组织工作空间添加移除用户时做资源所属检查

backend/src/main/java/io/metersphere/controller/OrganizationController.java

@@ -37,6 +37,7 @@ public class OrganizationController {
     }
 
     @GetMapping("/delete/{organizationId}")
+    @RequiresRoles(RoleConstants.ADMIN)
     public void deleteOrganization(@PathVariable(value = "organizationId") String organizationId) { organizationService.deleteOrganization(organizationId); }
 
     @PostMapping("/update")

backend/src/main/java/io/metersphere/controller/UserController.java

@@ -12,7 +12,9 @@ import io.metersphere.controller.request.member.QueryMemberRequest;
 import io.metersphere.controller.request.organization.AddOrgMemberRequest;
 import io.metersphere.controller.request.organization.QueryOrgMemberRequest;
 import io.metersphere.dto.UserDTO;
+import io.metersphere.service.OrganizationService;
 import io.metersphere.service.UserService;
+import io.metersphere.service.WorkspaceService;
 import io.metersphere.user.SessionUser;
 import io.metersphere.user.SessionUtils;
 import org.apache.shiro.authz.annotation.Logical;
@@ -28,6 +30,10 @@ public class UserController {
 
     @Resource
     private UserService userService;
+    @Resource
+    private OrganizationService organizationService;
+    @Resource
+    private WorkspaceService workspaceService;
 
     // admin api
     @PostMapping("/special/add")
@@ -123,7 +129,6 @@ public class UserController {
     @PostMapping("/switch/source/org/{sourceId}")
     @RequiresRoles(RoleConstants.ORG_ADMIN)
     public UserDTO switchOrganization(@PathVariable(value = "sourceId") String sourceId) {
-        // todo checkOrganizationOwner()
         UserDTO user = SessionUtils.getUser();
         userService.switchUserRole(user,"organization",sourceId);
         return SessionUtils.getUser();
@@ -132,7 +137,6 @@ public class UserController {
     @PostMapping("/switch/source/ws/{sourceId}")
     @RequiresRoles(value = {RoleConstants.TEST_MANAGER,RoleConstants.TEST_VIEWER,RoleConstants.TEST_USER}, logical = Logical.OR)
     public UserDTO switchWorkspace(@PathVariable(value = "sourceId") String sourceId) {
-        // todo checkWorkspaceOwner()
         UserDTO user = SessionUtils.getUser();
         userService.switchUserRole(user, "workspace", sourceId);
         return SessionUtils.getUser();
@@ -150,7 +154,6 @@ public class UserController {
     @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER,
             RoleConstants.TEST_USER,RoleConstants.TEST_VIEWER}, logical = Logical.OR)
     public Pager<List<User>> getMemberList(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryMemberRequest request) {
-        // todo 检查是否是该工作空间的所有者 或者是 该工作空间的父级组织的所有者
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, userService.getMemberList(request));
     }
@@ -162,7 +165,6 @@ public class UserController {
     @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER,
             RoleConstants.TEST_USER,RoleConstants.TEST_VIEWER}, logical = Logical.OR)
     public List<User> getMemberList(@RequestBody QueryMemberRequest request) {
-        // todo 检查是否是该工作空间的所有者 或者是 该工作空间的父级组织的所有者
         return userService.getMemberList(request);
     }
 
@@ -172,7 +174,8 @@ public class UserController {
     @PostMapping("/ws/member/add")
     @RequiresRoles(value = {RoleConstants.TEST_MANAGER,RoleConstants.ORG_ADMIN}, logical = Logical.OR)
     public void addMember(@RequestBody AddMemberRequest request) {
-        // todo check
+        String wsId = request.getWorkspaceId();
+        workspaceService.checkWorkspaceOwner(wsId);
         userService.addMember(request);
     }
 
@@ -182,7 +185,7 @@ public class UserController {
     @GetMapping("/ws/member/delete/{workspaceId}/{userId}")
     @RequiresRoles(value = {RoleConstants.TEST_MANAGER,RoleConstants.ORG_ADMIN}, logical = Logical.OR)
     public void deleteMember(@PathVariable String workspaceId, @PathVariable String userId) {
-        // todo check
+        workspaceService.checkWorkspaceOwner(workspaceId);
         userService.deleteMember(workspaceId, userId);
     }
 
@@ -190,9 +193,9 @@ public class UserController {
      * 添加组织成员
      */
     @PostMapping("/org/member/add")
-    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER}, logical = Logical.OR)
+    @RequiresRoles(RoleConstants.ORG_ADMIN)
     public void addOrganizationMember(@RequestBody AddOrgMemberRequest request) {
-        // todo check
+        organizationService.checkOrgOwner(request.getOrganizationId());
         userService.addOrganizationMember(request);
     }
 
