整体优化完善接口与数据权限检查

2026-03-28 14:18:11 +08:00
parent 51c377964d
commit 22cb2d50d3
21 changed files with 161 additions and 98 deletions
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
 ## TODO

-增删改数据权限排查
+用户请求需要检查数据权限
+
+管理页面查询统一加排序

 后端默认用户名不能是完整手机号

--- a/scripts/sql/init.sql
+++ b/scripts/sql/init.sql
@@ -433,6 +433,7 @@ create table permission (
    parent_id   int,
    name        text not null,
    description text,
+    sort        int,
    created_at  timestamptz default current_timestamp,
    updated_at  timestamptz default current_timestamp,
    deleted_at  timestamptz
@@ -447,6 +448,7 @@ comment on column permission.id is '权限ID';
 comment on column permission.parent_id is '父权限ID';
 comment on column permission.name is '权限名称';
 comment on column permission.description is '权限描述';
+comment on column permission.sort is '排序';
 comment on column permission.created_at is '创建时间';
 comment on column permission.updated_at is '更新时间';
 comment on column permission.deleted_at is '删除时间';
--- a/web/auth/check.go
+++ b/web/auth/check.go
@@ -2,6 +2,7 @@ package auth

 import (
 	m "platform/web/models"
+	"strings"

 	"github.com/gofiber/fiber/v2"
 )
@@ -12,7 +13,6 @@ type AuthCtx struct {
 	Client  *m.Client  `json:"client,omitempty"`
 	Scopes  []string   `json:"scopes,omitempty"`
 	Session *m.Session `json:"session,omitempty"`
-	smap    map[string]struct{}
 }

 func (a *AuthCtx) PermitUser(scopes ...string) (*AuthCtx, error) {
@@ -68,15 +68,11 @@ func (a *AuthCtx) checkScopes(scopes ...string) bool {
 	if len(scopes) == 0 || len(a.Scopes) == 0 {
 		return true
 	}
-	if len(a.smap) == 0 && len(a.Scopes) > 0 {
-		a.smap = make(map[string]struct{}, len(a.Scopes))
-		for _, scope := range a.Scopes {
-			a.smap[scope] = struct{}{}
-		}
-	}
 	for _, scope := range scopes {
-		if _, ok := a.smap[scope]; ok {
-			return true
+		for _, prefix := range a.Scopes {
+			if strings.HasPrefix(scope, prefix) {
+				return true
+			}
 		}
 	}
 	return false
--- a/web/core/model.go
+++ b/web/core/model.go
@@ -15,7 +15,7 @@ type Model struct {
 	ID        int32          `json:"id" gorm:"column:id;primaryKey"`
 	CreatedAt time.Time      `json:"created_at" gorm:"column:created_at"`
 	UpdatedAt time.Time      `json:"updated_at" gorm:"column:updated_at"`
-	DeletedAt gorm.DeletedAt `gorm:"column:deleted_at"`
+	DeletedAt gorm.DeletedAt `json:"-" gorm:"column:deleted_at"`
 }

 func (m *Model) GetID() int32 {
--- a/web/core/scopes.go
+++ b/web/core/scopes.go
@@ -1,30 +1,55 @@
 package core

 const (
-	ScopePermissionRead  = string("permission:read")
-	ScopePermissionWrite = string("permission:write")
+	ScopePermission      = string("permission")       // 权限
+	ScopePermissionRead  = string("permission:read")  // 读取权限列表
+	ScopePermissionWrite = string("permission:write") // 写入权限

-	ScopeAdminRoleRead  = string("admin_role:read")
-	ScopeAdminRoleWrite = string("admin_role:write")
+	ScopeAdminRole      = string("admin_role")       // 管理员角色
+	ScopeAdminRoleRead  = string("admin_role:read")  // 读取管理员角色列表
+	ScopeAdminRoleWrite = string("admin_role:write") // 写入管理员角色

