refactor(用例管理): 增加CheckOwner

2023-12-25 15:47:43 +08:00 · 2023-12-25 15:47:43 +08:00 · 29dcd4d422
parent a6d3c97375
commit 29dcd4d422
10 changed files with 72 additions and 0 deletions
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewController.java
@ -15,6 +15,7 @@ import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
 import io.metersphere.system.notice.annotation.SendNotice;
 import io.metersphere.system.notice.constants.NoticeConstants;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.PageUtils;
 import io.metersphere.system.utils.Pager;
 import io.metersphere.system.utils.SessionUtils;
@ -42,6 +43,7 @@ public class CaseReviewController {
    @PostMapping("/page")
    @Operation(summary = "用例管理-用例评审-用例列表查询")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Pager<List<CaseReviewDTO>> getFunctionalCasePage(@Validated @RequestBody CaseReviewPageRequest request) {
        Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "pos desc");
@ -51,6 +53,7 @@ public class CaseReviewController {
    @PostMapping("/module/count")
    @Operation(summary = "用例管理-用例评审-表格分页查询文件")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Map<String, Long> moduleCount(@Validated @RequestBody CaseReviewPageRequest request) {
        return caseReviewService.moduleCount(request);
    }
@ -60,6 +63,7 @@ public class CaseReviewController {
    @Log(type = OperationLogType.ADD, expression = "#msClass.addCaseReviewLog(#request)", msClass = CaseReviewLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.CASE_REVIEW_TASK, event = NoticeConstants.Event.CREATE, target = "#targetClass.getMainCaseReview(#request)", targetClass = CaseReviewNoticeService.class)
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_ADD)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void addCaseReview(@Validated @RequestBody CaseReviewRequest request) {
        caseReviewService.addCaseReview(request, SessionUtils.getUserId());
    }
@ -69,6 +73,7 @@ public class CaseReviewController {
    @Log(type = OperationLogType.COPY, expression = "#msClass.copyCaseReviewLog(#request)", msClass = CaseReviewLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.CASE_REVIEW_TASK, event = NoticeConstants.Event.CREATE, target = "#targetClass.getMainCaseReview(#request)", targetClass = CaseReviewNoticeService.class)
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_ADD)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void copyCaseReview(@Validated @RequestBody CaseReviewRequest request) {
        caseReviewService.addCaseReview(request, SessionUtils.getUserId());
    }
@ -78,6 +83,7 @@ public class CaseReviewController {
    @Log(type = OperationLogType.UPDATE, expression = "#msClass.updateCaseReviewLog(#request)", msClass = CaseReviewLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.CASE_REVIEW_TASK, event = NoticeConstants.Event.UPDATE, target = "#targetClass.getMainCaseReview(#request)", targetClass = CaseReviewNoticeService.class)
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void editCaseReview(@Validated({Updated.class}) @RequestBody CaseReviewRequest request) {
        caseReviewService.editCaseReview(request, SessionUtils.getUserId());
    }
@ -85,6 +91,7 @@ public class CaseReviewController {
    @GetMapping("/user-option/{projectId}")
    @Operation(summary = "用例管理-用例评审-获取具有评审权限的用户")
    @RequiresPermissions(value = {PermissionConstants.CASE_REVIEW_READ_ADD,PermissionConstants.CASE_REVIEW_READ_UPDATE}, logical = Logical.OR)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<User> getReviewUserList(@PathVariable String projectId, @Schema(description = "查询关键字，根据邮箱和用户名查询")
    @RequestParam(value = "keyword", required = false) String keyword) {
        return caseReviewService.getReviewUserList(projectId, keyword);
@ -93,6 +100,7 @@ public class CaseReviewController {
    @PostMapping("/edit/follower")
    @Operation(summary = "用例管理-用例评审-关注/取消关注用例")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getCaseReviewId()", resourceType = "case_review")
    public void editFollower(@Validated @RequestBody CaseReviewFollowerRequest request) {
        caseReviewService.editFollower(request.getCaseReviewId(), SessionUtils.getUserId());
    }
