refactor(接口测试): 对接口增加权限控制

--task=1012120 --user=王孝刚检查所有API权限控制是否有加 RequiresPermissions https://www.tapd.cn/55049933/s/1377417
2023-05-31 13:46:54 +08:00 · 2023-05-31 13:46:54 +08:00 · b027ad933f
parent 4aede69d1b
commit b027ad933f
5 changed files with 53 additions and 13 deletions
--- a/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java
+++ b/api-test/backend/src/main/java/io/metersphere/controller/definition/ApiTestCaseController.java
@ -10,10 +10,7 @@ import io.metersphere.base.domain.ApiDefinitionExecResultExpand;
 import io.metersphere.base.domain.ApiScenario;
 import io.metersphere.base.domain.ApiTestCase;
 import io.metersphere.base.domain.ApiTestEnvironment;
-import io.metersphere.commons.constants.NoticeConstants;
-import io.metersphere.commons.constants.OperLogConstants;
-import io.metersphere.commons.constants.OperLogModule;
-import io.metersphere.commons.constants.ReportTriggerMode;
+import io.metersphere.commons.constants.*;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.dto.MsExecResponseDTO;
@ -24,6 +21,7 @@ import io.metersphere.request.ResetOrderRequest;
 import io.metersphere.service.definition.ApiDefinitionExecResultService;
 import io.metersphere.service.definition.ApiTestCaseService;
 import io.metersphere.service.scenario.ApiScenarioService;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;

@ -47,16 +45,19 @@ public class ApiTestCaseController {
    private ApiScenarioService apiScenarioService;

    @PostMapping("/list")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public List<ApiTestCaseResult> list(@RequestBody ApiTestCaseRequest request) {
        return apiTestCaseService.list(request);
    }

    @PostMapping("/select/by/id")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public List<ApiTestCase> selectByIds(@RequestBody ApiTestCaseRequest request) {
        return apiTestCaseService.selectByIds(request);
    }

    @GetMapping("/get-details/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public ApiTestCaseResult single(@PathVariable String id) {
        ApiTestCaseRequest request = new ApiTestCaseRequest();
        request.setId(id);
@ -69,6 +70,7 @@ public class ApiTestCaseController {
    }

    @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public Pager<List<ApiTestCaseDTO>> listSimple(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody ApiTestCaseRequest request) {
        request.setSelectEnvironment(true);
        apiTestCaseService.initRequestBySearch(request);
@ -77,6 +79,7 @@ public class ApiTestCaseController {
    }

    @GetMapping("/list/{projectId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public List<ApiTestCaseDTO> list(@PathVariable String projectId) {
        ApiTestCaseRequest request = new ApiTestCaseRequest();
        request.setProjectId(projectId);
@ -84,6 +87,7 @@ public class ApiTestCaseController {
    }

    @GetMapping("/get/pass-rate/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public String  getPassRate(@PathVariable String id) {
        return apiTestCaseService.getPassRate(id);
    }
@ -110,6 +114,7 @@ public class ApiTestCaseController {
    }

    @PostMapping(value = "/create", consumes = {"multipart/form-data"})
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_CREATE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.CREATE, title = "#request.name", content = "#msClass.getLogDetails(#request)", msClass = ApiTestCaseService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_DEFINITION_TASK, event = NoticeConstants.Event.CASE_CREATE, subject = "接口用例通知")
    public ApiTestCase create(@RequestPart("request") SaveApiTestCaseRequest request, @RequestPart(value = "files", required = false) List<MultipartFile> bodyFiles) {
@ -117,6 +122,7 @@ public class ApiTestCaseController {
    }

    @PostMapping(value = "/update", consumes = {"multipart/form-data"})
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_EDIT_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request)", title = "#request.name", content = "#msClass.getLogDetails(#request)", msClass = ApiTestCaseService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_DEFINITION_TASK, event = NoticeConstants.Event.CASE_UPDATE, subject = "接口用例通知")
    public ApiTestCase update(@RequestPart("request") SaveApiTestCaseRequest request, @RequestPart(value = "files", required = false) List<MultipartFile> bodyFiles) {
@ -131,12 +137,14 @@ public class ApiTestCaseController {
    }

