refactor(接口测试): 补充资源校验

backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionModuleController.java

@@ -14,6 +14,7 @@ import io.metersphere.system.utils.SessionUtils;
 import io.swagger.v3.oas.annotations.Operation;
 import io.swagger.v3.oas.annotations.tags.Tag;
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.validation.annotation.Validated;
 import org.springframework.web.bind.annotation.*;
@@ -64,6 +65,7 @@ public class ApiDefinitionModuleController {
     @PostMapping("/move")
     @Operation(summary = "接口测试-接口管理-模块-移动模块")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_UPDATE)
+    @CheckOwner(resourceId = "#request.dragNodeId", resourceType = "api_definition_module")
     public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
         apiDefinitionModuleService.moveNode(request, SessionUtils.getUserId());
     }
@@ -94,6 +96,8 @@ public class ApiDefinitionModuleController {
 
     @PostMapping("/env/tree")
     @Operation(summary = "获取环境中的接口树和选中的模块")
+    @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
+    @RequiresPermissions(value = {PermissionConstants.PROJECT_API_DEFINITION_READ, PermissionConstants.PROJECT_ENVIRONMENT_READ}, logical = Logical.OR)
     public EnvApiTreeDTO envTree(@RequestBody @Validated EnvApiModuleRequest request) {
         return apiDefinitionModuleService.envTree(request);
     }

backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiDefinitionScheduleController.java

@@ -8,6 +8,7 @@ import io.metersphere.api.service.definition.ApiDefinitionScheduleService;
 import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.metersphere.validation.groups.Created;
 import io.metersphere.validation.groups.Updated;
@@ -37,6 +38,7 @@ public class ApiDefinitionScheduleController {
     @PostMapping(value = "/update")
     @Operation(summary = "接口测试-接口管理-定时同步-更新")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+    @CheckOwner(resourceId = "#request.id", resourceType = "api_definition_swagger")
     public String updateSchedule(@RequestBody @Validated({Updated.class}) ApiScheduleRequest request) {
         return apiDefinitionScheduleService.updateSchedule(request, SessionUtils.getUserId());
     }
@@ -51,6 +53,7 @@ public class ApiDefinitionScheduleController {
     @GetMapping(value = "/switch/{id}")
     @Operation(summary = "接口测试-接口管理-定时同步-开启/关闭")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+    @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
     public void updateScheduleEnable(@PathVariable String id) {
         apiDefinitionScheduleService.switchSchedule(id);
     }
@@ -58,12 +61,15 @@ public class ApiDefinitionScheduleController {
     @GetMapping("/delete/{id}")
     @Operation(summary = "接口测试-接口管理-定时同步-删除")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+    @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
     public void deleteSchedule(@PathVariable String id) {
         apiDefinitionScheduleService.deleteSchedule(id);
     }
 
     @GetMapping(value = "/get/{id}")
     @Operation(summary = "接口测试-接口管理-定时同步-查询")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_IMPORT)
+    @CheckOwner(resourceId = "#id", resourceType = "api_definition_swagger")
     public ApiScheduleDTO getResourceId(@PathVariable String id) {
         return apiDefinitionScheduleService.getSchedule(id);
     }

backend/services/api-test/src/main/java/io/metersphere/api/controller/definition/ApiTestCaseController.java