@ -101,6 +109,7 @@ public class CaseReviewController {
    @Operation(summary = "用例管理-用例评审-关联用例")
    @Log(type = OperationLogType.ASSOCIATE, expression = "#msClass.associateCaseLog(#request)", msClass = CaseReviewLogService.class)
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_RELEVANCE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void associateCase(@Validated @RequestBody CaseReviewAssociateRequest request) {
        caseReviewService.associateCase(request, SessionUtils.getUserId());
    }
@ -109,6 +118,7 @@ public class CaseReviewController {
    @Operation(summary = "用例管理-用例评审-取消关联用例")
    @Log(type = OperationLogType.DISASSOCIATE, expression = "#msClass.disAssociateCaseLog(#reviewId, #caseId)", msClass = CaseReviewLogService.class)
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_RELEVANCE)
+    @CheckOwner(resourceId = "#reviewId", resourceType = "case_review")
    public void disassociate(@PathVariable String reviewId, @PathVariable String caseId) {
        caseReviewService.disassociate(reviewId, caseId, SessionUtils.getUserId());
    }
@ -116,6 +126,7 @@ public class CaseReviewController {
    @PostMapping("/edit/pos")
    @Operation(summary = "用例管理-用例评审-拖拽排序")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void editPos(@Validated @RequestBody PosRequest request) {
        caseReviewService.editPos(request);
    }
@ -123,6 +134,7 @@ public class CaseReviewController {
    @GetMapping("/detail/{id}")
    @Operation(summary = "用例管理-用例评审-查看评审详情")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ)
+    @CheckOwner(resourceId = "#reviewId", resourceType = "case_review")
    public CaseReviewDTO getCaseReviewDetail(@PathVariable String id) {
        return caseReviewService.getCaseReviewDetail(id, SessionUtils.getUserId());
    }
@ -130,6 +142,7 @@ public class CaseReviewController {
    @PostMapping("batch/move")
    @Operation(summary = "用例管理-用例评审-批量移动用例评审")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void batchMoveCaseReview(@Validated @RequestBody CaseReviewBatchRequest request) {
        caseReviewService.batchMoveCaseReview(request, SessionUtils.getUserId());
    }
@ -139,6 +152,7 @@ public class CaseReviewController {
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_DELETE)
    @SendNotice(taskType = NoticeConstants.TaskType.CASE_REVIEW_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getMainCaseReview(#reviewId)", targetClass = CaseReviewNoticeService.class)
    @Log(type = OperationLogType.DELETE, expression = "#msClass.deleteFunctionalCaseLog(#reviewId)", msClass = CaseReviewLogService.class)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public void deleteCaseReview(@PathVariable String reviewId, @PathVariable String projectId) {
        caseReviewService.deleteCaseReview(reviewId, projectId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewFunctionalCaseController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewFunctionalCaseController.java
@ -14,6 +14,7 @@ import io.metersphere.functional.service.CaseReviewLogService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.PageUtils;
 import io.metersphere.system.utils.Pager;
 import io.metersphere.system.utils.SessionUtils;
@ -40,6 +41,7 @@ public class CaseReviewFunctionalCaseController {

    @GetMapping("/get-ids/{reviewId}")
    @Operation(summary = "用例管理-功能用例-评审列表-评审详情-获取已关联用例id集合(关联用例弹窗前调用)")
+    @CheckOwner(resourceId = "#reviewId", resourceType = "case_review")
    public List<String> getCaseIds(@PathVariable String reviewId) {
        return caseReviewFunctionalCaseService.getCaseIdsByReviewId(reviewId);
    }
@ -60,6 +62,7 @@ public class CaseReviewFunctionalCaseController {
    @PostMapping("/batch/disassociate")
    @Operation(summary = "用例管理-功能用例-评审列表-评审详情-列表-批量取消关联用例")
    @Log(type = OperationLogType.DISASSOCIATE, expression = "#msClass.batchDisassociateCaseLog(#request)", msClass = CaseReviewLogService.class)
+    @CheckOwner(resourceId = "#request.getReviewId()", resourceType = "case_review")
    public void batchDisassociate(@Validated @RequestBody BaseReviewCaseBatchRequest request) {
        caseReviewFunctionalCaseService.disassociate(request, SessionUtils.getUserId());
    }
@ -67,6 +70,7 @@ public class CaseReviewFunctionalCaseController {
