feat: 未限制仓库修改权限 TencentBlueKing#2004

* feat: api文档优化 TencentBlueKing#2089

* feat: 未限制仓库修改权限 TencentBlueKing#2004

* feat: 未限制仓库修改权限  TencentBlueKing#2004

src/backend/auth/biz-auth/src/main/kotlin/com/tencent/bkrepo/auth/service/bkauth/DevopsPermissionServiceImpl.kt

@@ -154,109 +154,110 @@ class DevopsPermissionServiceImpl constructor(
 
             if (isUserSystemAdmin(uid)) return true
 
-            //user is not local admin, not in project
+            // 用户不为系统管理员，必须为项目下权限
             if (projectId == null) return false
 
-            if (isUserLocalProjectAdmin(uid, projectId) || isDevopsProjectAdmin(uid, projectId!!)) {
+            if (isDevopsProjectAdmin(uid, projectId!!) || isUserLocalProjectAdmin(uid, projectId)) {
                 logger.debug("user is devops/local project admin [$uid, $projectId]")
                 return true
             }
 
+            val pass = when (resourceType) {
+                PROJECT.name -> checkProjectPermission(request)
+                REPO.name, NODE.name -> checkRepoOrNodePermission(request)
+                else -> throw RuntimeException("resource type not supported: $resourceType")
+            }
 
-            // project权限
-            if (resourceType == PROJECT.name) {
-                if (action == MANAGE.name) {
-                    return isDevopsProjectAdmin(uid, projectId!!)
-                }
-                return isDevopsProjectMember(uid, projectId!!, action)
-                        || checkBkIamV3ProjectPermission(projectId!!, uid, action)
+            if (!pass && matchDevopsCond(appId)) {
+                logger.warn("devops forbidden [$request]")
+            } else {
+                logger.debug("devops pass [$request]")
             }
+            return pass
+        }
+    }
 
-            // repo或者node权限
-            val pass = when (repoName) {
+    private fun checkProjectPermission(request: CheckPermissionRequest): Boolean {
+        with(request) {
+            // 只有用户为非项目管理员，代码才会走到这里, action为MANAGE需要项目管理员权限
+            if (action == MANAGE.name) {
+                logger.debug("project request need manage permission [$request]")
+                return false
+            }
+            return isDevopsProjectMember(uid, projectId!!, action)
+                    || checkBkIamV3ProjectPermission(projectId!!, uid, action)
+        }
+    }
+
+    private fun checkRepoOrNodePermission(request: CheckPermissionRequest): Boolean {
+        with(request) {
+            if (action == MANAGE.name) {
+                logger.debug("project request need manage permission [$request]")
+                return false
+            }
+            when (repoName) {
                 CUSTOM, LOG -> {
-                    checkDevopsCustomPermission(request)
+                    return checkDevopsCustomPermission(request)
                 }
                 PIPELINE -> {
-                    checkDevopsPipelineOrProjectPermission(request)
+                    return checkDevopsPipelinePermission(request)
                 }
                 REPORT -> {
-                    checkDevopsReportPermission(action)
+                    return checkDevopsReportPermission(action)
                 }
                 else -> {
-                    checkRepoNotInDevops(request)
+                    return checkRepoNotInDevops(request)
                 }
             }
-
-            if (!pass && matchDevopsCond(appId)) {
-                logger.warn("devops forbidden [$request]")
-            } else {
-                logger.debug("devops pass [$request]")
-            }
-            return pass
         }
     }
 
     private fun checkDevopsCustomPermission(request: CheckPermissionRequest): Boolean {
         logger.debug("check devops custom permission request [$request]")
         with(request) {
+            val isDevopsProjectMember = isDevopsProjectMember(uid, projectId!!, action)
             if (needCheckPathPermission(resourceType, projectId!!, repoName!!)) {
-                val isDevopsProjectMember = isDevopsProjectMember(uid, projectId!!, action)
                 return checkNodeAction(request, null, isDevopsProjectMember)
             }
-            return isDevopsProjectMember(uid, projectId!!, action)
+            return isDevopsProjectMember
         }
     }
 
     private fun checkRepoNotInDevops(request: CheckPermissionRequest): Boolean {
         logger.debug("check repo not in devops request [$request]")
         with(request) {
+            val isDevopsProjectMember = isDevopsProjectMember(uid, projectId!!, action) ||
+                    isUserLocalProjectUser(uid, projectId!!)
             if (needCheckPathPermission(resourceType, projectId!!, repoName!!)) {
-                val isDevopsProjectMember = isDevopsProjectMember(uid, projectId!!, action) ||
-                        isUserLocalProjectUser(uid, projectId!!)
                 return checkNodeAction(request, null, isDevopsProjectMember)
-            } else {
-                return super.checkPermission(request) || isDevopsProjectMember(uid, projectId!!, action)
             }
+            return isDevopsProjectMember
         }
     }
 
     private fun needCheckPathPermission(resourceType: String, projectId: String, repoName: String): Boolean {
         return devopsAuthConfig.enablePathCheck && resourceType == NODE.name && needNodeCheck(projectId, repoName)
     }
 
-    private fun checkDevopsPipelineOrProjectPermission(request: CheckPermissionRequest): Boolean {
-        with(request) {
-            var projectPass = false
-            val pipelinePass = checkDevopsPipelinePermission(uid, projectId!!, path, resourceType, action)
-            if (!pipelinePass) {
-                logger.warn("devops pipeline permission check fail [$request]")
-                projectPass = isDevopsProjectMember(uid, projectId!!, action)
-                if (projectPass) logger.warn("devops pipeline permission widen to project permission [$request]")
-            }
-            return pipelinePass || projectPass
-        }
-    }
-
     private fun checkDevopsReportPermission(action: String): Boolean {
         return action == READ.name || action == WRITE.name || action == VIEW.name
     }
 
-    private fun checkDevopsPipelinePermission(
-        uid: String,
-        projectId: String,
-        path: String?,
-        resourceType: String,
-        action: String
-    ): Boolean {
-        return when (resourceType) {
-            REPO.name -> isDevopsProjectMember(uid, projectId, action)
-            NODE.name -> {
-                val pipelineId = parsePipelineId(path ?: return false) ?: return false
-                pipelinePermission(uid, projectId, pipelineId, action)
+    private fun checkDevopsPipelinePermission(request: CheckPermissionRequest): Boolean {
+        with(request) {
+            return when (resourceType) {
+                REPO.name -> isDevopsProjectMember(uid, projectId!!, action)
+                NODE.name -> {
+                    val pipelineId = parsePipelineId(path ?: return false) ?: return false
+                    val pipelinePass = pipelinePermission(uid, projectId!!, pipelineId, action)
+                    if (pipelinePass) return true
+                    logger.warn("devops pipeline permission widen to project permission [$request]")
+                    return isDevopsProjectMember(uid, projectId!!, action)
+                }
+                else -> throw RuntimeException("resource type not supported: $resourceType")
             }
-            else -> throw RuntimeException("resource type not supported: $resourceType")
         }
+
     }
 
     private fun isDevopsProjectMember(userId: String, projectId: String, action: String): Boolean {