@@ -152,6 +152,7 @@ public class ApiTestCaseController {
     @PostMapping(value = "/page")
     @Operation(summary = "接口测试-接口管理-接口用例-分页查询")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
     public Pager<List<ApiTestCaseDTO>> page(@Validated @RequestBody ApiTestCasePageRequest request) {
         Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                 StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "pos desc");
@@ -195,6 +196,7 @@ public class ApiTestCaseController {
     @PostMapping(value = "/trash/page")
     @Operation(summary = "接口测试-接口管理-接口用例-回收站-分页查询")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_READ)
+    @CheckOwner(resourceId = "#request.getProjectId()", resourceType = "project")
     public Pager<List<ApiTestCaseDTO>> pageTrash(@Validated @RequestBody ApiTestCasePageRequest request) {
         Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                 StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "delete_time desc");
@@ -204,6 +206,7 @@ public class ApiTestCaseController {
     @PostMapping("/edit/pos")
     @Operation(summary = "接口测试-接口管理-接口用例-拖拽排序")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_UPDATE)
+    @CheckOwner(resourceId = "#request.getTargetId()", resourceType = "api_test_case")
     public void editPos(@Validated @RequestBody PosRequest request) {
         apiTestCaseService.moveNode(request);
     }
@@ -261,6 +264,7 @@ public class ApiTestCaseController {
     @GetMapping("/run/{id}")
     @Operation(summary = "用例执行, 传ID执行")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_EXECUTE)
+    @CheckOwner(resourceId = "#id", resourceType = "api_test_case")
     public TaskRequestDTO run(@PathVariable String id,
                               @Schema(description = "报告ID，传了可以实时获取结果，不传则不支持实时获取")
                               @RequestParam(required = false) String reportId) {
@@ -277,6 +281,7 @@ public class ApiTestCaseController {
     @PostMapping("/batch/run")
     @Operation(summary = "批量执行")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_CASE_EXECUTE)
+    @CheckOwner(resourceId = "#request.getSelectIds()", resourceType = "api_test_case")
     public void batchRun(@Validated @RequestBody ApiTestCaseBatchRunRequest request) {
         apiTestCaseBatchRunService.asyncBatchRun(request, SessionUtils.getUserId());
     }

backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioController.java

@@ -137,6 +137,7 @@ public class ApiScenarioController {
     @GetMapping("/step/get/{stepId}")
     @Operation(summary = "接口测试-接口场景管理-获取场景步骤详情")
     @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
+    @CheckOwner(resourceId = "#stepId", resourceType = "api_scenario_step")
     public Object getStepDetail(@PathVariable String stepId) {
         return apiScenarioService.getStepDetail(stepId);
     }
@@ -176,6 +177,7 @@ public class ApiScenarioController {
     @GetMapping("/run/{id}")
     @Operation(summary = "接口测试-接口场景管理-场景执行")
     @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_EXECUTE)
+    @CheckOwner(resourceId = "#id", resourceType = "api_scenario")
     public TaskRequestDTO run(@PathVariable String id, @RequestParam(required = false) String reportId) {
         return apiScenarioService.run(id, reportId, SessionUtils.getUserId());
     }
@@ -242,6 +244,7 @@ public class ApiScenarioController {
     @PostMapping("/edit/pos")
     @Operation(summary = "接口测试-接口场景管理-场景-拖拽排序")
     @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_UPDATE)
+    @CheckOwner(resourceId = "#request.getTargetId()", resourceType = "api_scenario")
     public void editPos(@Validated @RequestBody PosRequest request) {
         apiScenarioService.moveNode(request);
     }

backend/services/api-test/src/main/java/io/metersphere/api/controller/scenario/ApiScenarioModuleController.java

@@ -62,6 +62,7 @@ public class ApiScenarioModuleController {
     @PostMapping("/move")
     @Operation(summary = "接口测试-接口场景-模块-移动模块")
     @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_UPDATE)
+    @CheckOwner(resourceId = "#request.getDragNodeId()", resourceType = "api_scenario_module")
     public void moveNode(@Validated @RequestBody NodeMoveRequest request) {
         apiScenarioModuleService.moveNode(request, SessionUtils.getUserId());
     }

backend/services/api-test/src/main/java/io/metersphere/api/service/definition/ApiDefinitionImportUtilService.java

@@ -348,7 +348,7 @@ public class ApiDefinitionImportUtilService {
             LogDTO dto = new LogDTO(
                     project.getId(),
                     project.getOrganizationId(),
-                    t.getId(),
+                    apiDefinition.getId(),
                     request.getUserId(),
                     OperationLogType.IMPORT.name(),
                     OperationLogModule.API_TEST_MANAGEMENT_DEFINITION,

backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentController.java

@@ -42,6 +42,7 @@ public class EnvironmentController {
     @PostMapping("/list")
     @Operation(summary = "项目管理-环境-环境目录-列表")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+    @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
     public List<Environment> list(@Validated @RequestBody EnvironmentFilterRequest request) {
         return environmentService.list(request);
     }
@@ -57,6 +58,7 @@ public class EnvironmentController {
     @GetMapping("/scripts/{projectId}")
     @Operation(summary = "项目管理-环境-环境目录-接口插件前端配置脚本列表")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
     public List<EnvironmentPluginScriptDTO> getPluginScripts(@PathVariable String projectId) {
         return environmentService.getPluginScripts(projectId);
     }
@@ -99,6 +101,7 @@ public class EnvironmentController {
     @GetMapping("/database/driver-options/{organizationId}")
     @Operation(summary = "项目管理-环境-数据库配置-数据库驱动选项")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_ENVIRONMENT_READ, PermissionConstants.PROJECT_ENVIRONMENT_READ_ADD, PermissionConstants.PROJECT_ENVIRONMENT_READ_UPDATE}, logical = Logical.OR)
+    @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
     public List<OptionDTO> driverOptions(@PathVariable String organizationId) {
         return environmentService.getDriverOptions(organizationId);
     }

backend/services/project-management/src/main/java/io/metersphere/project/controller/EnvironmentGroupController.java

