fix(系统设置): 修复用户越权问题

2024-04-25 18:33:35 +08:00 · 2024-04-25 18:33:35 +08:00 · a7298117db
parent c2e69ff9ec
commit a7298117db
3 changed files with 67 additions and 37 deletions
--- a/system-setting/backend/src/main/java/io/metersphere/controller/UserController.java
+++ b/system-setting/backend/src/main/java/io/metersphere/controller/UserController.java
@ -96,11 +96,18 @@ public class UserController {
    }

    @PostMapping("/special/ws/member/list/all")
-    @RequiresPermissions(value = {PermissionConstants.SYSTEM_WORKSPACE_READ, PermissionConstants.WORKSPACE_USER_READ}, logical = Logical.OR)
+    @RequiresPermissions(value = {PermissionConstants.SYSTEM_WORKSPACE_READ}, logical = Logical.OR)
    public List<User> getMemberListByAdmin(@RequestBody QueryMemberRequest request) {
        return baseUserService.getMemberList(request);
    }

+    @PostMapping("/special/currentWs/member/list/all")
+    @RequiresPermissions(value = {PermissionConstants.WORKSPACE_USER_READ}, logical = Logical.OR)
+    public List<User> getMemberListByAdminProject(@RequestBody QueryMemberRequest request) {
+        baseCheckPermissionService.checkWorkspacePermission(request.getWorkspaceId());
+        return baseUserService.getMemberList(request);
+    }
+
    @PostMapping("/special/ws/member/add")
    @MsAuditLog(module = OperLogModule.WORKSPACE_MEMBER, type = OperLogConstants.CREATE, content = "#msClass.getLogDetails(#request.userIds,#request.workspaceId)", msClass = UserService.class)
    public void addMemberByAdmin(@RequestBody AddMemberRequest request) {
--- a/system-setting/frontend/src/api/user.js
+++ b/system-setting/frontend/src/api/user.js
@ -1,24 +1,29 @@
 /* 前后端不分离的登录方式 */
-import {get, post, put, request} from 'metersphere-frontend/src/plugins/request'
+import {
+  get,
+  post,
+  put,
+  request,
+} from "metersphere-frontend/src/plugins/request";

 export function login(data) {
-  return post('/signin', data)
+  return post("/signin", data);
 }

 export function logout() {
-  return get('/signout')
+  return get("/signout");
 }

 export function isLogin() {
-  return get('/is-login')
+  return get("/is-login");
 }

 export function getCurrentUser() {
-  return get('/currentUser')
+  return get("/currentUser");
 }

 export function updateInfo(id, data) {
-  return put('/samples/user/info/update/' + id, data)
+  return put("/samples/user/info/update/" + id, data);
 }

 export function specialDeleteUserById(id) {
@ -26,19 +31,19 @@ export function specialDeleteUserById(id) {
 }

 export function specialCreateUser(user) {
-  return post('/user/special/add', user);
+  return post("/user/special/add", user);
 }

 export function specialModifyUser(user) {
-  return post('/user/special/update', user);
+  return post("/user/special/update", user);
 }

 export function specialModifyPassword(user) {
-  return post('/user/special/password', user);
+  return post("/user/special/password", user);
 }

 export function specialListUsers(data, page, size) {
-  return post(`/user/special/list/${page}/${size}`, data)
+  return post(`/user/special/list/${page}/${size}`, data);
 }

 export function specialGetUserGroup(userId) {
@ -46,15 +51,19 @@ export function specialGetUserGroup(userId) {
 }

 export function specialModifyUserDisable(user) {
-  return post('/user/special/update_status', user);
+  return post("/user/special/update_status", user);
 }

 export function specialBatchProcessUser(params) {
-  return post('/user/special/batch-process-user', params);
+  return post("/user/special/batch-process-user", params);
 }

 export function getWorkspaceMemberSpecial(param) {
-  return post('/user/special/ws/member/list/all', param);
+  return post("/user/special/ws/member/list/all", param);
+}
+
+export function getCurrentWorkspaceMemberSpecial(param) {
+  return post("/user/special/currentWs/member/list/all", param);
 }

 export function getWorkspaceMemberListSpecial(goPage, pageSize, param) {
@ -62,7 +71,7 @@ export function getWorkspaceMemberListSpecial(goPage, pageSize, param) {
 }