    @PostMapping("/edit/pos")
    @Operation(summary = "用例管理-功能用例-评审列表-评审详情-列表-拖拽排序")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void editPos(@Validated @RequestBody CaseReviewFunctionalCasePosRequest request) {
        caseReviewFunctionalCaseService.editPos(request);
    }
@ -74,6 +78,7 @@ public class CaseReviewFunctionalCaseController {
    @PostMapping("/batch/review")
    @Operation(summary = "用例管理-功能用例-评审列表-评审详情-列表-批量评审")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_REVIEW)
+    @CheckOwner(resourceId = "#request.getReviewId()", resourceType = "case_review")
    public void batchReview(@Validated @RequestBody BatchReviewFunctionalCaseRequest request) {
        caseReviewFunctionalCaseService.batchReview(request, SessionUtils.getUserId());
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewModuleController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/CaseReviewModuleController.java
@ -6,6 +6,7 @@ import io.metersphere.functional.service.CaseReviewModuleService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.dto.sdk.BaseTreeNode;
 import io.metersphere.system.dto.sdk.request.NodeMoveRequest;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
@ -27,6 +28,7 @@ public class CaseReviewModuleController {
    @GetMapping("/tree/{projectId}")
    @Operation(summary = "用例管理-用例评审-模块-获取模块树")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<BaseTreeNode> getTree(@PathVariable String projectId) {
        return caseReviewModuleService.getTree(projectId);
    }
@ -34,6 +36,7 @@ public class CaseReviewModuleController {
    @PostMapping("/add")
    @Operation(summary = "用例管理-用例评审-模块-添加模块")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_ADD)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void add(@RequestBody @Validated CaseReviewModuleCreateRequest request) {
        caseReviewModuleService.add(request, SessionUtils.getUserId());
    }
@ -41,6 +44,7 @@ public class CaseReviewModuleController {
    @PostMapping("/update")
    @Operation(summary = "用例管理-用例评审-模块-修改模块")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getId()", resourceType = "case_review_module")
    public void list(@RequestBody @Validated CaseReviewModuleUpdateRequest request) {
        caseReviewModuleService.update(request, SessionUtils.getUserId());
    }
@ -48,6 +52,7 @@ public class CaseReviewModuleController {
    @PostMapping("/move")
    @Operation(summary = "用例管理-用例评审-模块-移动模块")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getDragNodeId()", resourceType = "case_review_module")
    public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
        caseReviewModuleService.moveNode(request, SessionUtils.getUserId());
    }
@ -55,6 +60,7 @@ public class CaseReviewModuleController {
    @GetMapping("/delete/{moduleId}")
    @Operation(summary = "用例管理-用例评审-模块-删除模块")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_READ_DELETE)
+    @CheckOwner(resourceId = "#moduleId", resourceType = "case_review_module")
    public void deleteNode(@PathVariable String moduleId) {
        caseReviewModuleService.deleteModule(moduleId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseAttachmentController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseAttachmentController.java
@ -19,6 +19,7 @@ import io.metersphere.sdk.util.FileAssociationSourceUtil;
 import io.metersphere.sdk.util.Translator;
 import io.metersphere.system.dto.sdk.BaseTreeNode;
 import io.metersphere.system.log.constants.OperationLogModule;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.Pager;
 import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
@ -56,6 +57,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/page")
    @Operation(summary = "用例管理-功能用例-附件-关联文件列表分页接口")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Pager<List<FileInformationResponse>> page(@Validated @RequestBody FileMetadataTableRequest request) {
        return fileMetadataService.page(request);
    }
@ -64,6 +66,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/preview")
    @Operation(summary = "用例管理-功能用例-附件-文件预览")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public ResponseEntity<byte[]> preview(@Validated @RequestBody FunctionalCaseFileRequest request) throws Exception {