@@ -60,6 +60,7 @@ public class EnvironmentGroupController {
     @PostMapping("/list")
     @Operation(summary = "项目管理-环境组-列表")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+    @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
     public List<EnvironmentGroup> list(@RequestBody EnvironmentFilterRequest request) {
         return environmentGroupService.list(request);
     }
@@ -75,6 +76,7 @@ public class EnvironmentGroupController {
     @GetMapping("/get-project/{organizationId}")
     @Operation(summary = "项目管理-环境组-获取项目")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+    @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
     public List<OptionDTO> getProject(@PathVariable String organizationId) {
         return environmentGroupService.getProject(SessionUtils.getUserId(), organizationId);
     }

backend/services/project-management/src/main/java/io/metersphere/project/controller/GlobalParamsController.java

@@ -8,6 +8,7 @@ import io.metersphere.sdk.constants.PermissionConstants;
 import io.metersphere.sdk.domain.ProjectParameter;
 import io.metersphere.system.log.annotation.Log;
 import io.metersphere.system.log.constants.OperationLogType;
+import io.metersphere.system.security.CheckOwner;
 import io.metersphere.system.utils.SessionUtils;
 import io.metersphere.validation.groups.Created;
 import io.metersphere.validation.groups.Updated;
@@ -40,6 +41,7 @@ public class GlobalParamsController {
     @Operation(summary = "项目管理-环境-全局参数-修改")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ_UPDATE)
     @Log(type = OperationLogType.UPDATE, expression = "#msClass.updateLog(#request)", msClass = GlobalParamsLogService.class)
+    @CheckOwner(resourceId = "#request.id", resourceType = "project_parameter")
     public ProjectParameter update(@Validated({Updated.class}) @RequestBody GlobalParamsRequest request) {
         return globalParamsService.update(request, SessionUtils.getUserId());
     }
@@ -47,6 +49,7 @@ public class GlobalParamsController {
     @GetMapping("/get/{projectId}")
     @Operation(summary = "项目管理-环境-全局参数-详情")
     @RequiresPermissions(PermissionConstants.PROJECT_ENVIRONMENT_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
     public GlobalParamsDTO get(@PathVariable String projectId) {
         return globalParamsService.get(projectId);
     }

backend/services/project-management/src/main/java/io/metersphere/project/controller/ProjectController.java

@@ -42,6 +42,7 @@ public class ProjectController {
 
     @GetMapping("/list/options/{organizationId}")
     @Operation(summary = "根据组织ID获取所有有权限的项目")
+    @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
     public List<Project> getUserProject(@PathVariable String organizationId) {
         return projectService.getUserProject(organizationId, SessionUtils.getUserId());
     }
@@ -49,6 +50,7 @@ public class ProjectController {
     @PostMapping("/switch")
     @Operation(summary = "切换项目")
     @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+    @CheckOwner(resourceId = "#request.projectId", resourceType = "project")
     public UserDTO switchProject(@RequestBody ProjectSwitchRequest request) {
         return projectService.switchProject(request, SessionUtils.getUserId());
     }
@@ -65,6 +67,7 @@ public class ProjectController {
     @GetMapping("/pool-options/{type}/{projectId}")
     @Operation(summary = "项目管理-获取项目下的资源池")
     @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
     public List<OptionDTO> getPoolOptions(@PathVariable String type, @PathVariable String projectId) {
         return projectService.getPoolOptions(projectId, type);
     }
@@ -79,6 +82,7 @@ public class ProjectController {
     @GetMapping("/get-member/option/{projectId}")
     @Operation(summary = "项目管理-获取成员下拉选项")
     @RequiresPermissions(PermissionConstants.PROJECT_BASE_INFO_READ)
+    @CheckOwner(resourceId = "#projectId", resourceType = "project")
     public List<UserExtendDTO> getMemberOption(@PathVariable String projectId,
                                                @Schema(description = "查询关键字，根据邮箱和用户名查询")
                                                @RequestParam(value = "keyword", required = false) String keyword) {

backend/services/project-management/src/test/java/io/metersphere/project/controller/ProjectControllerTests.java