@@ -200,9 +203,9 @@ public class UserController {
      * 删除组织成员
      */
     @GetMapping("/org/member/delete/{organizationId}/{userId}")
-    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER}, logical = Logical.OR)
+    @RequiresRoles(RoleConstants.ORG_ADMIN)
     public void delOrganizationMember(@PathVariable String organizationId, @PathVariable String userId) {
-        // todo check
+        organizationService.checkOrgOwner(organizationId);
         userService.delOrganizationMember(organizationId, userId);
     }
 
@@ -210,10 +213,8 @@ public class UserController {
      * 查询组织成员列表
      */
     @PostMapping("/org/member/list/{goPage}/{pageSize}")
-    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER,
-            RoleConstants.TEST_USER,RoleConstants.TEST_VIEWER}, logical = Logical.OR)
+    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER}, logical = Logical.OR)
     public Pager<List<User>> getOrgMemberList(@PathVariable int goPage, @PathVariable int pageSize, @RequestBody QueryOrgMemberRequest request) {
-        // todo check
         Page<Object> page = PageHelper.startPage(goPage, pageSize, true);
         return PageUtils.setPageInfo(page, userService.getOrgMemberList(request));
     }
@@ -222,10 +223,8 @@ public class UserController {
      * 组织成员列表不分页
      */
     @PostMapping("/org/member/list/all")
-    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER,
-            RoleConstants.TEST_USER,RoleConstants.TEST_VIEWER}, logical = Logical.OR)
+    @RequiresRoles(value = {RoleConstants.ORG_ADMIN,RoleConstants.TEST_MANAGER}, logical = Logical.OR)
     public List<User> getOrgMemberList(@RequestBody QueryOrgMemberRequest request) {
-        // todo check
         return userService.getOrgMemberList(request);
     }
 

backend/src/main/java/io/metersphere/controller/UserRoleController.java

@@ -26,6 +26,7 @@ public class UserRoleController {
     }
 
     @GetMapping("/list/ws/{workspaceId}/{userId}")
+    @RequiresRoles(value = {RoleConstants.ADMIN,RoleConstants.ORG_ADMIN}, logical = Logical.OR)
     public List<Role> getWorkspaceMemberRole(@PathVariable String workspaceId, @PathVariable String userId) {
         return userRoleService.getWorkspaceMemberRoles(workspaceId, userId);
     }

backend/src/main/java/io/metersphere/controller/WorkspaceController.java

@@ -40,7 +40,7 @@ public class WorkspaceController {
     @PostMapping("update")
     @RequiresRoles(RoleConstants.ORG_ADMIN)
     public Workspace updateWorkspace(@RequestBody Workspace workspace) {
-        workspaceService.checkOwner(workspace.getId());
+        workspaceService.checkWorkspaceOwnerByOrgAdmin(workspace.getId());
         return workspaceService.saveWorkspace(workspace);
     }
 
@@ -53,7 +53,7 @@ public class WorkspaceController {
     @GetMapping("delete/{workspaceId}")
     @RequiresRoles(RoleConstants.ORG_ADMIN)
     public void deleteWorkspace(@PathVariable String workspaceId) {
-        workspaceService.checkOwner(workspaceId);
+        workspaceService.checkWorkspaceOwnerByOrgAdmin(workspaceId);
         workspaceService.deleteWorkspace(workspaceId);
     }
 

backend/src/main/java/io/metersphere/service/OrganizationService.java

@@ -6,8 +6,13 @@ import io.metersphere.base.mapper.UserMapper;
 import io.metersphere.base.mapper.UserRoleMapper;
 import io.metersphere.base.mapper.ext.ExtOrganizationMapper;
 import io.metersphere.base.mapper.ext.ExtUserRoleMapper;
+import io.metersphere.commons.constants.RoleConstants;
+import io.metersphere.commons.exception.MSException;
 import io.metersphere.dto.OrganizationMemberDTO;
 import io.metersphere.dto.UserRoleHelpDTO;
+import io.metersphere.i18n.Translator;
+import io.metersphere.user.SessionUser;
+import io.metersphere.user.SessionUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.springframework.beans.BeanUtils;
 import org.springframework.stereotype.Service;
@@ -109,4 +114,16 @@ public class OrganizationService {
     public Integer checkSourceRole(String orgId, String userId, String roleId) {
         return extOrganizationMapper.checkSourceRole(orgId, userId, roleId);
     }
+
+    public void checkOrgOwner(String organizationId) {
+        SessionUser user = SessionUtils.getUser();
+        List<String> collect = user.getUserRoles().stream()
+                .filter(ur -> RoleConstants.ORG_ADMIN.equals(ur.getRoleId()))
+                .map(UserRole::getSourceId)
+                .collect(Collectors.toList());
+        if (!collect.contains(organizationId)) {
+            MSException.throwException(Translator.get("organization_does_not_belong_to_user"));
+        }
+
+    }
 }

