feat(auth): 完成租户用户角色资源核心模块

2026-03-01 10:58:53 +08:00
parent fc7138786b
commit 1de4524b5e
12 changed files with 1619 additions and 51 deletions
--- a/backend/internal/handlers/resource.go
+++ b/backend/internal/handlers/resource.go
@@ -0,0 +1,284 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"smart-customer-service/internal/models"
+)
+
+// ResourceHandler 资源处理器
+type ResourceHandler struct{}
+
+// Create 创建资源
+func (h *ResourceHandler) Create(w http.ResponseWriter, r *http.Request) {
+	var resource models.Resource
+	if err := json.NewDecoder(r.Body).Decode(&resource); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 验证必填字段
+	if resource.Name == "" || resource.Code == "" || resource.Type == "" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{
+			"error": "name, code, and type are required",
+		})
+		return
+	}
+
+	// 验证资源类型
+	validTypes := map[string]bool{
+		"api": true,    // API 端点
+		"page": true,   // 页面
+		"button": true, // 按钮
+		"data": true,   // 数据字段
+	}
+
+	if !validTypes[resource.Type] {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{
+			"error": "invalid resource type, must be one of: api, page, button, data",
+		})
+		return
+	}
+
+	// 检查代码是否已存在
+	// if exists := checkResourceExists(resource.Code); exists {
+	//     http.Error(w, `{"error": "resource code already exists"}`, http.StatusConflict)
+	//     return
+	// }
+
+	// TODO: 保存到数据库
+	// db.Create(&resource)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "资源创建成功",
+		"data":    resource,
+	})
+}
+
+// List 获取资源列表
+func (h *ResourceHandler) List(w http.ResponseWriter, r *http.Request) {
+	page := getPageParam(r, 1)
+	perPage := getPageParam(r, 20)
+
+	// 获取过滤参数
+	tenantIDStr := r.URL.Query().Get("tenant_id")
+	resourceType := r.URL.Query().Get("type")
+	group := r.URL.Query().Get("group")
+	isSystem := r.URL.Query().Get("is_system")
+
+	// TODO: 查询数据库
+	// var resources []models.Resource
+	// query := db.Where("tenant_id = ?", tenantID)
+	// if resourceType != "" {
+	//     query = query.Where("type = ?", resourceType)
+	// }
+	// if group != "" {
+	//     query = query.Where("group = ?", group)
+	// }
+	// if isSystem == "true" {
+	//     query = query.Where("is_system = ?", true)
+	// }
+	// query.Order("sort_order").Find(&resources)
+
+	var resources []models.Resource
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"total":      0,
+		"page":       page,
+		"per_page":   perPage,
+		"total_pages": 0,
+		"filters": map[string]string{
+			"type":     resourceType,
+			"group":    group,
+			"is_system": isSystem,
+		},
+		"data": resources,
+	})
+}
+
+// Get 获取单个资源
+func (h *ResourceHandler) Get(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 查询数据库 (包含关联数据)
+	// var resource models.Resource
+	// db.Preload("Roles").Preload("Parent").Preload("Children").First(&resource, id)
+
+	var resource models.Resource
+
+	if resource.ID == 0 {
+		http.Error(w, `{"error": "resource not found"}`, http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resource)
+}
+
+// Update 更新资源
+func (h *ResourceHandler) Update(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	var resource models.Resource
+	if err := json.NewDecoder(r.Body).Decode(&resource); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 不允许修改代码 (Code 是唯一索引)
+	// resource.Code = "" 
+
+	// TODO: 更新数据库
+	// db.Model(&resource).Where("id = ?", id).Updates(resource)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "资源更新成功",
+		"data":    resource,
+	})
+}
+
+// Delete 删除资源
+func (h *ResourceHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// 检查是否有子资源
+	// childCount := countChildResources(id)
+	// if childCount > 0 {
