fix: anonymize clerk random order views

play-admin/src/main/java/com/starry/admin/modules/order/service/impl/PlayOrderInfoServiceImpl.java

@@ -44,11 +44,9 @@ import com.starry.admin.modules.order.service.support.ClerkRevenueCalculator;
 import com.starry.admin.modules.personnel.module.entity.PlayPersonnelGroupInfoEntity;
 import com.starry.admin.modules.personnel.service.IPlayPersonnelGroupInfoService;
 import com.starry.admin.modules.shop.module.constant.CouponUseState;
-import com.starry.admin.modules.shop.module.vo.PlayCouponDetailsReturnVo;
 import com.starry.admin.modules.shop.service.IPlayCouponDetailsService;
 import com.starry.admin.modules.weichat.entity.order.*;
 import com.starry.admin.modules.weichat.service.NotificationSender;
-import com.starry.admin.modules.withdraw.service.IEarningsService;
 import com.starry.admin.utils.DateRangeUtils;
 import com.starry.admin.utils.SecurityUtils;
 import com.starry.common.utils.ConvertUtil;
@@ -478,6 +476,16 @@ public class PlayOrderInfoServiceImpl extends ServiceImpl<PlayOrderInfoMapper, P
                 log.warn("Refund info missing for cancelled order, orderId={}", returnVo.getId());
             }
         }
+
+        // Privacy protection: Hide customer info for pending random orders
+        if (OrderConstant.PlaceType.RANDOM.getCode().equals(returnVo.getPlaceType())
+                && OrderStatus.PENDING.getCode().equals(returnVo.getOrderStatus())) {
+            returnVo.setWeiChatCode("");
+            returnVo.setCustomNickname("匿名用户");
+            returnVo.setCustomAvatar("");
+            returnVo.setCustomId("");
+        }
+
         if (returnVo.getEstimatedRevenue() == null) {
             returnVo.setEstimatedRevenue(BigDecimal.ZERO);
         }
@@ -512,8 +520,21 @@ public class PlayOrderInfoServiceImpl extends ServiceImpl<PlayOrderInfoMapper, P
                 .selectAs(PlayCustomLevelInfoEntity::getName, "customLevelName");
         lambdaQueryWrapper.leftJoin(PlayCustomLevelInfoEntity.class, PlayCustomLevelInfoEntity::getId,
                 PlayCustomUserInfoEntity::getLevelId);
-        return this.baseMapper.selectJoinPage(new Page<>(vo.getPageNum(), vo.getPageSize()),
+        IPage<PlayClerkOrderListReturnVo> page = this.baseMapper.selectJoinPage(
-                PlayClerkOrderListReturnVo.class, lambdaQueryWrapper);
+                new Page<>(vo.getPageNum(), vo.getPageSize()),
+                PlayClerkOrderListReturnVo.class,
+                lambdaQueryWrapper);
+
+        for (PlayClerkOrderListReturnVo record : page.getRecords()) {
+            if (OrderConstant.PlaceType.RANDOM.getCode().equals(record.getPlaceType())
+                    && OrderStatus.PENDING.getCode().equals(record.getOrderStatus())) {
+                record.setCustomNickname("匿名用户");
+                record.setCustomAvatar("");
+                record.setCustomId("");
+            }
+        }
+
+        return page;
     }
 
     @Override

play-admin/src/test/java/com/starry/admin/api/WxOrderInfoControllerApiTest.java

@@ -181,6 +181,82 @@ class WxOrderInfoControllerApiTest extends WxCustomOrderApiTestSupport {
         assertThat(data.path("customAvatar").asText()).isEmpty();
     }
 
