-		return
-	}
+	h.refreshAPIKeyAllowedGroupsAfterGroupDelete(ctx, id)
 	writeMessage(c, http.StatusOK, "分组已删除")
 }
 
-func (h *Handler) removeDeletedGroupFromAPIKeyScopes(ctx context.Context, groupID int64) error {
+func (h *Handler) refreshAPIKeyAllowedGroupsAfterGroupDelete(ctx context.Context, groupID int64) {
 	if h == nil || h.db == nil || groupID <= 0 {
-		return nil
+		return
 	}
 	keys, err := h.db.ListAPIKeys(ctx)
 	if err != nil {
-		return err
+		return
 	}
 	for _, key := range keys {
-		if key == nil || !containsInt64(key.AllowedGroupIDs, groupID) {
+		if key == nil {
 			continue
 		}
-		next := removeInt64(key.AllowedGroupIDs, groupID)
-		if err := h.db.UpdateAPIKeyAllowedGroupIDs(ctx, key.ID, next); err != nil {
-			return err
-		}
 		if h.store != nil {
-			h.store.SetAPIKeyAllowedGroups(key.ID, next)
+			h.store.SetAPIKeyAllowedGroups(key.ID, key.AllowedGroupIDs)
 		}
 		h.invalidateAPIKeyRuntimeCaches(ctx, key.Key)
 	}
-	return nil
 }
 
 func sanitizeAccountGroupName(raw string) (string, error) {

admin/handler.go

@@ -729,7 +729,30 @@ func (h *Handler) UpdateAccountScheduler(c *gin.Context) {
 		return
 	}
 	if h.store != nil {
-		h.store.ApplyAccountSchedulerOverrides(id, nullableInt64Pointer(scoreBiasOverride), nullableInt64Pointer(baseConcurrencyOverride))
+		if scoreBiasOverride.Set || baseConcurrencyOverride.Set {
+			current := h.store.FindByID(id)
+			var score *int64
+			var concurrency *int64
+			if current != nil {
+				current.Mu().RLock()
+				if current.ScoreBiasOverride != nil {
+					value := *current.ScoreBiasOverride
+					score = &value
+				}
+				if current.BaseConcurrencyOverride != nil {
+					value := *current.BaseConcurrencyOverride
+					concurrency = &value
+				}
+				current.Mu().RUnlock()
+			}
+			if scoreBiasOverride.Set {
+				score = nullableInt64Pointer(scoreBiasOverride.Value)
+			}
+			if baseConcurrencyOverride.Set {
+				concurrency = nullableInt64Pointer(baseConcurrencyOverride.Value)
+			}
+			h.store.ApplyAccountSchedulerOverrides(id, score, concurrency)
+		}
 		if allowedAPIKeyIDs.Set {
 			h.store.ApplyAccountAllowedAPIKeys(id, allowedAPIKeyIDs.Values)
 		}
@@ -804,23 +827,26 @@ func parseOptionalStringSliceField(raw json.RawMessage, field string) (optionalS
 	return optionalStringSlice{Set: true, Values: out}, nil
 }
 
-func parseOptionalIntegerField(raw json.RawMessage, field string, minValue, maxValue int64) (sql.NullInt64, error) {
-	if len(raw) == 0 || string(raw) == "null" {
-		return sql.NullInt64{}, nil
+func parseOptionalIntegerField(raw json.RawMessage, field string, minValue, maxValue int64) (database.OptionalNullInt64, error) {
+	if len(raw) == 0 {
+		return database.OptionalNullInt64{}, nil
+	}
+	if string(raw) == "null" {
+		return database.OptionalNullInt64{Set: true}, nil
 	}
 
