feat：用户个人视角权限管理优化 TencentBlueKing#11138

fcfang123 · Dec 10, 2024 · 55169f8 · 55169f8
1 parent 6dcf180
commit 55169f8
Show file tree

Hide file tree

Showing 8 changed files with 50 additions and 48 deletions.
diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/config/RbacAuthConfiguration.kt
@@ -338,7 +338,8 @@ class RbacAuthConfiguration {
         rbacCacheService: RbacCacheService,
         resourceGroupMemberService: RbacPermissionResourceMemberService,
         client: Client,
-        resourceMemberService: PermissionResourceMemberService
+        resourceMemberService: PermissionResourceMemberService,
+        permissionManageFacadeService: PermissionManageFacadeService
     ) = RbacPermissionProjectService(
         authHelper = authHelper,
         authResourceService = authResourceService,
@@ -347,7 +348,8 @@ class RbacAuthConfiguration {
         rbacCacheService = rbacCacheService,
         resourceGroupMemberService = resourceGroupMemberService,
         client = client,
-        resourceMemberService = resourceMemberService
+        resourceMemberService = resourceMemberService,
+        permissionManageFacadeService = permissionManageFacadeService
     )
 
     @Bean

diff --git a/...in/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt b/...in/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt
@@ -63,6 +63,7 @@ import com.tencent.devops.common.api.util.PageUtil
 import com.tencent.devops.common.api.util.timestamp
 import com.tencent.devops.common.api.util.timestampmilli
 import com.tencent.devops.common.auth.api.ActionId
+import com.tencent.devops.common.auth.api.AuthPermission
 import com.tencent.devops.common.auth.api.AuthResourceType
 import com.tencent.devops.common.auth.api.ResourceTypeId
 import com.tencent.devops.common.auth.api.pojo.ResetAllResourceAuthorizationReq
@@ -1891,6 +1892,33 @@ class RbacPermissionManageFacadeServiceImpl(
         }
     }
 
+    override fun isProjectMember(
+        projectCode: String,
+        userId: String
+    ): Boolean {
+        // 获取用户加入的项目级用户组模板ID
+        val iamTemplateIds = listProjectMemberGroupTemplateIds(
+            projectCode = projectCode,
+            memberId = userId
+        )
+        val memberDeptInfos = deptService.getUserInfo(
+            userId = "admin",
+            name = userId
+        )?.deptInfo?.map { it.name!! }
+
+        return authResourceGroupMemberDao.isMemberInProject(
+            dslContext = dslContext,
+            projectCode = projectCode,
+            userId = userId,
+            iamTemplateIds = iamTemplateIds,
+            memberDeptInfos = memberDeptInfos
+        ) || rbacCacheService.validateUserProjectPermission(
+            userId = userId,
+            projectCode = projectCode,
+            permission = AuthPermission.VISIT
+        )
+    }
+
     private fun listGroupsOfHandoverPreview(queryReq: HandoverDetailsQueryReq): SQLPage<HandoverGroupDetailVo> {
         val projectCode = queryReq.projectCode
         val previewConditionReq = queryReq.previewConditionReq!!

diff --git a/...main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionProjectService.kt b/...main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionProjectService.kt
@@ -32,6 +32,7 @@ import com.tencent.bk.sdk.iam.helper.AuthHelper
 import com.tencent.devops.auth.constant.AuthMessageCode
 import com.tencent.devops.auth.dao.AuthResourceGroupDao
 import com.tencent.devops.auth.pojo.vo.ProjectPermissionInfoVO
+import com.tencent.devops.auth.service.iam.PermissionManageFacadeService
 import com.tencent.devops.auth.service.iam.PermissionProjectService
 import com.tencent.devops.auth.service.iam.PermissionResourceMemberService
 import com.tencent.devops.common.api.exception.ErrorCodeException
@@ -56,7 +57,8 @@ class RbacPermissionProjectService(
     private val rbacCacheService: RbacCacheService,
     private val resourceGroupMemberService: RbacPermissionResourceMemberService,
     private val client: Client,
-    private val resourceMemberService: PermissionResourceMemberService
+    private val resourceMemberService: PermissionResourceMemberService,
+    private val permissionManageFacadeService: PermissionManageFacadeService
 ) : PermissionProjectService {
 
