fix(测试跟踪): 补充部分接口权限校验

api-test/backend/src/main/java/io/metersphere/controller/plan/TestPlanApiCaseController.java

@@ -20,6 +20,7 @@ import io.metersphere.dto.RunModeConfigDTO;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.log.annotation.MsRequestLog;
 import io.metersphere.request.ResetOrderRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.plan.TestPlanApiCaseService;
 import jakarta.annotation.Resource;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -37,32 +38,38 @@ public class TestPlanApiCaseController {
     TestPlanApiCaseService testPlanApiCaseService;
 
     @PostMapping("/list/{goPage}/{pageSize}")
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public Pager<List<TestPlanApiCaseDTO>> list(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody ApiTestCaseRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, testPlanApiCaseService.list(request));
     }
 
     @GetMapping("/list/failure/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanApiDTO> getFailureList(@PathVariable String planId) {
         return testPlanApiCaseService.getFailureCases(planId);
     }
 
     @GetMapping("/list/errorReport/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanApiDTO> getErrorReportList(@PathVariable String planId) {
         return testPlanApiCaseService.getErrorReportCases(planId);
     }
 
     @GetMapping("/list/unExecute/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanApiDTO> getUnExecuteCases(@PathVariable String planId) {
         return testPlanApiCaseService.getUnExecuteCases(planId);
     }
 
     @GetMapping("/list/all/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanApiDTO> getAllList(@PathVariable String planId) {
         return testPlanApiCaseService.getAllCases(planId);
     }
 
     @GetMapping("/list/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanApiCaseDTO> getByPlanId(@PathVariable String planId) {
         ApiTestCaseRequest request = new ApiTestCaseRequest();
         request.setPlanId(planId);
@@ -70,6 +77,7 @@ public class TestPlanApiCaseController {
     }
 
     @GetMapping("/plan/exec/result/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<String> getExecResultByPlanId(@PathVariable String planId) {
         return testPlanApiCaseService.getExecResultByPlanId(planId);
     }
@@ -86,11 +94,13 @@ public class TestPlanApiCaseController {
 
     @PostMapping("/relevance/{planId}")
     @MsRequestLog(module = OperLogModule.TRACK_TEST_PLAN)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public void testPlanRelevance(@RequestBody List<String> ids, @PathVariable("planId") String planId) {
         testPlanApiCaseService.relevanceByTestIds(ids, planId);
     }
 
     @GetMapping("/status/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<String> getStatusByTestPlanId(@PathVariable("planId") String planId) {
         return testPlanApiCaseService.getStatusByTestPlanId(planId);
     }
@@ -207,11 +217,13 @@ public class TestPlanApiCaseController {
     }
 
     @GetMapping("/get/report/ext/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<ApiDefinitionExecResultWithBLOBs> selectExtForPlanReport(@PathVariable("planId") String planId) {
         return testPlanApiCaseService.selectExtForPlanReport(planId);
     }
 
     @GetMapping("/get/report/scenario/ext/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<ApiScenarioReportWithBLOBs> selectExtForPlanScenarioReport(@PathVariable("planId") String planId) {
         return testPlanApiCaseService.selectExtForPlanScenarioReport(planId);
     }

api-test/backend/src/main/java/io/metersphere/controller/plan/TestPlanScenarioCaseController.java

@@ -19,6 +19,7 @@ import io.metersphere.dto.RunModeConfigDTO;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.log.annotation.MsRequestLog;
 import io.metersphere.request.ResetOrderRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.plan.TestPlanScenarioCaseService;
 import io.metersphere.service.scenario.ApiScenarioService;
 import jakarta.annotation.Resource;
@@ -43,26 +44,31 @@ public class TestPlanScenarioCaseController {
     }
 
     @GetMapping("/list/failure/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanScenarioDTO> getFailureList(@PathVariable String planId) {
         return testPlanScenarioCaseService.getFailureCases(planId);
     }
 
     @GetMapping("/list/error-report/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanScenarioDTO> getErrorReportList(@PathVariable String planId) {
         return testPlanScenarioCaseService.getErrorReportCases(planId);
     }
 
     @GetMapping("/list/pending/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanScenarioDTO> getUnExecuteCases(@PathVariable String planId) {
         return testPlanScenarioCaseService.getUnExecuteCases(planId);
     }
 
     @GetMapping("/list/all/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanScenarioDTO> getAllList(@PathVariable String planId) {
         return testPlanScenarioCaseService.getAllCases(planId);
     }
 
     @GetMapping("/list/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<ApiScenarioDTO> getByPlanId(@PathVariable String planId) {
         TestPlanScenarioRequest request = new TestPlanScenarioRequest();
         request.setPlanId(planId);
@@ -227,6 +233,7 @@ public class TestPlanScenarioCaseController {
     }
 
     @PostMapping("/list/module/{planId}")
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<ApiScenarioModuleDTO> getNodeByPlanId(@PathVariable String planId, @RequestBody List<String> projectIds) {
         return testPlanScenarioCaseService.getNodeByPlanId(projectIds, planId);
     }

api-test/backend/src/main/java/io/metersphere/controller/scenario/ApiScenarioReportController.java

@@ -18,6 +18,7 @@ import io.metersphere.dto.PlanReportCaseDTO;
 import io.metersphere.dto.RequestResult;
 import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.notice.annotation.SendNotice;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.ApiCheckPermissionService;
 import io.metersphere.service.ShareInfoService;
 import io.metersphere.service.scenario.ApiScenarioReportService;
@@ -40,6 +41,7 @@ public class ApiScenarioReportController {
     private ApiCheckPermissionService apiCheckPermissionService;
 
