feat: 预付款列表、详情页访问权限

app/controller/advance_controller.js

@@ -68,7 +68,7 @@ module.exports = app => {
         /**
          * 获取通用的renderData（用于layout, Menu, subMenu部分）
          * @param {Object} ctx 全局上下文
-         * @return {{auditConst, jsFiles, accountGroup?, accountList?, auditors, auditHistory, preUrl}}
+         * @return {{auditConst, jsFiles, accountGroup?, accountList?, auditors, auditHistory, preUrl}} 通用数据
          * @private
          */
         async _getDefaultRenderData(ctx) {
@@ -87,6 +87,9 @@ module.exports = app => {
                     columns: ['id', 'name', 'company', 'role', 'enable', 'is_admin', 'account_group'],
                 });
                 data.accountList = accountList;
+                // accountGroup.forEach
+                // console.log('accountGroup', accountGroup);
+                // console.log('accountList', accountList);
             }
             // 获取审核人左边列表
             data.auditors = await ctx.service.advanceAudit.getAuditorsWithOwner(ctx.advance.id, ctx.advance.times);
@@ -104,6 +107,14 @@ module.exports = app => {
             return data;
         }
 
+        _checkCanEntry(ctx) {
+            if (ctx.session.sessionUser.accountId !== ctx.advance.uid) {
+                if (ctx.advance.status === auditConst.status.uncheck) {
+                    throw '无权访问';
+                }
+            }
+        }
+
         /**
          * 预付款详情页(AJAX) GET
          * @param {Object} ctx 全局上下文
@@ -111,6 +122,7 @@ module.exports = app => {
         async detail(ctx) {
             const advancePayTotal = ctx.advance.type === 0 ? ctx.tender.info.deal_param.startAdvance : ctx.tender.info.deal_param.materialAdvance;
             try {
+                this._checkCanEntry(ctx);
                 const renderData = await this._getDefaultRenderData(ctx);
                 const { uncheck, checkNo } = auditConst.status;
                 const { status } = ctx.advance;