backend/src/main/java/io/metersphere/service/WorkspaceService.java

@@ -91,15 +91,16 @@ public class WorkspaceService {
     }
 
     /**
-     * ORG_ADMIN 需要检查是否有操作此工作空间的权限
+     * ORG_ADMIN需要检查是否有操作此工作空间的权限
      */
-    public void checkOwner(String workspaceId) {
+    public void checkWorkspaceOwnerByOrgAdmin(String workspaceId) {
+        checkWorkspaceIsExist(workspaceId);
+        WorkspaceExample example = new WorkspaceExample();
         SessionUser user = SessionUtils.getUser();
         List<String> orgIds = user.getUserRoles().stream()
                 .filter(ur -> RoleConstants.ORG_ADMIN.equals(ur.getRoleId()))
                 .map(UserRole::getSourceId)
                 .collect(Collectors.toList());
-        WorkspaceExample example = new WorkspaceExample();
         example.createCriteria()
                 .andOrganizationIdIn(orgIds)
                 .andIdEqualTo(workspaceId);
@@ -108,6 +109,48 @@ public class WorkspaceService {
         }
     }
 
+    public void checkWorkspaceOwnerByTestManager(String workspaceId) {
+        checkWorkspaceIsExist(workspaceId);
+        SessionUser user = SessionUtils.getUser();
+        List<String> wsIds = user.getUserRoles().stream()
+                .filter(ur -> RoleConstants.TEST_MANAGER.equals(ur.getRoleId()))
+                .map(UserRole::getSourceId)
+                .collect(Collectors.toList());
+        boolean contains = wsIds.contains(workspaceId);
+        if (!contains) {
+            MSException.throwException(Translator.get("workspace_does_not_belong_to_user"));
+        }
+    }
+
+    public void checkWorkspaceOwner(String workspaceId) {
+        checkWorkspaceIsExist(workspaceId);
+        WorkspaceExample example = new WorkspaceExample();
+        SessionUser user = SessionUtils.getUser();
+        List<String> orgIds = user.getUserRoles().stream()
+                .filter(ur -> RoleConstants.ORG_ADMIN.equals(ur.getRoleId()))
+                .map(UserRole::getSourceId)
+                .collect(Collectors.toList());
+        example.createCriteria()
+                .andOrganizationIdIn(orgIds)
+                .andIdEqualTo(workspaceId);
+        List<String> wsIds = user.getUserRoles().stream()
+                .filter(ur -> RoleConstants.TEST_MANAGER.equals(ur.getRoleId()))
+                .map(UserRole::getSourceId)
+                .collect(Collectors.toList());
+        boolean contains = wsIds.contains(workspaceId);
+        if (workspaceMapper.countByExample(example) == 0 && !contains) {
+            MSException.throwException(Translator.get("workspace_does_not_belong_to_user"));
+        }
+    }
+
+    public void checkWorkspaceIsExist(String workspaceId) {
+        WorkspaceExample example = new WorkspaceExample();
+        example.createCriteria().andIdEqualTo(workspaceId);
+        if (workspaceMapper.countByExample(example) == 0) {
+            MSException.throwException("workspace_not_exist");
+        }
+    }
+
     public List<Workspace> getWorkspaceListByUserId(String userId) {
         List<UserRoleHelpDTO> userRoleHelpList = extUserRoleMapper.getUserRoleHelpList(userId);
         List<String> workspaceIds = new ArrayList<>();

backend/src/main/resources/i18n/en-US.json

@@ -5,5 +5,6 @@
   "project_name_already_exists": "The project name already exists",
   "workspace_name_is_null": "Workspace name cannot be null",
   "workspace_name_already_exists": "The workspace name already exists",
-  "workspace_does_not_belong_to_user": "The current workspace does not belong to the current user"
+  "workspace_does_not_belong_to_user": "The current workspace does not belong to the current user",
+  "organization_does_not_belong_to_user": "The current organization does not belong to the current user"
 }
\ No newline at end of file

backend/src/main/resources/i18n/zh-CN.json

@@ -5,5 +5,6 @@
   "project_name_already_exists": "项目名称已存在",
   "workspace_name_is_null": "工作空间名不能为空",
   "workspace_name_already_exists": "工作空间名已存在",
-  "workspace_does_not_belong_to_user": "当前工作空间不属于当前用户"
+  "workspace_does_not_belong_to_user": "当前工作空间不属于当前用户",
+  "organization_does_not_belong_to_user": "当前组织不属于当前用户"
 }
\ No newline at end of file