fix(项目管理): 项目管理后台接口补足权限校验

--task=1012120 --user=宋天阳检查所有API权限控制是否有加 RequiresPermissions https://www.tapd.cn/55049933/s/1377485
2023-05-31 14:55:52 +08:00 · 2023-05-31 14:55:52 +08:00 · 14326dcbf5
parent c275ee1567
commit 14326dcbf5
13 changed files with 121 additions and 33 deletions
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FilterChainUtils.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/utils/FilterChainUtils.java
@ -71,7 +71,6 @@ public class FilterChainUtils {
        filterChainDefinitionMap.put("/system/theme", "anon");
        filterChainDefinitionMap.put("/system/save/baseurl/**", "anon");
        filterChainDefinitionMap.put("/system/timeout", "anon");
-        filterChainDefinitionMap.put("/file/metadata/info/**", "anon");

        filterChainDefinitionMap.put("/v1/catalog/**", "anon");
        filterChainDefinitionMap.put("/v1/agent/**", "anon");
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/environment/controller/TestEnvironmentController.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/environment/controller/TestEnvironmentController.java
@ -17,12 +17,13 @@ import io.metersphere.environment.utils.TcpTreeTableDataParser;
 import io.metersphere.i18n.Translator;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.request.EnvironmentRequest;
+import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.json.JSONArray;
 import org.json.JSONObject;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;

-import jakarta.annotation.Resource;
 import java.sql.DriverManager;
 import java.util.List;
 import java.util.Map;
@ -38,6 +39,7 @@ public class TestEnvironmentController {
    private BaseEnvGroupProjectService baseEnvGroupProjectService;

    @GetMapping("/list/{projectId}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public List<ApiTestEnvironmentWithBLOBs> list(@PathVariable String projectId) {
        return baseEnvironmentService.list(projectId);
    }
@ -51,23 +53,27 @@ public class TestEnvironmentController {
     * @return
     */
    @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public Pager<List<ApiTestEnvironmentWithBLOBs>> listByCondition(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody EnvironmentRequest environmentRequest) {
        Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
        return PageUtils.setPageInfo(page, baseEnvironmentService.listByConditions(environmentRequest));
    }

    @GetMapping("/get/{id}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public ApiTestEnvironmentWithBLOBs get(@PathVariable String id) {
        return baseEnvironmentService.get(id);
    }


    @PostMapping(value = "/get/entry")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public List<KeyStoreEntry> getEntry(@RequestPart("request") String password, @RequestPart(value = "file") MultipartFile sslFiles) {
        return commandService.get(password, sslFiles);
    }

    @PostMapping("/add")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ+CREATE")
    @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.CREATE, title = "#apiTestEnvironmentWithBLOBs.name", project = "#apiTestEnvironmentWithBLOBs.projectId", msClass = BaseEnvironmentService.class)
    public String create(@RequestPart("request") TestEnvironmentDTO apiTestEnvironmentWithBLOBs, @RequestPart(value = "files", required = false) List<MultipartFile> sslFiles, @RequestPart(value = "variablesFiles", required = false) List<MultipartFile> variableFile) {
        checkParams(apiTestEnvironmentWithBLOBs);
@ -75,12 +81,14 @@ public class TestEnvironmentController {
    }

    @PostMapping("/import")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ+IMPORT")
    public String create(@RequestBody List<TestEnvironmentDTO> environments) {
        environments.forEach(this::checkParams);
        return baseEnvironmentService.importEnvironment(environments);
    }

    @PostMapping(value = "/update")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ+EDIT")
    @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#apiTestEnvironment.id)", content = "#msClass.getLogDetails(#apiTestEnvironment.id)", msClass = BaseEnvironmentService.class)
    public void update(@RequestPart("request") TestEnvironmentDTO apiTestEnvironment, @RequestPart(value = "files", required = false) List<MultipartFile> sslFiles, @RequestPart(value = "variablesFiles", required = false) List<MultipartFile> variableFile) {
        checkParams(apiTestEnvironment);
@ -115,6 +123,7 @@ public class TestEnvironmentController {
    }

