From b3e60336ef8e8f9aac83bd576ef858c1ba55ebe0 Mon Sep 17 00:00:00 2001
From: lepdou
Date: Fri, 25 Nov 2016 15:58:56 +0800
Subject: [PATCH] branch restful api add permission validate
---
 .../portal/auth/PermissionValidator.java | 4 +++
 .../controller/NamespaceBranchController.java | 30 +++++++++++++++++--
 .../service/NamespaceBranchService.java | 10 -------
 .../scripts/directive/item-modal-directive.js | 13 +++++---
 .../views/component/namespace-panel.html | 12 ++++++++
 5 files changed, 52 insertions(+), 17 deletions(-)
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/auth/PermissionValidator.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/auth/PermissionValidator.java
index b44e2ab68..a59d24c03 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/auth/PermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/auth/PermissionValidator.java
@@ -30,6 +30,10 @@ public class PermissionValidator {
 }
+ public boolean hasOperateNamespacePermission(String appId, String namespaceName){
+ return hasModifyNamespacePermission(appId, namespaceName) || hasReleaseNamespacePermission(appId, namespaceName);
+ }
+
 public boolean hasAssignRolePermission(String appId) {
 return rolePermissionService.userHasPermission(userInfoHolder.getUser().getUserId(), PermissionType.ASSIGN_ROLE,
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
index c5ea77764..89b6a969f 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/NamespaceBranchController.java
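Review bot: `hasOperateNamespacePermission` has no Javadoc, and the name alone does not tell a caller that it admits anyone holding either the modify or the release permission on the namespace. Because the predicate is referenced from a `@PreAuthorize` expression later in this patch, I would document the contract, for example `/** Returns true if the current user may modify OR release the namespace; guards gray-rule edits. */`. A space before the opening brace (`namespaceName) {`) would match the neighbouring `hasAssignRolePermission`.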
@@ -1,15 +1,18 @@
 package com.ctrip.framework.apollo.portal.controller;
-import com.ctrip.framework.apollo.common.constants.NamespaceBranchStatus;
 import com.ctrip.framework.apollo.common.dto.GrayReleaseRuleDTO;
 import com.ctrip.framework.apollo.common.dto.NamespaceDTO;
 import com.ctrip.framework.apollo.common.dto.ReleaseDTO;
 import com.ctrip.framework.apollo.core.enums.Env;
+import com.ctrip.framework.apollo.portal.auth.PermissionValidator;
 import com.ctrip.framework.apollo.portal.entity.model.NamespaceReleaseModel;
 import com.ctrip.framework.apollo.portal.entity.vo.NamespaceVO;
 import com.ctrip.framework.apollo.portal.service.NamespaceBranchService;
+import com.ctrip.framework.apollo.portal.service.ReleaseService;
 import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.security.access.AccessDeniedException;
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.web.bind.annotation.PathVariable;
 import org.springframework.web.bind.annotation.RequestBody;
 import org.springframework.web.bind.annotation.RequestMapping;
@@ -20,6 +23,10 @@ import org.springframework.web.bind.annotation.RestController;
 @RestController public class NamespaceBranchController {
+ @Autowired
+ private PermissionValidator permissionValidator;
+ @Autowired
+ private ReleaseService releaseService;
 @Autowired private NamespaceBranchService namespaceBranchService;
@@ -31,6 +38,7 @@ public class NamespaceBranchController {
 return namespaceBranchService.findBranch(appId, Env.valueOf(env), clusterName, namespaceName);
 }
+ @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName)")
 @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches", method = RequestMethod.POST) public NamespaceDTO createBranch(@PathVariable String appId, @PathVariable String env,
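Review bot: Nothing in this patch shows that the `@PreAuthorize` added on `createBranch` is actually enforced: it depends on method security being enabled (for example `@EnableGlobalMethodSecurity(prePostEnabled = true)`) and on a bean named `permissionValidator`, and the diffstat lists no test file. I would add a controller test that issues the POST as a user without modify permission and expects a 403; the same applies to the annotations added on `merge` and `updateBranchRules` in the later hunks. The SpEL arguments `#appId` and `#namespaceName` are resolved by parameter name, so they also rely on the class being compiled with parameter names available. createBranch's parameter list and body continue outside the hunk.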
@@ -46,21 +54,35 @@ public class NamespaceBranchController { @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String branchName) { + + boolean canDelete = permissionValidator.hasReleaseNamespacePermission(appId, namespaceName) || + (permissionValidator.hasModifyNamespacePermission(appId, namespaceName) && + releaseService.loadLatestRelease(appId, Env.valueOf(env), branchName, namespaceName) == null); + + + if (!canDelete) { + throw new AccessDeniedException("Forbidden operation. " + + "Caused by: 1.you don't have release permission " + + "or 2. you don't have modification permission " + + "or 3. you have modification permission but branch has been released"); + } + namespaceBranchService.deleteBranch(appId, Env.valueOf(env), clusterName, namespaceName, branchName); } + + @PreAuthorize(value = "@permissionValidator.hasReleaseNamespacePermission(#appId, #namespaceName)") @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/merge", method = RequestMethod.POST) public ReleaseDTO merge(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String branchName, @RequestParam(value = "deleteBranch", defaultValue = "true") boolean deleteBranch, @RequestBody NamespaceReleaseModel model) { - ReleaseDTO createdRelease = namespaceBranchService.merge(appId, Env.valueOf(env), clusterName, namespaceName, branchName, + return namespaceBranchService.merge(appId, Env.valueOf(env), clusterName, namespaceName, branchName, model.getReleaseTitle(), model.getReleaseComment(), deleteBranch); - return createdRelease; } 
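Review bot: The delete rule is now enforced only inline in the controller's `deleteBranch`, and the service hunk further down removes the equivalent check from `NamespaceBranchService`, so any other caller of the service method (none are visible in this patch) runs without it. I would either move the predicate into `PermissionValidator`, where it can be reused and unit-tested, or at least record the contract above the check with `// Authorization for branch deletion lives here only; NamespaceBranchService.deleteBranch does not check permissions.` The decision is also check-then-act: `loadLatestRelease(...) == null` is evaluated before the delete, so a release published in between would not be seen, which is presumably acceptable but worth stating in that comment. deleteBranch's signature starts outside the hunk.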
@@ -73,6 +95,8 @@ public class NamespaceBranchController {
 return namespaceBranchService.findBranchGrayRules(appId, Env.valueOf(env), clusterName, namespaceName, branchName);
 }
+
+ @PreAuthorize(value = "@permissionValidator.hasOperateNamespacePermission(#appId, #namespaceName)")
 @RequestMapping(value = "/apps/{appId}/envs/{env}/clusters/{clusterName}/namespaces/{namespaceName}/branches/{branchName}/rules", method = RequestMethod.PUT) public void updateBranchRules(@PathVariable String appId, @PathVariable String env, @PathVariable String clusterName, @PathVariable String namespaceName,
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/NamespaceBranchService.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/NamespaceBranchService.java
index 71e64a9ee..b9c8b4c80 100644
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/NamespaceBranchService.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/NamespaceBranchService.java
@@ -76,16 +76,6 @@ public class NamespaceBranchService {
 String operator = userInfoHolder.getUser().getUserId();
- //Refusing request if user has not release permission and branch has been released
- if (!permissionValidator.hasReleaseNamespacePermission(appId, namespaceName)
- && (!permissionValidator.hasModifyNamespacePermission(appId, namespaceName) ||
- releaseService.loadLatestRelease(appId, env, branchName, namespaceName) != null)) {
- throw new BadRequestException("Forbidden operation. "
- + "Cause by: you has not release permission "
- + "or you has not modify permission "
- + "or you has modify permission but branch has been released");
- }
-
 namespaceBranchAPI.deleteBranch(appId, env, clusterName, namespaceName, branchName, operator);
 Cat.logEvent(CatEventType.DELETE_GRAY_RELEASE,
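Review bot: `updateBranchRules` admits users who hold only the modify permission even when the branch already has a gray release, whereas `deleteBranch` in this same patch stops modify-only users once `loadLatestRelease` returns a release. If a rule change takes effect for an already released branch (not visible here), a modify-only user can change which clients receive released configuration without holding the release permission. If that is intended, as the tip text added to namespace-panel.html suggests, I would say so above the annotation with `// Gray rules may be edited with modify OR release permission, also after the branch has been released.`; otherwise apply the same released-branch condition as in `deleteBranch`. updateBranchRules's parameter list and body continue outside the hunk.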
diff --git a/apollo-portal/src/main/resources/static/scripts/directive/item-modal-directive.js b/apollo-portal/src/main/resources/static/scripts/directive/item-modal-directive.js
index 4f4858474..eb6fc639c 100644
--- a/apollo-portal/src/main/resources/static/scripts/directive/item-modal-directive.js
+++ b/apollo-portal/src/main/resources/static/scripts/directive/item-modal-directive.js
@@ -53,14 +53,18 @@ function itemModalDirective(toastr, AppUtil, EventManager, ConfigService) {
 scope.toOperationNamespace.baseInfo.namespaceName, scope.item).then( function (result) {
-
+ toastr.success("添加成功,如需生效请发布");
+ scope.item.addItemBtnDisabled = false;
+ AppUtil.hideModal('#itemModal');
 EventManager.emit(EventManager.EventType.REFRESH_NAMESPACE, { namespace: scope.toOperationNamespace });
- toastr.success("添加成功,如需生效请发布");
+
+
 }, function (result) { toastr.error(AppUtil.errorMsg(result), "添加失败");
+ scope.item.addItemBtnDisabled = false;
 }); } else { if (selectedClusters.length == 0) {
@@ -75,6 +79,8 @@ function itemModalDirective(toastr, AppUtil, EventManager, ConfigService) {
 scope.toOperationNamespace.baseInfo.namespaceName, scope.item).then( function (result) {
+ scope.item.addItemBtnDisabled = false;
+ AppUtil.hideModal('#itemModal');
 toastr.success(cluster.env + " , " + scope.item.key, "添加成功,如需生效请发布"); if (cluster.env == scope.env && cluster.name == scope.cluster) {
@@ -86,12 +92,11 @@ function itemModalDirective(toastr, AppUtil, EventManager, ConfigService) {
 } }, function (result) { toastr.error(AppUtil.errorMsg(result), "添加失败");
+ scope.item.addItemBtnDisabled = false;
 }); }); }
- scope.item.addItemBtnDisabled = false;
- AppUtil.hideModal('#itemModal');
 } else {
diff --git a/apollo-portal/src/main/resources/static/views/component/namespace-panel.html b/apollo-portal/src/main/resources/static/views/component/namespace-panel.html
index 352531684..d289c43f2 100644
--- a/apollo-portal/src/main/resources/static/views/component/namespace-panel.html
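Review bot: In the multi-cluster branch (second and third hunks) every per-cluster success callback now hides `#itemModal` and resets `addItemBtnDisabled`, so the first cluster that succeeds closes the dialog and re-enables the button while requests for the other clusters may still be pending or may fail. A failure after that point is reported only through the toastr error, and a resubmit would presumably repeat the create for clusters that already succeeded. I would track outstanding requests, e.g. `var pending = selectedClusters.length;` before the loop and `if (--pending === 0) { scope.item.addItemBtnDisabled = false; }` in both callbacks, and hide the modal only when none failed. The callbacks start and end outside the hunks.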
+++ b/apollo-portal/src/main/resources/static/views/component/namespace-panel.html
@@ -875,6 +875,11 @@
+
+ Tips: + 您没有权限编辑灰度规则, 具有namespace修改权或者发布权的人员才可以编辑灰度规则. 如需要编辑灰度规则,请找项目管理员申请权限. +
+ @@ -892,9 +897,11 @@ @@ -902,6 +909,7 @@
+ +
+ +
-- GitLab