refactor: 检查资源和组织关系

2023-12-14 16:39:35 +08:00 · 2023-12-14 16:39:35 +08:00 · 14cc01dcf1
parent d9b5bcb02e
commit 14cc01dcf1
6 changed files with 38 additions and 4 deletions
--- a/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties
@ -233,7 +233,7 @@ test_track.length_less_than=The title is too long, the length must be less than
 # check owner
 check_owner_project=The current user does not have permission to operate this project
 check_owner_test=The current user does not have permission to operate this test
-check_owner_case=The current user does not have permission to operate this use case
+check_owner_case=The current user does not have permission to operate this resource
 check_owner_plan=The current user does not have permission to operate this plan
 check_owner_review=The current user does not have permission to operate this review
 check_owner_comment=The current user does not have permission to manipulate this comment
--- a/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties
@ -233,7 +233,7 @@ test_track.length_less_than=标题过长，字数必须小于
 # check owner
 check_owner_project=当前用户没有操作此项目的权限
 check_owner_test=当前用户没有操作此测试的权限
-check_owner_case=当前用户没有操作此用例的权限
+check_owner_case=当前用户没有操作此资源的权限
 check_owner_plan=当前用户没有操作此计划的权限
 check_owner_review=当前用户没有操作此评审的权限
 check_owner_comment=当前用户没有操作此评论的权限
--- a/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties
@ -232,7 +232,7 @@ test_track.length_less_than=標題過長，字數必須小於
 # check owner
 check_owner_project=當前用戶沒有操作此項目的權限
 check_owner_test=當前用戶沒有操作此測試的權限
-check_owner_case=當前用戶沒有操作此用例的權限
+check_owner_case=當前用戶沒有操作此資源的權限
 check_owner_plan=當前用戶沒有操作此計劃的權限
 check_owner_review=當前用戶沒有操作此評審的權限
 check_owner_comment=當前用戶沒有操作此評論的權限
--- a/backend/services/system-setting/src/main/java/io/metersphere/system/mapper/ExtCheckOwnerMapper.java
+++ b/backend/services/system-setting/src/main/java/io/metersphere/system/mapper/ExtCheckOwnerMapper.java
@ -6,4 +6,6 @@ import java.util.List;

 public interface ExtCheckOwnerMapper {
    boolean checkoutOwner(@Param("table") String resourceType, @Param("projectId") String projectId, @Param("ids") List<String> ids);
+
+    boolean checkoutOrganizationOwner(@Param("table") String resourceType, @Param("organizationId") String organizationId, @Param("ids") List<String> ids);
 }
--- a/backend/services/system-setting/src/main/java/io/metersphere/system/mapper/ExtCheckOwnerMapper.xml
+++ b/backend/services/system-setting/src/main/java/io/metersphere/system/mapper/ExtCheckOwnerMapper.xml
@ -10,4 +10,14 @@
            #{id}
        </foreach>
    </select>
+
+    <select id="checkoutOrganizationOwner" resultType="boolean">
+        SELECT count(id) = ${ids.size()}
+        FROM ${table}
+        WHERE organization_id = #{organizationId}
+        and id in
+        <foreach collection="ids" item="id" separator="," open="(" close=")">
+            #{id}
+        </foreach>
+    </select>
 </mapper>
--- a/backend/services/system-setting/src/main/java/io/metersphere/system/security/CheckOwnerAspect.java
+++ b/backend/services/system-setting/src/main/java/io/metersphere/system/security/CheckOwnerAspect.java
@ -31,7 +31,8 @@ public class CheckOwnerAspect {

    private ExpressionParser parser = new SpelExpressionParser();
    private StandardReflectionParameterNameDiscoverer discoverer = new StandardReflectionParameterNameDiscoverer();
-
+    // 组织归属的资源
+    private static final List<String> orgResources = List.of("organization_parameter", "plugin_organization", "project", "service_integration");
    @Resource
    private ExtCheckOwnerMapper extCheckOwnerMapper;

@ -68,6 +69,14 @@ public class CheckOwnerAspect {
        String resourceType = checkOwner.resourceType();
        Expression titleExp = parser.parseExpression(resourceId);
        Object v = titleExp.getValue(context, Object.class);
+        if (orgResources.contains(resourceType)) {
+            handleOrganizationResource(v, resourceType);
+        } else {
+            handleProjectResource(v, resourceType);
+        }
+    }
+
+    private void handleProjectResource(Object v, String resourceType) {
        if (v instanceof String id) {
            if (!extCheckOwnerMapper.checkoutOwner(resourceType, SessionUtils.getCurrentProjectId(), List.of(id))) {
                throw new MSException(Translator.get("check_owner_case"));
@ -80,4 +89,17 @@ public class CheckOwnerAspect {
        }
    }

+    private void handleOrganizationResource(Object v, String resourceType) {
+        if (v instanceof String id) {
+            if (!extCheckOwnerMapper.checkoutOrganizationOwner(resourceType, SessionUtils.getCurrentOrganizationId(), List.of(id))) {
+                throw new MSException(Translator.get("check_owner_case"));
+            }
+        }
+        if (v instanceof List ids) {
+            if (!extCheckOwnerMapper.checkoutOrganizationOwner(resourceType, SessionUtils.getCurrentOrganizationId(), ids)) {
+                throw new MSException(Translator.get("check_owner_case"));
+            }
+        }
+    }
+
 }