 	var number json.Number
 	if err := json.Unmarshal(raw, &number); err != nil {
-		return sql.NullInt64{}, fmt.Errorf("%s 必须是整数或 null", field)
+		return database.OptionalNullInt64{}, fmt.Errorf("%s 必须是整数或 null", field)
 	}
 	value, err := number.Int64()
 	if err != nil {
-		return sql.NullInt64{}, fmt.Errorf("%s 必须是整数或 null", field)
+		return database.OptionalNullInt64{}, fmt.Errorf("%s 必须是整数或 null", field)
 	}
 	if value < minValue || value > maxValue {
-		return sql.NullInt64{}, fmt.Errorf("%s 超出范围，必须在 %d..%d 之间", field, minValue, maxValue)
+		return database.OptionalNullInt64{}, fmt.Errorf("%s 超出范围，必须在 %d..%d 之间", field, minValue, maxValue)
 	}
-	return sql.NullInt64{Int64: value, Valid: true}, nil
+	return database.OptionalNullInt64{Set: true, Value: sql.NullInt64{Int64: value, Valid: true}}, nil
 }
 
 func parseOptionalIntegerSliceField(raw json.RawMessage, field string) (database.OptionalInt64Slice, error) {
@@ -3117,12 +3143,13 @@ func (h *Handler) ListAPIKeys(c *gin.Context) {
 }
 
 type createKeyReq struct {
-	Name          string   `json:"name"`
-	Key           string   `json:"key"`
-	QuotaLimit    *float64 `json:"quota_limit"`
-	Quota         *float64 `json:"quota"`
-	ExpiresAt     string   `json:"expires_at"`
-	ExpiresInDays *int     `json:"expires_in_days"`
+	Name            string          `json:"name"`
+	Key             string          `json:"key"`
+	QuotaLimit      *float64        `json:"quota_limit"`
+	Quota           *float64        `json:"quota"`
+	ExpiresAt       string          `json:"expires_at"`
+	ExpiresInDays   *int            `json:"expires_in_days"`
+	AllowedGroupIDs json.RawMessage `json:"allowed_group_ids"`
 }
 
 // generateKey 生成随机 API Key
@@ -3178,6 +3205,11 @@ func (h *Handler) CreateAPIKey(c *gin.Context) {
 		writeError(c, http.StatusBadRequest, err.Error())
 		return
 	}
+	allowedGroupIDs, err := parseOptionalIntegerSliceField(req.AllowedGroupIDs, "allowed_group_ids")
+	if err != nil {
+		writeError(c, http.StatusBadRequest, err.Error())
+		return
+	}
 
 	key := req.Key
 	if key == "" {
@@ -3193,17 +3225,39 @@ func (h *Handler) CreateAPIKey(c *gin.Context) {
 
 	ctx, cancel := context.WithTimeout(c.Request.Context(), 5*time.Second)
 	defer cancel()
+	if allowedGroupIDs.Set {
+		missing, err := h.db.VerifyAccountGroupIDs(ctx, allowedGroupIDs.Values)
+		if err != nil {
+			writeInternalError(c, err)
+			return
+		}
+		if len(missing) > 0 {
+			values := make([]string, 0, len(missing))
+			for _, value := range missing {
+				values = append(values, strconv.FormatInt(value, 10))
+			}
+			writeError(c, http.StatusBadRequest, "allowed_group_ids 包含不存在的分组 ID: "+strings.Join(values, ", "))
+			return
+		}
+	}
 
 	id, err := h.db.InsertAPIKeyWithOptions(ctx, database.APIKeyInput{
-		Name:       req.Name,
-		Key:        key,
-		QuotaLimit: quotaLimit,
-		ExpiresAt:  expiresAt,
+		Name:            req.Name,
+		Key:             key,
+		QuotaLimit:      quotaLimit,
+		ExpiresAt:       expiresAt,
+		AllowedGroupIDs: allowedGroupIDs.Values,
 	})
 	if err != nil {
 		writeError(c, http.StatusInternalServerError, "创建失败: "+err.Error())
 		return
 	}
+	if allowedGroupIDs.Set {
+		values := dedupeInt64(allowedGroupIDs.Values)
+		if h.store != nil {
+			h.store.SetAPIKeyAllowedGroups(id, values)
+		}
+	}
 	h.invalidateAPIKeyRuntimeCaches(ctx, key)
 