     @GetMapping("/get/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "api_scenario_report")
     public ApiScenarioReportResult get(@PathVariable String reportId) {
         return apiReportService.get(reportId, false);
     }
@@ -51,6 +53,7 @@ public class ApiScenarioReportController {
     }
 
     @GetMapping("/get/detail/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "api_scenario_report")
     public ApiScenarioReportResult getAll(@PathVariable String reportId) {
         return apiReportService.get(reportId, true);
     }

performance-test/backend/src/main/java/io/metersphere/controller/PerformanceReportController.java

@@ -61,83 +61,99 @@ public class PerformanceReportController {
 
     @GetMapping("/test/pro/info/{reportId}")
     @RequiresPermissions(PermissionConstants.PROJECT_PERFORMANCE_REPORT_READ)
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public ReportDTO getReportTestAndProInfo(@PathVariable String reportId) {
         return performanceReportService.getReportTestAndProInfo(reportId);
     }
 
     @GetMapping("/content/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<Statistics> getReportContent(@PathVariable String reportId) {
         return performanceReportService.getReportStatistics(reportId);
     }
 
     @GetMapping("/content/errors/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<Errors> getReportErrors(@PathVariable String reportId) {
         return performanceReportService.getReportErrors(reportId);
     }
 
     @GetMapping("/content/{reportKey}/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ChartsData> getReportChart(@PathVariable String reportKey, @PathVariable String reportId) {
         return performanceReportService.getReportChart(reportKey, reportId);
     }
 
     @GetMapping("/content/errors_top5/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ErrorsTop5> getReportErrorsTop5(@PathVariable String reportId) {
         return performanceReportService.getReportErrorsTOP5(reportId);
     }
 
     @GetMapping("/content/errors_samples/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public SamplesRecord getErrorSamples(@PathVariable String reportId) {
         return performanceReportService.getErrorSamples(reportId);
     }
 
     @GetMapping("/content/testoverview/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public TestOverview getTestOverview(@PathVariable String reportId) {
         return performanceReportService.getTestOverview(reportId);
     }
 
     @GetMapping("/content/report_time/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public ReportTimeInfo getReportTimeInfo(@PathVariable String reportId) {
         return performanceReportService.getReportTimeInfo(reportId);
     }
 
     @GetMapping("/content/load_chart/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ChartsData> getLoadChartData(@PathVariable String reportId) {
         return performanceReportService.getLoadChartData(reportId);
     }
 
     @GetMapping("/content/res_chart/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ChartsData> getResponseTimeChartData(@PathVariable String reportId) {
         return performanceReportService.getResponseTimeChartData(reportId);
     }
 
     @GetMapping("/content/error_chart/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ChartsData> getErrorChartData(@PathVariable String reportId) {
         return performanceReportService.getErrorChartData(reportId);
     }
 
     @GetMapping("/content/response_code_chart/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<ChartsData> getResponseCodeChartData(@PathVariable String reportId) {
         return performanceReportService.getResponseCodeChartData(reportId);
     }
 
     @GetMapping("/{reportId}")
     @RequiresPermissions(PermissionConstants.PROJECT_PERFORMANCE_REPORT_READ)
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public LoadTestReportWithBLOBs getLoadTestReport(@PathVariable String reportId) {
         return performanceReportService.getLoadTestReport(reportId);
     }
 
     @GetMapping("log/resource/{reportId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<LogDetailDTO> getResourceIds(@PathVariable String reportId) {
         return performanceReportService.getReportLogResource(reportId);
     }
 
     @GetMapping("log/{reportId}/{resourceId}/{goPage}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public Pager<List<LoadTestReportLog>> logs(@PathVariable String reportId, @PathVariable String resourceId, @PathVariable int goPage) {
         Page<Object> page = PageHelper.startPage(goPage, 5, true);
         return PageUtils.setPageInfo(page, performanceReportService.getReportLogs(reportId, resourceId));
     }
 
     @GetMapping("log/download/{reportId}/{resourceId}")
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public void downloadLog(@PathVariable String reportId, @PathVariable String resourceId, HttpServletResponse response) throws Exception {
         performanceReportService.downloadLog(response, reportId, resourceId);
     }
@@ -153,18 +169,21 @@ public class PerformanceReportController {
 
     @GetMapping("get-jmx-content/{reportId}")
     @RequiresPermissions(PermissionConstants.PROJECT_PERFORMANCE_REPORT_READ)
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public List<LoadTestExportJmx> getJmxContent(@PathVariable String reportId) {
         return performanceReportService.getJmxContent(reportId);
     }
 
     @GetMapping("/get-load-config/{reportId}")
     @RequiresPermissions(PermissionConstants.PROJECT_PERFORMANCE_REPORT_READ)
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public String getLoadConfiguration(@PathVariable String reportId) {
         return performanceReportService.getLoadConfiguration(reportId);
     }
 
     @GetMapping("/get-advanced-config/{reportId}")
     @RequiresPermissions(PermissionConstants.PROJECT_PERFORMANCE_REPORT_READ)
+    @CheckOwner(resourceId = "#reportId", resourceType = "load_test_report")
     public String getAdvancedConfiguration(@PathVariable String reportId) {
         return performanceReportService.getAdvancedConfiguration(reportId);
     }

test-track/backend/src/main/java/io/metersphere/controller/IssueCommentController.java