+	//     http.Error(w, `{"error": "cannot delete resource with children"}`, http.StatusBadRequest)
+	//     return
+	// }
+
+	// 检查是否有角色使用
+	// roleCount := countRolesWithResource(id)
+	// if roleCount > 0 {
+	//     http.Error(w, `{"error": "cannot delete resource with associated roles"}`, http.StatusBadRequest)
+	//     return
+	// }
+
+	// TODO: 软删除
+	// db.Where("id = ?", id).Update("deleted_at", time.Now())
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "资源删除成功",
+		"id":      id,
+	})
+}
+
+// GetTree 获取资源树形结构
+func (h *ResourceHandler) GetTree(w http.ResponseWriter, r *http.Request) {
+	// 获取过滤参数
+	tenantIDStr := r.URL.Query().Get("tenant_id")
+	groupBy := r.URL.Query().Get("group_by") // 按分组、类型等分组
+
+	// TODO: 查询数据库
+	// 1. 查询所有资源
+	// 2. 构建树形结构
+	// 3. 按分组分类返回
+
+	type ResourceTree struct {
+		ID          uint              `json:"id"`
+		Name        string            `json:"name"`
+		Code        string            `json:"code"`
+		Type        string            `json:"type"`
+		Children    []ResourceTree    `json:"children,omitempty"`
+		ParentID    *uint             `json:"parent_id,omitempty"`
+	}
+
+	var tree []ResourceTree
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"tree": tree,
+	})
+}
+
+// GetResourceByCode 通过代码获取资源
+func (h *ResourceHandler) GetResourceByCode(w http.ResponseWriter, r *http.Request) {
+	code := r.URL.Query().Get("code")
+	if code == "" {
+		http.Error(w, `{"error": "code is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 查询数据库
+	// var resource models.Resource
+	// db.Where("code = ?", code).First(&resource)
+
+	var resource models.Resource
+
+	if resource.ID == 0 {
+		http.Error(w, `{"error": "resource not found"}`, http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(resource)
+}
+
+// CheckPermission 检查权限是否有效
+func (h *ResourceHandler) CheckPermission(w http.ResponseWriter, r *http.Request) {
+	type PermissionCheck struct {
+		UserID       uint   `json:"user_id"`
+		TenantID     uint   `json:"tenant_id"`
+		ResourceCode string `json:"resource_code"`
+		Action       string `json:"action"` // create, read, update, delete, etc.
+	}
+
+	var req PermissionCheck
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 实现权限检查逻辑
+	// 1. 查询用户角色
+	// 2. 查询角色资源
+	// 3. 检查资源是否包含该操作
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"has_permission": false,
+		"reason":         "permission check not implemented",
+	})
+}
--- a/backend/internal/handlers/role.go
+++ b/backend/internal/handlers/role.go
@@ -0,0 +1,240 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+
+	"smart-customer-service/internal/models"
+)
+
+// RoleHandler 角色处理器
+type RoleHandler struct{}
+
+// Create 创建角色
+func (h *RoleHandler) Create(w http.ResponseWriter, r *http.Request) {
+	var role models.Role
+	if err := json.NewDecoder(r.Body).Decode(&role); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 验证必填字段
+	if role.Name == "" || role.Code == "" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{
+			"error": "name and code are required",
+		})
+		return
+	}
+
+	// 检查角色代码是否已存在
+	// if exists := checkRoleExists(role.Code); exists {
+	//     http.Error(w, `{"error": "role code already exists"}`, http.StatusConflict)
+	//     return
+	// }
+
+	// TODO: 保存到数据库
+	// db.Create(&role)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "角色创建成功",
+		"data":    role,
+	})
+}
+
+// List 获取角色列表
+func (h *RoleHandler) List(w http.ResponseWriter, r *http.Request) {
+	page := getPageParam(r, 1)
+	perPage := getPageParam(r, 20)
+
+	// 获取过滤参数
+	tenantIDStr := r.URL.Query().Get("tenant_id")
+	status := r.URL.Query().Get("status")
