use bgrwCheck func to check alert_rule put

src/webapi/router/router.go

@@ -186,7 +186,7 @@ func configRoute(r *gin.Engine, version string) {
 		pages.POST("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/add"), bgrw(), alertRuleAdd)
 		pages.DELETE("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/del"), bgrw(), alertRuleDel)
 		pages.PUT("/busi-group/:id/alert-rules/fields", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePutFields)
-		pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePut)
+		pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), alertRulePut)
 		pages.GET("/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules"), alertRuleGet)
 
 		pages.GET("/busi-group/:id/alert-mutes", jwtAuth(), user(), perm("/alert-mutes"), bgro(), alertMuteGets)

src/webapi/router/router_alert_rule.go

@@ -78,6 +78,8 @@ func alertRulePut(c *gin.Context) {
 		return
 	}
 
+	bgrwCheck(c, ar.GroupId)
+
 	f.UpdateBy = c.MustGet("username").(string)
 	ginx.NewRender(c).Message(ar.Update(f))
 }

src/webapi/router/router_mw.go

@@ -105,6 +105,7 @@ func bgro() gin.HandlerFunc {
 	}
 }
 
+// bgrw 逐步要被干掉，不安全
 func bgrw() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)
@@ -122,6 +123,21 @@ func bgrw() gin.HandlerFunc {
 	}
 }
 
+// bgrwCheck 要逐渐替换掉bgrw方法，更安全
+func bgrwCheck(c *gin.Context, bgid int64) {
+	me := c.MustGet("user").(*models.User)
+	bg := BusiGroup(bgid)
+
+	can, err := me.CanDoBusiGroup(bg, "rw")
+	ginx.Dangerous(err)
+
+	if !can {
+		ginx.Bomb(http.StatusForbidden, "forbidden")
+	}
+
+	c.Set("busi_group", bg)
+}
+
 func perm(operation string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)