        if (request.getLocal()) {
            //本地
@ -78,6 +81,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/download")
    @Operation(summary = "用例管理-功能用例-附件-文件下载")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public ResponseEntity<byte[]> download(@Validated @RequestBody FunctionalCaseFileRequest request) throws Exception {
        if (request.getLocal()) {
            //本地
@ -100,6 +104,7 @@ public class FunctionalCaseAttachmentController {
    @GetMapping("/update/{projectId}/{id}")
    @Operation(summary = "用例管理-功能用例-附件-更新文件")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public String update(@PathVariable String projectId, @PathVariable String id) {
        FileLogRecord fileLogRecord = FileLogRecord.builder()
                .logModule(OperationLogModule.FUNCTIONAL_CASE)
@ -113,6 +118,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/transfer")
    @Operation(summary = "用例管理-功能用例-附件-文件转存")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public String transfer(@Validated @RequestBody AttachmentTransferRequest request) {
        byte[] fileByte = functionalCaseAttachmentService.getFileByte(request);
        FunctionalCaseAttachment attachment = functionalCaseAttachmentService.getAttachment(request);
@ -139,6 +145,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/upload/file")
    @Operation(summary = "用例管理-功能用例-上传文件并关联用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void uploadFile(@Validated @RequestPart("request") FunctionalCaseAssociationFileRequest request, @RequestPart(value = "file", required = false) MultipartFile file) {
        String userId = SessionUtils.getUserId();
        functionalCaseAttachmentService.uploadOrAssociationFile(request, file, userId);
@ -147,6 +154,7 @@ public class FunctionalCaseAttachmentController {
    @PostMapping("/delete/file")
    @Operation(summary = "用例管理-功能用例-删除文件并取消关联用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void deleteFile(@Validated @RequestBody FunctionalCaseDeleteFileRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseAttachmentService.deleteFile(request, userId);
@ -156,6 +164,7 @@ public class FunctionalCaseAttachmentController {
    @GetMapping("/options/{projectId}")
    @Operation(summary = "用例管理-功能用例-附件-转存目录下拉框")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<BaseTreeNode> options(@PathVariable String projectId) {
        return fileModuleService.getTree(projectId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseCommentController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseCommentController.java
@ -5,6 +5,7 @@ import io.metersphere.functional.dto.FunctionalCaseCommentDTO;
 import io.metersphere.functional.request.FunctionalCaseCommentRequest;
 import io.metersphere.functional.service.FunctionalCaseCommentService;
 import io.metersphere.sdk.constants.PermissionConstants;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.metersphere.validation.groups.Created;
 import io.metersphere.validation.groups.Updated;
@ -28,6 +29,7 @@ public class FunctionalCaseCommentController {
    @PostMapping("/save")
    @Operation(summary = "用例管理-功能用例-用例评论-创建评论")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_COMMENT)
+    @CheckOwner(resourceId = "#functionalCaseCommentRequest.getCaseId()", resourceType = "functional_case")
    public FunctionalCaseComment saveComment(@Validated({Created.class}) @RequestBody FunctionalCaseCommentRequest functionalCaseCommentRequest) {
        return functionalCaseCommentService.saveComment(functionalCaseCommentRequest, SessionUtils.getUserId());
    }
@ -35,6 +37,7 @@ public class FunctionalCaseCommentController {
    @PostMapping("/update")
    @Operation(summary = "用例管理-功能用例-用例评论-修改评论")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_COMMENT)
+    @CheckOwner(resourceId = "#functionalCaseCommentRequest.getCaseId()", resourceType = "functional_case")
    public FunctionalCaseComment updateComment(@Validated({Updated.class}) @RequestBody FunctionalCaseCommentRequest functionalCaseCommentRequest) {
        return functionalCaseCommentService.updateComment(functionalCaseCommentRequest, SessionUtils.getUserId());
    }
@ -49,6 +52,7 @@ public class FunctionalCaseCommentController {
