feat：用户个人视角 权限管理优化 TencentBlueKing#11138

src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt

@@ -30,6 +30,7 @@ package com.tencent.devops.auth.api.user
 
 import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
 import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
 import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
 import com.tencent.devops.common.api.annotation.BkInterfaceI18n
@@ -110,6 +111,9 @@ interface UserAuthResourceGroupResource {
         @QueryParam("action")
         @Parameter(description = "操作")
         action: String?,
+        @QueryParam("operateChannel")
+        @Parameter(description = "操作渠道")
+        operateChannel: OperateChannel?,
         @Parameter(description = "起始位置,从0开始")
         @QueryParam("start")
         start: Int,

src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt

@@ -2,6 +2,7 @@ package com.tencent.devops.auth.api.user
 
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
 import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
@@ -96,8 +97,8 @@ interface UserAuthResourceMemberResource {
 
     @PUT
     @Path("/batch/renewal")
-    @Operation(summary = "批量续期组成员权限--无需进行审批")
-    fun batchRenewalGroupMembers(
+    @Operation(summary = "批量续期组成员权限--管理员视角")
+    fun batchRenewalGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
@@ -110,8 +111,8 @@ interface UserAuthResourceMemberResource {
 
     @DELETE
     @Path("/batch/remove")
-    @Operation(summary = "批量移除用户组成员")
-    fun batchRemoveGroupMembers(
+    @Operation(summary = "批量移除用户组成员--管理员视角")
+    fun batchRemoveGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
@@ -124,8 +125,8 @@ interface UserAuthResourceMemberResource {
 
     @PUT
     @Path("/batch/handover")
-    @Operation(summary = "批量交接用户组成员")
-    fun batchHandoverGroupMembers(
+    @Operation(summary = "批量交接用户组成员--管理员视角")
+    fun batchHandoverGroupMembersFromManager(
         @Parameter(description = "用户名", required = true)
         @HeaderParam(AUTH_HEADER_USER_ID)
         userId: String,
@@ -211,6 +212,9 @@ interface UserAuthResourceMemberResource {
         relatedResourceCode: String?,
         @QueryParam("action")
         @Parameter(description = "操作")
-        action: String?
+        action: String?,
+        @QueryParam("operateChannel")
+        @Parameter(description = "操作渠道")
+        operateChannel: OperateChannel?
     ): Result<List<MemberGroupCountWithPermissionsVo>>
 }

src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/OperateChannel.kt

@@ -0,0 +1,37 @@
+/*
+ * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available.
+ *
+ * Copyright (C) 2019 THL A29 Limited, a Tencent company.  All rights reserved.
+ *
+ * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license.
+ *
+ * A copy of the MIT License is included in this file.
+ *
+ *
+ * Terms of the MIT License:
+ * ---------------------------------------------------
+ * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
+ * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
+ * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all copies or substantial portions of
+ * the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+ * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
+ * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
+ * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE
+ * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+package com.tencent.devops.auth.pojo.enum
+
+enum class OperateChannel(val value: String) {
+    // 个人视角
+    PERSONAL("personal"),
+
+    // 管理员视角
+    MANAGER("manager");
+}

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt

@@ -637,7 +637,7 @@ class RbacPermissionResourceMemberService(
         return true
     }
 
-    override fun batchRenewalGroupMembers(
+    override fun batchRenewalGroupMembersFromManager(
         userId: String,
         projectCode: String,
         renewalConditionReq: GroupMemberRenewalConditionReq
@@ -692,7 +692,7 @@ class RbacPermissionResourceMemberService(
         return expiredAt < PERMANENT_EXPIRED_TIME
     }
 
-    override fun batchDeleteResourceGroupMembers(
+    override fun batchDeleteResourceGroupMembersFromManager(
         userId: String,
         projectCode: String,
         removeMemberDTO: GroupMemberCommonConditionReq
@@ -748,7 +748,7 @@ class RbacPermissionResourceMemberService(
         )
     }
 
-    override fun batchHandoverGroupMembers(
+    override fun batchHandoverGroupMembersFromManager(
         userId: String,
         projectCode: String,
         handoverMemberDTO: GroupMemberHandoverConditionReq

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt

@@ -30,6 +30,7 @@ package com.tencent.devops.auth.provider.rbac.service
 
 import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
 import com.tencent.devops.auth.service.iam.PermissionService
 import com.tencent.devops.common.api.exception.ErrorCodeException
@@ -152,6 +153,40 @@ class RbacPermissionResourceValidateService(
         return true
     }
 