-	ScopeAdminRead  = string("admin:read")
-	ScopeAdminWrite = string("admin:write")
+	ScopeAdmin      = string("admin")       // 管理员
+	ScopeAdminRead  = string("admin:read")  // 读取管理员列表
+	ScopeAdminWrite = string("admin:write") // 写入管理员

-	ScopeProductRead  = string("product:read")
-	ScopeProductWrite = string("product:write")
+	ScopeProduct      = string("product")       // 产品
+	ScopeProductRead  = string("product:read")  // 读取产品列表
+	ScopeProductWrite = string("product:write") // 写入产品

-	ScopeProductSkuRead  = string("product_sku:read")
-	ScopeProductSkuWrite = string("product_sku:write")
+	ScopeProductSku      = string("product_sku")       // 产品套餐
+	ScopeProductSkuRead  = string("product_sku:read")  // 读取产品套餐列表
+	ScopeProductSkuWrite = string("product_sku:write") // 写入产品套餐

-	ScopeProductDiscountRead  = string("product_discount:read")
-	ScopeProductDiscountWrite = string("product_discount:write")
+	ScopeDiscount      = string("discount")       // 折扣
+	ScopeDiscountRead  = string("discount:read")  // 读取折扣列表
+	ScopeDiscountWrite = string("discount:write") // 写入折扣

-	ScopeResourceRead  = string("resource:read")
-	ScopeResourceWrite = string("resource:write")
+	ScopeResource      = string("resource")       // 用户套餐
+	ScopeResourceRead  = string("resource:read")  // 读取用户套餐列表
+	ScopeResourceWrite = string("resource:write") // 写入用户套餐

-	ScopeUserRead  = string("user:read")
-	ScopeUserWrite = string("user:write")
+	ScopeUser      = string("user")       // 用户
+	ScopeUserRead  = string("user:read")  // 读取用户列表
+	ScopeUserWrite = string("user:write") // 写入用户

-	ScopeCouponRead  = string("coupon:read")
-	ScopeCouponWrite = string("coupon:write")
+	ScopeCoupon      = string("coupon")       // 优惠券
+	ScopeCouponRead  = string("coupon:read")  // 读取优惠券列表
+	ScopeCouponWrite = string("coupon:write") // 写入优惠券
+
+	ScopeBatch      = string("batch")       // 批次
+	ScopeBatchRead  = string("batch:read")  // 读取批次列表
+	ScopeBatchWrite = string("batch:write") // 写入批次
+
+	ScopeChannel      = string("channel")       // IP
+	ScopeChannelRead  = string("channel:read")  // 读取 IP 列表
+	ScopeChannelWrite = string("channel:write") // 写入 IP
+
+	ScopeTrade      = string("trade")       // 交易
+	ScopeTradeRead  = string("trade:read")  // 读取交易列表
+	ScopeTradeWrite = string("trade:write") // 写入交易
+
+	ScopeBill      = string("bill")       // 账单
+	ScopeBillRead  = string("bill:read")  // 读取账单列表
+	ScopeBillWrite = string("bill:write") // 写入账单
 )
--- a/web/handlers/admin.go
+++ b/web/handlers/admin.go
@@ -9,7 +9,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-func PageAdminsByAdmin(c *fiber.Ctx) error {
+func PageAdminByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeAdminRead)
 	if err != nil {
 		return err
@@ -37,7 +37,7 @@ type PageAdminsReq struct {
 	core.PageReq
 }

-func ListAdminsByAdmin(c *fiber.Ctx) error {
+func AllAdminByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeAdminRead)
 	if err != nil {
 		return err
--- a/web/handlers/admin_role.go
+++ b/web/handlers/admin_role.go
@@ -9,7 +9,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-func ListAdminRolesByAdmin(c *fiber.Ctx) error {
+func AllAdminRoleByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeAdminRoleRead)
 	if err != nil {
 		return err
@@ -23,7 +23,7 @@ func ListAdminRolesByAdmin(c *fiber.Ctx) error {
 	return c.JSON(list)
 }