+	isGlobal := r.URL.Query().Get("is_global")
+
+	// TODO: 查询数据库
+	// var roles []models.Role
+	// query := db.Where("tenant_id = ?", tenantID)
+	// if status != "" {
+	//     query = query.Where("status = ?", status)
+	// }
+	// if isGlobal == "true" {
+	//     query = query.Where("is_global = ?", true)
+	// }
+	// query.Preload("Users").Find(&roles)
+
+	var roles []models.Role
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"total":      0,
+		"page":       page,
+		"per_page":   perPage,
+		"total_pages": 0,
+		"data":       roles,
+	})
+}
+
+// Get 获取单个角色
+func (h *RoleHandler) Get(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 查询数据库 (包含关联数据)
+	// var role models.Role
+	// db.Preload("Resources").Preload("Users").First(&role, id)
+
+	var role models.Role
+
+	if role.ID == 0 {
+		http.Error(w, `{"error": "role not found"}`, http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(role)
+}
+
+// Update 更新角色
+func (h *RoleHandler) Update(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	var role models.Role
+	if err := json.NewDecoder(r.Body).Decode(&role); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 更新数据库
+	// db.Model(&role).Where("id = ?", id).Updates(role)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "角色更新成功",
+		"data":    role,
+	})
+}
+
+// Delete 删除角色
+func (h *RoleHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// 检查是否有用户使用该角色
+	// userCount := countUsersWithRole(id)
+	// if userCount > 0 {
+	//     http.Error(w, `{"error": "cannot delete role with associated users"}`, http.StatusBadRequest)
+	//     return
+	// }
+
+	// TODO: 软删除
+	// db.Where("id = ?", id).Update("deleted_at", time.Now())
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "角色删除成功",
+		"id":      id,
+	})
+}
+
+// AssignResources 分配资源给角色
+func (h *RoleHandler) AssignResources(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	type resourceAssignment struct {
+		ResourceIDs  []uint   `json:"resource_ids"`
+		ResourceCode []string `json:"resource_codes"` // 也可以通过代码分配
+	}
+
+	var req resourceAssignment
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 分配资源
+	// 1. 验证资源是否存在
+	// 2. 更新 role_resources 关联表
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "资源分配成功",
+		"data":    req,
+	})
+}
+
+// GetPermissions 获取角色的权限列表
+func (h *RoleHandler) GetPermissions(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 查询数据库
+	// 1. 查询角色
+	// 2. 查询角色关联的资源
+	// 3. 提取所有资源的操作权限
+
+	type PermissionResult struct {
+		ResourceCode string   `json:"resource_code"`
+		Actions      []string `json:"actions"`
+		Description  string   `json:"description"`
+	}
+
+	var permissions []PermissionResult
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"role_id":       id,
+		"permissions":   permissions,
+	})
+}
--- a/backend/internal/handlers/tenant.go
+++ b/backend/internal/handlers/tenant.go
@@ -0,0 +1,136 @@
+package handlers
+
+import (
+	"net/http"
+	"smart-customer-service/internal/models"
+	"database/sql"
+	"encoding/json"
+	"fmt"
+	"strconv"
+)
+
+// TenantHandler 租户处理器
+type TenantHandler struct {
+	// 这里可以添加 database 连接
+}
+
+// Create 创建租户
+func (h *TenantHandler) Create(w http.ResponseWriter, r *http.Request) {
+	var tenant models.Tenant
+	if err := json.NewDecoder(r.Body).Decode(&tenant); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	
+	// 验证必填字段
+	if tenant.Name == "" || tenant.Email == "" {
+		http.Error(w, `{"error": "name and email are required"}`, http.StatusBadRequest)
+		return
+	}
+	
+	// TODO: 保存到数据库
+	// db.Create(&tenant)
+	
+	// 返回响应
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "租户创建成功",
+		"data": tenant,
+	})
+}
+
+// List 获取租户列表
