fix: 场景创建权限相关#1005370

--bug=1005370 --user=lyh 【github#4887】接口场景-越权问题
https://www.tapd.cn/55049933/s/1052754
shiziyuan9527 2021-09-28 15:39:34 +08:00 committed by shiziyuan9527
parent 7c63b60b97
commit 391e4224a8
3 changed files with 7 additions and 6 deletions


@ -22,6 +22,7 @@ import io.metersphere.task.service.TaskService;
import io.metersphere.track.request.testcase.ApiCaseRelevanceRequest;
import io.metersphere.track.request.testplan.FileOperationRequest;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authz.annotation.Logical;
import org.apache.shiro.authz.annotation.RequiresPermissions;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
@ -96,7 +97,7 @@ public class ApiAutomationController {
@PostMapping(value = "/create")
@MsAuditLog(module = "api_automation", type = OperLogConstants.CREATE, title = "#request.name", content = "#msClass.getLogDetails(#request.id)", msClass = ApiAutomationService.class)
@RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_CREATE)
@RequiresPermissions(value={PermissionConstants.PROJECT_API_SCENARIO_READ_CREATE, PermissionConstants.PROJECT_API_SCENARIO_READ_COPY}, logical = Logical.OR)
@SendNotice(taskType = NoticeConstants.TaskType.API_AUTOMATION_TASK, event = NoticeConstants.Event.CREATE, mailTemplate = "api/AutomationCreate", subject = "接口自动化通知")
public ApiScenario create(@RequestPart("request") SaveApiScenarioRequest request, @RequestPart(value = "bodyFiles", required = false) List<MultipartFile> bodyFiles,
@RequestPart(value = "scenarioFiles", required = false) List<MultipartFile> scenarioFiles) {
@ -105,7 +106,7 @@ public class ApiAutomationController {
@PostMapping(value = "/update")
@MsAuditLog(module = "api_automation", type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", title = "#request.name", content = "#msClass.getLogDetails(#request.id)", msClass = ApiAutomationService.class)
@RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_EDIT)
@RequiresPermissions(value={PermissionConstants.PROJECT_API_SCENARIO_READ_EDIT, PermissionConstants.PROJECT_API_SCENARIO_READ_COPY}, logical = Logical.OR)
@SendNotice(taskType = NoticeConstants.TaskType.API_AUTOMATION_TASK, event = NoticeConstants.Event.UPDATE, mailTemplate = "api/AutomationUpdate", subject = "接口自动化通知")
public ApiScenario update(@RequestPart("request") SaveApiScenarioRequest request, @RequestPart(value = "bodyFiles", required = false) List<MultipartFile> bodyFiles,
@RequestPart(value = "scenarioFiles", required = false) List<MultipartFile> scenarioFiles) {
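Review bot: On `update`, adding `PermissionConstants.PROJECT_API_SCENARIO_READ_COPY` with `Logical.OR` lets an account that holds only the copy permission pass the server-side check for modifying an existing scenario, which widens edit access in a commit whose description says it addresses an over-privilege issue. `create` already accepts READ_COPY in this same change, so if a copied scenario is saved as a new record through `/create` (not verifiable here, since both method bodies lie outside the hunks), `/update` can stay at `@RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_EDIT)`. If the copy flow really has to go through `/update`, the service would need to confirm that the target scenario is the caller's own new copy, and a comment above the annotation should say why COPY is accepted there. The annotations shown check a permission name only; whether `request` is also tied to a project the caller belongs to is not visible in this diff and is worth confirming.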


@ -391,7 +391,7 @@ export default {
tip: this.$t('api_test.automation.copy'),
icon: "el-icon-document-copy",
exec: this.copy,
permissions: ['PROJECT_API_SCENARIO:READ+EDIT']
permissions: ['PROJECT_API_SCENARIO:READ+COPY']
},
{
tip: this.$t('commons.delete'),


@ -8,7 +8,7 @@
<el-link type="primary" style="margin-right: 20px" @click="openHis" v-if="path === '/api/automation/update'">{{ $t('operating_log.change_history') }}</el-link>
<el-button id="inputDelay" type="primary" size="small" v-prevent-re-click @click="editScenario"
title="ctrl + s" v-permission="['PROJECT_API_SCENARIO:READ+EDIT']">
title="ctrl + s" v-permission="['PROJECT_API_SCENARIO:READ+EDIT', 'PROJECT_API_SCENARIO:READ+CREATE', 'PROJECT_API_SCENARIO:READ+COPY']">
{{ $t('commons.save') }}
</el-button>
</div>
@ -146,7 +146,7 @@
:isReadOnly="scenarioDefinition.length < 1" @showPopover="showPopover"
:project-list="projectList" ref="envPopover" class="ms-message-right"/>
<el-tooltip v-if="!debugLoading" content="Ctrl + R" placement="top">
<el-dropdown split-button type="primary" @click="runDebug" class="ms-message-right" size="mini" @command="handleCommand">
<el-dropdown split-button type="primary" @click="runDebug" class="ms-message-right" size="mini" @command="handleCommand" v-permission="['PROJECT_API_SCENARIO:READ+EDIT', 'PROJECT_API_SCENARIO:READ+CREATE']">
{{ $t('api_test.request.debug') }}
<el-dropdown-menu slot="dropdown">
<el-dropdown-item>{{ $t('api_test.automation.generate_report') }}</el-dropdown-item>
@ -223,7 +223,7 @@
</el-col>
<!-- 按钮列表 -->
<el-col :span="3">
<div @click="fabClick">
<div @click="fabClick" v-permission="['PROJECT_API_SCENARIO:READ+EDIT', 'PROJECT_API_SCENARIO:READ+CREATE']">
<vue-fab id="fab" mainBtnColor="#783887" size="small" :global-options="globalOptions"
:click-auto-close="false" v-outside-click="outsideClick" ref="refFab">
<fab-item
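Review bot: The Save button's new `v-permission` list is the same whether the page is creating or editing, so a user holding only READ+CREATE or READ+COPY is also shown Save on an existing scenario; the `v-if="path === '/api/automation/update'"` on the link just above it shows the template already knows which mode it is in. Consider gating by mode, for example `v-permission="path === '/api/automation/update' ? ['PROJECT_API_SCENARIO:READ+EDIT'] : ['PROJECT_API_SCENARIO:READ+CREATE', 'PROJECT_API_SCENARIO:READ+COPY']"`, assuming the directive re-evaluates its binding (its implementation is not part of this diff). The debug dropdown and the fab `<div>` list EDIT and CREATE but not COPY, so a copy-only user can save but cannot debug or add steps; if that is intended, a short HTML comment beside them would record it. These directives only hide controls, so the `@RequiresPermissions` annotations on the endpoints remain the actual enforcement point and should match whatever split is chosen here.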