From 3e1b7749478b4736cc3effe78b55d9c7ee02426c Mon Sep 17 00:00:00 2001
From: greysonfang
Date: Mon, 28 Oct 2024 14:53:44 +0800
Subject: [PATCH] =?UTF-8?q?feat=EF=BC=9A=E7=94=A8=E6=88=B7=E4=B8=AA?= =?UTF-8?q?=E4=BA=BA=E8=A7=86=E8=A7=92=20=E6=9D=83=E9=99=90=E7=AE=A1?= =?UTF-8?q?=E7=90=86=E4=BC=98=E5=8C=96=20#11138?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../api/user/UserAuthResourceGroupResource.kt | 4 ++
.../user/UserAuthResourceMemberResource.kt | 18 +++++----
.../devops/auth/pojo/enum/OperateChannel.kt | 37 +++++++++++++++++++
.../RbacPermissionResourceMemberService.kt | 6 +--
.../RbacPermissionResourceValidateService.kt | 35 ++++++++++++++++++
.../SamplePermissionResourceMemberService.kt | 6 +--
...SamplePermissionResourceValidateService.kt | 9 +++++
.../user/UserAuthResourceGroupResourceImpl.kt | 15 ++++++--
.../UserAuthResourceMemberResourceImpl.kt | 26 ++++++++-----
.../iam/PermissionResourceMemberService.kt | 6 +--
.../iam/PermissionResourceValidateService.kt | 10 +++++
11 files changed, 144 insertions(+), 28 deletions(-)
create mode 100644 src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/OperateChannel.kt
diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
index 5dc4c034267..61dca343871 100644
--- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
+++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceGroupResource.kt
@@ -30,6 +30,7 @@ package com.tencent.devops.auth.api.user import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO import com.tencent.devops.auth.pojo.dto.RenameGroupDTO +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo import com.tencent.devops.common.api.annotation.BkInterfaceI18n @@ -110,6 +111,9 @@ interface UserAuthResourceGroupResource { @QueryParam("action") @Parameter(description = "操作") action: String?, + @QueryParam("operateChannel") + @Parameter(description = "操作渠道") + operateChannel: OperateChannel?, @Parameter(description = "起始位置,从0开始") @QueryParam("start") start: Int, diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt index 26a74ba5b87..f5cab40a861 100644 --- a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/api/user/UserAuthResourceMemberResource.kt @@ -2,6 +2,7 @@ package com.tencent.devops.auth.api.user import com.tencent.devops.auth.pojo.ResourceMemberInfo import com.tencent.devops.auth.pojo.enum.BatchOperateType +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq 
@@ -96,8 +97,8 @@ interface UserAuthResourceMemberResource { @PUT @Path("/batch/renewal") - @Operation(summary = "批量续期组成员权限--无需进行审批") - fun batchRenewalGroupMembers( + @Operation(summary = "批量续期组成员权限--管理员视角") + fun batchRenewalGroupMembersFromManager( @Parameter(description = "用户名", required = true) @HeaderParam(AUTH_HEADER_USER_ID) userId: String, @@ -110,8 +111,8 @@ interface UserAuthResourceMemberResource { @DELETE @Path("/batch/remove") - @Operation(summary = "批量移除用户组成员") - fun batchRemoveGroupMembers( + @Operation(summary = "批量移除用户组成员--管理员视角") + fun batchRemoveGroupMembersFromManager( @Parameter(description = "用户名", required = true) @HeaderParam(AUTH_HEADER_USER_ID) userId: String, @@ -124,8 +125,8 @@ interface UserAuthResourceMemberResource { @PUT @Path("/batch/handover") - @Operation(summary = "批量交接用户组成员") - fun batchHandoverGroupMembers( + @Operation(summary = "批量交接用户组成员--管理员视角") + fun batchHandoverGroupMembersFromManager( @Parameter(description = "用户名", required = true) @HeaderParam(AUTH_HEADER_USER_ID) userId: String, @@ -211,6 +212,9 @@ interface UserAuthResourceMemberResource { relatedResourceCode: String?, @QueryParam("action") @Parameter(description = "操作") - action: String? + action: String?, + @QueryParam("operateChannel") + @Parameter(description = "操作渠道") + operateChannel: OperateChannel? ): Result> } diff --git a/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/OperateChannel.kt b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/OperateChannel.kt new file mode 100644 index 00000000000..5c08753de64 --- /dev/null +++ b/src/backend/ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/pojo/enum/OperateChannel.kt 
@@ -0,0 +1,37 @@ +/* + * Tencent is pleased to support the open source community by making BK-CI 蓝鲸持续集成平台 available. + * + * Copyright (C) 2019 THL A29 Limited, a Tencent company. All rights reserved. + * + * BK-CI 蓝鲸持续集成平台 is licensed under the MIT license. + * + * A copy of the MIT License is included in this file. + * + * + * Terms of the MIT License: + * --------------------------------------------------- + * Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated + * documentation files (the "Software"), to deal in the Software without restriction, including without limitation the + * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in all copies or substantial portions of + * the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT + * LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN + * NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, + * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE + * SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. + * + */ + +package com.tencent.devops.auth.pojo.enum + +enum class OperateChannel(val value: String) { + // 个人视角 + PERSONAL("personal"), + + // 管理员视角 + MANAGER("manager"); +} diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt index 8fd0e90c4b6..22e6a2dd971 100644 
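Review bot: `OperateChannel` carries a lowercase `value` ("personal"/"manager") that nothing in this patch reads, while the new `@QueryParam("operateChannel")` parameters are typed as the enum itself. With standard JAX-RS parameter conversion an enum is resolved through `valueOf` on the constant name unless a static `fromString` exists, so clients would presumably have to send `PERSONAL`/`MANAGER` rather than the lowercase form; this is worth confirming against the framework configuration, which is not part of the patch. Either drop `value`, or add a `@JvmStatic fun fromString(...)` in a companion object that matches on it. Because this enum now selects which authorization check runs, it also deserves a KDoc stating which project permission each constant maps to.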
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt @@ -637,7 +637,7 @@ class RbacPermissionResourceMemberService( return true } - override fun batchRenewalGroupMembers( + override fun batchRenewalGroupMembersFromManager( userId: String, projectCode: String, renewalConditionReq: GroupMemberRenewalConditionReq @@ -692,7 +692,7 @@ class RbacPermissionResourceMemberService( return expiredAt < PERMANENT_EXPIRED_TIME } - override fun batchDeleteResourceGroupMembers( + override fun batchDeleteResourceGroupMembersFromManager( userId: String, projectCode: String, removeMemberDTO: GroupMemberCommonConditionReq @@ -748,7 +748,7 @@ class RbacPermissionResourceMemberService( ) } - override fun batchHandoverGroupMembers( + override fun batchHandoverGroupMembersFromManager( userId: String, projectCode: String, handoverMemberDTO: GroupMemberHandoverConditionReq diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt index c0baf8abee1..beaaf8312d2 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt 
@@ -30,6 +30,7 @@ package com.tencent.devops.auth.provider.rbac.service import com.tencent.devops.auth.constant.AuthMessageCode import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.service.iam.PermissionResourceValidateService import com.tencent.devops.auth.service.iam.PermissionService import com.tencent.devops.common.api.exception.ErrorCodeException @@ -152,6 +153,40 @@ class RbacPermissionResourceValidateService( return true } + override fun validateUserProjectPermissionByChannel( + userId: String, + projectCode: String, + operateChannel: OperateChannel + ) { + if (operateChannel == OperateChannel.PERSONAL) { + // 个人视角校验 + val hasVisitPermission = permissionService.validateUserResourcePermission( + userId = userId, + resourceType = AuthResourceType.PROJECT.value, + action = RbacAuthUtils.buildAction(AuthPermission.VISIT, AuthResourceType.PROJECT), + projectCode = projectCode + ) + if (!hasVisitPermission) { + throw PermissionForbiddenException( + message = "The user does not have permission to visit the project!" + ) + } + } else { + // 管理员视角校验 + val hasProjectManagePermission = permissionService.validateUserResourcePermission( + userId = userId, + resourceType = AuthResourceType.PROJECT.value, + action = RbacAuthUtils.buildAction(AuthPermission.MANAGE, AuthResourceType.PROJECT), + projectCode = projectCode + ) + if (!hasProjectManagePermission) { + throw PermissionForbiddenException( + message = I18nUtil.getCodeLanMessage(AuthMessageCode.ERROR_AUTH_NO_MANAGE_PERMISSION) + ) + } + } + } + private fun checkProjectApprovalStatus(resourceType: String, resourceCode: String) { if (resourceType == AuthResourceType.PROJECT.value) { val projectInfo = 
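Review bot: The `if`/`else` in `validateUserProjectPermissionByChannel` writes the same `validateUserResourcePermission` call twice and sends every channel other than PERSONAL down the manager path implicitly. An exhaustive `when` that maps the channel to the required `AuthPermission`, followed by a single call, makes the channel-to-permission mapping explicit and forces a decision when a channel is added. The PERSONAL failure throws a hard-coded English message while the MANAGER failure goes through `I18nUtil.getCodeLanMessage`; the two should be handled the same way. A one-sentence KDoc on the override saying that it throws `PermissionForbiddenException` instead of returning a Boolean, unlike the validator just above it, would help callers.

```kotlin
override fun validateUserProjectPermissionByChannel(
    userId: String,
    projectCode: String,
    operateChannel: OperateChannel
) {
    // No else branch: a newly added channel must be given an explicit permission here.
    val requiredPermission = when (operateChannel) {
        OperateChannel.PERSONAL -> AuthPermission.VISIT
        OperateChannel.MANAGER -> AuthPermission.MANAGE
    }
    val permitted = permissionService.validateUserResourcePermission(
        userId = userId,
        resourceType = AuthResourceType.PROJECT.value,
        action = RbacAuthUtils.buildAction(requiredPermission, AuthResourceType.PROJECT),
        projectCode = projectCode
    )
    if (!permitted) {
        // … unchanged: throw PermissionForbiddenException with the message for this channel …
    }
}
```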
diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt index c412788f26e..cb98cf7b98e 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt @@ -82,13 +82,13 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService { expiredAt: Long ): Boolean = true - override fun batchRenewalGroupMembers( + override fun batchRenewalGroupMembersFromManager( userId: String, projectCode: String, renewalConditionReq: GroupMemberRenewalConditionReq ): Boolean = true - override fun batchDeleteResourceGroupMembers( + override fun batchDeleteResourceGroupMembersFromManager( userId: String, projectCode: String, removeMemberDTO: GroupMemberCommonConditionReq @@ -100,7 +100,7 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService { memberIds: List ): Boolean = true - override fun batchHandoverGroupMembers( + override fun batchHandoverGroupMembersFromManager( userId: String, projectCode: String, handoverMemberDTO: GroupMemberHandoverConditionReq diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt index b2ba564a4cf..6ff90235c55 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt 
+++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt @@ -29,6 +29,7 @@ package com.tencent.devops.auth.provider.sample.service import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.service.iam.PermissionResourceValidateService class SamplePermissionResourceValidateService : PermissionResourceValidateService { @@ -46,4 +47,12 @@ class SamplePermissionResourceValidateService : PermissionResourceValidateServic resourceType: String, resourceCode: String ): Boolean = true + + override fun validateUserProjectPermissionByChannel( + userId: String, + projectCode: String, + operateChannel: OperateChannel + ) { + return + } } diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt index 4c99458fb86..7a2ee4d98e9 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt @@ -33,6 +33,7 @@ import com.tencent.devops.auth.api.user.UserAuthResourceGroupResource import com.tencent.devops.auth.pojo.ResourceMemberInfo import com.tencent.devops.auth.pojo.dto.GroupMemberRenewalDTO import com.tencent.devops.auth.pojo.dto.RenameGroupDTO +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo import com.tencent.devops.auth.pojo.vo.IamGroupPoliciesVo 
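Review bot: The empty body of `validateUserProjectPermissionByChannel` in the sample provider means that the two handlers which lose `@BkManagerCheck` in this patch (`getMemberGroupsDetails` and `getMemberGroupCount`) rely on a check that always passes when this provider is active. What `@BkManagerCheck` enforced is not visible here, so whether this lowers the previous protection needs confirming. If allow-all is intended for the sample provider, state it on the override, for example `// sample provider performs no permission enforcement; every caller is allowed`, and write the body as `= Unit` instead of `{ return }`.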
@@ -40,6 +41,7 @@ import com.tencent.devops.auth.service.iam.PermissionResourceGroupAndMemberFacad import com.tencent.devops.auth.service.iam.PermissionResourceGroupPermissionService import com.tencent.devops.auth.service.iam.PermissionResourceGroupService import com.tencent.devops.auth.service.iam.PermissionResourceMemberService +import com.tencent.devops.auth.service.iam.PermissionResourceValidateService import com.tencent.devops.common.api.model.SQLPage import com.tencent.devops.common.api.pojo.Result import com.tencent.devops.common.auth.api.BkManagerCheck @@ -51,7 +53,8 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor( private val permissionResourceGroupService: PermissionResourceGroupService, private val permissionResourceMemberService: PermissionResourceMemberService, private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService, - private val permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService + private val permissionResourceGroupPermissionService: PermissionResourceGroupPermissionService, + private val permissionResourceValidateService: PermissionResourceValidateService ) : UserAuthResourceGroupResource { override fun getGroupPolicies( userId: String, @@ -69,7 +72,6 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor( ) } - @BkManagerCheck override fun getMemberGroupsDetails( userId: String, projectId: String, @@ -81,9 +83,16 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor( relatedResourceType: String?, relatedResourceCode: String?, action: String?, + operateChannel: OperateChannel?, start: Int, limit: Int ): Result> { + permissionResourceValidateService.validateUserProjectPermissionByChannel( + userId = userId, + projectCode = projectId, + operateChannel = operateChannel ?: OperateChannel.MANAGER + ) + return Result( permissionResourceGroupAndMemberFacadeService.getMemberGroupsDetails( projectId = projectId, 
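Review bot: Replacing `@BkManagerCheck` on `getMemberGroupsDetails` with `validateUserProjectPermissionByChannel` lets the caller choose its own authorization level, because `operateChannel` is a query parameter and the personal channel only requires project visit permission instead of project manage. Nothing in the visible lines ties the personal channel to the caller's own data: the parameters between `projectId` and `relatedResourceType` are outside the hunk, but if one of them names the member being queried, a visit-only user could read another member's group details. For the personal channel the handler should bind that identifier to the caller before calling the facade, e.g. `if (channel == OperateChannel.PERSONAL && <member-id parameter> != userId) throw PermissionForbiddenException(message = ...)`, with a test for the mismatch case. The same applies to `getMemberGroupCount` in UserAuthResourceMemberResourceImpl.kt. Defaulting a missing channel to `OperateChannel.MANAGER` is the stricter choice and should stay.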
@@ -126,7 +135,7 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor( groupId: Int ): Result { return Result( - permissionResourceMemberService.batchDeleteResourceGroupMembers( + permissionResourceMemberService.batchDeleteResourceGroupMembersFromManager( userId = userId, projectCode = projectId, removeMemberDTO = GroupMemberCommonConditionReq( diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt index bd76fea6919..521750c8e5f 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt @@ -3,6 +3,7 @@ package com.tencent.devops.auth.resources.user import com.tencent.devops.auth.api.user.UserAuthResourceMemberResource import com.tencent.devops.auth.pojo.ResourceMemberInfo import com.tencent.devops.auth.pojo.enum.BatchOperateType +import com.tencent.devops.auth.pojo.enum.OperateChannel import com.tencent.devops.auth.pojo.request.GroupMemberCommonConditionReq import com.tencent.devops.auth.pojo.request.GroupMemberHandoverConditionReq import com.tencent.devops.auth.pojo.request.GroupMemberRenewalConditionReq 
@@ -14,6 +15,7 @@ import com.tencent.devops.auth.pojo.vo.GroupDetailsInfoVo import com.tencent.devops.auth.pojo.vo.MemberGroupCountWithPermissionsVo import com.tencent.devops.auth.service.iam.PermissionResourceGroupAndMemberFacadeService import com.tencent.devops.auth.service.iam.PermissionResourceMemberService +import com.tencent.devops.auth.service.iam.PermissionResourceValidateService import com.tencent.devops.auth.service.iam.PermissionService import com.tencent.devops.common.api.model.SQLPage import com.tencent.devops.common.api.pojo.Result @@ -27,7 +29,8 @@ import com.tencent.devops.common.web.RestResource class UserAuthResourceMemberResourceImpl( private val permissionResourceMemberService: PermissionResourceMemberService, private val permissionService: PermissionService, - private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService + private val permissionResourceGroupAndMemberFacadeService: PermissionResourceGroupAndMemberFacadeService, + private val permissionResourceValidateService: PermissionResourceValidateService ) : UserAuthResourceMemberResource { override fun listProjectMembers( userId: String, @@ -96,13 +99,13 @@ class UserAuthResourceMemberResourceImpl( } @BkManagerCheck - override fun batchRenewalGroupMembers( + override fun batchRenewalGroupMembersFromManager( userId: String, projectId: String, renewalConditionReq: GroupMemberRenewalConditionReq ): Result { return Result( - permissionResourceMemberService.batchRenewalGroupMembers( + permissionResourceMemberService.batchRenewalGroupMembersFromManager( userId = userId, projectCode = projectId, renewalConditionReq = renewalConditionReq 
@@ -111,13 +114,13 @@ class UserAuthResourceMemberResourceImpl( } @BkManagerCheck - override fun batchRemoveGroupMembers( + override fun batchRemoveGroupMembersFromManager( userId: String, projectId: String, removeMemberDTO: GroupMemberCommonConditionReq ): Result { return Result( - permissionResourceMemberService.batchDeleteResourceGroupMembers( + permissionResourceMemberService.batchDeleteResourceGroupMembersFromManager( userId = userId, projectCode = projectId, removeMemberDTO = removeMemberDTO @@ -126,13 +129,13 @@ class UserAuthResourceMemberResourceImpl( } @BkManagerCheck - override fun batchHandoverGroupMembers( + override fun batchHandoverGroupMembersFromManager( userId: String, projectId: String, handoverMemberDTO: GroupMemberHandoverConditionReq ): Result { return Result( - permissionResourceMemberService.batchHandoverGroupMembers( + permissionResourceMemberService.batchHandoverGroupMembersFromManager( userId = userId, projectCode = projectId, handoverMemberDTO = handoverMemberDTO @@ -187,7 +190,6 @@ class UserAuthResourceMemberResourceImpl( ) } - @BkManagerCheck override fun getMemberGroupCount( userId: String, projectId: String, @@ -197,8 +199,14 @@ class UserAuthResourceMemberResourceImpl( maxExpiredAt: Long?, relatedResourceType: String?, relatedResourceCode: String?, - action: String? + action: String?, + operateChannel: OperateChannel? ): Result> { + permissionResourceValidateService.validateUserProjectPermissionByChannel( + userId = userId, + projectCode = projectId, + operateChannel = operateChannel ?: OperateChannel.MANAGER + ) return Result( permissionResourceGroupAndMemberFacadeService.getMemberGroupsCount( projectCode = projectId, diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt index 91073660f2f..70c0b422239 100644 
--- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt @@ -76,7 +76,7 @@ interface PermissionResourceMemberService { departments: List? = emptyList() ): Boolean - fun batchDeleteResourceGroupMembers( + fun batchDeleteResourceGroupMembersFromManager( userId: String, projectCode: String, removeMemberDTO: GroupMemberCommonConditionReq @@ -88,7 +88,7 @@ interface PermissionResourceMemberService { memberIds: List ): Boolean - fun batchHandoverGroupMembers( + fun batchHandoverGroupMembersFromManager( userId: String, projectCode: String, handoverMemberDTO: GroupMemberHandoverConditionReq @@ -147,7 +147,7 @@ interface PermissionResourceMemberService { expiredAt: Long ): Boolean - fun batchRenewalGroupMembers( + fun batchRenewalGroupMembersFromManager( userId: String, projectCode: String, renewalConditionReq: GroupMemberRenewalConditionReq diff --git a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceValidateService.kt b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceValidateService.kt index e81196b7eec..2f0478edd23 100644 --- a/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceValidateService.kt +++ b/src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceValidateService.kt @@ -29,6 +29,7 @@ package com.tencent.devops.auth.service.iam import com.tencent.devops.auth.pojo.dto.PermissionBatchValidateDTO +import com.tencent.devops.auth.pojo.enum.OperateChannel interface PermissionResourceValidateService { fun batchValidateUserResourcePermission( 
@@ -46,4 +47,13 @@ interface PermissionResourceValidateService { resourceType: String, resourceCode: String ): Boolean + + /** + * 根据渠道来校验用户权限,主要用户管理界面/个人视角 + */ + fun validateUserProjectPermissionByChannel( + userId: String, + projectCode: String, + operateChannel: OperateChannel + ) }