    @GetMapping("/get/list/{caseId}")
    @Operation(summary = "用例管理-功能用例-用例评论-获取用例评论")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_COMMENT)
+    @CheckOwner(resourceId = "#caseId", resourceType = "functional_case")
    public List<FunctionalCaseCommentDTO> getCommentList(@PathVariable String caseId) {
       return functionalCaseCommentService.getCommentList(caseId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseController.java
@ -21,6 +21,7 @@ import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
 import io.metersphere.system.notice.annotation.SendNotice;
 import io.metersphere.system.notice.constants.NoticeConstants;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.PageUtils;
 import io.metersphere.system.utils.Pager;
 import io.metersphere.system.utils.SessionUtils;
@ -56,6 +57,7 @@ public class FunctionalCaseController {
    @GetMapping("/default/template/field/{projectId}")
    @Operation(summary = "用例管理-功能用例-获取默认模板自定义字段")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_ADD)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public TemplateDTO getDefaultTemplateField(@PathVariable String projectId) {
        TemplateDTO defaultTemplateDTO = projectTemplateService.getDefaultTemplateDTO(projectId, TemplateScene.FUNCTIONAL.name());
        return defaultTemplateDTO;
@ -67,6 +69,7 @@ public class FunctionalCaseController {
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_ADD)
    @Log(type = OperationLogType.ADD, expression = "#msClass.addFunctionalCaseLog(#request, #files)", msClass = FunctionalCaseLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.FUNCTIONAL_CASE_TASK, event = NoticeConstants.Event.CREATE, target = "#targetClass.getMainFunctionalCaseDTO(#request.name, #request.caseEditType, #request.projectId, #request.customFields)", targetClass = FunctionalCaseNoticeService.class)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public FunctionalCase addFunctionalCase(@Validated @RequestPart("request") FunctionalCaseAddRequest request, @RequestPart(value = "files", required = false) List<MultipartFile> files) {
        String userId = SessionUtils.getUserId();
        return functionalCaseService.addFunctionalCase(request, files, userId);
@ -76,6 +79,7 @@ public class FunctionalCaseController {
    @GetMapping("/detail/{id}")
    @Operation(summary = "用例管理-功能用例-查看用例详情")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#id", resourceType = "functional_case")
    public FunctionalCaseDetailDTO getFunctionalCaseDetail(@PathVariable String id) {
        String userId = SessionUtils.getUserId();
        return functionalCaseService.getFunctionalCaseDetail(id, userId);
@ -87,6 +91,7 @@ public class FunctionalCaseController {
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
    @Log(type = OperationLogType.UPDATE, expression = "#msClass.updateFunctionalCaseLog(#request, #files)", msClass = FunctionalCaseLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.FUNCTIONAL_CASE_TASK, event = NoticeConstants.Event.UPDATE, target = "#targetClass.getMainFunctionalCaseDTO(#request.name, #request.caseEditType, #request.projectId, #request.customFields)", targetClass = FunctionalCaseNoticeService.class)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public FunctionalCase updateFunctionalCase(@Validated @RequestPart("request") FunctionalCaseEditRequest request, @RequestPart(value = "files", required = false) List<MultipartFile> files) {
        String userId = SessionUtils.getUserId();
        return functionalCaseService.updateFunctionalCase(request, files, userId);
@ -105,6 +110,7 @@ public class FunctionalCaseController {
    @GetMapping("/version/{id}")
    @Operation(summary = "用例管理-功能用例-版本信息(用例是否存在多版本)")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#id", resourceType = "functional_case")
    public List<FunctionalCaseVersionDTO> getVersion(@PathVariable @NotBlank(message = "{functional_case.id.not_blank}") String id) {
        return functionalCaseService.getFunctionalCaseVersion(id);
    }
@ -115,6 +121,7 @@ public class FunctionalCaseController {
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