    @GetMapping("/delete/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_DELETE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = ApiTestCaseService.class)
    public void delete(@PathVariable String id) {
        apiTestCaseService.delete(id);
    }

    @GetMapping("/move-gc/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_DELETE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = ApiTestCaseService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_DEFINITION_TASK, event = NoticeConstants.Event.CASE_DELETE, target = "#targetClass.get(#id)", targetClass = ApiTestCaseService.class, subject = "接口用例通知")
    public void deleteToGc(@PathVariable String id) {
@ -144,16 +152,19 @@ public class ApiTestCaseController {
    }

    @GetMapping("/get/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ)
    public ApiTestCaseInfo get(@PathVariable String id) {
        return apiTestCaseService.get(id);
    }

    @PostMapping("/batch/edit")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_EDIT_CASE)
    public void editApiBath(@RequestBody ApiCaseEditRequest request) {
        apiTestCaseService.editApiBath(request);
    }

    @PostMapping("/edit-batch")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_EDIT_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.BATCH_UPDATE, beforeEvent = "#msClass.getLogDetails(#request.ids)", content = "#msClass.getLogDetails(#request.ids)", msClass = ApiTestCaseService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_DEFINITION_TASK, event = NoticeConstants.Event.CASE_UPDATE, target = "#targetClass.getApiCaseByIds(#request.ids)", targetClass = ApiTestCaseService.class, subject = "接口用例通知")
    public void editApiBathByParam(@RequestBody ApiTestBatchRequest request) {
@ -174,18 +185,21 @@ public class ApiTestCaseController {
    }

    @PostMapping("/del-ids")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_DELETE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.BATCH_DEL, beforeEvent = "#msClass.getLogDetails(#ids)", msClass = ApiTestCaseService.class)
    public void deleteBatch(@RequestBody List<String> ids) {
        apiTestCaseService.deleteBatch(ids);
    }

    @PostMapping("/del-batch")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_DELETE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.BATCH_DEL, beforeEvent = "#msClass.getLogDetails(#request.ids)", msClass = ApiTestCaseService.class)
    public void deleteBatchByParam(@RequestBody ApiTestBatchRequest request) {
        apiTestCaseService.deleteBatchByParam(request);
    }

    @PostMapping("/move-batch-gc")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_DELETE_CASE)
    @MsAuditLog(module = OperLogModule.API_DEFINITION_CASE, type = OperLogConstants.BATCH_DEL, beforeEvent = "#msClass.getLogDetails(#request.ids)", msClass = ApiTestCaseService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_DEFINITION_TASK, event = NoticeConstants.Event.CASE_DELETE, target = "#targetClass.getApiCaseByIds(#request.ids)", targetClass = ApiTestCaseService.class, subject = "接口用例通知")
    public void deleteToGcByParam(@RequestBody ApiTestBatchRequest request) {
--- a/api-test/backend/src/main/java/io/metersphere/controller/home/ApiHomeController.java
+++ b/api-test/backend/src/main/java/io/metersphere/controller/home/ApiHomeController.java
@ -13,6 +13,7 @@ import io.metersphere.api.dto.definition.RunDefinitionRequest;
 import io.metersphere.api.dto.export.ScenarioToPerformanceInfoDTO;
 import io.metersphere.base.domain.ApiDefinition;
 import io.metersphere.base.domain.Schedule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.constants.ReportTriggerMode;
 import io.metersphere.commons.enums.ExecutionExecuteTypeEnum;
 import io.metersphere.commons.utils.*;
@ -26,6 +27,7 @@ import io.metersphere.service.scenario.ApiScenarioService;
 import io.metersphere.task.service.TaskService;
 import jakarta.annotation.Resource;
 import org.apache.commons.lang3.StringUtils;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
 import org.springframework.web.multipart.MultipartFile;