    @GetMapping("/delete/{id}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ+DELETE")
    @MsAuditLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = BaseEnvironmentService.class)
    public void delete(@PathVariable String id) {
        baseEnvironmentService.delete(id);
@ -122,11 +131,13 @@ public class TestEnvironmentController {


    @GetMapping("/group/map/{groupId}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public Map<String, String> getEnvMap(@PathVariable String groupId) {
        return baseEnvGroupProjectService.getEnvMap(groupId);
    }

    @GetMapping("/module/list/{projectId}/{protocol}")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public List<ApiModuleDTO> getNodeByProjectId(@PathVariable String projectId, @PathVariable String protocol) {
        return baseEnvironmentService.getNodeTreeByProjectId(projectId, protocol);
    }
@ -137,6 +148,7 @@ public class TestEnvironmentController {
    }

    @PostMapping("/database/validate")
+    @RequiresPermissions("PROJECT_ENVIRONMENT:READ")
    public void validate(@RequestBody DatabaseConfig databaseConfig) {
        try {
            DriverManager.getConnection(databaseConfig.getDbUrl(), databaseConfig.getUsername(), databaseConfig.getPassword());
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/controller/FileMetadataController.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/controller/FileMetadataController.java
@ -11,12 +11,10 @@ import io.metersphere.commons.utils.Pager;
 import io.metersphere.dto.FileMetadataDTO;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.metadata.service.FileMetadataService;
-import io.metersphere.metadata.vo.DownloadRequest;
-import io.metersphere.metadata.vo.DumpFileRequest;
-import io.metersphere.metadata.vo.FileMetadataCreateRequest;
-import io.metersphere.metadata.vo.MoveFIleMetadataRequest;
+import io.metersphere.metadata.vo.*;
 import io.metersphere.request.QueryProjectFileRequest;
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.http.HttpHeaders;
 import org.springframework.http.MediaType;
 import org.springframework.http.ResponseEntity;
@ -32,36 +30,42 @@ public class FileMetadataController {
    private FileMetadataService fileMetadataService;

    @GetMapping(value = "/info/{fileId}")
-    public ResponseEntity<byte[]> image(@PathVariable("fileId") String fileId) {
-        return fileMetadataService.getFile(fileId);
+    @RequiresPermissions("PROJECT_FILE:READ")
+    public FileResponse image(@PathVariable("fileId") String fileId) {
+        FileResponse fileResponse = new FileResponse();
+        fileResponse.setBytes(fileMetadataService.getFile(fileId).getBody());
+        return fileResponse;
    }

    @PostMapping("/project/{projectId}/{goPage}/{pageSize}")
-    public Pager<List<FileMetadataDTO>> getProjectFiles(@PathVariable String projectId,
-                                                        @PathVariable int goPage, @PathVariable int pageSize,
-                                                        @RequestBody QueryProjectFileRequest request) {
+    @RequiresPermissions("PROJECT_FILE:READ")
+    public Pager<List<FileMetadataDTO>> getProjectFiles(@PathVariable String projectId, @PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryProjectFileRequest request) {
        fileMetadataService.checkProjectFileHasModuleId(projectId);
        Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
        return PageUtils.setPageInfo(page, fileMetadataService.getFileMetadataByProject(projectId, request));
    }

    @PostMapping(value = "/create")
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.CREATE, title = "#request.name", content = "#msClass.getLogDetails(#request.id)", msClass = FileMetadataService.class)
    public List<FileMetadata> create(@RequestPart("request") FileMetadataCreateRequest request, @RequestPart(value = "file", required = false) List<MultipartFile> files) {
        return fileMetadataService.create(request, files);
    }