+    override fun validateUserProjectPermissionByChannel(
+        userId: String,
+        projectCode: String,
+        operateChannel: OperateChannel
+    ) {
+        if (operateChannel == OperateChannel.PERSONAL) {
+            // 个人视角校验
+            val hasVisitPermission = permissionService.validateUserResourcePermission(
+                userId = userId,
+                resourceType = AuthResourceType.PROJECT.value,
+                action = RbacAuthUtils.buildAction(AuthPermission.VISIT, AuthResourceType.PROJECT),
+                projectCode = projectCode
+            )
+            if (!hasVisitPermission) {
+                throw PermissionForbiddenException(
+                    message = "The user does not have permission to visit the project!"
+                )
+            }
+        } else {
+            // 管理员视角校验
+            val hasProjectManagePermission = permissionService.validateUserResourcePermission(
+                userId = userId,
+                resourceType = AuthResourceType.PROJECT.value,
+                action = RbacAuthUtils.buildAction(AuthPermission.MANAGE, AuthResourceType.PROJECT),
+                projectCode = projectCode
+            )
+            if (!hasProjectManagePermission) {
+                throw PermissionForbiddenException(
+                    message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION)
+                )
+            }
+        }
+    }
+
     private fun checkProjectApprovalStatus(resourceType: String, resourceCode: String) {
         if (resourceType == AuthResourceType.PROJECT.value) {
             val projectInfo =

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt

@@ -82,13 +82,13 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService {
         expiredAt: Long
     ): Boolean = true
 
-    override fun batchRenewalGroupMembers(
+    override fun batchRenewalGroupMembersFromManager(
         userId: String,
         projectCode: String,
         renewalConditionReq: GroupMemberRenewalConditionReq
     ): Boolean = true
 
-    override fun batchDeleteResourceGroupMembers(
+    override fun batchDeleteResourceGroupMembersFromManager(
         userId: String,
         projectCode: String,
         removeMemberDTO: GroupMemberCommonConditionReq
@@ -100,7 +100,7 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService {
         memberIds: List<String>
     ): Boolean = true
 
-    override fun batchHandoverGroupMembers(
+    override fun batchHandoverGroupMembersFromManager(
         userId: String,
         projectCode: String,
         handoverMemberDTO: GroupMemberHandoverConditionReq

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt

@@ -29,6 +29,7 @@
 package com.tencent.devops.auth.provider.sample.service
 
 import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
 
 class SamplePermissionResourceValidateService : PermissionResourceValidateService {
@@ -46,4 +47,12 @@ class SamplePermissionResourceValidateService : PermissionResourceValidateServic
         resourceType: String,
         resourceCode: String
     ): Boolean = true
+
+    override fun validateUserProjectPermissionByChannel(
+        userId: String,
+        projectCode: String,
+        operateChannel: OperateChannel
+    ) {
+        return
+    }
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt

@@ -33,13 +33,15 @@ import com.tencent.devops.auth.api.user.UserAuthResourceGroupResource
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
 import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO
 import com.tencent.devops.auth.pojo.dto.RenameGroupDTO
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
 import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
 import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupAndMemberFacadeService
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupPermissionService
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupService
 import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
 import com.tencent.devops.common.api.model.SQLPage
 import com.tencent.devops.common.api.pojo.Result
 import com.tencent.devops.common.auth.api.BkManagerCheck
@@ -51,7 +53,8 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
     private val permissionResourceGroupService: PermissionResourceGroupService,
     private val permissionResourceMemberService: PermissionResourceMemberService,
     private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService,
-    private val permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService
+    private val permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService,
+    private val permissionResourceValidateService: PermissionResourceValidateService
 ) : UserAuthResourceGroupResource {
     override fun getGroupPolicies(
         userId: String,
@@ -69,7 +72,6 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
         )
     }
 
