refactor(系统设置)：增加权限校验

framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/constants/PermissionConstants.java

@@ -213,4 +213,14 @@ public class PermissionConstants {
     public static final String PROJECT_TEMPLATE_READ_API_TEMPLATE = "PROJECT_TEMPLATE:READ+API_TEMPLATE";
     public static final String PROJECT_TEMPLATE_READ_CUSTOM = "PROJECT_TEMPLATE:READ+CUSTOM";
     public static final String PROJECT_TEMPLATE_READ_REPORT_TEMPLATE = "PROJECT_TEMPLATE:READ+REPORT_TEMPLATE";
+
+
+    public static final String WORKSPACE_PROJECT_ENVIRONMENT_GROUP_READ = "WORKSPACE_PROJECT_ENVIRONMENT:READ+CREATE_GROUP";
+    public static final String WORKSPACE_PROJECT_ENVIRONMENT_GROUP_DELETE = "WORKSPACE_PROJECT_ENVIRONMENT:READ+DELETE_GROUP";
+    public static final String WORKSPACE_PROJECT_ENVIRONMENT_GROUP_EDIT = "WORKSPACE_PROJECT_ENVIRONMENT:READ+EDIT_GROUP";
+    public static final String WORKSPACE_PROJECT_ENVIRONMENT_GROUP_COPY = "WORKSPACE_PROJECT_ENVIRONMENT:READ+COPY_GROU";
+
+    public static final String SYSTEM_PLUGIN_DEL = "SYSTEM_PLUGIN:DEL";
+    public static final String SYSTEM_PLUGIN_UPLOAD = "SYSTEM_PLUGIN:UPLOAD";
+    public static final String SYSTEM_PLUGIN_READ = "SYSTEM_PLUGIN:READ";
 }

framework/sdk-parent/sdk/src/main/java/io/metersphere/controller/SystemParameterController.java

@@ -6,6 +6,7 @@ import io.metersphere.base.domain.UserHeader;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
 import io.metersphere.commons.constants.ParamConstants;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.request.HeaderRequest;
 import io.metersphere.dto.BaseSystemConfigDTO;
 import io.metersphere.ldap.domain.LdapInfo;
@@ -13,6 +14,7 @@ import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.notice.domain.MailInfo;
 import io.metersphere.service.BaseUserService;
 import io.metersphere.service.SystemParameterService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.core.env.Environment;
 import org.springframework.web.bind.annotation.*;
 
@@ -33,6 +35,7 @@ public class SystemParameterController {
 
 
     @PostMapping("/edit/email")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_PARAMETER_SETTING, type = OperLogConstants.UPDATE, title = "邮件设置", beforeEvent = "#msClass.getMailLogDetails()", content = "#msClass.getMailLogDetails()", msClass = SystemParameterService.class)
     public void editMail(@RequestBody List<SystemParameter> systemParameter) {
         systemParameterService.editMail(systemParameter);
@@ -59,11 +62,13 @@ public class SystemParameterController {
     }
 
     @GetMapping("/mail/info")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ)
     public MailInfo mailInfo() {
         return systemParameterService.mailInfo(ParamConstants.Classify.MAIL.getValue());
     }
 
     @GetMapping("/base/info")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ)
     public BaseSystemConfigDTO getBaseInfo() {
         return systemParameterService.getBaseInfo();
     }
@@ -74,6 +79,7 @@ public class SystemParameterController {
     }
 
     @PostMapping("/save/base")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_PARAMETER_SETTING, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getBaseLogDetails()", content = "#msClass.getBaseLogDetails()", msClass = SystemParameterService.class)
     public void saveBaseInfo(@RequestBody List<SystemParameter> systemParameter) {
         systemParameterService.saveBaseInfo(systemParameter);
@@ -85,17 +91,20 @@ public class SystemParameterController {
     }
 