@ -229,6 +231,7 @@ public class ApiHomeController {
    }

    @PostMapping(value = "/gen/performance/xml", consumes = {"multipart/form-data"})
+    @RequiresPermissions(PermissionConstants.PROJECT_API_DEFINITION_READ_CREATE_PERFORMANCE)
    public ScenarioToPerformanceInfoDTO genPerformanceTest(@RequestPart("request") RunDefinitionRequest runRequest, @RequestPart(value = "files", required = false) List<MultipartFile> bodyFiles) {
        JmxInfoDTO jmxInfoDTO = DataFormattingUtil.getJmxInfoDTO(runRequest, bodyFiles);
        ScenarioToPerformanceInfoDTO returnDTO = new ScenarioToPerformanceInfoDTO();
--- a/api-test/backend/src/main/java/io/metersphere/controller/scenario/ApiScenarioController.java
+++ b/api-test/backend/src/main/java/io/metersphere/controller/scenario/ApiScenarioController.java
@ -50,7 +50,7 @@ public class ApiScenarioController {
    private ExtApiTaskService apiTaskService;

    @PostMapping("/list/{goPage}/{pageSize}")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public Pager<List<ApiScenarioDTO>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody ApiScenarioRequest request) {
        Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
        // 查询场景环境
@ -59,18 +59,19 @@ public class ApiScenarioController {
    }

    @PostMapping("/scenario/schedule")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public Map<String, ScheduleDTO> scenarioScheduleInfo(@RequestBody List<String> scenarioIds) {
        return apiAutomationService.selectScheduleInfo(scenarioIds);
    }

    @PostMapping("/list")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenarioDTO> listAll(@RequestBody ApiScenarioRequest request) {
        return apiAutomationService.list(request);
    }

    @PostMapping("/select/by/id")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenario> selectByIds(@RequestBody ApiScenarioRequest request) {
        if (CollectionUtils.isNotEmpty(request.getIds())) {
            return apiAutomationService.selectByIds(request.getIds());
@ -80,37 +81,38 @@ public class ApiScenarioController {
    }

    @GetMapping("/get/{id}")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public ApiScenarioDTO getById(@PathVariable String id) {
        return apiAutomationService.getDto(id);
    }

    @PostMapping("/list/all")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenarioDTO> listAll(@RequestBody ApiScenarioBatchRequest request) {
        return apiAutomationService.listAll(request);
    }

    @PostMapping("/list/all/trash")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public int listAllTrash(@RequestBody ApiScenarioBatchRequest request) {
        return apiAutomationService.listAllTrash(request);
    }

    @PostMapping("/list-blobs")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenarioWithBLOBs> listWithIds(@RequestBody ApiScenarioBatchRequest request) {
        return apiAutomationService.listWithIds(request);
    }


    @PostMapping("/id/all")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<String> idAll(@RequestBody ApiScenarioBatchRequest request) {
        return apiAutomationService.idAll(request);
    }

    @GetMapping("/list/{projectId}")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenarioDTO> list(@PathVariable String projectId) {
        ApiScenarioRequest request = new ApiScenarioRequest();
        request.setProjectId(projectId);
@ -147,6 +149,7 @@ public class ApiScenarioController {
    }

    @PostMapping("/del-ids")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_DELETE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.BATCH_DEL, beforeEvent = "#msClass.getLogDetails(#ids)", msClass = ApiScenarioService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_AUTOMATION_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getScenarioCaseByIds(#ids)", targetClass = ApiScenarioService.class, subject = "接口自动化通知")
    public void deleteBatch(@RequestBody List<String> ids) {
@ -160,6 +163,7 @@ public class ApiScenarioController {
    }

    @PostMapping("/move-gc-ids")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_DELETE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.GC, beforeEvent = "#msClass.getLogDetails(#ids)", msClass = ApiScenarioService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_AUTOMATION_TASK, target = "#targetClass.getScenarioCaseByIds(#ids)", targetClass = ApiScenarioService.class, event = NoticeConstants.Event.DELETE, subject = "接口自动化通知")
    public void removeToGc(@RequestBody List<String> ids) {
@ -167,6 +171,7 @@ public class ApiScenarioController {
    }

    @PostMapping("/move-gc-batch")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_DELETE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.BATCH_GC, beforeEvent = "#msClass.getLogDetails(#request.ids)", msClass = ApiScenarioService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_AUTOMATION_TASK, target = "#targetClass.getScenarioCaseByIds(#request.ids)", targetClass = ApiScenarioService.class, event = NoticeConstants.Event.DELETE, subject = "接口自动化通知")
    public void removeToGcByBatch(@RequestBody ApiScenarioBatchRequest request) {
@ -186,6 +191,7 @@ public class ApiScenarioController {
    }