@@ -11,6 +11,7 @@ import io.metersphere.notice.annotation.SendNotice;
 import io.metersphere.dto.IssueCommentDTO;
 import io.metersphere.request.issues.IssuesRelevanceRequest;
 import io.metersphere.request.issues.SaveIssueCommentRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.IssueCommentService;
 import io.metersphere.service.IssuesService;
 import io.metersphere.service.TestCaseCommentService;
@@ -40,6 +41,7 @@ public class IssueCommentController {
 
     @GetMapping("/list/{issueId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    @CheckOwner(resourceId = "#issueId", resourceType = "issues")
     public List<IssueCommentDTO> getComments(@PathVariable String issueId) {
         return issueCommentService.getComments(issueId);
     }
@@ -54,6 +56,7 @@ public class IssueCommentController {
     @PostMapping("/edit")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
     @MsAuditLog(module = OperLogModule.TRACK_BUG, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#request.id)", content = "#msClass.getLogDetails(#request.id)", msClass = TestCaseCommentService.class)
+    @CheckOwner(resourceId = "#request.getIssueId()", resourceType = "issues")
     public IssueComment editComment(@RequestBody SaveIssueCommentRequest request) {
        return issueCommentService.edit(request);
     }

test-track/backend/src/main/java/io/metersphere/controller/IssuesController.java

@@ -26,6 +26,7 @@ import io.metersphere.request.issues.IssueImportRequest;
 import io.metersphere.request.issues.PlatformIssueTypeRequest;
 import io.metersphere.request.testcase.AuthUserIssueRequest;
 import io.metersphere.request.testcase.IssuesCountRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.BaseCheckPermissionService;
 import io.metersphere.service.IssuesService;
 import io.metersphere.service.IssuesSyncService;
@@ -96,6 +97,7 @@ public class IssuesController {
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
     @MsAuditLog(module = OperLogModule.TRACK_BUG, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#issuesRequest.id)", content = "#msClass.getLogDetails(#issuesRequest.id)", msClass = IssuesService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.DEFECT_TASK, event = NoticeConstants.Event.UPDATE, subject = "缺陷通知")
+    @CheckOwner(resourceId = "#request.getId()", resourceType = "issues")
     public IssuesWithBLOBs updateIssues(@RequestPart(value = "request") IssuesUpdateRequest issuesRequest) {
         return issuesService.updateIssues(issuesRequest);
     }
@@ -108,6 +110,7 @@ public class IssuesController {
 
     @GetMapping("/get/{id}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    @CheckOwner(resourceId = "#id", resourceType = "issues")
     public IssuesWithBLOBs getIssue(@PathVariable String id) {
         return issuesService.getIssue(id);
     }
@@ -132,6 +135,7 @@ public class IssuesController {
 
     @GetMapping("/close/{id}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
+    @CheckOwner(resourceId = "#id", resourceType = "issues")
     public void closeLocalIssue(@PathVariable String id) {
         issuesService.closeLocalIssue(id);
     }
@@ -139,6 +143,7 @@ public class IssuesController {
     @PostMapping("/delete/relate")
     @MsRequestLog(module = OperLogModule.TRACK_BUG)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    @CheckOwner(resourceId = "#id", resourceType = "issues")
     public void deleteRelate(@RequestBody IssuesRequest request) {
         issuesService.deleteIssueRelate(request);
     }
@@ -147,6 +152,7 @@ public class IssuesController {
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_DELETE)
     @MsAuditLog(module = OperLogModule.TRACK_BUG, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#id)", msClass = IssuesService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.DEFECT_TASK, target = "#targetClass.getIssue(#id)", targetClass = IssuesService.class, event = NoticeConstants.Event.DELETE, subject = "缺陷通知")
+    @CheckOwner(resourceId = "#id", resourceType = "issues")
     public void delete(@PathVariable String id) {
         issuesService.delete(id);
     }
@@ -166,6 +172,7 @@ public class IssuesController {
 
     @GetMapping("/tapd/current_owner/{id}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    @CheckOwner(resourceId = "#id", resourceType = "issues")
     public List<String> getTapdIssueCurrentOwner(@PathVariable String id) {
         return issuesService.getTapdIssueCurrentOwner(id);
     }
@@ -202,6 +209,7 @@ public class IssuesController {
 
     @GetMapping("/follow/{issueId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ)
+    @CheckOwner(resourceId = "#issueId", resourceType = "issues")
     public List<String> getFollows(@PathVariable String issueId) {
         return issuesService.getFollows(issueId);
     }
@@ -209,6 +217,7 @@ public class IssuesController {
     @PostMapping("/up/follows/{issueId}")
     @MsRequestLog(module = OperLogModule.TRACK_BUG)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_ISSUE_READ_EDIT)
+    @CheckOwner(resourceId = "#issueId", resourceType = "issues")
     public void saveFollows(@PathVariable String issueId,@RequestBody List<String> follows) {
         issuesService.saveFollows(issueId,follows);
     }

test-track/backend/src/main/java/io/metersphere/controller/TestCaseController.java

@@ -20,6 +20,7 @@ import io.metersphere.notice.annotation.SendNotice;
 import io.metersphere.request.ResetOrderRequest;
 import io.metersphere.request.testcase.*;
 import io.metersphere.request.testplan.FileOperationRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.BaseCheckPermissionService;
 import io.metersphere.service.BaseProjectApplicationService;
 import io.metersphere.service.FileService;
@@ -169,6 +170,7 @@ public class TestCaseController {
 
