import { Controller, Get, Post, Body, Patch, Param, Delete, Query, UseGuards, Request, ParseUUIDPipe, HttpCode, HttpStatus, } from '@nestjs/common'; import { UsersService } from './users.service'; import { WorkCityImportService } from './work-city-import.service'; import { CreateUserDto, UpdateUserDto, AssignRolesDto, AssignRegionRolesDto, AddRegionRoleDto, RemoveRegionRoleDto, TerminateUserDto, ActivateUserDto, UpdateUserStatusDto, RestoreUserDto, UserQueryDto, ResetPasswordDto, ImportUserMembershipsDto, } from './dto/user.dto'; import { PermissionsGuard } from '../auth/guards/permissions.guard'; import { RequirePermissions } from '@common/decorators/permissions.decorator'; import { Public } from '../../../common/decorators/public.decorator'; import { AuthService } from '../auth/auth.service'; import { Auditable, Sensitive } from '@core/observability/audit/decorators/auditable.decorator'; @Controller('users') export class UsersController { constructor( private readonly usersService: UsersService, private readonly authService: AuthService, private readonly workCityImportService: WorkCityImportService, ) {} /** * Get current user info */ @Get('me') async getMe(@Request() req: any) { return this.usersService.findOneWithPermissions(req.user.userId); } /** * Get user list */ @Get() @RequirePermissions('user:read') async findAll(@Query() query: UserQueryDto) { return this.usersService.findAll(query); } /** * Get user by ID * Scope: organization - 只能查看本组织用户 */ @Get(':id') @RequirePermissions('user:read') async findOne(@Param('id', ParseUUIDPipe) id: string) { return this.usersService.findOne(id); } /** * Create user */ @Post() @Auditable() @RequirePermissions('user:create') async create(@Body() createUserDto: CreateUserDto) { return this.usersService.create(createUserDto); } /** * Batch import user memberships (user-department relationships) * 批量导入用户成员关系(用户-部门关系) * * 注意:用户应已通过Entra ID同步创建,此接口仅用于导入用户-部门关系 * Scope: organization - 只能为本组织用户导入成员关系 */ @Post('import-memberships') @Auditable() @RequirePermissions('user:update') async importMemberships(@Body() importDto: ImportUserMembershipsDto) { return this.usersService.importMemberships(importDto); } /** * v1.2 工作地 Excel 导入预览(rows 为前端预解析的 [{email, workCity}] 数组) * 返回 exact / similar / new 三类分组,不落库 */ @Post('import-work-city/preview') @Auditable() @UseGuards(PermissionsGuard) @RequirePermissions('user:update') async previewImportWorkCity( @Body() body: { rows?: Array<{ email?: string; workCity?: string }> }, ) { return this.workCityImportService.preview(body?.rows ?? []); } /** * v1.2 工作地 Excel 导入提交(带管理员在预览页做的 approvals 决策) */ @Post('import-work-city/commit') @Auditable() @Sensitive() @UseGuards(PermissionsGuard) @RequirePermissions('user:update') async commitImportWorkCity( @Body() body: { rows?: Array<{ email?: string; workCity?: string }>; approvals?: Record; }, @Request() req: any, ) { return this.workCityImportService.commit( body?.rows ?? [], body?.approvals ?? {}, req?.user?.userId ?? req?.user?.id, ); } /** * Update user */ @Patch(':id') @Auditable() @RequirePermissions('user:update') async update( @Param('id', ParseUUIDPipe) id: string, @Body() updateUserDto: UpdateUserDto, ) { return this.usersService.update(id, updateUserDto); } /** * Delete user (soft delete) */ @Delete(':id') @Auditable() @Sensitive() @RequirePermissions('user:delete') async remove(@Param('id', ParseUUIDPipe) id: string) { return this.usersService.remove(id); } /** * Get user roles */ @Get(':id/roles') async getUserRoles(@Param('id', ParseUUIDPipe) id: string) { return this.usersService.getUserRoles(id); } /** * Assign roles to user (PUT 语义:完全替换用户的所有角色) * * ⚠️ 注意:此 endpoint 是「全替换」语义。如果只想给用户加 1 个角色而保留其他, * 调用 `POST /users/:id/roles/add`(addRoles)。前端 addUsersToRole 已经切到 add endpoint。 * * 文档规定:POST /users/:id/roles 成功响应应返回 200 状态码 */ @Post(':id/roles') @HttpCode(HttpStatus.OK) // 文档规定返回 200,而不是默认的 201 @Auditable() @Sensitive() @RequirePermissions('role:manage') async assignRoles( @Param('id', ParseUUIDPipe) id: string, @Body() assignRolesDto: AssignRolesDto, ) { return this.usersService.assignRoles(id, assignRolesDto); } /** * 增量增加角色(不删除已有的) * * 用于"将用户加到角色 X"场景。