    @GetMapping("/scenario-details/{id}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public ApiScenarioDTO getScenarioDefinition(@PathVariable String id) {
        return apiAutomationService.getNewApiScenario(id);
    }
@ -206,6 +212,7 @@ public class ApiScenarioController {
    }

    @PostMapping("/get-scenario-list")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<ApiScenarioDTO> getApiScenarios(@RequestBody List<String> ids) {
        return apiAutomationService.getScenarioDetail(ids);
    }
@ -216,6 +223,7 @@ public class ApiScenarioController {
    }

    @PostMapping(value = "/run/debug")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_DEBUG)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.DEBUG, title = "#request.scenarioName", sourceId = "#request.scenarioId", project = "#request.projectId")
    public String runDebug(@RequestPart("request") RunDefinitionRequest request, @RequestPart(value = "bodyFiles", required = false) List<MultipartFile> bodyFiles, @RequestPart(value = "scenarioFiles", required = false) List<MultipartFile> scenarioFiles) {
        try {
@ -230,6 +238,7 @@ public class ApiScenarioController {
    }

    @PostMapping(value = "/run")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_RUN)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.EXECUTE, content = "#msClass.getLogDetails(#request.ids)", msClass = ApiScenarioService.class)
    public List<MsExecResponseDTO> run(@RequestBody RunScenarioRequest request) {
        if (!StringUtils.equals(request.getExecuteType(), ExecuteType.Saved.name())) {
@ -256,6 +265,7 @@ public class ApiScenarioController {
    }

    @PostMapping(value = "/run/batch")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_RUN)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION, type = OperLogConstants.EXECUTE, content = "#msClass.getLogDetails(#request.ids)", msClass = ApiScenarioService.class)
    public List<MsExecResponseDTO> runBatch(@RequestBody RunScenarioRequest request) {
        request.setExecuteType(ExecuteType.Saved.name());
@ -292,24 +302,28 @@ public class ApiScenarioController {
    }

    @PostMapping(value = "/schedule/update")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_SCHEDULE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION_SCHEDULE, type = OperLogConstants.UPDATE, title = "#request.name", beforeEvent = "#msClass.getLogDetails(#request.id)", content = "#msClass.getLogDetails(#request.id)", msClass = ApiScenarioService.class)
    public void updateSchedule(@RequestBody Schedule request) {
        apiAutomationService.updateSchedule(request);
    }

    @PostMapping(value = "/schedule/create")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_SCHEDULE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION_SCHEDULE, type = OperLogConstants.CREATE, title = "#request.name", content = "#msClass.getLogDetails(#request)", msClass = ApiScenarioService.class)
    public void createSchedule(@RequestBody ScheduleRequest request) {
        apiAutomationService.createSchedule(request);
    }

    @PostMapping(value = "/gen-jmx")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_CREATE_PERFORMANCE)
    public ScenarioToPerformanceInfoDTO genPerformanceTestJmx(@RequestBody GenScenarioRequest runRequest) throws Exception {
        runRequest.setExecuteType(ExecuteType.Completed.name());
        return apiAutomationService.genPerformanceTestJmx(runRequest);
    }

    @PostMapping("/gen-jmx-batch")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ_CREATE_PERFORMANCE_BATCH)
    public ScenarioToPerformanceInfoDTO batchGenPerformanceTestJmx(@RequestBody ApiScenarioBatchRequest request) {
        return apiAutomationService.batchGenPerformanceTestJmx(request);
    }
@ -445,7 +459,7 @@ public class ApiScenarioController {
    }