     @GetMapping("/relate/test/list/{caseId}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_CASE_READ, PermissionConstants.PROJECT_TRACK_PLAN_READ}, logical = Logical.OR)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public List<TestCaseTestDao> getRelateTest(@PathVariable String caseId) {
         return testCaseService.getRelateTest(caseId);
     }
@@ -176,6 +178,7 @@ public class TestCaseController {
     @PostMapping("/relate/test/{type}/{caseId}")
     @MsRequestLog(module = OperLogModule.TRACK_TEST_CASE)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public void relateTest(@PathVariable String type, @PathVariable String caseId, @RequestBody List<String> apiIds) {
         testCaseService.relateTest(type, caseId, apiIds);
     }
@@ -183,6 +186,7 @@ public class TestCaseController {
     @GetMapping("/relate/delete/{caseId}/{testId}")
     @MsRequestLog(module = OperLogModule.TRACK_TEST_CASE)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public void relateDelete(@PathVariable String caseId, @PathVariable String testId) {
         testCaseService.relateDelete(caseId, testId);
     }
@@ -197,24 +201,28 @@ public class TestCaseController {
 
     @GetMapping("/get/{testCaseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public TestCaseDTO getTestCase(@PathVariable String testCaseId) {
         return testCaseService.getTestCase(testCaseId);
     }
 
     @GetMapping("/get/version/{refId}/{versionId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#refId", resourceType = "test_case")
     public TestCaseDTO getTestCaseByVersion(@PathVariable String refId, @PathVariable String versionId) {
         return testCaseService.getTestCaseByVersion(refId, versionId);
     }
 
     @GetMapping("/get/step/{testCaseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public TestCaseWithBLOBs getTestCaseStep(@PathVariable String testCaseId) {
         return testCaseService.getTestCaseStep(testCaseId);
     }
 
     @GetMapping("/get/simple/{testCaseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public TestCaseWithBLOBs getSimpleCase(@PathVariable String testCaseId) {
         return testCaseService.getSimpleCase(testCaseId);
     }
@@ -227,6 +235,7 @@ public class TestCaseController {
 
     @GetMapping("/project/{testCaseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public Project getProjectByTestCaseId(@PathVariable String testCaseId) {
         trackCheckPermissionService.checkTestCaseOwner(testCaseId);
         return testCaseService.getProjectByTestCaseId(testCaseId);
@@ -258,6 +267,7 @@ public class TestCaseController {
     @SendNotice(taskType = NoticeConstants.TaskType.TRACK_TEST_CASE_TASK, target = "#targetClass.getTestCase(#request.id)", targetClass = TestCaseService.class,
             event = NoticeConstants.Event.UPDATE, subject = "测试用例通知")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT, PermissionConstants.PROJECT_TRACK_CASE_READ_CREATE}, logical = Logical.OR)
+    @CheckOwner(resourceId = "#request.getId()", resourceType = "test_case")
     public TestCase editTestCase(@RequestPart("request") EditTestCaseRequest request) {
         return testCaseService.edit(request);
     }
@@ -265,6 +275,7 @@ public class TestCaseController {
     @PostMapping("/delete/{testCaseId}")
     @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#testCaseId)", msClass = TestCaseService.class)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_DELETE)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public int deleteTestCase(@PathVariable String testCaseId) {
         trackCheckPermissionService.checkTestCaseOwner(testCaseId);
         return testCaseService.deleteTestCaseBySameVersion(testCaseId);
@@ -275,6 +286,7 @@ public class TestCaseController {
     @SendNotice(taskType = NoticeConstants.TaskType.TRACK_TEST_CASE_TASK, event = NoticeConstants.Event.DELETE, target = "#targetClass.getTestCase(#testCaseId)", targetClass = TestCaseService.class,
             subject = "测试用例通知")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_DELETE)
+    @CheckOwner(resourceId = "#testCaseId", resourceType = "test_case")
     public int deleteToGC(@PathVariable String testCaseId) {
         trackCheckPermissionService.checkTestCaseOwner(testCaseId);
         return testCaseService.deleteTestCaseToGc(testCaseId);
@@ -443,6 +455,7 @@ public class TestCaseController {
 
     @GetMapping("/follow/{caseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public List<String> getFollows(@PathVariable String caseId) {
         return testCaseService.getFollows(caseId);
     }
@@ -450,6 +463,7 @@ public class TestCaseController {
     @PostMapping("/edit/follows/{caseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ_EDIT)
     @MsRequestLog(module = OperLogModule.TRACK_TEST_CASE)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public void editTestFollows(@PathVariable String caseId, @RequestBody List<String> follows) {
         testCaseService.saveFollows(caseId, follows);
     }
@@ -480,6 +494,7 @@ public class TestCaseController {
      */
     @GetMapping("hasOtherInfo/{caseId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_CASE_READ)
+    @CheckOwner(resourceId = "#caseId", resourceType = "test_case")
     public Boolean hasOtherInfo(@PathVariable String caseId) {
         return testCaseService.hasOtherInfo(caseId);
     }

test-track/backend/src/main/java/io/metersphere/controller/TestCaseNodeController.java

@@ -12,6 +12,7 @@ import io.metersphere.request.testcase.DragNodeRequest;
 import io.metersphere.request.testcase.QueryNodeRequest;
 import io.metersphere.request.testcase.QueryTestCaseRequest;
 import io.metersphere.request.testreview.QueryCaseReviewRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.BaseCheckPermissionService;
 import io.metersphere.service.TestCaseNodeService;
 import io.metersphere.service.wapper.CheckPermissionService;
@@ -101,6 +102,7 @@ public class TestCaseNodeController {
 