-func PageAdminRolesByAdmin(c *fiber.Ctx) error {
+func PageAdminRoleByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeAdminRoleRead)
 	if err != nil {
 		return err
--- a/web/handlers/batch.go
+++ b/web/handlers/batch.go
@@ -12,8 +12,8 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-// PageResourceBatch 分页查询套餐提取记录
-func PageResourceBatch(ctx *fiber.Ctx) error {
+// PageBatch 分页查询套餐提取记录
+func PageBatch(ctx *fiber.Ctx) error {
 	// 检查权限
 	authCtx, err := auth.GetAuthCtx(ctx).PermitUser()
 	if err != nil {
@@ -59,7 +59,7 @@ type PageResourceBatchReq struct {

 // PageBatchByAdmin 分页查询所有提取记录
 func PageBatchByAdmin(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeBatchRead)
 	if err != nil {
 		return err
 	}
--- a/web/handlers/bill.go
+++ b/web/handlers/bill.go
@@ -14,7 +14,7 @@ import (
 // PageBillByAdmin 分页查询全部账单
 func PageBillByAdmin(c *fiber.Ctx) error {
 	// 检查权限
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeBillRead)
 	if err != nil {
 		return err
 	}
--- a/web/handlers/channel.go
+++ b/web/handlers/channel.go
@@ -15,10 +15,10 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-// PageChannelsByAdmin 分页查询所有通道
-func PageChannelsByAdmin(c *fiber.Ctx) error {
+// PageChannelByAdmin 分页查询所有通道
+func PageChannelByAdmin(c *fiber.Ctx) error {
 	// 检查权限
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeChannelRead)
 	if err != nil {
 		return err
 	}
@@ -98,8 +98,8 @@ type PageChannelsByAdminReq struct {
 	ExpiredAtEnd   *time.Time `json:"expired_at_end"`
 }

-// 分页查询当前用户通道
-func ListChannels(c *fiber.Ctx) error {
+// ListChannel 分页查询当前用户通道
+func ListChannel(c *fiber.Ctx) error {
 	// 检查权限
 	authContext, err := auth.GetAuthCtx(c).PermitUser()
 	if err != nil {
@@ -169,9 +169,15 @@ type ListChannelsReq struct {
 	ExpireBefore *time.Time        `json:"expire_before"`
 }

-// 创建新通道
+// CreateChannel 创建新通道
 func CreateChannel(c *fiber.Ctx) error {

+	// 检查权限
+	_, err := auth.GetAuthCtx(c).PermitUser()
+	if err != nil {
+		return err
+	}
+
 	// 解析参数
 	req := new(CreateChannelReq)
 	if err := g.Validator.ParseBody(c, req); err != nil {
--- a/web/handlers/coupon.go
+++ b/web/handlers/coupon.go
@@ -33,7 +33,7 @@ func PageCouponByAdmin(c *fiber.Ctx) error {
 	})
 }

-func AllCouponsByAdmin(c *fiber.Ctx) error {
+func AllCouponByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeCouponRead)
 	if err != nil {
 		return err
--- a/web/handlers/permission.go
+++ b/web/handlers/permission.go
@@ -9,7 +9,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-func ListPermissionsByAdmin(c *fiber.Ctx) error {
+func AllPermissionByAdmin(c *fiber.Ctx) error {
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopePermissionRead)
 	if err != nil {
 		return err
--- a/web/handlers/product.go
+++ b/web/handlers/product.go
@@ -9,7 +9,7 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-func AllProductsByAdmin(c *fiber.Ctx) error {
+func AllProductByAdmin(c *fiber.Ctx) error {
 	// 检查权限
 	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductRead)
 	if err != nil {
--- a/web/handlers/product_discount.go
+++ b/web/handlers/product_discount.go
@@ -9,8 +9,8 @@ import (
 	"github.com/gofiber/fiber/v2"
 )