    @Log(type = OperationLogType.DELETE, expression = "#msClass.deleteFunctionalCaseLog(#request)", msClass = FunctionalCaseLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.FUNCTIONAL_CASE_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getDeleteFunctionalCaseDTO(#request.id)", targetClass = FunctionalCaseNoticeService.class)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void deleteFunctionalCase(@Validated @RequestBody FunctionalCaseDeleteRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseService.deleteFunctionalCase(request, userId);
@ -124,6 +131,7 @@ public class FunctionalCaseController {
    @PostMapping("/page")
    @Operation(summary = "用例管理-功能用例-用例列表查询")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Pager<List<FunctionalCasePageDTO>> getFunctionalCasePage(@Validated @RequestBody FunctionalCasePageRequest request) {
        Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "pos desc");
@ -133,6 +141,7 @@ public class FunctionalCaseController {
    @PostMapping("/module/count")
    @Operation(summary = "用例管理-功能用例-表格分页查询文件")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Map<String, Long> moduleCount(@Validated @RequestBody FunctionalCasePageRequest request) {
        return functionalCaseService.moduleCount(request, false);
    }
@ -142,6 +151,7 @@ public class FunctionalCaseController {
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
    @Log(type = OperationLogType.DELETE, expression = "#msClass.batchDeleteFunctionalCaseLog(#request)", msClass = FunctionalCaseLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.FUNCTIONAL_CASE_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getBatchDeleteFunctionalCaseDTO(#request)", targetClass = FunctionalCaseNoticeService.class)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void batchDeleteFunctionalCaseToGc(@Validated @RequestBody FunctionalCaseBatchRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseService.batchDeleteFunctionalCaseToGc(request, userId);
@ -150,6 +160,7 @@ public class FunctionalCaseController {
    @GetMapping("/custom/field/{projectId}")
    @Operation(summary = "用例管理-功能用例-获取表头自定义字段(高级搜索中的自定义字段)")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<CustomFieldOptions> getTableCustomField(@PathVariable String projectId) {
        return projectTemplateService.getTableCustomField(projectId, TemplateScene.FUNCTIONAL.name());
    }
@ -157,6 +168,7 @@ public class FunctionalCaseController {
    @PostMapping("/batch/move")
    @Operation(summary = "用例管理-功能用例-批量移动用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void batchMoveFunctionalCase(@Validated @RequestBody FunctionalCaseBatchMoveRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseService.batchMoveFunctionalCase(request, userId);
@ -166,6 +178,7 @@ public class FunctionalCaseController {
    @PostMapping("/batch/copy")
    @Operation(summary = "用例管理-功能用例-批量复制用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void batchCopyFunctionalCase(@Validated @RequestBody FunctionalCaseBatchMoveRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseService.batchCopyFunctionalCase(request, userId);
@ -177,6 +190,7 @@ public class FunctionalCaseController {
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
    @Log(type = OperationLogType.UPDATE, expression = "#msClass.batchEditFunctionalCaseLog(#request)", msClass = FunctionalCaseLogService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.FUNCTIONAL_CASE_TASK, event = NoticeConstants.Event.UPDATE, target = "#targetClass.getBatchEditFunctionalCaseDTO(#request)", targetClass = FunctionalCaseNoticeService.class)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void batchEditFunctionalCase(@Validated @RequestBody FunctionalCaseBatchEditRequest request) {
        String userId = SessionUtils.getUserId();
        functionalCaseService.batchEditFunctionalCase(request, userId);
@ -186,6 +200,7 @@ public class FunctionalCaseController {
    @PostMapping("edit/pos")
    @Operation(summary = "用例管理-功能用例-拖拽排序")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void editPos(@Validated @RequestBody PosRequest request) {
        functionalCaseService.editPos(request);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseModuleController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseModuleController.java