     @GetMapping("/list/plan/{planId}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_PLAN_READ})
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestCaseNodeDTO> getNodeByPlanId(@PathVariable String planId) {
         trackCheckPermissionService.checkTestPlanOwner(planId);
         return testCaseNodeService.getNodeByPlanId(planId);
@@ -108,6 +110,7 @@ public class TestCaseNodeController {
 
     @PostMapping("/list/plan/{planId}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_PLAN_READ})
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestCaseNodeDTO> getNodeByPlanId(@PathVariable String planId, @RequestBody(required = false) QueryTestPlanCaseRequest request) {
         trackCheckPermissionService.checkTestPlanOwner(planId);
         return testCaseNodeService.getNodeByPlanId(planId, Optional.ofNullable(request).orElse(new QueryTestPlanCaseRequest()));
@@ -141,6 +144,7 @@ public class TestCaseNodeController {
 
     @GetMapping("/list/plan/{planId}/{runResult}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_PLAN_READ})
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestCaseNodeDTO> getNodeByPlanIdAndRunResult(@PathVariable String planId, @PathVariable String runResult) {
         trackCheckPermissionService.checkTestPlanOwner(planId);
         QueryTestPlanCaseRequest request = new QueryTestPlanCaseRequest();
@@ -151,6 +155,7 @@ public class TestCaseNodeController {
 
     @GetMapping("/list/review/{reviewId}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_REVIEW_READ})
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public List<TestCaseNodeDTO> getNodeByReviewId(@PathVariable String reviewId) {
         trackCheckPermissionService.checkTestReviewOwner(reviewId);
         return testCaseNodeService.getNodeByReviewId(reviewId);
@@ -158,6 +163,7 @@ public class TestCaseNodeController {
 
     @PostMapping("/list/review/{reviewId}")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_REVIEW_READ})
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public List<TestCaseNodeDTO> getNodeByReviewId(@PathVariable String reviewId, @RequestBody(required = false) QueryCaseReviewRequest request) {
         trackCheckPermissionService.checkTestReviewOwner(reviewId);
         return testCaseNodeService.getNodeByReviewId(reviewId, Optional.ofNullable(request).orElse(new QueryCaseReviewRequest()));

test-track/backend/src/main/java/io/metersphere/controller/TestCaseReviewController.java

@@ -18,6 +18,7 @@ import io.metersphere.log.annotation.MsAuditLog;
 import io.metersphere.log.annotation.MsRequestLog;
 import io.metersphere.notice.annotation.SendNotice;
 import io.metersphere.request.testreview.*;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.TestCaseReviewService;
 import io.metersphere.service.TestReviewProjectService;
 import io.metersphere.service.wapper.CheckPermissionService;
@@ -87,6 +88,7 @@ public class TestCaseReviewController {
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ_EDIT)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE_REVIEW, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#testCaseReview.id)", title = "#testCaseReview.name", content = "#msClass.getLogDetails(#testCaseReview.id)", msClass = TestCaseReviewService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.REVIEW_TASK, event = NoticeConstants.Event.UPDATE, subject = "测试评审通知")
+    @CheckOwner(resourceId = "#testCaseReview.getId()", resourceType = "test_case_review")
     public TestCaseReview editCaseReview(@RequestBody SaveTestCaseReviewRequest testCaseReview) {
         return testCaseReviewService.editCaseReview(testCaseReview);
     }
@@ -96,6 +98,7 @@ public class TestCaseReviewController {
     @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE_REVIEW, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#reviewId)", msClass = TestCaseReviewService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.REVIEW_TASK, target = "#targetClass.getTestReview(#reviewId)", targetClass = TestCaseReviewService.class,
             event = NoticeConstants.Event.DELETE, subject = "测试评审通知")
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public void deleteCaseReview(@PathVariable String reviewId) {
         trackCheckPermissionService.checkTestReviewOwner(reviewId);
         testCaseReviewService.deleteCaseReview(reviewId);
@@ -134,6 +137,7 @@ public class TestCaseReviewController {
 
     @GetMapping("/get/{reviewId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public TestCaseReview getTestReview(@PathVariable String reviewId) {
         trackCheckPermissionService.checkTestReviewOwner(reviewId);
         return testCaseReviewService.getTestReview(reviewId);
@@ -142,6 +146,7 @@ public class TestCaseReviewController {
     @PostMapping("/edit/status/{reviewId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ_EDIT)
     @MsRequestLog(module = OperLogModule.TRACK_TEST_CASE_REVIEW)
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public void editTestPlanStatus(@PathVariable String reviewId) {
         trackCheckPermissionService.checkTestReviewOwner(reviewId);
         testCaseReviewService.editTestReviewStatus(reviewId);

test-track/backend/src/main/java/io/metersphere/controller/TestPlanController.java

@@ -25,6 +25,7 @@ import io.metersphere.plan.service.TestPlanProjectService;
 import io.metersphere.plan.service.TestPlanRerunService;
 import io.metersphere.plan.service.TestPlanService;
 import io.metersphere.request.ScheduleRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.BaseScheduleService;
 import io.metersphere.service.BaseUserService;
 import io.metersphere.service.wapper.CheckPermissionService;
@@ -58,6 +59,7 @@ public class TestPlanController {
 
     @GetMapping("/auto-check/{testPlanId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#testPlanId", resourceType = "test_plan")
     public void autoCheck(@PathVariable String testPlanId) {
         testPlanService.checkTestPlanStatus(testPlanId);
     }
@@ -120,6 +122,7 @@ public class TestPlanController {
 