     @PostMapping("/save/ldap")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_PARAMETER_SETTING, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails()", content = "#msClass.getLogDetails()", msClass = SystemParameterService.class)
     public void saveLdap(@RequestBody List<SystemParameter> systemParameter) {
         systemParameterService.saveLdap(systemParameter);
     }
 
     @GetMapping("/ldap/info")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ)
     public LdapInfo getLdapInfo() {
         return systemParameterService.getLdapInfo(ParamConstants.Classify.LDAP.getValue());
     }
 
     @PostMapping("save/header")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_PARAMETER_SETTING, type = OperLogConstants.UPDATE, title = "显示设置")
     public void saveHeader(@RequestBody UserHeader userHeader) {
         systemParameterService.saveHeader(userHeader);
@@ -117,6 +126,7 @@ public class SystemParameterController {
     }
 
     @PostMapping("/edit/info")
+    @RequiresPermissions(PermissionConstants.SYSTEM_SETTING_READ_EDIT)
     public SystemParameter editInfo(@RequestBody SystemParameter systemParameter) {
         systemParameterService.editInfo(systemParameter);
         return systemParameter;

framework/sdk-parent/sdk/src/main/java/io/metersphere/log/controller/OperatingLogController.java

@@ -3,11 +3,13 @@ package io.metersphere.log.controller;
 import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.metersphere.base.domain.OperatingLogWithBLOBs;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.log.service.OperatingLogService;
 import io.metersphere.log.vo.OperatingLogDTO;
 import io.metersphere.log.vo.OperatingLogRequest;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 
 import jakarta.annotation.Resource;
@@ -21,18 +23,21 @@ public class OperatingLogController {
     private OperatingLogService operatingLogService;
 
     @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_OPERATING_LOG_READ)
     public Pager<List<OperatingLogDTO>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody OperatingLogRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, operatingLogService.list(request));
     }
 
     @GetMapping("/get/{id}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_OPERATING_LOG_READ)
     public OperatingLogDTO get(@PathVariable String id) {
         return operatingLogService.get(id);
     }
 
 
     @PostMapping("/get/source/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_OPERATING_LOG_READ)
     public Pager<List<OperatingLogDTO>> findBySourceId(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody OperatingLogRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, operatingLogService.findBySourceId(request));

framework/sdk-parent/sdk/src/main/java/io/metersphere/quota/controller/QuotaController.java

@@ -5,6 +5,7 @@ import com.github.pagehelper.PageHelper;
 import io.metersphere.base.domain.Quota;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.commons.utils.SessionUtils;
@@ -13,6 +14,7 @@ import io.metersphere.quota.dto.QuotaConstants;
 import io.metersphere.quota.dto.QuotaResult;
 import io.metersphere.quota.service.QuotaManagementService;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 
 import jakarta.annotation.Resource;
@@ -28,6 +30,7 @@ public class QuotaController {
     private QuotaManagementService quotaManagementService;
 
     @GetMapping("/default/workspace")
+    @RequiresPermissions(PermissionConstants.SYSTEM_QUOTA_READ)
     public Quota getWsDefaultQuota() {
         return quotaManagementService.getDefaultQuota(QuotaConstants.DefaultType.workspace);
     }
@@ -38,6 +41,7 @@ public class QuotaController {
     }
 
     @PostMapping("/save/default/workspace")
+    @RequiresPermissions(PermissionConstants.SYSTEM_QUOTA_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_QUOTA_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#quota.id)", content = "#msClass.getLogDetails(#quota.id)", msClass = QuotaManagementService.class)
     public void saveWsDefaultQuota(@RequestBody Quota quota) {
         quota.setId(QuotaConstants.DefaultType.workspace.name());
@@ -55,6 +59,7 @@ public class QuotaController {
     }
 
     @PostMapping("/list/workspace/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_QUOTA_READ)
     public Pager<List<QuotaResult>> listWsQuota(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody Map<String, String> param) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, quotaManagementService.listWorkspaceQuota(param.get("name")));
@@ -67,12 +72,14 @@ public class QuotaController {
     }
 
