fix(测试跟踪): 测试计划脑图补充权限校验

--bug=1040625 --user=陈建星 【测试跟踪】测试计划-脑图-编辑脑图后保存失败 https://www.tapd.cn/55049933/s/1515280

test-track/backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.java

@@ -84,4 +84,6 @@ public interface ExtTestPlanTestCaseMapper {
 
     @Select("SELECT id FROM test_plan_test_case WHERE plan_id = #{planId} AND case_id = #{caseId}")
     List<String> selectIdByTestCaseIdAndTestPlanId(@Param("caseId") String caseId, @Param("planId") String planId);
+
+    boolean checkOwner(@Param("planId") String planId, @Param("ids") List<String> ids);
 }

test-track/backend/src/main/java/io/metersphere/base/mapper/ext/ExtTestPlanTestCaseMapper.xml

@@ -711,6 +711,15 @@
         UPDATE test_case SET last_execute_result = #{execResult}
         WHERE id = #{testCaseId} AND (last_execute_result != #{execResult} or last_execute_result is null)
     </update>
+    <select id="checkOwner" resultType="boolean">
+        SELECT count(id) = ${ids.size()}
+        FROM test_plan_test_case
+        WHERE plan_id = #{planId}
+        and id in
+        <foreach collection="ids" item="id" separator="," open="(" close=")">
+            #{id}
+        </foreach>
+    </select>
     <select id="findFailureCaseInTestPlanByProjectIDAndExecuteTimeAndLimitNumber"
             resultType="io.metersphere.dto.ExecutedCaseInfoResult">
         SELECT *

test-track/backend/src/main/java/io/metersphere/controller/TestPlanTestCaseController.java

@@ -140,8 +140,8 @@ public class TestPlanTestCaseController {
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ_RUN)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.MINDER_OPERATION, content = "#msClass.getCaseLogDetails(#testPlanTestCases)", msClass = TestPlanTestCaseService.class)
     @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
-    public void editTestCaseForMinder(@RequestBody List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
-        testPlanTestCaseService.editTestCaseForMinder(testPlanTestCases);
+    public void editTestCaseForMinder(@PathVariable String planId, @RequestBody List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
+        testPlanTestCaseService.editTestCaseForMinder(planId, testPlanTestCases);
     }
 
     @PostMapping("/batch/edit")

test-track/backend/src/main/java/io/metersphere/plan/service/TestPlanTestCaseService.java

@@ -474,7 +474,8 @@ public class TestPlanTestCaseService {
         return cases;
     }
 
-    public void editTestCaseForMinder(List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
+    public void editTestCaseForMinder(String planId, List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
+        checkOwner(planId, testPlanTestCases);
         testPlanTestCases.forEach(item -> {
             item.setUpdateTime(System.currentTimeMillis());
             setUpdateCaseExecutor(item);
@@ -483,6 +484,21 @@ public class TestPlanTestCaseService {
         });
     }
 
+    private void checkOwner(String planId, List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
+        if (CollectionUtils.isEmpty(testPlanTestCases)) {
+            return;
+        }
+
+        List<String> ids = testPlanTestCases.stream()
+                .map(TestPlanTestCaseWithBLOBs::getId)
+                .collect(Collectors.toList());
+
+        boolean hasPermission = extTestPlanTestCaseMapper.checkOwner(planId, ids);
+        if (!hasPermission) {
+            MSException.throwException(Translator.get("check_owner_case"));
+        }
+    }
+
     public List<String> idList(TestPlanFuncCaseBatchRequest request) {
         List<String> returnIdList = new ArrayList<>();
         TestPlanFuncCaseConditions conditions = request.getCondition();