     @GetMapping("/get/{testPlanId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#testPlanId", resourceType = "test_plan")
     public TestPlan getTestPlan(@PathVariable String testPlanId) {
         checkPermissionService.checkTestPlanOwner(testPlanId);
         return testPlanService.getTestPlan(testPlanId);
@@ -141,6 +144,7 @@ public class TestPlanController {
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ_EDIT)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#testPlanDTO.id)", content = "#msClass.getLogDetails(#testPlanDTO.id)", msClass = TestPlanService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.TEST_PLAN_TASK, event = NoticeConstants.Event.UPDATE, subject = "测试计划通知")
+    @CheckOwner(resourceId = "#testPlanDTO.getId()", resourceType = "test_plan")
     public TestPlan editTestPlan(@RequestBody AddTestPlanRequest testPlanDTO) {
         TestPlan testPlan = testPlanService.editTestPlanWithRequest(testPlanDTO);
         testPlan.setStage(StatusReference.statusMap.containsKey(testPlan.getStage()) ? StatusReference.statusMap.get(testPlan.getStage()) : testPlan.getStage());
@@ -151,6 +155,7 @@ public class TestPlanController {
     @PostMapping("/fresh/{planId}")
     @MsRequestLog(module = OperLogModule.TRACK_TEST_PLAN)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public TestPlan freshRecentPlan(@PathVariable String planId) {
         AddTestPlanRequest request = new AddTestPlanRequest();
         request.setId(planId);
@@ -161,6 +166,7 @@ public class TestPlanController {
     @PostMapping("/edit/status/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.UPDATE, beforeEvent = "#msClass.getLogDetails(#planId)", content = "#msClass.getLogDetails(#planId)", msClass = TestPlanService.class)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public void editTestPlanStatus(@PathVariable String planId) {
         checkPermissionService.checkTestPlanOwner(planId);
         testPlanService.checkTestPlanStatus(planId);
@@ -176,6 +182,7 @@ public class TestPlanController {
     @PostMapping("/edit/follows/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ_EDIT)
     @MsRequestLog(module = OperLogModule.TRACK_TEST_PLAN)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public void editTestFollows(@PathVariable String planId, @RequestBody List<String> follows) {
         testPlanService.editTestFollows(planId, follows);
     }
@@ -185,6 +192,7 @@ public class TestPlanController {
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.DELETE, beforeEvent = "#msClass.getLogDetails(#testPlanId)", msClass = TestPlanService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.TEST_PLAN_TASK, target = "#targetClass.getTransferPlan(#testPlanId)", targetClass = TestPlanService.class,
             event = NoticeConstants.Event.DELETE, subject = "测试计划通知")
+    @CheckOwner(resourceId = "#testPlanId", resourceType = "test_plan")
     public int deleteTestPlan(@PathVariable String testPlanId) {
         checkPermissionService.checkTestPlanOwner(testPlanId);
         return testPlanService.deleteTestPlan(testPlanId);
@@ -200,12 +208,14 @@ public class TestPlanController {
     @PostMapping("/relevance")
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.ASSOCIATE_CASE, content = "#msClass.getLogDetails(#request)", msClass = TestPlanService.class)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ_RELEVANCE_OR_CANCEL)
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public void testPlanRelevance(@RequestBody PlanCaseRelevanceRequest request) {
         testPlanService.testPlanRelevance(request);
     }
 
     @GetMapping("/project/name/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public String getProjectNameByPlanId(@PathVariable String planId) {
         return testPlanService.getProjectNameByPlanId(planId);
     }
@@ -231,6 +241,7 @@ public class TestPlanController {
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_PLAN_READ_CREATE, PermissionConstants.PROJECT_TRACK_PLAN_READ_COPY}, logical = Logical.OR)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.COPY, content = "#msClass.getLogDetails(#id)", msClass = TestPlanService.class)
     @SendNotice(taskType = NoticeConstants.TaskType.TEST_PLAN_TASK, event = NoticeConstants.Event.CREATE, subject = "测试计划通知")
+    @CheckOwner(resourceId = "#id", resourceType = "test_plan")
     public TestPlan copy(@PathVariable String id) {
         TestPlan result = testPlanService.copy(id);
         result.setStage(StatusReference.statusMap.containsKey(result.getStage()) ? StatusReference.statusMap.get(result.getStage()) : result.getStage());
@@ -264,6 +275,7 @@ public class TestPlanController {
 
     @GetMapping("/case/relevance/project/id/{testPlanId}/{caseType}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#testPlanId", resourceType = "test_plan")
     public List<String> getRelevanceProjectIds(@PathVariable String testPlanId, @PathVariable String caseType) {
         return testPlanService.getRelevanceProjectIdsByCaseType(testPlanId, caseType);
     }
@@ -306,12 +318,14 @@ public class TestPlanController {
 
     @GetMapping("/report/export/{planId}/{lang}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ_EXPORT)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public void exportHtmlReport(@PathVariable String planId, @PathVariable(required = false) String lang, HttpServletResponse response) throws UnsupportedEncodingException, JsonProcessingException {
         testPlanService.exportPlanReport(planId, lang, response);
     }
 
     @GetMapping("/get/report/export/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ_EXPORT)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public TestPlanReportDataStruct getExportHtmlReport(@PathVariable String planId, HttpServletResponse response) throws UnsupportedEncodingException {
         return testPlanService.buildPlanReport(planId, true);
     }
@@ -379,12 +393,14 @@ public class TestPlanController {
 
