diff --git a/backend/framework/sdk/src/main/resources/i18n/commons.properties b/backend/framework/sdk/src/main/resources/i18n/commons.properties index 72958f3486..36184580ee 100644 --- a/backend/framework/sdk/src/main/resources/i18n/commons.properties +++ b/backend/framework/sdk/src/main/resources/i18n/commons.properties @@ -409,6 +409,7 @@ get_plugin_instance_error=获取插件接口实现类错误! user_role_relation_exist_error=用户已在当前用户组! internal_user_role_permission_error=内置用户组无法编辑与删除! user_role_relation_remove_admin_user_permission_error=无法将 admin 用户将系统管理员用户组删除! +internal_admin_user_role_permission_error=内置管理员用户组无法修改权限! # customField internal_custom_field_permission_error=系统字段或模板无法删除! internal_template_permission_error=系统模板无法删除! diff --git a/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties b/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties index a789423754..2e43eb6d4d 100644 --- a/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties +++ b/backend/framework/sdk/src/main/resources/i18n/commons_en_US.properties @@ -412,6 +412,7 @@ get_plugin_instance_error=Get the plugin instance error! user_role_relation_exist_error=The user is already in the current user group! internal_user_role_permission_error=Internal user groups cannot be edited or deleted! user_role_relation_remove_admin_user_permission_error=Unable to delete the admin user from the system administrator user group! +internal_admin_user_role_permission_error=Internal admin user group cannot be edited or deleted! # customField internal_custom_field_permission_error=System fields cannot be deleted! diff --git a/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties b/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties index bc1d243fad..cc901524bc 100644 --- a/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties +++ b/backend/framework/sdk/src/main/resources/i18n/commons_zh_CN.properties 
@@ -410,6 +410,7 @@ get_plugin_instance_error=获取插件接口实现类错误!
 user_role_relation_exist_error=用户已在当前用户组!
 internal_user_role_permission_error=内置用户组无法编辑与删除!
 user_role_relation_remove_admin_user_permission_error=无法将 admin 用户将系统管理员用户组删除!
+internal_admin_user_role_permission_error=内置管理员用户组无法修改权限!
 # customField
 internal_custom_field_permission_error=系统字段或模板无法删除!
 internal_template_permission_error=系统模板无法删除!
diff --git a/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties b/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties
index d6c7c8cd34..fe683c08e4 100644
--- a/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/commons_zh_TW.properties
@@ -409,6 +409,7 @@ get_plugin_instance_error=獲取插件接口實現類錯誤!
 user_role_relation_exist_error=用戶已在當前用戶組!
 internal_user_role_permission_error=內置用戶組無法編輯與刪除!
 user_role_relation_remove_admin_user_permission_error=無法將 admin 用戶將系統管理員用戶組刪除!
+internal_admin_user_role_permission_error=內置管理員用戶組無法修改權限!
 # customField
 internal_custom_field_permission_error=系統字段或模板無法刪除!
 internal_template_permission_error=系統模板無法刪除!
diff --git a/backend/services/system-setting/src/main/java/io/metersphere/system/controller/handler/result/CommonResultCode.java b/backend/services/system-setting/src/main/java/io/metersphere/system/controller/handler/result/CommonResultCode.java
index c4ab3123a0..3126369092 100644
--- a/backend/services/system-setting/src/main/java/io/metersphere/system/controller/handler/result/CommonResultCode.java
+++ b/backend/services/system-setting/src/main/java/io/metersphere/system/controller/handler/result/CommonResultCode.java
@@ -28,7 +28,8 @@ public enum CommonResultCode implements IResultCode { STATUS_ITEM_NOT_EXIST(100015, "status_item.not.exist"), STATUS_ITEM_EXIST(100016, "status_item.exist"), FIELD_VALIDATE_ERROR(100017, "field_validate_error"), - STATUS_DEFINITION_REQUIRED_ERROR(100018, "status_definition_required_error");; + STATUS_DEFINITION_REQUIRED_ERROR(100018, "status_definition_required_error"), + ADMIN_USER_ROLE_PERMISSION(100019, "internal_admin_user_role_permission_error"); private int code; diff --git a/backend/services/system-setting/src/main/java/io/metersphere/system/service/BaseUserRoleService.java b/backend/services/system-setting/src/main/java/io/metersphere/system/service/BaseUserRoleService.java index 56cba081ff..26bda3e1da 100644 --- a/backend/services/system-setting/src/main/java/io/metersphere/system/service/BaseUserRoleService.java +++ b/backend/services/system-setting/src/main/java/io/metersphere/system/service/BaseUserRoleService.java @@ -1,5 +1,6 @@ package io.metersphere.system.service; +import io.metersphere.sdk.constants.InternalUserRole; import io.metersphere.sdk.constants.UserRoleEnum; import io.metersphere.sdk.exception.MSException; import io.metersphere.sdk.util.JSON; @@ -26,6 +27,7 @@ import org.springframework.transaction.annotation.Transactional; import java.util.*; import java.util.stream.Collectors; +import static io.metersphere.system.controller.handler.result.CommonResultCode.ADMIN_USER_ROLE_PERMISSION; import static io.metersphere.system.controller.handler.result.CommonResultCode.INTERNAL_USER_ROLE_PERMISSION; import static io.metersphere.system.controller.result.SystemResultCode.NO_GLOBAL_USER_ROLE_PERMISSION; 
@@ -186,6 +188,13 @@ public class BaseUserRoleService { } } + public void checkAdminUserRole(UserRole userRole) { + if (StringUtils.equalsAny(userRole.getId(), InternalUserRole.ADMIN.getValue(), + InternalUserRole.ORG_ADMIN.getValue(), InternalUserRole.PROJECT_ADMIN.getValue())) { + throw new MSException(ADMIN_USER_ROLE_PERMISSION); + } + } + /** * 校验是否是全局用户组,是全局抛异常 */ diff --git a/backend/services/system-setting/src/main/java/io/metersphere/system/service/GlobalUserRoleService.java b/backend/services/system-setting/src/main/java/io/metersphere/system/service/GlobalUserRoleService.java index b86c9b8d8f..cdfbcbf17a 100644 --- a/backend/services/system-setting/src/main/java/io/metersphere/system/service/GlobalUserRoleService.java +++ b/backend/services/system-setting/src/main/java/io/metersphere/system/service/GlobalUserRoleService.java @@ -61,6 +61,7 @@ public class GlobalUserRoleService extends BaseUserRoleService { /** * 校验是否是全局用户组,非全局抛异常 */ + @Override public void checkGlobalUserRole(UserRole userRole) { if (!StringUtils.equals(userRole.getScopeId(), UserRoleScope.GLOBAL)) { throw new MSException(GLOBAL_USER_ROLE_PERMISSION); @@ -153,7 +154,8 @@ public class GlobalUserRoleService extends BaseUserRoleService { public void updatePermissionSetting(PermissionSettingUpdateRequest request) { UserRole userRole = getWithCheck(request.getUserRoleId()); checkGlobalUserRole(userRole); - checkInternalUserRole(userRole); + // 内置管理员级别用户组无法更改权限 + checkAdminUserRole(userRole); super.updatePermissionSetting(request); } } diff --git a/backend/services/system-setting/src/test/java/io/metersphere/system/controller/GlobalUserRoleControllerTests.java b/backend/services/system-setting/src/test/java/io/metersphere/system/controller/GlobalUserRoleControllerTests.java index e6dd3639dc..4d2aa431dc 100644 --- a/backend/services/system-setting/src/test/java/io/metersphere/system/controller/GlobalUserRoleControllerTests.java 
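Review bot: `checkAdminUserRole` is added without a Javadoc, unlike the check methods next to it, and its protection rests on a hard-coded list of three role ids. A built-in admin-level role added to `InternalUserRole` later would not be covered unless this list is updated, so the contract is worth writing down, e.g. `/** Rejects permission changes for the built-in ADMIN, ORG_ADMIN and PROJECT_ADMIN roles; extend this list when a new admin-level internal role is introduced. */`. The en_US text for `internal_admin_user_role_permission_error` in this commit says "cannot be edited or deleted", while the zh_CN/zh_TW texts and this check concern permission changes only; aligning it would keep the error from misleading operators.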
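Review bot: Swapping `checkInternalUserRole` for `checkAdminUserRole` in `updatePermissionSetting` means the remaining built-in global roles are no longer protected from permission edits, and nothing visible in this hunk limits which permissions may be granted to them. A built-in role is presumably held by many users, so one edit changes access for all of them; it is worth confirming that `super.updatePermissionSetting` (outside this hunk) records the change in the operation log and that the endpoint stays restricted to system-level administrators. The inline comment could state the widened scope, e.g. `// Only built-in admin-level roles are locked; other built-in roles may have their permissions edited`.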
+++ b/backend/services/system-setting/src/test/java/io/metersphere/system/controller/GlobalUserRoleControllerTests.java 
@@ -1,26 +1,26 @@ package io.metersphere.system.controller; -import io.metersphere.system.base.BaseTest; import io.metersphere.sdk.constants.*; -import io.metersphere.system.dto.permission.Permission; -import io.metersphere.system.dto.permission.PermissionDefinitionItem; -import io.metersphere.system.dto.sdk.request.PermissionSettingUpdateRequest; -import io.metersphere.system.dto.sdk.request.UserRoleUpdateRequest; -import io.metersphere.system.log.constants.OperationLogType; -import io.metersphere.system.service.BaseUserRolePermissionService; -import io.metersphere.system.service.BaseUserRoleRelationService; -import io.metersphere.system.uid.IDGenerator; import io.metersphere.sdk.util.BeanUtils; -import io.metersphere.system.utils.SessionUtils; +import io.metersphere.system.base.BaseTest; import io.metersphere.system.controller.param.PermissionSettingUpdateRequestDefinition; import io.metersphere.system.controller.param.UserRoleUpdateRequestDefinition; import io.metersphere.system.domain.User; import io.metersphere.system.domain.UserRole; import io.metersphere.system.domain.UserRoleRelation; import io.metersphere.system.domain.UserRoleRelationExample; +import io.metersphere.system.dto.permission.Permission; +import io.metersphere.system.dto.permission.PermissionDefinitionItem; +import io.metersphere.system.dto.sdk.request.PermissionSettingUpdateRequest; +import io.metersphere.system.dto.sdk.request.UserRoleUpdateRequest; +import io.metersphere.system.log.constants.OperationLogType; import io.metersphere.system.mapper.UserMapper; import io.metersphere.system.mapper.UserRoleMapper; import io.metersphere.system.mapper.UserRoleRelationMapper; +import io.metersphere.system.service.BaseUserRolePermissionService; +import io.metersphere.system.service.BaseUserRoleRelationService; +import io.metersphere.system.uid.IDGenerator; +import io.metersphere.system.utils.SessionUtils; import jakarta.annotation.Resource; import org.apache.commons.collections.CollectionUtils; import 
org.junit.jupiter.api.*; @@ -34,6 +34,7 @@ import java.util.stream.Collectors; import static io.metersphere.sdk.constants.InternalUserRole.ADMIN; import static io.metersphere.sdk.constants.InternalUserRole.MEMBER; +import static io.metersphere.system.controller.handler.result.CommonResultCode.ADMIN_USER_ROLE_PERMISSION; import static io.metersphere.system.controller.handler.result.CommonResultCode.INTERNAL_USER_ROLE_PERMISSION; import static io.metersphere.system.controller.handler.result.MsHttpResultCode.NOT_FOUND; import static io.metersphere.system.controller.result.SystemResultCode.GLOBAL_USER_ROLE_EXIST; @@ -234,7 +235,7 @@ class GlobalUserRoleControllerTests extends BaseTest { // @@操作内置用户组异常 request.setUserRoleId(ADMIN.getValue()); - assertErrorCode(this.requestPost(PERMISSION_UPDATE, request), INTERNAL_USER_ROLE_PERMISSION); + assertErrorCode(this.requestPost(PERMISSION_UPDATE, request), ADMIN_USER_ROLE_PERMISSION); // @@校验 NOT_FOUND 异常 request.setUserRoleId("1111");
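Review bot: The changed assertion exercises only `ADMIN`, while `checkAdminUserRole` also rejects `ORG_ADMIN` and `PROJECT_ADMIN`, and no case shows that a non-admin built-in role is now accepted. Assuming those roles pass the global-scope check that runs first, adding `request.setUserRoleId(InternalUserRole.ORG_ADMIN.getValue());` followed by `assertErrorCode(this.requestPost(PERMISSION_UPDATE, request), ADMIN_USER_ROLE_PERMISSION);` (and the same for `PROJECT_ADMIN`) would pin the deny-list against regressions. A positive case for a built-in non-admin role would document the intended relaxation. The test method continues outside the hunk.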