diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionModuleController.java b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionModuleController.java
index 3b98df58c6..6085921098 100644
--- a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionModuleController.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionModuleController.java
@@ -14,6 +14,7 @@ import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -64,6 +65,7 @@ public class ApiDefinitionModuleController {
 @PostMapping("/move")
 @Operation(summary = "接口测试-接口管理-模块-移动模块")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_UPDATE)
+ @CheckOwner(resourceId = "#request.dragNodeId", resourceType = "api_definition_module")
 public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
 apiDefinitionModuleService.moveNode(request, SessionUtils.getUserId());
 }
@@ -94,6 +96,8 @@ public class ApiDefinitionModuleController {
 @PostMapping("/env/tree")
 @Operation(summary = "获取环境中的接口树和选中的模块")
+ @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
+ @RequiresPermissions(value = {PermissionConstants.PROJECT_API_DEFINITION_READ, PermissionConstants.PROJECT_ENVIRONMENT_READ}, logical = Logical.OR)
 public EnvApiTreeDTO envTree(@RequestBody @Validated EnvApiModuleRequest request) {
 return apiDefinitionModuleService.envTree(request);
 }
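Review bot: The ownership check added to moveNode binds only `#request.dragNodeId`; if NodeMoveRequest also carries a drop-target node id (its field names are not visible here), that second id stays unchecked, so a node the caller owns could be moved under a module belonging to a project the caller is not a member of. Either add a second check on the target id (if `@CheckOwner` is repeatable) or make sure `apiDefinitionModuleService.moveNode`, which is outside this diff, verifies the target's project itself. The same applies to ApiScenarioModuleController.moveNode later in this diff. A smaller point of style: this file spells the expression `#request.dragNodeId` while the scenario module controller uses `#request.getDragNodeId()`; SpEL accepts both, but one form keeps grep-based audits of `@CheckOwner` usage simple.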
diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionScheduleController.java b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionScheduleController.java
index 315679108b..786076af3a 100644
--- a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionScheduleController.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionScheduleController.java
@@ -8,6 +8,7 @@ import io.metersphere.api.service.definition.ApiDefinitionScheduleService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.metersphere.validation.groups.Created;
 import io.metersphere.validation.groups.Updated;
@@ -37,6 +38,7 @@ public class ApiDefinitionScheduleController {
 @PostMapping(value = "/update")
 @Operation(summary = "接口测试-接口管理-定时同步-更新")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+ @CheckOwner(resourceId = "#request.id", resourceType = "api_definition_swagger")
 public String updateSchedule(@RequestBody @Validated({Updated.class}) ApiScheduleRequest request) {
 return apiDefinitionScheduleService.updateSchedule(request, SessionUtils.getUserId());
 }
@@ -51,6 +53,7 @@ public class ApiDefinitionScheduleController {
 @GetMapping(value = "/switch/{id}")
 @Operation(summary = "接口测试-接口管理-定时同步-开启/关闭")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+ @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
 public void updateScheduleEnable(@PathVariable String id) {
 apiDefinitionScheduleService.switchSchedule(id);
 }
@@ -58,12 +61,15 @@ public class ApiDefinitionScheduleController {
 @GetMapping("/delete/{id}")
 @Operation(summary = "接口测试-接口管理-定时同步-删除")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+ @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
 public void deleteSchedule(@PathVariable String id) {
 apiDefinitionScheduleService.deleteSchedule(id);
 }
 @GetMapping(value = "/get/{id}")
 @Operation(summary = "接口测试-接口管理-定时同步-查询")
+ @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+ @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
 public ApiScheduleDTO getResourceId(@PathVariable String id) {
 return apiDefinitionScheduleService.getSchedule(id);
 }
diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiTestCaseController.java b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiTestCaseController.java
index f0b0b503c7..a97f69231e 100644
--- a/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiTestCaseController.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiTestCaseController.java
@@ -152,6 +152,7 @@ public class ApiTestCaseController {
 @PostMapping(value = "/page")
 @Operation(summary = "接口测试-接口管理-接口用例-分页查询")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_READ)
+ @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
 public Pager> page(@Validated @RequestBody ApiTestCasePageRequest request) {
 Page page = PageHelper.startPage(request.getCurrent(), request.getPageSize(), StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "pos desc");
@@ -195,6 +196,7 @@ public class ApiTestCaseController {
 @PostMapping(value = "/trash/page")
 @Operation(summary = "接口测试-接口管理-接口用例-回收站-分页查询")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_READ)
+ @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
 public Pager> pageTrash(@Validated @RequestBody ApiTestCasePageRequest request) {
 Page page = PageHelper.startPage(request.getCurrent(), request.getPageSize(), StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "delete_time desc");
@@ -204,6 +206,7 @@ public class ApiTestCaseController {
 @PostMapping("/edit/pos")
 @Operation(summary = "接口测试-接口管理-接口用例-拖拽排序")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_UPDATE)
+ @CheckOwner(resourceId = "#request.getTargetId()", resourceType = "api_test_case")
 public void editPos(@Validated @RequestBody PosRequest request) {
 apiTestCaseService.moveNode(request);
 }
@@ -261,6 +264,7 @@ public class ApiTestCaseController {
 @GetMapping("/run/{id}")
 @Operation(summary = "用例执行, 传ID执行")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_EXECUTE)
+ @CheckOwner(resourceId = "#id", resourceType = "api_test_case")
 public TaskRequestDTO run(@PathVariable String id, @Schema(description = "报告ID,传了可以实时获取结果,不传则不支持实时获取") @RequestParam(required = false) String reportId) {
@@ -277,6 +281,7 @@ public class ApiTestCaseController {
 @PostMapping("/batch/run")
 @Operation(summary = "批量执行")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_EXECUTE)
+ @CheckOwner(resourceId = "#request.getSelectIds()", resourceType = "api_test_case")
 public void batchRun(@Validated @RequestBody ApiTestCaseBatchRunRequest request) {
 apiTestCaseBatchRunService.asyncBatchRun(request, SessionUtils.getUserId());
 }
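Review bot: The check on batchRun passes `#request.getSelectIds()`, a collection, to `@CheckOwner`, and it is not visible here whether the aspect iterates a list or expects a single id; if it stringifies the value, the comparison never matches a real record and the check is effectively a no-op behind the role permission. Batch requests of this kind also often have a select-all mode in which selectIds is empty, and an empty list would pass a per-element check trivially while `apiTestCaseBatchRunService.asyncBatchRun` (outside this diff) then runs whatever the request's other filters select. Confirm that the aspect handles collections and that the service re-scopes select-all to the caller's project; if the request carries a project id, a project-level check such as `@CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")`, as used on /page in this file, would bind that case too.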
diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioController.java b/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioController.java
index 33b4bfa2a8..3e0144de14 100644
--- a/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioController.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioController.java
@@ -137,6 +137,7 @@ public class ApiScenarioController {
 @GetMapping("/step/get/{stepId}")
 @Operation(summary = "接口测试-接口场景管理-获取场景步骤详情")
 @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
+ @CheckOwner(resourceId = "#stepId", resourceType = "api_scenario_step")
 public Object getStepDetail(@PathVariable String stepId) {
 return apiScenarioService.getStepDetail(stepId);
 }
@@ -176,6 +177,7 @@ public class ApiScenarioController {
 @GetMapping("/run/{id}")
 @Operation(summary = "接口测试-接口场景管理-场景执行")
 @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_EXECUTE)
+ @CheckOwner(resourceId = "#id", resourceType = "api_scenario")
 public TaskRequestDTO run(@PathVariable String id, @RequestParam(required = false) String reportId) {
 return apiScenarioService.run(id, reportId, SessionUtils.getUserId());
 }
@@ -242,6 +244,7 @@ public class ApiScenarioController {
 @PostMapping("/edit/pos")
 @Operation(summary = "接口测试-接口场景管理-场景-拖拽排序")
 @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_UPDATE)
+ @CheckOwner(resourceId = "#request.getTargetId()", resourceType = "api_scenario")
 public void editPos(@Validated @RequestBody PosRequest request) {
 apiScenarioService.moveNode(request);
 }
diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioModuleController.java b/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioModuleController.java
index f56ab7f99d..1c7589cea4 100644
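Review bot: editPos in the /edit/pos hunk keeps the pre-existing `@RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_UPDATE)` while the new `@CheckOwner` scopes the resource as `api_scenario`, so scenario reordering is granted by the API-definition permission rather than the scenario permissions used by the neighbouring endpoints (`PROJECT_API_SCENARIO_READ`, `PROJECT_API_SCENARIO_EXECUTE`). A user holding only definition-update rights can therefore still reorder scenarios in projects they belong to, which is unlikely to be the intended role split. Since this commit is the authorization sweep for this controller, it is the natural place to change the line to `@RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_UPDATE)`; that constant is already used by ApiScenarioModuleController in this same diff.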
--- a/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioModuleController.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioModuleController.java
@@ -62,6 +62,7 @@ public class ApiScenarioModuleController {
 @PostMapping("/move")
 @Operation(summary = "接口测试-接口场景-模块-移动模块")
 @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_UPDATE)
+ @CheckOwner(resourceId = "#request.getDragNodeId()", resourceType = "api_scenario_module")
 public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
 apiScenarioModuleService.moveNode(request, SessionUtils.getUserId());
 }
diff --git a/backend/services/api-test/src/main/java/io/metersphere/api/service/definition/ApiDefinitionImportUtilService.java b/backend/services/api-test/src/main/java/io/metersphere/api/service/definition/ApiDefinitionImportUtilService.java
index beef9ad6ec..c7493bfa8c 100644
--- a/backend/services/api-test/src/main/java/io/metersphere/api/service/definition/ApiDefinitionImportUtilService.java
+++ b/backend/services/api-test/src/main/java/io/metersphere/api/service/definition/ApiDefinitionImportUtilService.java
@@ -348,7 +348,7 @@ public class ApiDefinitionImportUtilService {
 LogDTO dto = new LogDTO(
 project.getId(),
 project.getOrganizationId(),
- t.getId(),
+ apiDefinition.getId(),
 request.getUserId(),
 OperationLogType.IMPORT.name(),
 OperationLogModule.API_TEST_MANAGEMENT_DEFINITION,
diff --git a/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentController.java b/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentController.java
index 7b38af462f..cf5f95be62 100644
--- a/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentController.java
+++ b/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentController.java
@@ -42,6 +42,7 @@ public class EnvironmentController {
 @PostMapping("/list")
 @Operation(summary = "项目管理-环境-环境目录-列表")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+ @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
 public List list(@Validated @RequestBody EnvironmentFilterRequest request) {
 return environmentService.list(request);
 }
@@ -57,6 +58,7 @@ public class EnvironmentController {
 @GetMapping("/scripts/{projectId}")
 @Operation(summary = "项目管理-环境-环境目录-接口插件前端配置脚本列表")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+ @CheckOwner(resourceId = "#projectId", resourceType = "project")
 public List getPluginScripts(@PathVariable String projectId) {
 return environmentService.getPluginScripts(projectId);
 }
@@ -99,6 +101,7 @@ public class EnvironmentController {
 @GetMapping("/database/driver-options/{organizationId}")
 @Operation(summary = "项目管理-环境-数据库配置-数据库驱动选项")
 @RequiresPermissions(value = {PermissionConstants.PROJECT_ENVIRONMENT_READ, PermissionConstants.PROJECT_ENVIRONMENT_READ_ADD, PermissionConstants.PROJECT_ENVIRONMENT_READ_UPDATE}, logical = Logical.OR)
+ @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
 public List driverOptions(@PathVariable String organizationId) {
 return environmentService.getDriverOptions(organizationId);
 }
diff --git a/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentGroupController.java b/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentGroupController.java
index b017592ff9..5255802827 100644
--- a/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentGroupController.java
+++ b/backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentGroupController.java
@@ -60,6 +60,7 @@ public class EnvironmentGroupController {
 @PostMapping("/list")
 @Operation(summary = "项目管理-环境组-列表")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+ @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
 public List list(@RequestBody EnvironmentFilterRequest request) {
 return environmentGroupService.list(request);
 }
@@ -75,6 +76,7 @@ public class EnvironmentGroupController {
 @GetMapping("/get-project/{organizationId}")
 @Operation(summary = "项目管理-环境组-获取项目")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+ @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
 public List getProject(@PathVariable String organizationId) {
 return environmentGroupService.getProject(SessionUtils.getUserId(), organizationId);
 }
diff --git a/backend/services/project-management/src/main/java/io/metersphere/project/controller/GlobalParamsController.java b/backend/services/project-management/src/main/java/io/metersphere/project/controller/GlobalParamsController.java
index 1e52bc172d..4b51a7d78d 100644
--- a/backend/services/project-management/src/main/java/io/metersphere/project/controller/GlobalParamsController.java
+++ b/backend/services/project-management/src/main/java/io/metersphere/project/controller/GlobalParamsController.java
@@ -8,6 +8,7 @@ import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.sdk.domain.ProjectParameter;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.metersphere.validation.groups.Created;
 import io.metersphere.validation.groups.Updated;
@@ -40,6 +41,7 @@ public class GlobalParamsController {
 @Operation(summary = "项目管理-环境-全局参数-修改")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_UPDATE)
 @Log(type = OperationLogType.UPDATE, expression = "#msClass.updateLog(#request)", msClass = GlobalParamsLogService.class)
+ @CheckOwner(resourceId = "#request.id", resourceType = "project_parameter")
 public ProjectParameter update(@Validated({Updated.class}) @RequestBody GlobalParamsRequest request) {
 return globalParamsService.update(request, SessionUtils.getUserId());
 }
@@ -47,6 +49,7 @@ public class GlobalParamsController {
 @GetMapping("/get/{projectId}")
 @Operation(summary = "项目管理-环境-全局参数-详情")
 @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+ @CheckOwner(resourceId = "#projectId", resourceType = "project")
 public GlobalParamsDTO get(@PathVariable String projectId) {
 return globalParamsService.get(projectId);
 }
diff --git a/backend/services/project-management/src/main/java/io/metersphere/project/controller/ProjectController.java b/backend/services/project-management/src/main/java/io/metersphere/project/controller/ProjectController.java
index 8114163faf..3586a156cf 100644
--- a/backend/services/project-management/src/main/java/io/metersphere/project/controller/ProjectController.java
+++ b/backend/services/project-management/src/main/java/io/metersphere/project/controller/ProjectController.java
@@ -42,6 +42,7 @@ public class ProjectController {
 @GetMapping("/list/options/{organizationId}")
 @Operation(summary = "根据组织ID获取所有有权限的项目")
+ @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
 public List getUserProject(@PathVariable String organizationId) {
 return projectService.getUserProject(organizationId, SessionUtils.getUserId());
 }
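Review bot: getUserProject in the /list/options hunk gains `@CheckOwner` but, unlike every other ProjectController endpoint touched by this diff, carries no `@RequiresPermissions`; if that is deliberate (the summary describes listing the projects the caller has rights to, and the service already receives `SessionUtils.getUserId()`), record it so the next authorization sweep does not change it: `// intentionally no @RequiresPermissions: any organization member may list the projects they can access; @CheckOwner confines the lookup to the caller's own organization`. If it is not deliberate, note that `PROJECT_BASE_INFO_READ` as used on /switch is a project-level permission while this endpoint is organization-scoped, so the right permission is a decision rather than a copy.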
@@ -49,6 +50,7 @@ public class ProjectController {
 @PostMapping("/switch")
 @Operation(summary = "切换项目")
 @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+ @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
 public UserDTO switchProject(@RequestBody ProjectSwitchRequest request) {
 return projectService.switchProject(request, SessionUtils.getUserId());
 }
@@ -65,6 +67,7 @@ public class ProjectController {
 @GetMapping("/pool-options/{type}/{projectId}")
 @Operation(summary = "项目管理-获取项目下的资源池")
 @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+ @CheckOwner(resourceId = "#projectId", resourceType = "project")
 public List getPoolOptions(@PathVariable String type, @PathVariable String projectId) {
 return projectService.getPoolOptions(projectId, type);
 }
@@ -79,6 +82,7 @@ public class ProjectController {
 @GetMapping("/get-member/option/{projectId}")
 @Operation(summary = "项目管理-获取成员下拉选项")
 @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+ @CheckOwner(resourceId = "#projectId", resourceType = "project")
 public List getMemberOption(@PathVariable String projectId, @Schema(description = "查询关键字,根据邮箱和用户名查询") @RequestParam(value = "keyword", required = false) String keyword) {
diff --git a/backend/services/project-management/src/test/java/io/metersphere/project/controller/ProjectControllerTests.java b/backend/services/project-management/src/test/java/io/metersphere/project/controller/ProjectControllerTests.java
index 47dae720c8..2482ac6002 100644
--- a/backend/services/project-management/src/test/java/io/metersphere/project/controller/ProjectControllerTests.java
+++ b/backend/services/project-management/src/test/java/io/metersphere/project/controller/ProjectControllerTests.java
@@ -214,6 +214,16 @@ public class ProjectControllerTests extends BaseTest {
 example.createCriteria().andOrganizationIdEqualTo(DEFAULT_ORGANIZATION_ID).andEnableEqualTo(true);
 Assertions.assertEquals(projectMapper.countByExample(example), list.size());
+ UserRoleRelation userRoleRelation = new UserRoleRelation();
+ userRoleRelation.setUserId("admin1");
+ userRoleRelation.setOrganizationId(DEFAULT_ORGANIZATION_ID);
+ userRoleRelation.setSourceId(DEFAULT_ORGANIZATION_ID);
+ userRoleRelation.setRoleId("1");
+ userRoleRelation.setCreateTime(System.currentTimeMillis());
+ userRoleRelation.setCreateUser("admin");
+ userRoleRelation.setId(IDGenerator.nextStr());
+ userRoleRelationMapper.insertSelective(userRoleRelation);
+
 mvcResult = mockMvc.perform(MockMvcRequestBuilders.post("/login")
 .content(String.format("{\"username\":\"%s\",\"password\":\"%s\"}", "admin1", "admin1@metersphere.io"))
 .contentType(MediaType.APPLICATION_JSON))
diff --git a/backend/services/system-setting/src/main/java/io/metersphere/system/controller/OrganizationProjectController.java b/backend/services/system-setting/src/main/java/io/metersphere/system/controller/OrganizationProjectController.java
index 4f1f58905a..7f04ed43af 100644
--- a/backend/services/system-setting/src/main/java/io/metersphere/system/controller/OrganizationProjectController.java
+++ b/backend/services/system-setting/src/main/java/io/metersphere/system/controller/OrganizationProjectController.java
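Review bot: The UserRoleRelation row for admin1 is inserted directly through userRoleRelationMapper and never removed, so it outlives this test and changes admin1's organization membership for every test that runs afterwards against the same database (member counts, organization-scoped listings, and any test that expects admin1 to be rejected by `@CheckOwner`). Delete the row at the end of the method or in an `@AfterEach`, using the mapper's delete-by-primary-key method with `userRoleRelation.getId()`, or wrap the fixture in the transactional rollback the base test class provides if it has one. `setRoleId("1")` is a bare magic value; a one-line comment naming which role id 1 denotes, or a constant from the test base class if one exists, would make the fixture readable. The enclosing test method starts before and continues after this hunk.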
@@ -62,6 +62,7 @@ public class OrganizationProjectController {
 @PostMapping("/page")
 @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
 @Operation(summary = "系统设置-组织-项目-获取项目列表")
+ @CheckOwner(resourceId = "#request.getOrganizationId()", resourceType = "organization")
 public Pager> getProjectList(@Validated @RequestBody OrganizationProjectRequest request) {
 Page page = PageHelper.startPage(request.getCurrent(), request.getPageSize(), StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "create_time desc");
@@ -120,6 +121,7 @@ public class OrganizationProjectController {
 @PostMapping("/member-list")
 @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
 @Operation(summary = "系统设置-组织-项目-成员列表")
+ @CheckOwner(resourceId = "#reuqest.projectId", resourceType = "project")
 public Pager> getProjectMember(@Validated @RequestBody ProjectMemberRequest request) {
 Page page = PageHelper.startPage(request.getCurrent(), request.getPageSize());
 return PageUtils.setPageInfo(page, organizationProjectService.getProjectMember(request));
@@ -150,6 +152,7 @@ public class OrganizationProjectController {
 @GetMapping("/user-admin-list/{organizationId}")
 @Operation(summary = "系统设置-组织-项目-获取管理员列表")
 @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+ @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
 public List getUserAdminList(@PathVariable String organizationId, @Schema(description = "查询关键字,根据邮箱和用户名查询") @RequestParam(value = "keyword", required = false) String keyword) {
 return organizationProjectService.getUserAdminList(organizationId, keyword);
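Review bot: `#reuqest.projectId` in the /member-list hunk misspells the parameter name, so the SpEL expression references a variable that does not exist in the evaluation context; depending on how the CheckOwner aspect treats a null or failed resource id this either throws on every call to getProjectMember or, worse, skips the ownership check entirely and leaves the endpoint guarded by the role permission alone. Change the line to `@CheckOwner(resourceId = "#request.projectId", resourceType = "project")`. A test that calls /member-list with a projectId from a different organization than the caller's would catch both outcomes, and is worth adding alongside the ProjectControllerTests change in this diff.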
@@ -158,6 +161,7 @@ public class OrganizationProjectController {
 @GetMapping("/user-member-list/{organizationId}/{projectId}")
 @Operation(summary = "系统设置-组织-项目-获取成员列表")
 @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+ @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
 public List getUserMemberList(@PathVariable String organizationId, @PathVariable String projectId, @Schema(description = "查询关键字,根据邮箱和用户名查询") @RequestParam(value = "keyword", required = false) String keyword) {
@@ -167,6 +171,7 @@ public class OrganizationProjectController {
 @PostMapping("/pool-options")
 @Operation(summary = "系统设置-组织-项目-获取资源池下拉选项")
 @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+ @CheckOwner(resourceId = "#request.organizationId", resourceType = "organization")
 public List getProjectOptions(@Validated @RequestBody ProjectPoolRequest request) {
 return organizationProjectService.getTestResourcePoolOptions(request);
 }
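Review bot: getUserMemberList in the /user-member-list hunk checks ownership of `#organizationId` only, while the `projectId` path variable, which is what the member query is keyed on, stays unchecked; unless the service ties projectId back to organizationId (its body lies outside the hunk and is not visible here), a caller who is a member of one organization can pass that organization's id together with a projectId from another organization and read that project's member list. Check the project, `@CheckOwner(resourceId = "#projectId", resourceType = "project")`, either instead of the organization check or in addition to it if `@CheckOwner` is repeatable; the /member-list hunk earlier in this file shows the project-level form. The method signature continues past the end of the hunk.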