     @GetMapping("/principal/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<User> getPlanPrincipal(@PathVariable String planId) {
         return testPlanService.getPlanPrincipal(planId);
     }
 
     @GetMapping("/follow/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<User> getPlanFollow(@PathVariable String planId) {
         return testPlanService.getPlanFollow(planId);
     }
@@ -443,6 +459,7 @@ public class TestPlanController {
     @GetMapping(value = "/status/reset/{planId}")
     @MsRequestLog(module = OperLogModule.TRACK_TEST_PLAN)
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public void resetStatus(@PathVariable String planId) {
         testPlanService.resetStatus(planId);
     }

test-track/backend/src/main/java/io/metersphere/controller/TestPlanReportController.java

@@ -20,6 +20,7 @@ import io.metersphere.plan.dto.TestPlanReportDataStruct;
 import io.metersphere.plan.request.TestPlanReportSaveRequest;
 import io.metersphere.plan.service.TestPlanReportService;
 import io.metersphere.request.report.QueryTestPlanReportRequest;
+import io.metersphere.security.CheckOwner;
 import jakarta.annotation.Resource;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
@@ -48,12 +49,14 @@ public class TestPlanReportController {
 
     @GetMapping("/getMetric/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public TestPlanReportDTO getMetric(@PathVariable String planId) {
         return testPlanReportService.getMetric(planId);
     }
 
     @GetMapping("/real-time/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public TestPlanReportDataStruct getRealTimeReport(@PathVariable String planId) {
         return testPlanReportService.getRealTimeReport(planId);
     }
@@ -66,6 +69,7 @@ public class TestPlanReportController {
 
     @GetMapping("/status/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public String getStatus(@PathVariable String planId) {
         TestPlanReport report = testPlanReportService.getTestPlanReport(planId);
         String status = report.getStatus();
@@ -89,6 +93,7 @@ public class TestPlanReportController {
 
     @GetMapping("/saveTestPlanReport/{planId}/{triggerMode}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REPORT_READ_EDIT)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public String saveTestPlanReport(@PathVariable String planId, @PathVariable String triggerMode) {
         String userId = SessionUtils.getUser().getId();
         String reportId = UUID.randomUUID().toString();

test-track/backend/src/main/java/io/metersphere/controller/TestPlanTestCaseController.java

@@ -18,6 +18,7 @@ import io.metersphere.plan.request.function.TestPlanFuncCaseBatchRequest;
 import io.metersphere.plan.request.function.TestPlanFuncCaseEditRequest;
 import io.metersphere.plan.service.TestPlanTestCaseService;
 import io.metersphere.request.ResetOrderRequest;
+import io.metersphere.security.CheckOwner;
 import org.apache.commons.lang3.StringUtils;
 import org.apache.shiro.authz.annotation.Logical;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
@@ -36,6 +37,7 @@ public class TestPlanTestCaseController {
 
     @PostMapping("/list/{goPage}/{pageSize}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public Pager<List<TestPlanCaseDTO>> getTestPlanCases(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryTestPlanCaseRequest request) {
         QueryTestPlanCaseRequest paramRequest = testPlanTestCaseService.setCustomNumOrderParam(request);
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
@@ -46,6 +48,7 @@ public class TestPlanTestCaseController {
     /*jenkins测试计划下全部用例*/
     @GetMapping("/list/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanCaseDTO> getTestPlanCaseByPlanId(@PathVariable String planId) {
         QueryTestPlanCaseRequest request = new QueryTestPlanCaseRequest();
         request.setPlanId(planId);
@@ -55,6 +58,7 @@ public class TestPlanTestCaseController {
 
     @PostMapping("/list/minder")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public List<TestPlanCaseDTO> listForMinder(@RequestBody QueryTestPlanCaseRequest request) {
         return testPlanTestCaseService.listForMinder(request);
     }
@@ -68,6 +72,7 @@ public class TestPlanTestCaseController {
 
     @GetMapping("/list/node/{planId}/{nodePaths}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanCaseDTO> getTestPlanCasesByNodePath(@PathVariable String planId, @PathVariable String nodePaths) {
         String nodePath = nodePaths.replace("f", "/");
         String[] array = nodePath.split(",");
@@ -81,6 +86,7 @@ public class TestPlanTestCaseController {
 
     @GetMapping("/list/node/all/{planId}/{nodePaths}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanCaseDTO> getTestPlanCasesByNodePaths(@PathVariable String planId, @PathVariable String nodePaths) {
         String nodePath = nodePaths.replace("f", StringUtils.EMPTY);
         String[] array = nodePath.split(",");
@@ -132,6 +138,7 @@ public class TestPlanTestCaseController {
     @PostMapping("/minder/edit")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ_RUN)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.MINDER_OPERATION, content = "#msClass.getCaseLogDetails(#testPlanTestCases)", msClass = TestPlanTestCaseService.class)
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public void editTestCaseForMinder(@RequestBody List<TestPlanTestCaseWithBLOBs> testPlanTestCases) {
         testPlanTestCaseService.editTestCaseForMinder(testPlanTestCases);
     }
@@ -139,6 +146,7 @@ public class TestPlanTestCaseController {
     @PostMapping("/batch/edit")
     @RequiresPermissions(value = {PermissionConstants.PROJECT_TRACK_PLAN_READ_RUN, PermissionConstants.PROJECT_TRACK_PLAN_READ_CASE_BATCH_EDIT}, logical = Logical.OR)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_PLAN, type = OperLogConstants.BATCH_UPDATE, beforeEvent = "#msClass.batchLogDetails(#request.ids)", content = "#msClass.getLogDetails(#request.ids)", msClass = TestPlanTestCaseService.class)
+    @CheckOwner(resourceId = "#request.getPlanId()", resourceType = "test_plan")
     public void editTestCaseBath(@RequestBody TestPlanCaseBatchRequest request) {
         testPlanTestCaseService.editTestCaseBath(request);
     }
@@ -159,12 +167,14 @@ public class TestPlanTestCaseController {
 