-func PageProductDiscountByAdmin(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductDiscountRead)
+func PageDiscountByAdmin(c *fiber.Ctx) error {
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeDiscountRead)
 	if err != nil {
 		return err
 	}
@@ -33,8 +33,8 @@ func PageProductDiscountByAdmin(c *fiber.Ctx) error {
 	})
 }

-func AllProductDiscountsByAdmin(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductDiscountRead)
+func AllDiscountByAdmin(c *fiber.Ctx) error {
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeDiscountRead)
 	if err != nil {
 		return err
 	}
@@ -47,8 +47,8 @@ func AllProductDiscountsByAdmin(c *fiber.Ctx) error {
 	return c.JSON(list)
 }

-func CreateProductDiscount(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductDiscountWrite)
+func CreateDiscount(c *fiber.Ctx) error {
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeDiscountWrite)
 	if err != nil {
 		return err
 	}
@@ -66,8 +66,8 @@ func CreateProductDiscount(c *fiber.Ctx) error {
 	return nil
 }

-func UpdateProductDiscount(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductDiscountWrite)
+func UpdateDiscount(c *fiber.Ctx) error {
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeDiscountWrite)
 	if err != nil {
 		return err
 	}
@@ -85,8 +85,8 @@ func UpdateProductDiscount(c *fiber.Ctx) error {
 	return nil
 }

-func DeleteProductDiscount(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeProductDiscountWrite)
+func DeleteDiscount(c *fiber.Ctx) error {
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeDiscountWrite)
 	if err != nil {
 		return err
 	}
--- a/web/handlers/resource.go
+++ b/web/handlers/resource.go
@@ -209,7 +209,7 @@ type PageResourceLongReq struct {

 // PageResourceShortByAdmin 分页查询全部短效套餐
 func PageResourceShortByAdmin(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeResourceRead)
 	if err != nil {
 		return err
 	}
@@ -303,7 +303,7 @@ type PageResourceShortByAdminReq struct {

 // PageResourceLongByAdmin 分页查询全部长效套餐
 func PageResourceLongByAdmin(c *fiber.Ctx) error {
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeResourceRead)
 	if err != nil {
 		return err
 	}
--- a/web/handlers/trade.go
+++ b/web/handlers/trade.go
@@ -21,7 +21,7 @@ import (
 // PageTradeByAdmin 分页查询所有订单
 func PageTradeByAdmin(c *fiber.Ctx) error {
 	// 检查权限
-	_, err := auth.GetAuthCtx(c).PermitAdmin()
+	_, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeTradeRead)
 	if err != nil {
 		return err
 	}
@@ -193,6 +193,12 @@ type TradeCancelReq struct {

 // 检查订单
 func TradeCheck(c *fiber.Ctx) error {
+	// 检查权限
+	_, err := auth.GetAuthCtx(c).PermitUser()
+	if err != nil {
+		return err
+	}
+
 	// 解析请求参数
 	req := new(TradeCheckReq)
 	if err := g.Validator.ParseQuery(c, req); err != nil {
--- a/web/handlers/user.go
+++ b/web/handlers/user.go
@@ -121,7 +121,7 @@ func PageUserByAdmin(c *fiber.Ctx) error {

 	// 查询用户列表
 	users, total, err := q.User.Debug().
-		Preload(q.User.Admin).
+		Preload(q.User.Admin, q.User.Discount).
 		Omit(q.User.Password).
 		Where(do).
 		Order(q.User.CreatedAt).
@@ -159,7 +159,7 @@ type PageUserByAdminReq struct {
 // 绑定管理员
 func BindAdmin(c *fiber.Ctx) error {
 	// 检查权限
-	authCtx, err := auth.GetAuthCtx(c).PermitAdmin()
+	authCtx, err := auth.GetAuthCtx(c).PermitAdmin(core.ScopeUserWrite)
 	if err != nil {
 		return err
 	}
--- a/web/models/permission.go
+++ b/web/models/permission.go
@@ -8,6 +8,7 @@ type Permission struct {
 	ParentID    *int32  `json:"parent_id,omitempty" gorm:"column:parent_id"`     // 父权限ID
 	Name        string  `json:"name" gorm:"column:name"`                         // 权限名称
 	Description *string `json:"description,omitempty" gorm:"column:description"` // 权限描述
+	Sort        int     `json:"sort" gorm:"column:sort"`                         // 排序