 	// 记录安全审计日志
@@ -3215,12 +3269,13 @@ func (h *Handler) CreateAPIKey(c *gin.Context) {
 		expiresAtResponse = &formatted
 	}
 	c.JSON(http.StatusOK, createAPIKeyResponse{
-		ID:         id,
-		Key:        key,
-		Name:       req.Name,
-		QuotaLimit: quotaLimit,
-		QuotaUsed:  0,
-		ExpiresAt:  expiresAtResponse,
+		ID:              id,
+		Key:             key,
+		Name:            req.Name,
+		QuotaLimit:      quotaLimit,
+		QuotaUsed:       0,
+		ExpiresAt:       expiresAtResponse,
+		AllowedGroupIDs: dedupeInt64(allowedGroupIDs.Values),
 	})
 }
 

admin/handler_test.go

@@ -491,7 +491,7 @@ func TestUpdateAccountSchedulerResetsToAutoOnNull(t *testing.T) {
 	db := newTestAdminDB(t)
 	accountID := insertTestAccount(t, db)
 	ctx := context.Background()
-	if err := db.UpdateAccountSchedulerConfig(ctx, accountID, sql.NullInt64{Int64: 20, Valid: true}, sql.NullInt64{Int64: 4, Valid: true}, database.OptionalInt64Slice{}); err != nil {
+	if err := db.UpdateAccountSchedulerConfig(ctx, accountID, database.OptionalNullInt64{Set: true, Value: sql.NullInt64{Int64: 20, Valid: true}}, database.OptionalNullInt64{Set: true, Value: sql.NullInt64{Int64: 4, Valid: true}}, database.OptionalInt64Slice{}); err != nil {
 		t.Fatalf("seed scheduler config: %v", err)
 	}
 
@@ -523,6 +523,49 @@ func TestUpdateAccountSchedulerResetsToAutoOnNull(t *testing.T) {
 	}
 }
 
+func TestUpdateAccountSchedulerPartialMetadataPatchPreservesSchedulerConfig(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	db := newTestAdminDB(t)
+	accountID := insertTestAccount(t, db)
+	keyID := insertTestAPIKey(t, db, "Team A")
+	ctx := context.Background()
+	if err := db.UpdateAccountSchedulerConfig(ctx, accountID,
+		database.OptionalNullInt64{Set: true, Value: sql.NullInt64{Int64: 20, Valid: true}},
+		database.OptionalNullInt64{Set: true, Value: sql.NullInt64{Int64: 4, Valid: true}},
+		database.OptionalInt64Slice{Set: true, Values: []int64{keyID}},
+	); err != nil {
+		t.Fatalf("seed scheduler config: %v", err)
+	}
+
+	handler := &Handler{db: db}
+	recorder := httptest.NewRecorder()
+	ginCtx, _ := gin.CreateTestContext(recorder)
+	ginCtx.Params = gin.Params{{Key: "id", Value: fmt.Sprintf("%d", accountID)}}
+	ginCtx.Request = httptest.NewRequest(http.MethodPatch, fmt.Sprintf("/api/admin/accounts/%d/scheduler", accountID), strings.NewReader(`{"tags":["ops"]}`))
+	ginCtx.Request.Header.Set("Content-Type", "application/json")
+
+	handler.UpdateAccountScheduler(ginCtx)
+
+	if recorder.Code != http.StatusOK {
+		t.Fatalf("status = %d, want %d", recorder.Code, http.StatusOK)
+	}
+
+	rows, err := db.ListActive(context.Background())
+	if err != nil {
+		t.Fatalf("ListActive: %v", err)
+	}
+	if !rows[0].ScoreBiasOverride.Valid || rows[0].ScoreBiasOverride.Int64 != 20 {
+		t.Fatalf("score_bias_override = %+v, want 20", rows[0].ScoreBiasOverride)
+	}
+	if !rows[0].BaseConcurrencyOverride.Valid || rows[0].BaseConcurrencyOverride.Int64 != 4 {
+		t.Fatalf("base_concurrency_override = %+v, want 4", rows[0].BaseConcurrencyOverride)
+	}
+	if got := rows[0].GetCredentialInt64Slice("allowed_api_key_ids"); len(got) != 1 || got[0] != keyID {
+		t.Fatalf("allowed_api_key_ids = %v, want [%d]", got, keyID)
+	}
+}
+
 func TestUpdateAccountSchedulerClearsAllowedAPIKeyIDsOnNull(t *testing.T) {
 	gin.SetMode(gin.TestMode)
 