     @PostMapping("/save")
+    @RequiresPermissions(PermissionConstants.SYSTEM_QUOTA_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_QUOTA_MANAGEMENT, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#quota.id)", content = "#msClass.getLogDetails(#quota.id)", msClass = QuotaManagementService.class)
     public void saveQuota(@RequestBody Quota quota) {
         quotaManagementService.saveQuota(quota);
     }
 
     @PostMapping("/delete")
+    @RequiresPermissions(PermissionConstants.SYSTEM_QUOTA_READ_EDIT)
     @MsAuditLog(module = OperLogModule.SYSTEM_QUOTA_MANAGEMENT, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#quota.id)", msClass = QuotaManagementService.class)
     public void delete(@RequestBody Quota quota) {
         quotaManagementService.deleteQuota(quota.getId());

system-setting/backend/src/main/java/io/metersphere/controller/EnvironmentGroupController.java

@@ -2,10 +2,12 @@ package io.metersphere.controller;
 
 import io.metersphere.base.domain.EnvironmentGroup;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.environment.dto.EnvironmentGroupRequest;
 import io.metersphere.log.annotation.MsRequestLog;
 import io.metersphere.service.EnvironmentGroupProjectService;
 import io.metersphere.service.EnvironmentGroupService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 
 import jakarta.annotation.Resource;
@@ -22,35 +24,41 @@ public class EnvironmentGroupController {
 
     @PostMapping("/add")
     @MsRequestLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_GROUP_READ)
     public EnvironmentGroup add(@RequestBody EnvironmentGroupRequest request) {
         return environmentGroupService.add(request);
     }
 
     @PostMapping("/batch/add")
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_READ_CREATE)
     public void batchAdd(@RequestBody EnvironmentGroupRequest request) {
         environmentGroupService.batchAdd(request);
     }
 
     @GetMapping("/delete/{id}")
     @MsRequestLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_GROUP_DELETE)
     public void delete(@PathVariable String id) {
         environmentGroupService.delete(id);
     }
 
     @PostMapping("/update")
     @MsRequestLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_GROUP_EDIT)
     public EnvironmentGroup update(@RequestBody EnvironmentGroupRequest request) {
         return environmentGroupService.update(request);
     }
 
     @PostMapping("/modify")
     @MsRequestLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_GROUP_EDIT)
     public void modify(@RequestBody EnvironmentGroupRequest request) {
         environmentGroupService.modify(request);
     }
 
     @GetMapping("/copy/{id}")
     @MsRequestLog(module = OperLogModule.PROJECT_ENVIRONMENT_SETTING)
+    @RequiresPermissions(PermissionConstants.WORKSPACE_PROJECT_ENVIRONMENT_GROUP_COPY)
     public void copy(@PathVariable String id) {
         environmentGroupService.copy(id);
     }

system-setting/backend/src/main/java/io/metersphere/controller/PluginController.java

@@ -3,11 +3,13 @@ package io.metersphere.controller;
 import io.metersphere.base.domain.Plugin;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.exception.MSException;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.request.PluginDTO;
 import io.metersphere.request.PluginRequest;
 import io.metersphere.service.PluginService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;
 
@@ -23,6 +25,7 @@ public class PluginController {
     private PluginService pluginService;
 
     @PostMapping("/add/{scenario}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_PLUGIN_UPLOAD)
     @MsAuditLog(module = OperLogModule.PLUGIN_MANAGE, type = OperLogConstants.CREATE, title = "#file.getOriginalFilename()", msClass = PluginService.class)
     public void create(@RequestPart(value = "file", required = false) MultipartFile file, @PathVariable String scenario) {
         if (file == null) {
@@ -32,16 +35,19 @@ public class PluginController {
     }
 
     @GetMapping("/list")
+    @RequiresPermissions(PermissionConstants.SYSTEM_PLUGIN_READ)
     public List<PluginDTO> list(String name) {
         return pluginService.list(name);
     }
 