 	Parent   *Permission   `json:"parent,omitempty" gorm:"foreignKey:ParentID"`
 	Children []*Permission `json:"children,omitempty" gorm:"foreignKey:ParentID"`
--- a/web/queries/permission.gen.go
+++ b/web/queries/permission.gen.go
@@ -34,6 +34,7 @@ func newPermission(db *gorm.DB, opts ...gen.DOOption) permission {
 	_permission.ParentID = field.NewInt32(tableName, "parent_id")
 	_permission.Name = field.NewString(tableName, "name")
 	_permission.Description = field.NewString(tableName, "description")
+	_permission.Sort = field.NewInt(tableName, "sort")
 	_permission.Children = permissionHasManyChildren{
 		db: db.Session(&gorm.Session{}),

@@ -72,6 +73,7 @@ type permission struct {
 	ParentID    field.Int32
 	Name        field.String
 	Description field.String
+	Sort        field.Int
 	Children    permissionHasManyChildren

 	Parent permissionBelongsToParent
@@ -98,6 +100,7 @@ func (p *permission) updateTableName(table string) *permission {
 	p.ParentID = field.NewInt32(table, "parent_id")
 	p.Name = field.NewString(table, "name")
 	p.Description = field.NewString(table, "description")
+	p.Sort = field.NewInt(table, "sort")

 	p.fillFieldMap()

@@ -114,7 +117,7 @@ func (p *permission) GetFieldByName(fieldName string) (field.OrderExpr, bool) {
 }

 func (p *permission) fillFieldMap() {
-	p.fieldMap = make(map[string]field.Expr, 9)
+	p.fieldMap = make(map[string]field.Expr, 10)
 	p.fieldMap["id"] = p.ID
 	p.fieldMap["created_at"] = p.CreatedAt
 	p.fieldMap["updated_at"] = p.UpdatedAt
@@ -122,6 +125,7 @@ func (p *permission) fillFieldMap() {
 	p.fieldMap["parent_id"] = p.ParentID
 	p.fieldMap["name"] = p.Name
 	p.fieldMap["description"] = p.Description
+	p.fieldMap["sort"] = p.Sort

 }

--- a/web/routes.go
+++ b/web/routes.go
@@ -15,6 +15,7 @@ func ApplyRouters(app *fiber.App) {
 	api := app.Group("/api")
 	userRouter(api)
 	adminRouter(api)
+	clientRouter(api)

 	// 回调
 	callbacks := app.Group("/callback")
@@ -45,7 +46,6 @@ func userRouter(api fiber.Router) {
 	auth.Post("/token", auth2.Token)
 	auth.Post("/revoke", auth2.Revoke)
 	auth.Post("/introspect", auth2.Introspect)
-	auth.Post("/verify/sms", handlers.SmsCode)

 	// 用户
 	user := api.Group("/user")
@@ -67,19 +67,18 @@ func userRouter(api fiber.Router) {
 	resource.Post("/list/short", handlers.PageResourceShort)
 	resource.Post("/list/long", handlers.PageResourceLong)
 	resource.Post("/create", handlers.CreateResource)
-	resource.Post("/price", handlers.ResourcePrice)
+
 	resource.Post("/statistics/free", handlers.StatisticResourceFree)
 	resource.Post("/statistics/usage", handlers.StatisticResourceUsage)

