From 3de626c046109bf34fd90dc819789d2d488624b1 Mon Sep 17 00:00:00 2001
From: CaptainB
Date: Fri, 10 Jun 2022 20:43:42 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E5=A4=8D=E6=9D=83=E9=99=90?=
 =?UTF-8?q?=E7=9B=B8=E5=85=B3=E9=97=AE=E9=A2=98?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

--bug=1013914 --user=刘瑞斌 【接口测试】只读用户权限,可以调用/project/list/{goPage}/{pageSize} https://www.tapd.cn/55049933/s/1179339
---
 .../metersphere/security/realm/BaseRealm.java | 60 ++++++++++++++++---
 frontend/src/common/js/utils.js | 16 +----
 2 files changed, 55 insertions(+), 21 deletions(-)

diff --git a/backend/src/main/java/io/metersphere/security/realm/BaseRealm.java b/backend/src/main/java/io/metersphere/security/realm/BaseRealm.java
index e145d0d102..cb416e0d69 100644
--- a/backend/src/main/java/io/metersphere/security/realm/BaseRealm.java
+++ b/backend/src/main/java/io/metersphere/security/realm/BaseRealm.java
@@ -1,21 +1,20 @@
 package io.metersphere.security.realm;
+import io.metersphere.base.domain.Group;
 import io.metersphere.base.domain.UserGroupPermission;
 import io.metersphere.commons.user.SessionUser;
 import io.metersphere.commons.utils.SessionUtils;
-import io.metersphere.dto.GroupResourceDTO;
 import io.metersphere.dto.UserDTO;
 import io.metersphere.i18n.Translator;
 import io.metersphere.service.UserService;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.authc.*;
 import org.apache.shiro.authz.AuthorizationInfo;
 import org.apache.shiro.realm.AuthorizingRealm;
 import org.apache.shiro.subject.PrincipalCollection;
 import javax.annotation.Resource;
-import java.util.List;
-import java.util.Objects;
-import java.util.Set;
+import java.util.*;
 import java.util.stream.Collectors;
 public abstract class BaseRealm extends AuthorizingRealm {
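Review bot: The three explicit `java.util` imports are collapsed into the wildcard `import java.util.*;`, which is out of step with the rest of this import block, where every other name (including the new `Group` and `StringUtils`) is imported explicitly. Wildcard imports also make it harder to see at a glance which collection types a security-sensitive realm depends on, and they can silently pick up name clashes when new classes are added to the package. I would keep the explicit form and list `HashMap`, `List`, `Map`, `Objects` and `Set` individually, one `import java.util.X;` line each, in alphabetical order.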
@@ -44,12 +43,57 @@ public abstract class BaseRealm extends AuthorizingRealm {
 @Override
 public boolean isPermitted(PrincipalCollection principals, String permission) {
- Set permissions = Objects.requireNonNull(SessionUtils.getUser()).getGroupPermissions().stream()
- .map(GroupResourceDTO::getUserGroupPermissions)
- .flatMap(List::stream)
+ Map> userGroupPermissions = new HashMap<>();
+ Map group = new HashMap<>();
+ SessionUser user = Objects.requireNonNull(SessionUtils.getUser());
+ user.getUserGroups().forEach(ug -> user.getGroupPermissions().forEach(gp -> {
+ if (StringUtils.equals(gp.getGroup().getId(), ug.getGroupId())) {
+ userGroupPermissions.put(ug.getId(), gp.getUserGroupPermissions());
+ group.put(ug.getId(), gp.getGroup());
+ }
+ }));
+
+
+ Set currentProjectPermissions = getCurrentProjectPermissions(userGroupPermissions, group, user);
+ if (currentProjectPermissions.contains(permission)) {
+ return true;
+ }
+
+ Set currentWorkspacePermissions = getCurrentWorkspacePermissions(userGroupPermissions, group, user);
+ if (currentWorkspacePermissions.contains(permission)) {
+ return true;
+ }
+
+ Set systemPermissions = getSystemPermissions(userGroupPermissions, group, user);
+ return systemPermissions.contains(permission);
+ }
+
+ private Set getSystemPermissions(Map> userGroupPermissions, Map group, SessionUser user) {
+ return user.getUserGroups().stream()
+ .filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "SYSTEM"))
+ .filter(ug -> StringUtils.equals(ug.getSourceId(), "system") || StringUtils.equals(ug.getSourceId(), "'adminSourceId'"))
+ .flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
 .map(UserGroupPermission::getPermissionId)
 .collect(Collectors.toSet());
+ }
- return permissions.contains(permission);
+ private Set getCurrentWorkspacePermissions(Map> userGroupPermissions, Map group, SessionUser user) {
+ String currentWorkspaceId = SessionUtils.getCurrentWorkspaceId();
+ return user.getUserGroups().stream()
+ .filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "WORKSPACE"))
+ .filter(ug -> StringUtils.equals(ug.getSourceId(), currentWorkspaceId))
+ .flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
+ .map(UserGroupPermission::getPermissionId)
+ .collect(Collectors.toSet());
+ }
+
+ private Set getCurrentProjectPermissions(Map> userGroupPermissions, Map group, SessionUser user) {
+ String currentProjectId = SessionUtils.getCurrentProjectId();
+ return user.getUserGroups().stream()
+ .filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "PROJECT"))
+ .filter(ug -> StringUtils.equals(ug.getSourceId(), currentProjectId))
+ .flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
+ .map(UserGroupPermission::getPermissionId)
+ .collect(Collectors.toSet());
 }
 }
diff --git a/frontend/src/common/js/utils.js b/frontend/src/common/js/utils.js
index 2a7a48fda7..8adef78c28 100644
--- a/frontend/src/common/js/utils.js
+++ b/frontend/src/common/js/utils.js
@@ -34,16 +34,12 @@ export function hasPermission(permission) {
 // todo 权限验证
 let currentProjectPermissions = user.userGroups.filter(ug => ug.group && ug.group.type === 'PROJECT')
 .filter(ug => ug.sourceId === getCurrentProjectID())
- .map(ug => ug.userGroupPermissions)
- .reduce((total, current) => {
- return total.concat(current);
- }, [])
+ .flatMap(ug => ug.userGroupPermissions)
 .map(g => g.permissionId)
 .reduce((total, current) => {
 total.add(current);
 return total;
 }, new Set);
-
 for (const p of currentProjectPermissions) {
 if (p === permission) {
 return true;
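Review bot: In getSystemPermissions the second source-id comparison is against the Java literal `"'adminSourceId'"`, whose value contains the single-quote characters, whereas the frontend check in utils.js (later in this same patch) compares against the plain string `'adminSourceId'`; a system group whose sourceId is `adminSourceId` would therefore be rejected by the realm while the UI still shows it as permitted. Unless the stored value really includes the quotes, that filter should read `.filter(ug -> StringUtils.equals(ug.getSourceId(), "system") || StringUtils.equals(ug.getSourceId(), "adminSourceId"))`. This fails closed, so it is a functional rather than an escalation issue, but the realm is the authoritative check and the two implementations should agree. The scope literals `"PROJECT"`, `"WORKSPACE"` and `"SYSTEM"` are repeated across the three helpers and would be clearer as named constants, and the nested `forEach` in isPermitted walks every group permission once per user group, which a lookup keyed by `gp.getGroup().getId()` would avoid.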
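Review bot: `Array.prototype.flatMap` is an ES2019 library method, not syntax, so a transpiler alone does not cover it; whether this build ships a polyfill for the browsers the frontend targets is not visible here, so confirm that before relying on it, or keep the previous `reduce`/`concat` form. The same substitution is made in the two later hunks of this file (the `currentWorkspacePermissions` and `systemPermissions` chains), so one decision covers all three. Since this client-side check only mirrors the server-side realm for UI gating, a comment such as `// UI gating only; the backend realm's isPermitted is the authoritative check` at the top of hasPermission would make the intended trust boundary explicit. hasPermission starts before this hunk and continues after it.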
@@ -52,10 +48,7 @@ export function hasPermission(permission) {
 let currentWorkspacePermissions = user.userGroups.filter(ug => ug.group && ug.group.type === 'WORKSPACE')
 .filter(ug => ug.sourceId === getCurrentWorkspaceId())
- .map(ug => ug.userGroupPermissions)
- .reduce((total, current) => {
- return total.concat(current);
- }, [])
+ .flatMap(ug => ug.userGroupPermissions)
 .map(g => g.permissionId)
 .reduce((total, current) => {
 total.add(current);
@@ -70,10 +63,7 @@ export function hasPermission(permission) {
 let systemPermissions = user.userGroups.filter(gp => gp.group && gp.group.type === 'SYSTEM')
 .filter(ug => ug.sourceId === 'system' || ug.sourceId === 'adminSourceId')
- .map(ug => ug.userGroupPermissions)
- .reduce((total, current) => {
- return total.concat(current);
- }, [])
+ .flatMap(ug => ug.userGroupPermissions)
 .map(g => g.permissionId)
 .reduce((total, current) => {
 total.add(current);