@ -6,6 +6,7 @@ import io.metersphere.functional.service.FunctionalCaseModuleService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.dto.sdk.BaseTreeNode;
 import io.metersphere.system.dto.sdk.request.NodeMoveRequest;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
@ -27,6 +28,7 @@ public class FunctionalCaseModuleController {
    @GetMapping("/tree/{projectId}")
    @Operation(summary = "用例管理-功能用例-模块-获取模块树")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<BaseTreeNode> getTree(@PathVariable String projectId) {
        return functionalCaseModuleService.getTree(projectId);
    }
@ -34,6 +36,7 @@ public class FunctionalCaseModuleController {
    @PostMapping("/add")
    @Operation(summary = "用例管理-功能用例-模块-添加模块")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_ADD)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void add(@RequestBody @Validated FunctionalCaseModuleCreateRequest request) {
        functionalCaseModuleService.add(request, SessionUtils.getUserId());
    }
@ -41,6 +44,7 @@ public class FunctionalCaseModuleController {
    @PostMapping("/update")
    @Operation(summary = "用例管理-功能用例-模块-修改模块")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getId()", resourceType = "functional_case_module")
    public void list(@RequestBody @Validated FunctionalCaseModuleUpdateRequest request) {
        functionalCaseModuleService.update(request, SessionUtils.getUserId());
    }
@ -48,6 +52,7 @@ public class FunctionalCaseModuleController {
    @PostMapping("/move")
    @Operation(summary = "用例管理-功能用例-模块-移动模块")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_UPDATE)
+    @CheckOwner(resourceId = "#request.getDragNodeId()", resourceType = "functional_case_module")
    public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
        functionalCaseModuleService.moveNode(request, SessionUtils.getUserId());
    }
@ -55,6 +60,7 @@ public class FunctionalCaseModuleController {
    @GetMapping("/delete/{moduleId}")
    @Operation(summary = "用例管理-功能用例-模块-删除模块")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
+    @CheckOwner(resourceId = "#moduleId", resourceType = "functional_case_module")
    public void deleteNode(@PathVariable String moduleId) {
        functionalCaseModuleService.deleteModule(moduleId);
    }
@ -62,6 +68,7 @@ public class FunctionalCaseModuleController {
    @GetMapping("/trash/tree/{projectId}")
    @Operation(summary = "用例管理-功能用例-回收站-模块-获取模块树")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
    public List<BaseTreeNode> getTrashTree(@PathVariable String projectId) {
        return functionalCaseModuleService.getTrashTree(projectId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseReviewController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseReviewController.java
@ -7,6 +7,7 @@ import io.metersphere.functional.dto.FunctionalCaseReviewDTO;
 import io.metersphere.functional.request.FunctionalCaseReviewListRequest;
 import io.metersphere.functional.service.FunctionalCaseReviewService;
 import io.metersphere.sdk.constants.PermissionConstants;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.PageUtils;
 import io.metersphere.system.utils.Pager;
 import io.swagger.v3.oas.annotations.Operation;
@ -29,6 +30,7 @@ public class FunctionalCaseReviewController {
    @PostMapping("/page")
    @Operation(summary = "用例管理-功能用例-评审-列表")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getCaseId()", resourceType = "functional_case")
    public Pager<List<FunctionalCaseReviewDTO>> getFunctionalCasePage(@Validated @RequestBody FunctionalCaseReviewListRequest request) {
        Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(), "update_time desc");
        return PageUtils.setPageInfo(page, functionalCaseReviewService.getFunctionalCaseReviewPage(request));
@ -37,6 +39,7 @@ public class FunctionalCaseReviewController {
    @GetMapping("/comment/{caseId}")
    @Operation(summary = "用例管理-功能用例-评审-评论")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#caseId", resourceType = "functional_case")
    public List<CaseReviewHistoryDTO> getCaseReviewHistory(@PathVariable String caseId) {
        return functionalCaseReviewService.getCaseReviewHistory(caseId);
    }