@@ -214,6 +214,16 @@ public class ProjectControllerTests extends BaseTest {
         example.createCriteria().andOrganizationIdEqualTo(DEFAULT_ORGANIZATION_ID).andEnableEqualTo(true);
         Assertions.assertEquals(projectMapper.countByExample(example), list.size());
 
+        UserRoleRelation userRoleRelation = new UserRoleRelation();
+        userRoleRelation.setUserId("admin1");
+        userRoleRelation.setOrganizationId(DEFAULT_ORGANIZATION_ID);
+        userRoleRelation.setSourceId(DEFAULT_ORGANIZATION_ID);
+        userRoleRelation.setRoleId("1");
+        userRoleRelation.setCreateTime(System.currentTimeMillis());
+        userRoleRelation.setCreateUser("admin");
+        userRoleRelation.setId(IDGenerator.nextStr());
+        userRoleRelationMapper.insertSelective(userRoleRelation);
+
         mvcResult = mockMvc.perform(MockMvcRequestBuilders.post("/login")
                         .content(String.format("{\"username\":\"%s\",\"password\":\"%s\"}", "admin1", "admin1@metersphere.io"))
                         .contentType(MediaType.APPLICATION_JSON))

backend/services/system-setting/src/main/java/io/metersphere/system/controller/OrganizationProjectController.java

@@ -62,6 +62,7 @@ public class OrganizationProjectController {
     @PostMapping("/page")
     @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
     @Operation(summary = "系统设置-组织-项目-获取项目列表")
+    @CheckOwner(resourceId = "#request.getOrganizationId()", resourceType = "organization")
     public Pager<List<ProjectDTO>> getProjectList(@Validated @RequestBody OrganizationProjectRequest request) {
         Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize(),
                 StringUtils.isNotBlank(request.getSortString()) ? request.getSortString() : "create_time desc");
@@ -120,6 +121,7 @@ public class OrganizationProjectController {
     @PostMapping("/member-list")
     @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
     @Operation(summary = "系统设置-组织-项目-成员列表")
+    @CheckOwner(resourceId = "#reuqest.projectId", resourceType = "project")
     public Pager<List<UserExtendDTO>> getProjectMember(@Validated @RequestBody ProjectMemberRequest request) {
         Page<Object> page = PageHelper.startPage(request.getCurrent(), request.getPageSize());
         return PageUtils.setPageInfo(page, organizationProjectService.getProjectMember(request));
@@ -150,6 +152,7 @@ public class OrganizationProjectController {
     @GetMapping("/user-admin-list/{organizationId}")
     @Operation(summary = "系统设置-组织-项目-获取管理员列表")
     @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+    @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
     public List<UserExtendDTO> getUserAdminList(@PathVariable String organizationId, @Schema(description = "查询关键字，根据邮箱和用户名查询")
     @RequestParam(value = "keyword", required = false) String keyword) {
         return organizationProjectService.getUserAdminList(organizationId, keyword);
@@ -158,6 +161,7 @@ public class OrganizationProjectController {
     @GetMapping("/user-member-list/{organizationId}/{projectId}")
     @Operation(summary = "系统设置-组织-项目-获取成员列表")
     @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+    @CheckOwner(resourceId = "#organizationId", resourceType = "organization")
     public List<UserExtendDTO> getUserMemberList(@PathVariable String organizationId, @PathVariable String projectId,
                                                  @Schema(description = "查询关键字，根据邮箱和用户名查询")
                                                  @RequestParam(value = "keyword", required = false) String keyword) {
@@ -167,6 +171,7 @@ public class OrganizationProjectController {
     @PostMapping("/pool-options")
     @Operation(summary = "系统设置-组织-项目-获取资源池下拉选项")
     @RequiresPermissions(PermissionConstants.ORGANIZATION_PROJECT_READ)
+    @CheckOwner(resourceId = "#request.organizationId", resourceType = "organization")
     public List<OptionDTO> getProjectOptions(@Validated @RequestBody ProjectPoolRequest request) {
         return organizationProjectService.getTestResourcePoolOptions(request);
     }