fix(测试跟踪): 补充项目接口权限校验

--bug=1040238 --user=陈建星 测试跟踪-测试用例相关接口越权处理 https://www.tapd.cn/55049933/s/1511860
AgAngle 2024-05-06 20:25:12 +08:00 committed by 刘瑞斌
parent 69929b34ee
commit 6e0f17897e
2 changed files with 16 additions and 4 deletions


@ -46,6 +46,7 @@ public class BaseProjectController {
@GetMapping("/get/{id}") @GetMapping("/get/{id}")
@RequiresPermissions(value = {PermissionConstants.WORKSPACE_PROJECT_MANAGER_READ, PermissionConstants.PROJECT_MANAGER_READ}, logical = Logical.OR) @RequiresPermissions(value = {PermissionConstants.WORKSPACE_PROJECT_MANAGER_READ, PermissionConstants.PROJECT_MANAGER_READ}, logical = Logical.OR)
public Project getProject(@PathVariable String id) { public Project getProject(@PathVariable String id) {
baseProjectService.checkProjectOwner(id, SessionUtils.getUser().getUserGroups());
return baseProjectService.getProjectById(id); return baseProjectService.getProjectById(id);
} }
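Review bot: A caller admitted through `WORKSPACE_PROJECT_MANAGER_READ` may now be rejected by the added `checkProjectOwner` call in `getProject`, because that check only accepts a user group whose source id equals this project id. If workspace-level groups carry the workspace id as their source id (the data model is not visible here), a workspace manager would fail the check for every project in the workspace; confirm that is intended, or have the check also accept a group scoped to the project's workspace. The groups are read from `SessionUtils.getUser()`, so a membership removed after login presumably keeps passing until the session is refreshed; a comment such as `// ownership is checked against the session's cached user groups` above the call would make that explicit.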


@ -4,10 +4,7 @@ import io.metersphere.base.domain.*;
import io.metersphere.base.mapper.ProjectMapper; import io.metersphere.base.mapper.ProjectMapper;
import io.metersphere.base.mapper.UserGroupMapper; import io.metersphere.base.mapper.UserGroupMapper;
import io.metersphere.base.mapper.UserMapper; import io.metersphere.base.mapper.UserMapper;
import io.metersphere.base.mapper.ext.BaseProjectMapper; import io.metersphere.base.mapper.ext.*;
import io.metersphere.base.mapper.ext.BaseProjectVersionMapper;
import io.metersphere.base.mapper.ext.BaseUserGroupMapper;
import io.metersphere.base.mapper.ext.BaseUserMapper;
import io.metersphere.commons.constants.ProjectApplicationType; import io.metersphere.commons.constants.ProjectApplicationType;
import io.metersphere.commons.exception.MSException; import io.metersphere.commons.exception.MSException;
import io.metersphere.commons.utils.FileUtils; import io.metersphere.commons.utils.FileUtils;
@ -241,6 +238,20 @@ public class BaseProjectService {
return project; return project;
} }
public void checkProjectOwner(String projectId, List<UserGroup> userGroups) {
boolean hasPermission = false;
for (UserGroup userGroup : userGroups) {
// 校验是否有当前项目的用户组
if (StringUtils.equals(userGroup.getSourceId(), projectId)) {
hasPermission = true;
break;
}
}
if (!hasPermission) {
MSException.throwException(Translator.get("check_owner_case"));
}
}
public List<Project> getByCaseTemplateId(String templateId) { public List<Project> getByCaseTemplateId(String templateId) {
ProjectExample example = new ProjectExample(); ProjectExample example = new ProjectExample();
example.createCriteria().andCaseTemplateIdEqualTo(templateId); example.createCriteria().andCaseTemplateIdEqualTo(templateId);
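Review bot: `checkProjectOwner` accepts any user group whose `sourceId` equals `projectId`, so it proves membership in the project but not that the matching group is the one carrying the permission the endpoint requires. If membership alone is the intended rule, state it in a Javadoc on the method (the one inline comment is its only documentation); otherwise the loop should also check the matching group's permissions. The loop throws a `NullPointerException` on a null `userGroups`, and if `StringUtils` is the commons-lang class a null `projectId` compares equal to a null `sourceId`, so I would open the method with `if (StringUtils.isBlank(projectId) || userGroups == null) { MSException.throwException(Translator.get("check_owner_case")); }`. The message key `check_owner_case` names test cases while the check is on a project, which is worth confirming against the message bundle.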