    @PostMapping(value = "/upload")
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    public FileMetadata upload(@RequestPart("request") FileMetadataWithBLOBs request, @RequestPart(value = "file", required = false) List<MultipartFile> files) {
        return fileMetadataService.reLoad(request, files);
    }

    @GetMapping(value = "/download/{id}")
+    @RequiresPermissions("PROJECT_FILE:READ+DOWNLOAD+JAR")
    public ResponseEntity<byte[]> download(@PathVariable("id") String id) {
        return fileMetadataService.getFile(id);
    }

    @PostMapping(value = "/download/zip")
+    @RequiresPermissions("PROJECT_FILE:READ+DOWNLOAD+JAR")
    public ResponseEntity<byte[]> downloadBodyFiles(@RequestBody DownloadRequest request) {
        try {
            byte[] bytes = fileMetadataService.exportZip(request);
@ -75,49 +79,58 @@ public class FileMetadataController {
    }

    @GetMapping(value = "/delete/{fileId}")
+    @RequiresPermissions("PROJECT_FILE:READ+DELETE+JAR")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#fileId)", msClass = FileMetadataService.class)
    public void deleteFile(@PathVariable String fileId) {
        fileMetadataService.deleteFile(fileId);
    }

    @PostMapping(value = "/delete/batch")
+    @RequiresPermissions("PROJECT_FILE:READ+BATCH+DELETE")
    public void deleteBatch(@RequestBody List<String> ids) {
        fileMetadataService.deleteBatch(ids);
    }

    @GetMapping(value = "/get/type/all")
+    @RequiresPermissions("PROJECT_FILE:READ")
    public List<String> getTypes() {
        return fileMetadataService.getTypes();
    }

    @PostMapping(value = "/move")
+    @RequiresPermissions("PROJECT_FILE:READ+BATCH+MOVE")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", title = "#request.name", content = "#msClass.getLogDetails(#request.id)", msClass = FileMetadataService.class)
    public void move(@RequestBody MoveFIleMetadataRequest request) {
        fileMetadataService.move(request);
    }

    @PostMapping(value = "/update")
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", title = "#request.name", content = "#msClass.getLogDetails(#request.id)", msClass = FileMetadataService.class)
    public void update(@RequestBody FileMetadataWithBLOBs request) {
        fileMetadataService.update(request);
    }

    @PostMapping(value = "/dump/file", consumes = {"multipart/form-data"})
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    public void dumpFile(@RequestPart("request") DumpFileRequest request, @RequestPart(value = "files", required = false) List<MultipartFile> files) {
        fileMetadataService.dumpFile(request, files);
    }

    @GetMapping(value = "/count/{projectId}/{createUser}")
+    @RequiresPermissions("PROJECT_FILE:READ")
    public long myFiles(@PathVariable String projectId, @PathVariable String createUser) {
        return fileMetadataService.myFiles(createUser, projectId);
    }

    @GetMapping(value = "/exist/{fileId}")
+    @RequiresPermissions("PROJECT_FILE:READ")
    public boolean exist(@PathVariable("fileId") String fileId) {
        return fileMetadataService.exist(fileId);
    }

    @PostMapping(value = "/exists")
+    @RequiresPermissions("PROJECT_FILE:READ")
    public List<String> exist(@RequestBody List<String> fileIds) {
        return fileMetadataService.exists(fileIds);
    }
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/controller/FileModuleController.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/metadata/controller/FileModuleController.java
@ -8,9 +8,11 @@ import io.metersphere.metadata.service.FileModuleService;
 import io.metersphere.metadata.vo.DragFileModuleRequest;
 import io.metersphere.metadata.vo.FileModuleVo;
 import io.metersphere.service.BaseCheckPermissionService;
+import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

-import jakarta.annotation.Resource;
 import java.util.List;

@RequestMapping("/file/module")
@ -29,30 +31,35 @@ public class FileModuleController {
    }