admin/responses.go

@@ -89,12 +89,13 @@ func NewMaskedAPIKeyRow(row *database.APIKeyRow) *MaskedAPIKeyRow {
 }
 
 type createAPIKeyResponse struct {
-	ID         int64   `json:"id"`
-	Key        string  `json:"key"`
-	Name       string  `json:"name"`
-	QuotaLimit float64 `json:"quota_limit"`
-	QuotaUsed  float64 `json:"quota_used"`
-	ExpiresAt  *string `json:"expires_at"`
+	ID              int64   `json:"id"`
+	Key             string  `json:"key"`
+	Name            string  `json:"name"`
+	QuotaLimit      float64 `json:"quota_limit"`
+	QuotaUsed       float64 `json:"quota_used"`
+	ExpiresAt       *string `json:"expires_at"`
+	AllowedGroupIDs []int64 `json:"allowed_group_ids"`
 }
 
 type opsOverviewResponse struct {

database/account_groups.go

@@ -156,6 +156,9 @@ func (db *DB) DeleteAccountGroup(ctx context.Context, id int64, force ...bool) e
 	if _, err := tx.ExecContext(ctx, "DELETE FROM account_group_members WHERE group_id = "+ph, id); err != nil {
 		return err
 	}
+	if err := pruneDeletedGroupFromAPIKeyScopes(ctx, tx, db.isSQLite(), id); err != nil {
+		return err
+	}
 	res, err := tx.ExecContext(ctx, "DELETE FROM account_groups WHERE id = "+ph, id)
 	if err != nil {
 		return err
@@ -170,6 +173,65 @@ func (db *DB) DeleteAccountGroup(ctx context.Context, id int64, force ...bool) e
 	return tx.Commit()
 }
 
+func pruneDeletedGroupFromAPIKeyScopes(ctx context.Context, tx *sql.Tx, sqlite bool, groupID int64) error {
+	rows, err := tx.QueryContext(ctx, `SELECT id, COALESCE(allowed_group_ids, '[]') FROM api_keys`)
+	if err != nil {
+		return err
+	}
+	defer rows.Close()
+
+	type update struct {
+		id     int64
+		groups []int64
+	}
+	updates := make([]update, 0)
+	for rows.Next() {
+		var id int64
+		var raw interface{}
+		if err := rows.Scan(&id, &raw); err != nil {
+			return err
+		}
+		groups := decodeInt64SliceValue(raw)
+		if !containsInt64(groups, groupID) {
+			continue
+		}
+		updates = append(updates, update{id: id, groups: removeInt64(groups, groupID)})
+	}
+	if err := rows.Err(); err != nil {
+		return err
+	}
+
+	query := `UPDATE api_keys SET allowed_group_ids = $1::jsonb WHERE id = $2`
+	if sqlite {
+		query = `UPDATE api_keys SET allowed_group_ids = ? WHERE id = ?`
+	}
+	for _, item := range updates {
+		if _, err := tx.ExecContext(ctx, query, encodeInt64SliceJSON(item.groups), item.id); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func removeInt64(slice []int64, target int64) []int64 {
+	out := make([]int64, 0, len(slice))
+	for _, v := range slice {
+		if v != target {
+			out = append(out, v)
+		}
+	}
+	return out
+}
+
+func containsInt64(slice []int64, target int64) bool {
+	for _, v := range slice {
+		if v == target {
+			return true
+		}
+	}
+	return false
+}
+
 func (db *DB) SetAccountGroups(ctx context.Context, accountID int64, groupIDs []int64) error {
 	tx, err := db.conn.BeginTx(ctx, nil)
 	if err != nil {