 export function addWorkspaceMemberSpecial(param) {
-  return post('/user/special/ws/member/add', param);
+  return post("/user/special/ws/member/add", param);
 }

 export function delWorkspaceMemberSpecialById(workspaceId, userId) {
@ -82,15 +91,18 @@ export function getWorkspaceMemberPages(goPage, pageSize, param) {
 }

 export function addWorkspaceMember(member) {
-  return post('user/ws/member/add', member);
+  return post("user/ws/member/add", member);
 }

 export function getProjectMemberPages(goPage, pageSize, workspaceId, param) {
-  return post(`/user/ws/project/member/list/${workspaceId}/${goPage}/${pageSize}`, param);
+  return post(
+    `/user/ws/project/member/list/${workspaceId}/${goPage}/${pageSize}`,
+    param
+  );
 }

 export function getCurrentProjectUserList() {
-  return get('/user/project/member/list');
+  return get("/user/project/member/list");
 }

 export function getCurrentProjectUserPages(goPage, pageSize, param) {
@ -98,7 +110,7 @@ export function getCurrentProjectUserPages(goPage, pageSize, param) {
 }

 export function updateCurrentUser(user) {
-  return post('/user/update/current', user);
+  return post("/user/update/current", user);
 }

 export function delProjectMember(projectId, memberId) {
@ -106,27 +118,35 @@ export function delProjectMember(projectId, memberId) {
 }

 export function addProjectMember(member) {
-  return post('user/project/member/add', member);
+  return post("user/project/member/add", member);
 }

 export function exportUserExample() {
-  fileDownload('/user/export/template');
+  fileDownload("/user/export/template");
 }

 export function fileDownload(url) {
  let config = {
    method: "get",
    url,
-    responseType: 'blob'
-  }
+    responseType: "blob",
+  };
  let promise = request(config);
-  promise.then(response => {
-      let fileName = window.decodeURI(response.headers['content-disposition'].split('=')[1]);
+  promise
+    .then((response) => {
+      let fileName = window.decodeURI(
+        response.headers["content-disposition"].split("=")[1]
+      );
      let link = document.createElement("a");
-      link.href = window.URL.createObjectURL(new Blob([response.data], {type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;charset=utf-8"}));
+      link.href = window.URL.createObjectURL(
+        new Blob([response.data], {
+          type: "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet;charset=utf-8",
+        })
+      );
      link.download = fileName;
      link.click();
-    }).catch(() => {
+    })
+    .catch(() => {
      //
    });
 }
@ -137,18 +157,21 @@ export function userImport(file, files, param) {
    formData.append("file", file);
  }
  if (files) {
-    files.forEach(f => {
+    files.forEach((f) => {
      formData.append("files", f);
    });
  }
-  formData.append('request', new Blob([JSON.stringify(param)], {type: 'application/json'}));
+  formData.append(
+    "request",
+    new Blob([JSON.stringify(param)], { type: "application/json" })
+  );
  let config = {
-    method: 'POST',
-    url: '/user/import',
+    method: "POST",
+    url: "/user/import",
    data: formData,
    headers: {
-      'Content-Type': undefined
-    }
+      "Content-Type": undefined,
+    },
  };
  return request(config);
 }
--- a/system-setting/frontend/src/business/workspace/project/MsProject.vue
+++ b/system-setting/frontend/src/business/workspace/project/MsProject.vue
@ -204,7 +204,7 @@ import {isSuperUser} from "metersphere-frontend/src/api/user.js";
 import {
  addProjectMember,
  delProjectMember,
-  getWorkspaceMemberSpecial,
+  getCurrentWorkspaceMemberSpecial,
  getProjectMemberPages,
  updateCurrentUser
 } from "../../../api/user";
@ -337,7 +337,7 @@ export default {
      })
    },
    getMaintainerOptions() {
-      getWorkspaceMemberSpecial({name: '', workspaceId: getCurrentWorkspaceId()}).then(res => {
+      getCurrentWorkspaceMemberSpecial({name: '', workspaceId: getCurrentWorkspaceId()}).then(res => {
        this.userFilters = res.data.map(u => {
          return {text: u.name, value: u.id};
        });