    @PostMapping("/add")
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.CREATE, title = "#node.name", content = "#msClass.getLogDetails(#node)", msClass = FileModuleService.class)
    public String addNode(@RequestBody FileModule node) {
        return fileModuleService.addNode(node);
    }

    @PostMapping("/edit")
+    @RequiresPermissions("PROJECT_FILE:READ+UPLOAD+JAR")
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#node)", title = "#node.name", content = "#msClass.getLogDetails(#node)", msClass = FileModuleService.class)
    public int editNode(@RequestBody DragFileModuleRequest node) {
        return fileModuleService.editNode(node);
    }

    @PostMapping("/delete")
+    @RequiresPermissions(value = {"PROJECT_FILE:READ+BATCH+DELETE", "PROJECT_FILE:READ+DELETE+JAR"}, logical = Logical.OR)
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#nodeIds)", msClass = FileModuleService.class)
    public int deleteNode(@RequestBody List<String> nodeIds) {
        return fileModuleService.deleteNode(nodeIds);
    }

    @PostMapping("/drag")
+    @RequiresPermissions(value = {"PROJECT_FILE:READ+UPLOAD+JAR", "PROJECT_FILE:READ+BATCH+MOVE"}, logical = Logical.OR)
    @MsAuditLog(module = OperLogModule.PROJECT_FILE_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#node)", title = "#node.name", content = "#msClass.getLogDetails(#node)", msClass = FileModuleService.class)
    public void dragNode(@RequestBody DragFileModuleRequest node) {
        fileModuleService.dragNode(node);
    }

    @PostMapping("/pos")
+    @RequiresPermissions(value = {"PROJECT_FILE:READ+UPLOAD+JAR", "PROJECT_FILE:READ+BATCH+MOVE"}, logical = Logical.OR)
    public void treeSort(@RequestBody List<String> ids) {
        fileModuleService.sort(ids);
    }
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/notice/controller/NoticeController.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/notice/controller/NoticeController.java
@ -6,9 +6,10 @@ import io.metersphere.commons.utils.SessionUtils;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.notice.domain.MessageDetail;
 import io.metersphere.notice.service.NoticeService;
+import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

-import jakarta.annotation.Resource;
 import java.util.List;

@RestController
@ -24,6 +25,7 @@ public class NoticeController {
    }

    @PostMapping("update/message/task")
+    @RequiresPermissions("PROJECT_MESSAGE:READ+EDIT")
    @MsAuditLog(module = OperLogModule.WORKSPACE_MESSAGE_SETTINGS, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#messageDetail.id)", content = "#msClass.getLogDetails(#messageDetail.id)", msClass = NoticeService.class)
    public void updateMessage(@RequestBody MessageDetail messageDetail) {
        noticeService.saveMessageTask(messageDetail);
@ -41,6 +43,7 @@ public class NoticeController {
    }

    @GetMapping("/delete/message/{identification}")
+    @RequiresPermissions("PROJECT_MESSAGE:READ+DELETE")
    @MsAuditLog(module = OperLogModule.WORKSPACE_MESSAGE_SETTINGS, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getDelLogDetails(#identification)", msClass = NoticeService.class)
    public int deleteMessage(@PathVariable String identification) {
        return noticeService.delMessage(identification);
--- a/project-management/backend/src/main/java/io/metersphere/code/snippet/controller/CustomFunctionController.java
+++ b/project-management/backend/src/main/java/io/metersphere/code/snippet/controller/CustomFunctionController.java
@ -9,6 +9,8 @@ import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.request.CustomFunctionRequest;
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

 import java.util.List;
@ -25,16 +27,19 @@ public class CustomFunctionController {
    private CustomFunctionService customFunctionService;

    @PostMapping("/save")
+    @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+CREATE")
    public CustomFunctionWithBLOBs save(@RequestBody CustomFunctionRequest request) {
        return customFunctionService.save(request);
    }