     @PostMapping("/list/all/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanCaseDTO> getFailureCases(@PathVariable String planId, @RequestBody(required = false) List<String> statusList) {
         return testPlanTestCaseService.getAllCasesByStatusList(planId, statusList);
     }
 
     @GetMapping("/list/all/{planId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_PLAN_READ)
+    @CheckOwner(resourceId = "#planId", resourceType = "test_plan")
     public List<TestPlanCaseDTO> getAllCases(@PathVariable String planId) {
         return testPlanTestCaseService.getAllCases(planId);
     }

test-track/backend/src/main/java/io/metersphere/controller/TestReviewTestCaseController.java

@@ -18,6 +18,7 @@ import io.metersphere.request.testplancase.TestReviewCaseBatchRequest;
 import io.metersphere.request.testreview.DeleteRelevanceRequest;
 import io.metersphere.request.testreview.QueryCaseReviewRequest;
 import io.metersphere.request.testreview.TestCaseReviewTestCaseEditRequest;
+import io.metersphere.security.CheckOwner;
 import io.metersphere.service.TestReviewTestCaseService;
 import org.apache.shiro.authz.annotation.RequiresPermissions;
 import org.springframework.web.bind.annotation.*;
@@ -34,6 +35,7 @@ public class TestReviewTestCaseController {
 
     @PostMapping("/list/{goPage}/{pageSize}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
+    @CheckOwner(resourceId = "#request.getReviewId()", resourceType = "test_case_review")
     public Pager<List<TestReviewCaseDTO>> getTestReviewCases(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryCaseReviewRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, testReviewTestCaseService.list(request));
@@ -70,18 +72,21 @@ public class TestReviewTestCaseController {
     @PostMapping("/minder/edit/{reviewId}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ_EDIT)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE_REVIEW, type = OperLogConstants.ASSOCIATE_CASE, content = "#msClass.getLogDetails(#testCases)", msClass = TestReviewTestCaseService.class)
+    @CheckOwner(resourceId = "#reviewId", resourceType = "test_case_review")
     public void editTestCaseForMinder(@PathVariable("reviewId") String reviewId, @RequestBody List<TestCaseReviewTestCase> testCases) {
         testReviewTestCaseService.editTestCaseForMinder(reviewId, testCases);
     }
 
     @PostMapping("/list/minder")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
+    @CheckOwner(resourceId = "#request.getReviewId()", resourceType = "test_case_review")
     public List<TestReviewCaseDTO> listForMinder(@RequestBody QueryCaseReviewRequest request) {
         return testReviewTestCaseService.listForMinder(request);
     }
 
     @PostMapping("/list/minder/{goPage}/{pageSize}")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ)
+    @CheckOwner(resourceId = "#request.getReviewId()", resourceType = "test_case_review")
     public Pager<List<TestReviewCaseDTO>> listForMinder(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryCaseReviewRequest request) {
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, testReviewTestCaseService.listForMinder(request));
@@ -90,6 +95,7 @@ public class TestReviewTestCaseController {
     @PostMapping("/edit")
     @RequiresPermissions(PermissionConstants.PROJECT_TRACK_REVIEW_READ_REVIEW)
     @MsAuditLog(module = OperLogModule.TRACK_TEST_CASE_REVIEW, type = OperLogConstants.REVIEW, content = "#msClass.getLogDetails(#testCaseReviewTestCase)", msClass = TestReviewTestCaseService.class)
+    @CheckOwner(resourceId = "#testCaseReviewTestCase.getReviewId()", resourceType = "test_case_review")
     public TestReviewTestCaseEditResult editTestCase(@RequestBody TestCaseReviewTestCaseEditRequest testCaseReviewTestCase) {
         return testReviewTestCaseService.editTestCase(testCaseReviewTestCase);
     }

test-track/backend/src/main/java/io/metersphere/service/TestReviewTestCaseService.java

@@ -455,8 +455,8 @@ public class TestReviewTestCaseService {
         return comments;
     }
 
-    public TestReviewCaseDTO get(String reviewId) {
+    public TestReviewCaseDTO get(String testReviewTestCaseId) {
-        TestReviewCaseDTO testReviewCaseDTO = extTestReviewCaseMapper.get(reviewId);
+        TestReviewCaseDTO testReviewCaseDTO = extTestReviewCaseMapper.get(testReviewTestCaseId);
         testReviewCaseDTO.setFields(testCaseService.getCustomFieldByCaseId(testReviewCaseDTO.getCaseId()));
         return testReviewCaseDTO;
     }

test-track/frontend/src/business/case/components/TestCaseEdit.vue

@@ -818,6 +818,7 @@ export default {
         });
       }
 
+      if (this.caseId) {
         getTestCaseFollow(this.caseId).then((response) => {
           this.form.follows = response.data;
           for (let i = 0; i < response.data.length; i++) {
@@ -827,6 +828,7 @@ export default {
             }
           }
         });
+      }
 
       getProjectApplicationConfig("CASE_PUBLIC", this.projectId).then((res) => {
         let data = res.data;