From 01975bd545cb411b13a016fcfbc5703105cab660 Mon Sep 17 00:00:00 2001
From: lgcareer <18610854716@163.com>
Date: Fri, 23 Oct 2020 14:03:51 +0800
Subject: [PATCH] [Fix-#3958][api] files should not be created successfully in
 the directory of the authorized file

---
 .../api/service/ResourcesService.java               | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java
index d4c10ef8b..28fe64e2c 100644
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/ResourcesService.java
@@ -961,6 +961,19 @@ public class ResourcesService extends BaseService {
         if (!result.getCode().equals(Status.SUCCESS.getCode())) {
             return result;
         }
+        if (pid != -1) {
+            Resource parentResource = resourcesMapper.selectById(pid);
+
+            if (parentResource == null) {
+                putMsg(result, Status.PARENT_RESOURCE_NOT_EXIST);
+                return result;
+            }
+
+            if (!hasPerm(loginUser, parentResource.getUserId())) {
+                putMsg(result, Status.USER_NO_OPERATION_PERM);
+                return result;
+            }
+        }
 
         // save data
         Date now = new Date();
-- 
GitLab