    @GetMapping("/delete/{id}")
+    @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+DELETE")
    public void delete(@PathVariable String id) {
        customFunctionService.delete(id);
    }

    @PostMapping("/update")
+    @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+EDIT")
    public void update(@RequestBody CustomFunctionRequest request) {
        customFunctionService.update(request);
    }
@ -46,6 +51,7 @@ public class CustomFunctionController {
    }

    @GetMapping("/copy/{id}")
+    @RequiresPermissions("PROJECT_CUSTOM_CODE:READ+COPY")
    public CustomFunctionWithBLOBs copy(@PathVariable String id) {
        return customFunctionService.copy(id);
    }
@ -56,6 +62,7 @@ public class CustomFunctionController {
    }

    @PostMapping("/run")
+    @RequiresPermissions(value = {"PROJECT_CUSTOM_CODE:READ+CREATE", "PROJECT_CUSTOM_CODE:READ+COPY"}, logical = Logical.OR)
    public void run(@RequestBody Object request) {
        customFunctionService.run(request);
    }
--- a/project-management/backend/src/main/java/io/metersphere/controller/ApiTemplateController.java
+++ b/project-management/backend/src/main/java/io/metersphere/controller/ApiTemplateController.java
@ -12,9 +12,11 @@ import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.request.BaseQueryRequest;
 import io.metersphere.request.UpdateApiTemplateRequest;
 import io.metersphere.service.ApiTemplateService;
+import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.Logical;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

-import jakarta.annotation.Resource;
 import java.util.List;

@RequestMapping("field/template/api")
@ -25,35 +27,41 @@ public class ApiTemplateController {
    private ApiTemplateService apiTemplateService;

    @PostMapping("/add")
+    @RequiresPermissions("PROJECT_TEMPLATE:READ+API_TEMPLATE")
    @MsAuditLog(module = OperLogModule.WORKSPACE_TEMPLATE_SETTINGS_API, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#request.id)", msClass = ApiTemplateService.class)
    public void add(@RequestBody UpdateApiTemplateRequest request) {
        apiTemplateService.add(request);
    }

    @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(value = {"PROJECT_TEMPLATE:READ+API_TEMPLATE", "PROJECT_TEMPLATE:READ"}, logical = Logical.OR)
    public Pager<List<ApiTemplate>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody BaseQueryRequest request) {
        Page<List<ApiTemplate>> page = PageHelper.startPage(goPage, pageSize, true);
        return PageUtils.setPageInfo(page, apiTemplateService.list(request));
    }

    @GetMapping("/delete/{id}")
+    @RequiresPermissions("PROJECT_TEMPLATE:READ+API_TEMPLATE")
    @MsAuditLog(module = OperLogModule.WORKSPACE_TEMPLATE_SETTINGS_API, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = ApiTemplateService.class)
    public void delete(@PathVariable(value = "id") String id) {
        apiTemplateService.delete(id);
    }

    @PostMapping("/update")
+    @RequiresPermissions("PROJECT_TEMPLATE:READ+API_TEMPLATE")
    @MsAuditLog(module = OperLogModule.WORKSPACE_TEMPLATE_SETTINGS_API, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", content = "#msClass.getLogDetails(#request.id)", msClass = ApiTemplateService.class)
    public void update(@RequestBody UpdateApiTemplateRequest request) {
        apiTemplateService.update(request);
    }

    @GetMapping({"/option/{projectId}", "/option"})
+    @RequiresPermissions(value = {"PROJECT_TEMPLATE:READ+API_TEMPLATE", "PROJECT_TEMPLATE:READ"}, logical = Logical.OR)
    public List<ApiTemplate> list(@PathVariable(required = false) String projectId) {
        return apiTemplateService.getOption(projectId);
    }