 	// 批次
 	batch := api.Group("/batch")
-	batch.Post("/page", handlers.PageResourceBatch)
+	batch.Post("/page", handlers.PageBatch)

 	// 通道
 	channel := api.Group("/channel")
-	channel.Post("/list", handlers.ListChannels)
+	channel.Post("/list", handlers.ListChannel)
 	channel.Post("/create", handlers.CreateChannel)
-	channel.Post("/remove", handlers.RemoveChannels)

 	// 交易
 	trade := api.Group("/trade")
@@ -101,7 +100,6 @@ func userRouter(api fiber.Router) {
 	proxy.Post("/online", handlers.ProxyReportOnline)
 	proxy.Post("/offline", handlers.ProxyReportOffline)
 	proxy.Post("/update", handlers.ProxyReportUpdate)
-	proxy.Post("/register/baidyin", handlers.ProxyRegisterBaiYin)

 	// 节点
 	edge := api.Group("/edge")
@@ -113,39 +111,60 @@ func userRouter(api fiber.Router) {
 	inquiry.Post("/create", handlers.CreateInquiry)
 }

+// 客户端接口路由
+func clientRouter(api fiber.Router) {
+	client := api
+
+	// 验证短信令牌
+	client.Post("/sms/verify", handlers.SmsCode)
+
+	// 套餐定价查询
+	resource := client.Group("/resource")
+	resource.Post("/price", handlers.ResourcePrice)
+
+	// 通道管理
+	channel := client.Group("/channel")
+	channel.Post("/remove", handlers.RemoveChannels)
+
+	// 代理网关注册
+	proxy := client.Group("/proxy")
+	proxy.Post("/register/baidyin", handlers.ProxyRegisterBaiYin)
+}
+
 // 管理员接口路由
 func adminRouter(api fiber.Router) {
 	api = api.Group("/admin")

-	// permission 权限
-	var permission = api.Group("/permission")
-	permission.Post("/list", handlers.ListPermissionsByAdmin)
-	permission.Post("/page", handlers.PagePermissionByAdmin)
-
-	// admin-role 管理员角色
-	var adminRole = api.Group("/admin-role")
-	adminRole.Post("/list", handlers.ListAdminRolesByAdmin)
-	adminRole.Post("/page", handlers.PageAdminRolesByAdmin)
-	adminRole.Post("/create", handlers.CreateAdminRole)
-	adminRole.Post("/update", handlers.UpdateAdminRole)
-	adminRole.Post("/remove", handlers.RemoveAdminRole)
-
-	// admin 管理员账户
+	// admin 管理员
 	var admin = api.Group("/admin")
-	admin.Post("/page", handlers.PageAdminsByAdmin)
-	admin.Post("/all", handlers.ListAdminsByAdmin)
+	admin.Post("/all", handlers.AllAdminByAdmin)
+	admin.Post("/page", handlers.PageAdminByAdmin)
 	admin.Post("/create", handlers.CreateAdmin)
 	admin.Post("/update", handlers.UpdateAdmin)
 	admin.Post("/remove", handlers.RemoveAdmin)

+	// admin-role 管理员角色
+	var adminRole = api.Group("/admin-role")
+	adminRole.Post("/list", handlers.AllAdminRoleByAdmin)
+	adminRole.Post("/page", handlers.PageAdminRoleByAdmin)
+	adminRole.Post("/create", handlers.CreateAdminRole)
+	adminRole.Post("/update", handlers.UpdateAdminRole)
+	adminRole.Post("/remove", handlers.RemoveAdminRole)
+
+	// permission 权限
+	var permission = api.Group("/permission")
+	permission.Post("/list", handlers.AllPermissionByAdmin)
+	permission.Post("/page", handlers.PagePermissionByAdmin)
+
 	// user 用户
 	var user = api.Group("/user")
 	user.Post("/page", handlers.PageUserByAdmin)
-	user.Post("/bind", handlers.BindAdmin)
 	user.Post("/create", handlers.CreateUserByAdmin)
 	user.Post("/update", handlers.UpdateUserByAdmin)
 	user.Post("/remove", handlers.RemoveUserByAdmin)