    @GetMapping("/get-base-case/{projectId}")
-    @RequiresPermissions("PROJECT_API_SCENARIO:READ")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_SCENARIO_READ)
    public List<BaseCase> getBaseCaseByProjectId(@PathVariable String projectId) {
        return apiAutomationService.getBaseCaseByProjectId(projectId);
    }
--- a/api-test/backend/src/main/java/io/metersphere/controller/scenario/ApiScenarioReportController.java
+++ b/api-test/backend/src/main/java/io/metersphere/controller/scenario/ApiScenarioReportController.java
@ -11,6 +11,7 @@ import io.metersphere.base.domain.ApiScenarioReport;
 import io.metersphere.commons.constants.NoticeConstants;
 import io.metersphere.commons.constants.OperLogConstants;
 import io.metersphere.commons.constants.OperLogModule;
+import io.metersphere.commons.constants.PermissionConstants;
 import io.metersphere.commons.utils.PageUtils;
 import io.metersphere.commons.utils.Pager;
 import io.metersphere.dto.PlanReportCaseDTO;
@ -20,6 +21,7 @@ import io.metersphere.notice.annotation.SendNotice;
 import io.metersphere.service.ShareInfoService;
 import io.metersphere.service.scenario.ApiScenarioReportService;
 import jakarta.annotation.Resource;
+import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;

 import java.util.List;
@ -35,22 +37,26 @@ public class ApiScenarioReportController {
    private ShareInfoService shareInfoService;

    @GetMapping("/get/{reportId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ)
    public ApiScenarioReportResult get(@PathVariable String reportId) {
        return apiReportService.get(reportId, false);
    }

    @GetMapping("/get/{shareId}/{reportId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ)
    public ApiScenarioReportResult get(@PathVariable String shareId, @PathVariable String reportId) {
        shareInfoService.validateExpired(shareId);
        return apiReportService.get(reportId, false);
    }

    @GetMapping("/get/detail/{reportId}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ)
    public ApiScenarioReportResult getAll(@PathVariable String reportId) {
        return apiReportService.get(reportId, true);
    }

    @PostMapping("/list/{goPage}/{pageSize}")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ)
    public Pager<List<ApiScenarioReportResult>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryAPIReportRequest request) {
        Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
        return PageUtils.setPageInfo(page, apiReportService.list(request));
@ -68,6 +74,7 @@ public class ApiScenarioReportController {
    }

    @PostMapping("/delete")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ_DELETE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION_REPORT, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#request.id)", msClass = ApiScenarioReportService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_REPORT_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.get(#request.id, false)", targetClass = ApiScenarioReportService.class,
            subject = "接口报告通知")
@ -76,6 +83,7 @@ public class ApiScenarioReportController {
    }

    @PostMapping("/batch/delete")
+    @RequiresPermissions(PermissionConstants.PROJECT_API_REPORT_READ_DELETE)
    @MsAuditLog(module = OperLogModule.API_AUTOMATION_REPORT, type = OperLogConstants.BATCH_DEL, beforeEvent = "#msClass.getLogDetails(#request.ids)", msClass = ApiScenarioReportService.class)
    @SendNotice(taskType = NoticeConstants.TaskType.API_REPORT_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getByIds(#request.ids)", targetClass = ApiScenarioReportService.class,
            subject = "接口报告通知")
--- a/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/constants/PermissionConstants.java
+++ b/framework/sdk-parent/sdk/src/main/java/io/metersphere/commons/constants/PermissionConstants.java
@ -153,6 +153,7 @@ public class PermissionConstants {
    public static final String PROJECT_API_SCENARIO_READ_EXPORT_SCENARIO = "PROJECT_API_SCENARIO:READ+EXPORT_SCENARIO";
    public static final String PROJECT_API_SCENARIO_READ_MOVE_BATCH = "PROJECT_API_SCENARIO:READ+MOVE_BATCH";
    public static final String PROJECT_API_SCENARIO_READ_CREATE_PERFORMANCE = "PROJECT_API_SCENARIO:READ+CREATE_PERFORMANCE";
+    public static final String PROJECT_API_SCENARIO_READ_CREATE_PERFORMANCE_BATCH = "PROJECT_API_SCENARIO:READ+CREATE_PERFORMANCE_BATCH";

    public static final String PROJECT_UI_SCENARIO_READ = "PROJECT_UI_SCENARIO:READ";
    public static final String PROJECT_UI_SCENARIO_READ_CREATE = "PROJECT_UI_SCENARIO:READ+CREATE";