    @GetMapping("/get-template/relate/{projectId}")
+    @RequiresPermissions(value = {"PROJECT_TEMPLATE:READ+API_TEMPLATE", "PROJECT_TEMPLATE:READ"}, logical = Logical.OR)
    public ApiTemplateDTO getTemplate(@PathVariable String projectId) {
        return apiTemplateService.getTemplate(projectId);
    }
--- a/project-management/backend/src/main/java/io/metersphere/controller/GroupController.java
+++ b/project-management/backend/src/main/java/io/metersphere/controller/GroupController.java
@ -19,12 +19,12 @@ import io.metersphere.request.GroupRequest;
 import io.metersphere.request.group.EditGroupRequest;
 import io.metersphere.request.group.EditGroupUserRequest;
 import io.metersphere.service.GroupService;
+import jakarta.annotation.Resource;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

-import jakarta.annotation.Resource;
 import java.util.List;
 import java.util.Map;
 import java.util.UUID;
@ -46,6 +46,7 @@ public class GroupController {
    }

    @GetMapping("/get/all")
+    @RequiresPermissions(value = {PermissionConstants.SYSTEM_GROUP_READ, PermissionConstants.SYSTEM_USER_READ, PermissionConstants.WORKSPACE_USER_READ}, logical = Logical.OR)
    public List<GroupDTO> getAllGroup() {
        return groupService.getAllGroup();
    }
@ -149,6 +150,7 @@ public class GroupController {

    @PostMapping("/edit/member")
    @MsRequestLog(module = OperLogModule.GROUP_PERMISSION)
+    @RequiresPermissions(value = {PermissionConstants.SYSTEM_GROUP_READ_EDIT, PermissionConstants.PROJECT_GROUP_READ_EDIT}, logical = Logical.OR)
    public void editGroupUser(@RequestBody EditGroupUserRequest request) {
        groupService.editGroupUser(request);
    }
--- a/project-management/backend/src/main/java/io/metersphere/controller/ProjectApplicationController.java
+++ b/project-management/backend/src/main/java/io/metersphere/controller/ProjectApplicationController.java
@ -3,13 +3,15 @@ package io.metersphere.controller;
 import io.metersphere.base.domain.ProjectApplication;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
-import io.metersphere.dto.ProjectConfig;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.request.ProjectApplicationRequest;
 import io.metersphere.service.ProjectApplicationService;
-import org.springframework.web.bind.annotation.*;
-
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
+import org.springframework.web.bind.annotation.PostMapping;
+import org.springframework.web.bind.annotation.RequestBody;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping(value = "/project_application")
@ -18,12 +20,14 @@ public class ProjectApplicationController {
    private ProjectApplicationService projectApplicationService;

    @PostMapping("/update")
+    @RequiresPermissions("PROJECT_APP_MANAGER:READ+EDIT")
    @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MANAGER, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#projectApplication)", content = "#msClass.getLogDetails(#projectApplication)", msClass = ProjectApplicationService.class)
    public void updateProject(@RequestBody ProjectApplication projectApplication) {
        projectApplicationService.updateProjectApplication(projectApplication);
    }

    @PostMapping("/update/batch")
+    @RequiresPermissions("PROJECT_APP_MANAGER:READ+EDIT")
    @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MANAGER, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#projectApplication)", content = "#msClass.getLogDetails(#projectApplication)", msClass = ProjectApplicationService.class)
    public void updateProjectConfigBatch(@RequestBody ProjectApplicationRequest request) {
        projectApplicationService.updateProjectConfigBatch(request);
--- a/project-management/backend/src/main/java/io/metersphere/controller/ProjectController.java
+++ b/project-management/backend/src/main/java/io/metersphere/controller/ProjectController.java
@ -16,7 +16,6 @@ import io.metersphere.dto.ProjectDTO;
 import io.metersphere.dto.WorkspaceMemberDTO;
 import io.metersphere.i18n.Translator;
 import io.metersphere.log.annotation.MsAuditLog;
-import io.metersphere.log.annotation.MsRequestLog;
 import io.metersphere.request.AddProjectRequest;
 import io.metersphere.request.ProjectRequest;
 import io.metersphere.request.member.AddMemberRequest;
@ -40,8 +39,6 @@ public class ProjectController {
    @Resource
    private ProjectService projectService;
    @Resource
-    private BaseProjectService baseProjectService;
-    @Resource
    private BaseUserService baseUserService;
    @Resource
    private BaseCheckPermissionService baseCheckPermissionService;
@ -92,6 +89,7 @@ public class ProjectController {
    }