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseTrashController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/FunctionalCaseTrashController.java
@ -12,6 +12,7 @@ import io.metersphere.functional.service.FunctionalCaseTrashService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.PageUtils;
 import io.metersphere.system.utils.Pager;
 import io.metersphere.system.utils.SessionUtils;
@ -38,6 +39,7 @@ public class FunctionalCaseTrashController {
    @PostMapping("/page")
    @Operation(summary = "用例管理-功能用例-回收站-用例列表查询")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Pager<List<FunctionalCasePageDTO>> getFunctionalCasePage(@Validated @RequestBody FunctionalCasePageRequest request) {
        Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "create_time desc");
@ -47,6 +49,7 @@ public class FunctionalCaseTrashController {
    @PostMapping("/module/count")
    @Operation(summary = "用例管理-功能用例-回收站-表格分页查询文件")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public Map<String, Long> moduleCount(@Validated @RequestBody FunctionalCasePageRequest request) {
        return functionalCaseService.moduleCount(request, true);
    }
@ -55,6 +58,7 @@ public class FunctionalCaseTrashController {
    @Operation(summary = "用例管理-功能用例-回收站-恢复用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
    @Log(type = OperationLogType.RECOVER, expression = "#msClass.recoverLog(#id)", msClass = FunctionalCaseLogService.class)
+    @CheckOwner(resourceId = "#id", resourceType = "functional_case")
    public void recoverCase(@PathVariable String id) {
        functionalCaseTrashService.recoverCase(id, SessionUtils.getUserId());
    }
@ -62,6 +66,7 @@ public class FunctionalCaseTrashController {
    @PostMapping("/batch/recover")
    @Operation(summary = "用例管理-功能用例-回收站-批量恢复用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    @Log(type = OperationLogType.RECOVER, expression = "#msClass.batchRecoverLog(#request)", msClass = FunctionalCaseLogService.class)
    public void batchRecoverCase(@Validated @RequestBody FunctionalCaseBatchRequest request) {
        functionalCaseTrashService.batchRecoverCase(request, SessionUtils.getUserId());
@ -71,6 +76,7 @@ public class FunctionalCaseTrashController {
    @Operation(summary = "用例管理-功能用例-回收站-彻底删除用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
    @Log(type = OperationLogType.DELETE, expression = "#msClass.deleteTrashCaseLog(#id)", msClass = FunctionalCaseLogService.class)
+    @CheckOwner(resourceId = "#id", resourceType = "functional_case")
    public void deleteCase(@PathVariable String id) {
        functionalCaseTrashService.deleteCase(id, SessionUtils.getUserId());
    }
@ -78,6 +84,7 @@ public class FunctionalCaseTrashController {
    @PostMapping("/batch/delete")
    @Operation(summary = "用例管理-功能用例-回收站-批量彻底删除用例")
    @RequiresPermissions(PermissionConstants.FUNCTIONAL_CASE_READ_DELETE)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    @Log(type = OperationLogType.DELETE, expression = "#msClass.batchDeleteTrashCaseLog(#request)", msClass = FunctionalCaseLogService.class)
    public void batchDeleteCase(@Validated @RequestBody FunctionalCaseBatchRequest request) {
        functionalCaseTrashService.batchDeleteCase(request, SessionUtils.getUserId());
--- a/backend/services/case-management/src/main/java/io/metersphere/functional/controller/ReviewFunctionalCaseController.java
+++ b/backend/services/case-management/src/main/java/io/metersphere/functional/controller/ReviewFunctionalCaseController.java
@ -4,6 +4,7 @@ import io.metersphere.functional.dto.CaseReviewHistoryDTO;
 import io.metersphere.functional.request.ReviewFunctionalCaseRequest;
 import io.metersphere.functional.service.ReviewFunctionalCaseService;
 import io.metersphere.sdk.constants.PermissionConstants;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
@ -25,6 +26,7 @@ public class ReviewFunctionalCaseController {
    @PostMapping("/save")
    @Operation(summary = "用例管理-用例评审-评审功能用例-提交评审")
    @RequiresPermissions(PermissionConstants.CASE_REVIEW_REVIEW)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
    public void saveReview(@Validated @RequestBody ReviewFunctionalCaseRequest request) {
        reviewFunctionalCaseService.saveReview(request, SessionUtils.getUserId());
    }