+    @Test
+    void queryByIdFromClerkControllerHidesCustomerInfoForPendingRandomOrders() throws Exception {
+        String marker = "privacy-leak-" + LocalDateTime.now().toString();
+        String orderId = createRandomOrder(marker);
+
+        // Access via the generic Clerk Order Detail endpoint (which the notification likely links to)
+        MvcResult result = mockMvc.perform(get("/wx/clerk/order/queryById")
+                        .param("id", orderId)
+                        .header(USER_HEADER, DEFAULT_USER)
+                        .header(TENANT_HEADER, DEFAULT_TENANT)
+                        .header(Constants.CLERK_USER_LOGIN_TOKEN, Constants.TOKEN_PREFIX + clerkToken))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.code").value(200))
+                .andReturn();
+
+        JsonNode data = mapper.readTree(result.getResponse().getContentAsString()).path("data");
+
+        assertThat(data.path("weiChatCode").asText()).isEmpty();
+        assertThat(data.path("placeType").asText()).isEqualTo(OrderConstant.PlaceType.RANDOM.getCode());
+        assertThat(data.path("orderStatus").asText()).isEqualTo(OrderConstant.OrderStatus.PENDING.getCode());
+
+        String nickname = data.path("customNickname").asText();
+        assertThat(nickname.equals("匿名用户") || "匿名用户".equals(nickname)).isTrue();
+        assertThat(data.path("customAvatar").asText()).isEmpty();
+    }
+
+    @Test
+    void clerkOrderListHidesCustomerInfoForPendingRandomOrders() throws Exception {
+        String marker = "privacy-list-" + LocalDateTime.now().toString();
+        String orderId = createRandomOrder(marker);
+
+        // Ensure the created pending random order appears in the clerk's own order list
+        ensureTenantContext();
+        playOrderInfoService.lambdaUpdate()
+                .eq(PlayOrderInfoEntity::getId, orderId)
+                .set(PlayOrderInfoEntity::getAcceptBy, ApiTestDataSeeder.DEFAULT_CLERK_ID)
+                .update();
+
+        ObjectNode payload = mapper.createObjectNode();
+        payload.put("pageNum", 1);
+        payload.put("pageSize", 10);
+        payload.put("orderStatus", OrderConstant.OrderStatus.PENDING.getCode());
+        payload.put("placeType", OrderConstant.PlaceType.RANDOM.getCode());
+
+        MvcResult result = mockMvc.perform(post("/wx/clerk/order/queryByPage")
+                        .contentType(MediaType.APPLICATION_JSON)
+                        .header(USER_HEADER, DEFAULT_USER)
+                        .header(TENANT_HEADER, DEFAULT_TENANT)
+                        .header(Constants.CLERK_USER_LOGIN_TOKEN, Constants.TOKEN_PREFIX + clerkToken)
+                        .content(payload.toString()))
+                .andExpect(status().isOk())
+                .andExpect(jsonPath("$.code").value(200))
+                .andReturn();
+
+        JsonNode root = mapper.readTree(result.getResponse().getContentAsString());
+        JsonNode data = root.path("data");
+        JsonNode records = data.isArray() ? data : data.path("records");
+        assertThat(records.isArray()).isTrue();
+        assertThat(records.size()).isGreaterThan(0);
+
+        boolean found = false;
+        for (JsonNode node : records) {
+            assertThat(node.path("placeType").asText()).isEqualTo(OrderConstant.PlaceType.RANDOM.getCode());
+            assertThat(node.path("orderStatus").asText()).isEqualTo(OrderConstant.OrderStatus.PENDING.getCode());
+            if (orderId.equals(node.path("id").asText())) {
+                found = true;
+                String nickname = node.path("customNickname").asText();
+                assertThat(nickname.equals("匿名用户") || "匿名用户".equals(nickname)).isTrue();
+                assertThat(node.path("customAvatar").asText()).isEmpty();
+                assertThat(node.path("customId").asText()).isEmpty();
+            }
+        }
+
+        assertThat(found).as("Pending random order should appear in clerk list response").isTrue();
+    }
+
     private String createRandomOrder(String remark) throws Exception {
         ensureTenantContext();
         resetCustomerBalance();