fix: 修复权限相关问题

--bug=1013914 --user=刘瑞斌 【接口测试】只读用户权限,可以调用/project/list/{goPage}/{pageSize} https://www.tapd.cn/55049933/s/1179339
CaptainB 2022-06-10 20:43:42 +08:00 committed by f2c-ci-robot[bot]
parent 2dfb5568fb
commit 3de626c046
2 changed files with 55 additions and 21 deletions


@ -1,21 +1,20 @@
package io.metersphere.security.realm;
import io.metersphere.base.domain.Group;
import io.metersphere.base.domain.UserGroupPermission;
import io.metersphere.commons.user.SessionUser;
import io.metersphere.commons.utils.SessionUtils;
import io.metersphere.dto.GroupResourceDTO;
import io.metersphere.dto.UserDTO;
import io.metersphere.i18n.Translator;
import io.metersphere.service.UserService;
import org.apache.commons.lang3.StringUtils;
import org.apache.shiro.authc.*;
import org.apache.shiro.authz.AuthorizationInfo;
import org.apache.shiro.realm.AuthorizingRealm;
import org.apache.shiro.subject.PrincipalCollection;
import javax.annotation.Resource;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.*;
import java.util.stream.Collectors;
public abstract class BaseRealm extends AuthorizingRealm {
@ -44,12 +43,57 @@ public abstract class BaseRealm extends AuthorizingRealm {
@Override
public boolean isPermitted(PrincipalCollection principals, String permission) {
Set<String> permissions = Objects.requireNonNull(SessionUtils.getUser()).getGroupPermissions().stream()
.map(GroupResourceDTO::getUserGroupPermissions)
.flatMap(List::stream)
Map<String, List<UserGroupPermission>> userGroupPermissions = new HashMap<>();
Map<String, Group> group = new HashMap<>();
SessionUser user = Objects.requireNonNull(SessionUtils.getUser());
user.getUserGroups().forEach(ug -> user.getGroupPermissions().forEach(gp -> {
if (StringUtils.equals(gp.getGroup().getId(), ug.getGroupId())) {
userGroupPermissions.put(ug.getId(), gp.getUserGroupPermissions());
group.put(ug.getId(), gp.getGroup());
}
}));
Set<String> currentProjectPermissions = getCurrentProjectPermissions(userGroupPermissions, group, user);
if (currentProjectPermissions.contains(permission)) {
return true;
}
Set<String> currentWorkspacePermissions = getCurrentWorkspacePermissions(userGroupPermissions, group, user);
if (currentWorkspacePermissions.contains(permission)) {
return true;
}
Set<String> systemPermissions = getSystemPermissions(userGroupPermissions, group, user);
return systemPermissions.contains(permission);
}
private Set<String> getSystemPermissions(Map<String, List<UserGroupPermission>> userGroupPermissions, Map<String, Group> group, SessionUser user) {
return user.getUserGroups().stream()
.filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "SYSTEM"))
.filter(ug -> StringUtils.equals(ug.getSourceId(), "system") || StringUtils.equals(ug.getSourceId(), "'adminSourceId'"))
.flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
.map(UserGroupPermission::getPermissionId)
.collect(Collectors.toSet());
}
return permissions.contains(permission);
private Set<String> getCurrentWorkspacePermissions(Map<String, List<UserGroupPermission>> userGroupPermissions, Map<String, Group> group, SessionUser user) {
String currentWorkspaceId = SessionUtils.getCurrentWorkspaceId();
return user.getUserGroups().stream()
.filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "WORKSPACE"))
.filter(ug -> StringUtils.equals(ug.getSourceId(), currentWorkspaceId))
.flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
.map(UserGroupPermission::getPermissionId)
.collect(Collectors.toSet());
}
private Set<String> getCurrentProjectPermissions(Map<String, List<UserGroupPermission>> userGroupPermissions, Map<String, Group> group, SessionUser user) {
String currentProjectId = SessionUtils.getCurrentProjectId();
return user.getUserGroups().stream()
.filter(ug -> group.get(ug.getId()) != null && StringUtils.equals(group.get(ug.getId()).getType(), "PROJECT"))
.filter(ug -> StringUtils.equals(ug.getSourceId(), currentProjectId))
.flatMap(ug -> userGroupPermissions.get(ug.getId()).stream())
.map(UserGroupPermission::getPermissionId)
.collect(Collectors.toSet());
}
}
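Review bot: In `getSystemPermissions` the second filter compares `ug.getSourceId()` with the literal `"'adminSourceId'"`, which carries the single quotes inside the string, while the front-end `hasPermission` in this same commit compares against `adminSourceId` without them; a system group stored under that source id would never match on the server and its permissions would be silently dropped. The line should presumably read `StringUtils.equals(ug.getSourceId(), "adminSourceId")`. Separately, project and workspace scope are taken from `SessionUtils.getCurrentProjectId()` and `getCurrentWorkspaceId()`, whose origin is not visible here: if those values come from a client-supplied header, `isPermitted` evaluates the permission for the project the caller declares rather than for the resource the request actually targets, so each endpoint still has to tie its target id to that scope. In all three helpers `userGroupPermissions.get(ug.getId()).stream()` will throw if a group's permission list is null; falling back to `Collections.emptyList()` would make the check return `false` instead of failing with an exception.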


@ -34,16 +34,12 @@ export function hasPermission(permission) {
// todo 权限验证
let currentProjectPermissions = user.userGroups.filter(ug => ug.group && ug.group.type === 'PROJECT')
.filter(ug => ug.sourceId === getCurrentProjectID())
.map(ug => ug.userGroupPermissions)
.reduce((total, current) => {
return total.concat(current);
}, [])
.flatMap(ug => ug.userGroupPermissions)
.map(g => g.permissionId)
.reduce((total, current) => {
total.add(current);
return total;
}, new Set);
for (const p of currentProjectPermissions) {
if (p === permission) {
return true;
@ -52,10 +48,7 @@ export function hasPermission(permission) {
let currentWorkspacePermissions = user.userGroups.filter(ug => ug.group && ug.group.type === 'WORKSPACE')
.filter(ug => ug.sourceId === getCurrentWorkspaceId())
.map(ug => ug.userGroupPermissions)
.reduce((total, current) => {
return total.concat(current);
}, [])
.flatMap(ug => ug.userGroupPermissions)
.map(g => g.permissionId)
.reduce((total, current) => {
total.add(current);
@ -70,10 +63,7 @@ export function hasPermission(permission) {
let systemPermissions = user.userGroups.filter(gp => gp.group && gp.group.type === 'SYSTEM')
.filter(ug => ug.sourceId === 'system' || ug.sourceId === 'adminSourceId')
.map(ug => ug.userGroupPermissions)
.reduce((total, current) => {
return total.concat(current);
}, [])
.flatMap(ug => ug.userGroupPermissions)
.map(g => g.permissionId)
.reduce((total, current) => {
total.add(current);