已存在的 (userId, roleId, organizationId) 幂等跳过。 * 修复历史 BUG:前端 addUsersToRole 之前调 POST /:id/roles 全替换语义, * 把"加 1 个"误传为"全删后只留这 1 个",导致用户其他角色丢失。 */ @Post(':id/roles/add') @HttpCode(HttpStatus.OK) @Auditable() @Sensitive() @RequirePermissions('role:manage') async addRoles( @Param('id', ParseUUIDPipe) id: string, @Body() assignRolesDto: AssignRolesDto, ) { return this.usersService.addRoles(id, assignRolesDto); } /** * Remove role from user (removes all region associations for this role) */ @Delete(':id/roles/:roleId') @Auditable() @Sensitive() @RequirePermissions('role:manage') async removeRole( @Param('id', ParseUUIDPipe) id: string, @Param('roleId', ParseUUIDPipe) roleId: string, ) { return this.usersService.removeRole(id, roleId); } // ==================== 区域角色管理 API ==================== /** * 分配区域角色(完全替换用户的所有角色) * * 请求体示例: * { * "roles": [ * { "roleId": "uuid", "region": null }, // 全局角色 * { "roleId": "uuid", "region": "CN" }, // 中国区角色 * { "roleId": "uuid", "region": "US" } // 美国区角色 * ] * } */ @Post(':id/region-roles') @Auditable() @Sensitive() @RequirePermissions('role:manage') async assignRegionRoles( @Param('id', ParseUUIDPipe) id: string, @Body() dto: AssignRegionRolesDto, ) { return this.usersService.assignRegionRoles(id, dto.roles); } /** * 添加单个区域角色 * * 请求体示例: * { "roleId": "uuid", "region": "CN" } // 添加中国区角色 * { "roleId": "uuid" } // 添加全局角色 */ @Post(':id/region-roles/add') @Auditable() @Sensitive() @RequirePermissions('role:manage') async addRegionRole( @Param('id', ParseUUIDPipe) id: string, @Body() dto: AddRegionRoleDto, ) { return this.usersService.addRegionRole(id, dto.roleId, dto.region); } /** * 删除单个区域角色 * * 请求体示例: * { "roleId": "uuid", "region": "CN" } // 删除中国区角色 * { "roleId": "uuid" } // 删除全局角色 */ @Post(':id/region-roles/remove') @Auditable() @Sensitive() @RequirePermissions('role:manage') async removeRegionRole( @Param('id', ParseUUIDPipe) id: string, @Body() dto: RemoveRegionRoleDto, ) { return this.usersService.removeRegionRole(id, dto.roleId, dto.region); } /** * Get user permissions * v2.1: Supports organizationId query parameter for filtering */ @Get(':id/permissions') async getUserPermissions( @Param('id', ParseUUIDPipe) id: string, @Query('organizationId') organizationId?: string, ) { return this.usersService.getUserPermissions(id, organizationId); } /** * Get user subordinates */ @Get(':id/subordinates') async getSubordinates(@Param('id', ParseUUIDPipe) id: string) { return this.usersService.getSubordinates(id); } /** * Terminate user */ /** * Terminate user (v2.0) * Sets user status to TERMINATED */ @Post(':id/terminate') @HttpCode(HttpStatus.OK) // 文档规定返回200 @Auditable() @Sensitive() @RequirePermissions('user:update') async terminate( @Param('id', ParseUUIDPipe) id: string, @Body() terminateUserDto: TerminateUserDto, ) { return this.usersService.terminate(id, terminateUserDto); } /** * Activate user */ @Post(':id/activate') @Auditable() @Sensitive() @RequirePermissions('user:update') async activate( @Param('id', ParseUUIDPipe) id: string, @Body() activateUserDto: ActivateUserDto, ) { return this.usersService.activate(id, activateUserDto); } /** * Update user status (v2.1.1 新增) * 支持 ACTIVE ↔ INACTIVE 状态切换 */ @Patch(':id/status') @Auditable() @Sensitive() @RequirePermissions('user:update') async updateStatus( @Param('id', ParseUUIDPipe) id: string, @Body() updateUserStatusDto: UpdateUserStatusDto, ) { return this.usersService.updateStatus(id, updateUserStatusDto); } /** * Restore deleted user (永久可恢复) */ @Post(':id/restore') @Auditable() @Sensitive() @RequirePermissions('user:update') async restore( @Param('id', ParseUUIDPipe) id: string, @Body() restoreUserDto: RestoreUserDto, ) { return this.usersService.restore(id, restoreUserDto); } /** * Reset user password (admin only) */ @Post(':id/reset-password') @Auditable() @Sensitive() @RequirePermissions('user:update') async resetPassword( @Param('id', ParseUUIDPipe) id: string, @Body() resetPasswordDto: ResetPasswordDto, ) { await this.authService.resetPassword(id, resetPasswordDto.newPassword); return { message: 'Password reset successfully', }; } }