    @PostMapping("/member/update")
+    @RequiresPermissions("PROJECT_USER:READ+EDIT")
    @MsAuditLog(module = OperLogModule.PROJECT_PROJECT_MEMBER, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#memberDTO)", content = "#msClass.getLogDetails(#memberDTO)", msClass = BaseProjectService.class)
    public void updateMember(@RequestBody WorkspaceMemberDTO memberDTO) {
        projectService.updateMember(memberDTO);
@ -125,7 +123,7 @@ public class ProjectController {
    }

    @GetMapping("/member/delete/{projectId}/{userId}")
-    @MsRequestLog(module = OperLogModule.PROJECT_PROJECT_MEMBER)
+    @RequiresPermissions(PermissionConstants.PROJECT_USER_READ_DELETE)
    public void deleteProjectMember(@PathVariable String projectId, @PathVariable String userId) {
        String currentUserId = SessionUtils.getUser().getId();
        if (StringUtils.equals(userId, currentUserId)) {
@ -140,6 +138,7 @@ public class ProjectController {
    }

    @PostMapping("/member/add")
+    @RequiresPermissions("PROJECT_USER:READ+CREATE")
    public void addProjectMember(@RequestBody AddMemberRequest request) {
        projectService.addProjectMember(request);
    }
--- a/project-management/frontend/src/api/file.js
+++ b/project-management/frontend/src/api/file.js
@ -8,6 +8,10 @@ export function modifyFileMeta(param) {
  return post('/file/metadata/update', param);
 }