+	user.Post("/bind", handlers.BindAdmin)
+
 	// resource 套餐
 	var resource = api.Group("/resource")
 	resource.Post("/short/page", handlers.PageResourceShortByAdmin)
@@ -153,15 +172,15 @@ func adminRouter(api fiber.Router) {
 	resource.Post("/update", handlers.UpdateResourceByAdmin)

 	// batch 批次
-	var usage = api.Group("batch")
-	usage.Post("/page", handlers.PageBatchByAdmin)
+	var batch = api.Group("/batch")
+	batch.Post("/page", handlers.PageBatchByAdmin)

 	// channel 通道
 	var channel = api.Group("/channel")
-	channel.Post("/page", handlers.PageChannelsByAdmin)
+	channel.Post("/page", handlers.PageChannelByAdmin)

 	// trade 交易
-	var trade = api.Group("trade")
+	var trade = api.Group("/trade")
 	trade.Post("/page", handlers.PageTradeByAdmin)

 	// bill 账单
@@ -170,29 +189,31 @@ func adminRouter(api fiber.Router) {

 	// product 产品
 	var product = api.Group("/product")
-	product.Post("/all", handlers.AllProductsByAdmin)
+	product.Post("/all", handlers.AllProductByAdmin)
 	product.Post("/create", handlers.CreateProduct)
 	product.Post("/update", handlers.UpdateProduct)
 	product.Post("/remove", handlers.DeleteProduct)
+
 	product.Post("/sku/all", handlers.AllProductSkuByAdmin)
 	product.Post("/sku/page", handlers.PageProductSkuByAdmin)
 	product.Post("/sku/create", handlers.CreateProductSku)
 	product.Post("/sku/update", handlers.UpdateProductSku)
-	product.Post("/sku/update/discount/batch", handlers.BatchUpdateProductSkuDiscount)
 	product.Post("/sku/remove", handlers.DeleteProductSku)

+	product.Post("/sku/update/discount/batch", handlers.BatchUpdateProductSkuDiscount)
+
 	// discount 折扣
 	var discount = api.Group("/discount")
-	discount.Post("/page", handlers.PageProductDiscountByAdmin)
-	discount.Post("/all", handlers.AllProductDiscountsByAdmin)
-	discount.Post("/create", handlers.CreateProductDiscount)
-	discount.Post("/update", handlers.UpdateProductDiscount)
-	discount.Post("/remove", handlers.DeleteProductDiscount)
+	discount.Post("/all", handlers.AllDiscountByAdmin)
+	discount.Post("/page", handlers.PageDiscountByAdmin)
+	discount.Post("/create", handlers.CreateDiscount)
+	discount.Post("/update", handlers.UpdateDiscount)
+	discount.Post("/remove", handlers.DeleteDiscount)

 	// coupon 优惠券
 	var coupon = api.Group("/coupon")
+	coupon.Post("/all", handlers.AllCouponByAdmin)
 	coupon.Post("/page", handlers.PageCouponByAdmin)
-	coupon.Post("/all", handlers.AllCouponsByAdmin)
 	coupon.Post("/create", handlers.CreateCoupon)
 	coupon.Post("/update", handlers.UpdateCoupon)
 	coupon.Post("/remove", handlers.DeleteCoupon)
--- a/web/services/permission.go
+++ b/web/services/permission.go
@@ -11,7 +11,7 @@ var Permission = &permissionService{}
 type permissionService struct{}

 func (r *permissionService) ListPermissions() (result []*m.Permission, err error) {
-	return q.Permission.Find()
+	return q.Permission.Order(q.Permission.Sort).Find()
 }

 func (p *permissionService) PagePermissions(req core.PageReq) (result []*m.Permission, count int64, err error) {