     @GetMapping("/get/{id}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_PLUGIN_READ)
     public Plugin get(@PathVariable String id) {
         return pluginService.get(id);
     }
 
     @GetMapping("/delete/{scenario}/{id}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_PLUGIN_DEL)
     @MsAuditLog(module = OperLogModule.PLUGIN_MANAGE, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = PluginService.class)
     public void delete(@PathVariable String scenario, @PathVariable String id) {
         pluginService.delete(scenario, id);

system-setting/backend/src/main/java/io/metersphere/controller/TestResourcePoolController.java

@@ -4,6 +4,7 @@ import com.github.pagehelper.Page;
 import com.github.pagehelper.PageHelper;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.consul.CacheNode;
@@ -12,6 +13,7 @@ import io.metersphere.dto.UpdatePoolDTO;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.request.resourcepool.QueryResourcePoolRequest;
 import io.metersphere.service.TestResourcePoolService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 
 import jakarta.annotation.Resource;
@@ -28,6 +30,7 @@ public class TestResourcePoolController {
     @PostMapping("/add")
     @MsAuditLog(module = OperLogModule.SYSTEM_TEST_RESOURCE, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#testResourcePoolDTO.id)", msClass = TestResourcePoolService.class)
     @CacheNode // 把监控节点缓存起来
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ_CREATE)
     public TestResourcePoolDTO addTestResourcePool(@RequestBody TestResourcePoolDTO testResourcePoolDTO) {
         return testResourcePoolService.addTestResourcePool(testResourcePoolDTO);
     }
@@ -35,6 +38,7 @@ public class TestResourcePoolController {
     @GetMapping("/delete/{testResourcePoolId}")
     @MsAuditLog(module = OperLogModule.SYSTEM_TEST_RESOURCE, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#testResourcePoolId)", msClass = TestResourcePoolService.class)
     @CacheNode // 把监控节点缓存起来
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ_DELETE)
     public void deleteTestResourcePool(@PathVariable(value = "testResourcePoolId") String testResourcePoolId) {
         testResourcePoolService.deleteTestResourcePool(testResourcePoolId);
     }
@@ -42,6 +46,7 @@ public class TestResourcePoolController {
     @PostMapping("/update")
     @MsAuditLog(module = OperLogModule.SYSTEM_TEST_RESOURCE, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#testResourcePoolDTO.id)", content = "#msClass.getLogDetails(#testResourcePoolDTO.id)", msClass = TestResourcePoolService.class)
     @CacheNode // 把监控节点缓存起来
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ_EDIT)
     public void updateTestResourcePool(@RequestBody TestResourcePoolDTO testResourcePoolDTO) {
         testResourcePoolService.updateTestResourcePool(testResourcePoolDTO);
     }
@@ -49,6 +54,7 @@ public class TestResourcePoolController {
     @GetMapping("/update/{poolId}/{status}")
     @MsAuditLog(module = OperLogModule.SYSTEM_TEST_RESOURCE, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#poolId)", content = "#msClass.getLogDetails(#poolId)", msClass = TestResourcePoolService.class)
     @CacheNode // 把监控节点缓存起来
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ_EDIT)
     public void updateTestResourcePoolStatus(@PathVariable String poolId, @PathVariable String status) {
         testResourcePoolService.updateTestResourcePoolStatus(poolId, status);
     }
@@ -59,12 +65,14 @@ public class TestResourcePoolController {
     }
 
     @PostMapping("list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ)
     public Pager<List<TestResourcePoolDTO>> listResourcePools(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryResourcePoolRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, testResourcePoolService.listResourcePools(request));
     }
 
     @GetMapping("/list/quota/ws/valid/{workspaceId}")
+    @RequiresPermissions(PermissionConstants.SYSTEM_TEST_POOL_READ)
     public List<TestResourcePoolDTO> listWsValidQuotaResourcePools(@PathVariable String workspaceId) {
         return testResourcePoolService.listWsValidQuotaResourcePools(workspaceId);
     }