+export function getFileBytes(id) {
+  return get('/file/metadata/info/' + id);
+}
+
 export function pullGitFile(data) {
  let formData = new FormData();
  formData.append("request", new Blob([JSON.stringify(data)], {type: "application/json"}));
--- a/project-management/frontend/src/business/menu/file/edit/EditFileMetadata.vue
+++ b/project-management/frontend/src/business/menu/file/edit/EditFileMetadata.vue
@ -52,12 +52,14 @@
              <el-col :span="18" style="padding-top: 80px">
                <el-card
                  :body-style="{ padding: '0px' }"
-                  v-if="isImage(data.type) && !isRepositoryFile()"
+                  v-if="isImage(data) && !isRepositoryFile()"
                >
-                  <img
-                    :src="'/project/file/metadata/info/' + data.id"
-                    class="ms-edit-image"
-                  />
+                  <div v-loading="fileBase64Str==='' || fileBase64Str === 'loading'">
+                    <img
+                      :src="fileBase64Str"
+                      class="ms-edit-image"
+                    />
+                  </div>
                </el-card>
                <el-card :body-style="{ padding: '0px' }" v-else>
                  <div class="ms-edit-image">
@ -231,7 +233,7 @@
 <script>
 import {operationConfirm} from "metersphere-frontend/src/utils";
 import {getCurrentProjectID} from "metersphere-frontend/src/utils/token";
-import {getFileMetaPages, modifyFileMeta, pullGitFile, uploadFileMeta,} from "../../../../api/file";
+import {getFileBytes, getFileMetaPages, modifyFileMeta, pullGitFile, uploadFileMeta,} from "../../../../api/file";
 import FileVersionList from "@/business/menu/file/list/FileVersionList";
 import FileCaseRelevanceList from "@/business/menu/file/list/FileCaseRelevanceList";
 import {hasPermission} from "metersphere-frontend/src/utils/permission";
@ -249,6 +251,7 @@ export default {
    return {
      data: {},
      visible: false,
+      fileBase64Str: '',
      isFirst: false,
      isLast: false,
      isPullBtnLoading: false,
@ -389,6 +392,7 @@ export default {
      this.showPanel = "baseInfo";
      this.pageSize = size;
      this.currentPage = page;
+      this.fileBase64Str = '';
      this.total = t;
      this.data = data;
      this.results = this.metadataArray;
@ -436,8 +440,17 @@ export default {
        return type || "";
      }
    },
-    isImage(type) {
-      return type && this.images.indexOf(type.toLowerCase()) !== -1;
+    isImage(data) {
+      let type = data.type;
+      let isImage = type && this.images.indexOf(type.toLowerCase()) !== -1;
+      if (isImage && this.fileBase64Str === '') {
+        this.fileBase64Str = 'loading';
+        getFileBytes(data.id).then(res => {
+          let fileRsp = res.data;
+          this.fileBase64Str = "data:image/png;base64," + fileRsp.bytes;
+        })
+      }
+      return isImage;
    },
    download() {
      this.$emit("download", this.data);
--- a/project-management/frontend/src/business/menu/file/list/FileThumbnail.vue
+++ b/project-management/frontend/src/business/menu/file/list/FileThumbnail.vue
@ -4,7 +4,9 @@
      <el-row :gutter="20">
        <el-col :span="4" v-for="item in data" :key="item.id">
          <el-card :body-style="{ padding: '0px' }" class="ms-card-item" @click.native="handleView(item)">
-            <img :src="'/project/file/metadata/info/'+item.id" class="ms-image" v-if="isImage(item.type)"/>
+            <div v-loading="fileBase64Str==='' || fileBase64Str === 'loading'" v-if="isImage(item)">
+              <img :src="fileBase64Str" class="ms-edit-image"/>
+            </div>
            <div class="ms-image" v-else>
              <div class="ms-file">
                <div class="icon-title">{{ getType(item.type) }}</div>
@ -35,6 +37,7 @@
 <script>
 import MsTablePagination from "metersphere-frontend/src/components/pagination/TablePagination";
 import MsEditFileMetadata from "../edit/EditFileMetadata";
+import {getFileBytes} from "@/api/file";

 export default {
  name: "MsFileThumbnail",
@ -44,6 +47,7 @@ export default {
      currentPage: 1,
      pageSize: 10,
      total: 0,
+      fileBase64Str: '',
      images: ["bmp", "jpg", "png", "tif", "gif", "pcx", "tga", "exif", "fpx", "svg", "psd", "cdr", "pcd", "dxf", "ufo", "eps", "ai", "raw", "WMF", "webp", "avif", "apng", "jpeg"]
    };
  },
@ -56,6 +60,7 @@ export default {
    nodeTree: []
  },
  created() {
+    this.fileBase64Str = '';
    this.currentPage = this.page;
    this.pageSize = this.size;
    this.total = this.pageTotal;
@ -86,10 +91,22 @@ export default {
      return type || "";
    },
    change() {
+      this.fileBase64Str = '';
      this.$emit("change", this.pageSize, this.currentPage);
    },
-    isImage(type) {
-      return (type && this.images.indexOf(type.toLowerCase()) !== -1);
+    isImage(item) {
+      let type = item.type;
+      let isImage = (type && this.images.indexOf(type.toLowerCase()) !== -1);
+      if (isImage) {
+        if (isImage && this.fileBase64Str === '') {
+          this.fileBase64Str = 'loading';
+          getFileBytes(item.id).then(res => {
+            let fileRsp = res.data;
+            this.fileBase64Str = "data:image/png;base64," + fileRsp.bytes;
+          })
+        }
+      }
+      return isImage;
    }
  },
 }