-    @BkManagerCheck
     override fun getMemberGroupsDetails(
         userId: String,
         projectId: String,
@@ -81,9 +83,16 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
         relatedResourceType: String?,
         relatedResourceCode: String?,
         action: String?,
+        operateChannel: OperateChannel?,
         start: Int,
         limit: Int
     ): Result<SQLPage<GroupDetailsInfoVo>> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = operateChannel ?: OperateChannel.MANAGER
+        )
+
         return Result(
             permissionResourceGroupAndMemberFacadeService.getMemberGroupsDetails(
                 projectId = projectId,
@@ -126,7 +135,7 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
         groupId: Int
     ): Result<Boolean> {
         return Result(
-            permissionResourceMemberService.batchDeleteResourceGroupMembers(
+            permissionResourceMemberService.batchDeleteResourceGroupMembersFromManager(
                 userId = userId,
                 projectCode = projectId,
                 removeMemberDTO = GroupMemberCommonConditionReq(

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt

@@ -3,6 +3,7 @@ package com.tencent.devops.auth.resources.user
 import com.tencent.devops.auth.api.user.UserAuthResourceMemberResource
 import com.tencent.devops.auth.pojo.ResourceMemberInfo
 import com.tencent.devops.auth.pojo.enum.BatchOperateType
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq
 import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq
@@ -14,6 +15,7 @@ import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo
 import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo
 import com.tencent.devops.auth.service.iam.PermissionResourceGroupAndMemberFacadeService
 import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
 import com.tencent.devops.auth.service.iam.PermissionService
 import com.tencent.devops.common.api.model.SQLPage
 import com.tencent.devops.common.api.pojo.Result
@@ -27,7 +29,8 @@ import com.tencent.devops.common.web.RestResource
 class UserAuthResourceMemberResourceImpl(
     private val permissionResourceMemberService: PermissionResourceMemberService,
     private val permissionService: PermissionService,
-    private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService
+    private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService,
+    private val permissionResourceValidateService: PermissionResourceValidateService
 ) : UserAuthResourceMemberResource {
     override fun listProjectMembers(
         userId: String,
@@ -96,13 +99,13 @@ class UserAuthResourceMemberResourceImpl(
     }
 
     @BkManagerCheck
-    override fun batchRenewalGroupMembers(
+    override fun batchRenewalGroupMembersFromManager(
         userId: String,
         projectId: String,
         renewalConditionReq: GroupMemberRenewalConditionReq
     ): Result<Boolean> {
         return Result(
-            permissionResourceMemberService.batchRenewalGroupMembers(
+            permissionResourceMemberService.batchRenewalGroupMembersFromManager(
                 userId = userId,
                 projectCode = projectId,
                 renewalConditionReq = renewalConditionReq
@@ -111,13 +114,13 @@ class UserAuthResourceMemberResourceImpl(
     }
 
     @BkManagerCheck
-    override fun batchRemoveGroupMembers(
+    override fun batchRemoveGroupMembersFromManager(
         userId: String,
         projectId: String,
         removeMemberDTO: GroupMemberCommonConditionReq
     ): Result<Boolean> {
         return Result(
-            permissionResourceMemberService.batchDeleteResourceGroupMembers(
+            permissionResourceMemberService.batchDeleteResourceGroupMembersFromManager(
                 userId = userId,
                 projectCode = projectId,
                 removeMemberDTO = removeMemberDTO
@@ -126,13 +129,13 @@ class UserAuthResourceMemberResourceImpl(
     }
 
     @BkManagerCheck
-    override fun batchHandoverGroupMembers(
+    override fun batchHandoverGroupMembersFromManager(
         userId: String,
         projectId: String,
         handoverMemberDTO: GroupMemberHandoverConditionReq
     ): Result<Boolean> {
         return Result(
-            permissionResourceMemberService.batchHandoverGroupMembers(
+            permissionResourceMemberService.batchHandoverGroupMembersFromManager(
                 userId = userId,
                 projectCode = projectId,
                 handoverMemberDTO = handoverMemberDTO
@@ -187,7 +190,6 @@ class UserAuthResourceMemberResourceImpl(
         )
     }
 
-    @BkManagerCheck
     override fun getMemberGroupCount(
         userId: String,
         projectId: String,
@@ -197,8 +199,14 @@ class UserAuthResourceMemberResourceImpl(
         maxExpiredAt: Long?,
         relatedResourceType: String?,
         relatedResourceCode: String?,
-        action: String?
+        action: String?,
+        operateChannel: OperateChannel?
     ): Result<List<MemberGroupCountWithPermissionsVo>> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = operateChannel ?: OperateChannel.MANAGER
+        )
         return Result(
             permissionResourceGroupAndMemberFacadeService.getMemberGroupsCount(
                 projectCode = projectId,