+func (h *TenantHandler) List(w http.ResponseWriter, r *http.Request) {
+	// 获取分页参数
+	page, _ := strconv.Atoi(r.URL.Query().Get("page"))
+	if page == 0 {
+		page = 1
+	}
+	perPage, _ := strconv.Atoi(r.URL.Query().Get("per_page"))
+	if perPage == 0 {
+		perPage = 20
+	}
+	
+	// TODO: 查询数据库
+	// var tenants []models.Tenant
+	// db.Offset((page-1)*perPage).Limit(perPage).Find(&tenants)
+	
+	var tenants []models.Tenant
+	
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"total":      0,
+		"page":       page,
+		"per_page":   perPage,
+		"total_pages": 0,
+		"data":       tenants,
+	})
+}
+
+// Get 获取单个租户
+func (h *TenantHandler) Get(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.ParseUint(r.URL.Query().Get("id"), 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+	
+	// TODO: 查询数据库
+	// var tenant models.Tenant
+	// db.First(&tenant, id)
+	
+	var tenant models.Tenant
+	
+	if tenant.ID == 0 {
+		http.Error(w, `{"error": "tenant not found"}`, http.StatusNotFound)
+		return
+	}
+	
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(tenant)
+}
+
+// Update 更新租户
+func (h *TenantHandler) Update(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.ParseUint(r.URL.Query().Get("id"), 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+	
+	var tenant models.Tenant
+	if err := json.NewDecoder(r.Body).Decode(&tenant); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+	
+	// TODO: 更新数据库
+	// db.Model(&tenant).Where("id = ?", id).Updates(map[string]interface{}{
+	//     "name": tenant.Name,
+	//     "email": tenant.Email,
+	// })
+	
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "租户更新成功",
+		"data":    tenant,
+	})
+}
+
+// Delete 删除租户
+func (h *TenantHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	id, err := strconv.ParseUint(r.URL.Query().Get("id"), 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+	
+	// TODO: 软删除
+	// db.Where("id = ?", id).Update("deleted_at", time.Now())
+	
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": fmt.Sprintf("租户 %d 删除成功", id),
+	})
+}
--- a/backend/internal/handlers/user.go
+++ b/backend/internal/handlers/user.go
@@ -0,0 +1,264 @@
+package handlers
+
+import (
+	"encoding/json"
+	"net/http"
+	"strconv"
+	"strings"
+
+	"smart-customer-service/internal/models"
+)
+
+// UserHandler 用户处理器
+type UserHandler struct{}
+
+// Create 创建用户
+func (h *UserHandler) Create(w http.ResponseWriter, r *http.Request) {
+	var user models.User
+	if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 验证必填字段
+	if user.Username == "" || user.Email == "" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{
+			"error": "username and email are required",
+		})
+		return
+	}
+
+	// 密码不能为空
+	if user.Password == "" {
+		w.Header().Set("Content-Type", "application/json")
+		w.WriteHeader(http.StatusBadRequest)
+		json.NewEncoder(w).Encode(map[string]string{
+			"error": "password is required",
+		})
+		return
+	}
+
+	// TODO: 密码加密、保存到数据库
+	// user.Password = bcrypt.GenerateFromPassword(password)
+	// db.Create(&user)
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusCreated)
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "用户创建成功",
+		"data":    user,
+	})
+}
+
+// List 获取用户列表
+func (h *UserHandler) List(w http.ResponseWriter, r *http.Request) {
+	// 获取分页参数
+	page := getPageParam(r, 1)
+	perPage := getPageParam(r, 20)
+
+	// 获取过滤参数
+	tenantIDStr := r.URL.Query().Get("tenant_id")
+	status := r.URL.Query().Get("status")
+	keyword := r.URL.Query().Get("keyword")
+
+	// TODO: 查询数据库
+	// var users []models.User
+	// query := db.Where("tenant_id = ?", tenantID)
+	// if status != "" {
+	//     query = query.Where("status = ?", status)
+	// }
+	// if keyword != "" {
