feat：支持管理员查看项目成员 TencentBlueKing#9620

fcfang123 · Jun 18, 2024 · de2e095 · de2e095
1 parent 988c569
commit de2e095
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 10 deletions.
diff --git a/...th/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthAuthorizationResourceImpl.kt b/...th/src/main/kotlin/com/tencent/devops/auth/resources/UserAuthAuthorizationResourceImpl.kt
@@ -1,24 +1,37 @@
 package com.tencent.devops.auth.resources
 
 import com.tencent.devops.auth.api.user.UserAuthAuthorizationResource
+import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionDTO
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
 import com.tencent.devops.auth.service.PermissionAuthorizationService
+import com.tencent.devops.auth.service.iam.PermissionProjectService
 import com.tencent.devops.auth.service.iam.PermissionResourceService
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
 import com.tencent.devops.common.api.pojo.Result
 import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.web.RestResource
+import com.tencent.devops.common.web.utils.I18nUtil
 
 @RestResource
 class UserAuthAuthorizationResourceImpl(
     val permissionAuthorizationService: PermissionAuthorizationService,
+    val permissionProjectService: PermissionProjectService
 ) : UserAuthAuthorizationResource {
     override fun listResourceAuthorization(
         userId: String,
         projectId: String,
         condition: ResourceAuthorizationConditionDTO
     ): Result<List<ResourceAuthorizationDTO>> {
-        // todo 管理员校验
+        val hasProjectManagePermission = permissionProjectService.checkProjectManager(
+            userId = userId,
+            projectCode = condition.projectCode
+        )
+        if (!hasProjectManagePermission) {
+            throw PermissionForbiddenException(
+                message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+            )
+        }
         return Result(
             permissionAuthorizationService.listResourceAuthorizations(
                 condition = condition

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt
@@ -1,24 +1,26 @@
 package com.tencent.devops.auth.service
 
+import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.dao.AuthAuthorizationDao
+import com.tencent.devops.auth.service.iam.PermissionProjectService
+import com.tencent.devops.common.api.exception.ErrorCodeException
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationConditionDTO
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationDTO
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverConditionDTO
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverDTO
-import com.tencent.devops.common.auth.enums.HandoverChannelCode
-import com.tencent.devops.auth.service.iam.PermissionResourceService
-import com.tencent.devops.common.api.exception.ErrorCodeException
-import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverResult
+import com.tencent.devops.common.auth.enums.HandoverChannelCode
 import com.tencent.devops.common.auth.enums.ResourceAuthorizationHandoverStatus
+import com.tencent.devops.common.web.utils.I18nUtil
 import org.jooq.DSLContext
 import org.springframework.stereotype.Service
 
 @Service
 class PermissionAuthorizationServiceImpl constructor(
     private val dslContext: DSLContext,
     private val authAuthorizationDao: AuthAuthorizationDao,
-    private val permissionResourceService: PermissionResourceService
+    private val permissionProjectService: PermissionProjectService
 ) : PermissionAuthorizationService {
     override fun addResourceAuthorization(resourceAuthorizationList: List<ResourceAuthorizationDTO>): Boolean {
         authAuthorizationDao.batchAddOrUpdate(
@@ -112,12 +114,15 @@ class PermissionAuthorizationServiceImpl constructor(
     ) {
         // 若是在授权管理界面操作，则只要校验操作人是否为管理员即可
         if (condition.handoverChannel == HandoverChannelCode.MANAGER) {
-            permissionResourceService.hasManagerPermission(
+            val hasProjectManagePermission = permissionProjectService.checkProjectManager(
                 userId = operator,
-                projectId = condition.projectCode,
-                resourceType = AuthResourceType.PROJECT.value,
-                resourceCode = condition.projectCode
+                projectCode = condition.projectCode
             )
+            if (!hasProjectManagePermission){
+                throw PermissionForbiddenException(
+                    message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+                )
+            }
         } else {
             val record = condition.resourceAuthorizationHandoverList.first()
             validateSingleResourcePermission?.invoke(