+	//     query = query.Where("username LIKE ? OR email LIKE ? OR full_name LIKE ?", "%"+keyword+"%", "%"+keyword+"%", "%"+keyword+"%")
+	// }
+	// query.Count(&total).Offset((page-1)*perPage).Limit(perPage).Preload("Tenant").Find(&users)
+
+	var users []models.User
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"total":      0,
+		"page":       page,
+		"per_page":   perPage,
+		"total_pages": 0,
+		"filters": map[string]string{
+			"tenant_id": tenantIDStr,
+			"status":    status,
+			"keyword":   keyword,
+		},
+		"data": users,
+	})
+}
+
+// Get 获取单个用户
+func (h *UserHandler) Get(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 查询数据库 (包含关联数据)
+	// var user models.User
+	// db.Preload("Tenant").Preload("Roles").First(&user, id)
+
+	var user models.User
+
+	if user.ID == 0 {
+		http.Error(w, `{"error": "user not found"}`, http.StatusNotFound)
+		return
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(user)
+}
+
+// Update 更新用户
+func (h *UserHandler) Update(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	var user models.User
+	if err := json.NewDecoder(r.Body).Decode(&user); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 不允许修改用户名和租户 ID
+	user.Username = "" 
+	user.TenantID = 0
+
+	// TODO: 更新数据库
+	// db.Model(&user).Where("id = ?", id).Updates(user)
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "用户更新成功",
+		"data":    user,
+	})
+}
+
+// Delete 删除用户
+func (h *UserHandler) Delete(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	id, err := strconv.ParseUint(idStr, 10, 32)
+	if err != nil {
+		http.Error(w, `{"error": "invalid id"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 软删除
+	// db.Where("id = ?", id).Update("deleted_at", time.Now())
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "用户删除成功",
+		"id":      id,
+	})
+}
+
+// ChangePassword 修改密码
+func (h *UserHandler) ChangePassword(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	type passwordChange struct {
+		OldPassword     string `json:"old_password"`
+		NewPassword     string `json:"new_password"`
+		ConfirmPassword string `json:"confirm_password"`
+	}
+
+	var req passwordChange
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// 验证新密码
+	if req.NewPassword != req.ConfirmPassword {
+		http.Error(w, `{"error": "new passwords do not match"}`, http.StatusBadRequest)
+		return
+	}
+
+	// 密码最小长度验证
+	if len(req.NewPassword) < 8 {
+		http.Error(w, `{"error": "password must be at least 8 characters"}`, http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 验证旧密码、更新新密码
+	// 1. 查询用户旧密码
+	// 2. bcrypt.CompareHashAndPassword
+	// 3. 更新密码
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]string{
+		"message": "密码修改成功",
+	})
+}
+
+// AssignRoles 分配角色
+func (h *UserHandler) AssignRoles(w http.ResponseWriter, r *http.Request) {
+	idStr := r.URL.Query().Get("id")
+	if idStr == "" {
+		http.Error(w, `{"error": "id is required"}`, http.StatusBadRequest)
+		return
+	}
+
+	type roleAssignment struct {
+		RoleIDs []uint `json:"role_ids"`
+	}
+
+	var req roleAssignment
+	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
+		http.Error(w, err.Error(), http.StatusBadRequest)
+		return
+	}
+
+	// TODO: 分配角色
+	// 1. 查询角色是否存在
+	// 2. 更新 user_roles 关联表
+
+	w.Header().Set("Content-Type", "application/json")
+	json.NewEncoder(w).Encode(map[string]interface{}{
+		"message": "角色分配成功",
+		"data":    req,
+	})
+}
+
+// 辅助函数：获取分页参数
+func getPageParam(r *http.Request, defaultVal int) int {
+	strVal := r.URL.Query().Get("page")
+	if strVal == "" {
+		return defaultVal
+	}
+	val, err := strconv.Atoi(strVal)
+	if err != nil || val < 1 {
+		return defaultVal
+	}
+	return val
+}