     companion object {
@@ -153,7 +155,7 @@ class RbacPermissionProjectService(
         userId: String,
         projectCode: String
     ): Boolean {
-        return resourceMemberService.isProjectMember(
+        return permissionManageFacadeService.isProjectMember(
             projectCode = projectCode,
             userId = userId
         )
@@ -167,7 +169,7 @@ class RbacPermissionProjectService(
 //            resourceCode = projectCode,
 //            group = null
 //        ).contains(userId)
-        return resourceMemberService.isProjectMember(
+        return permissionManageFacadeService.isProjectMember(
             projectCode = projectCode,
             userId = userId
         )

diff --git a/...tlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt b/...tlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceMemberService.kt
@@ -41,10 +41,7 @@ class RbacPermissionResourceMemberService(
     private val authResourceGroupDao: AuthResourceGroupDao,
     private val authResourceGroupMemberDao: AuthResourceGroupMemberDao,
     private val dslContext: DSLContext,
-    private val deptService: DeptService,
-    private val permissionAuthorizationService: PermissionAuthorizationService,
-    private val syncIamGroupMemberService: PermissionResourceGroupSyncService,
-    private val rbacCacheService: RbacCacheService
+    private val deptService: DeptService
 ) : PermissionResourceMemberService {
     override fun getResourceGroupMembers(
         projectCode: String,
@@ -348,33 +345,6 @@ class RbacPermissionResourceMemberService(
         return true
     }
 
-    override fun isProjectMember(
-        projectCode: String,
-        userId: String
-    ): Boolean {
-        // 获取用户加入的项目级用户组模板ID
-        val iamTemplateIds = listProjectMemberGroupTemplateIds(
-            projectCode = projectCode,
-            memberId = userId
-        )
-        val memberDeptInfos = deptService.getUserInfo(
-            userId = "admin",
-            name = userId
-        )?.deptInfo?.map { it.name!! }
-
-        return authResourceGroupMemberDao.isMemberInProject(
-            dslContext = dslContext,
-            projectCode = projectCode,
-            userId = userId,
-            iamTemplateIds = iamTemplateIds,
-            memberDeptInfos = memberDeptInfos
-        ) || rbacCacheService.validateUserProjectPermission(
-            userId = userId,
-            projectCode = projectCode,
-            permission = AuthPermission.VISIT
-        )
-    }
-
     private fun verifyGroupBelongToProject(
         projectCode: String,
         iamGroupId: Int

diff --git a/...in/com/tencent/devops/auth/provider/sample/service/SamplePermissionManageFacadeService.kt b/...in/com/tencent/devops/auth/provider/sample/service/SamplePermissionManageFacadeService.kt
@@ -163,4 +163,8 @@ class SamplePermissionManageFacadeService : PermissionManageFacadeService {
     override fun listGroupsOfHandover(queryReq: HandoverDetailsQueryReq): SQLPage<HandoverGroupDetailVo> {
         return SQLPage(0, emptyList())
     }
+
+    override fun isProjectMember(projectCode: String, userId: String): Boolean {
+        return true
+    }
 }
diff --git a/.../com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt b/.../com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceMemberService.kt
@@ -35,13 +35,6 @@ class SamplePermissionResourceMemberService : PermissionResourceMemberService {
         departments: List<String>?
     ) = true
 
-    override fun isProjectMember(
-        projectCode: String,
-        userId: String
-    ): Boolean {
-        return true
-    }
-
     override fun batchDeleteResourceGroupMembers(
         projectCode: String,
         iamGroupId: Int,

diff --git a/...auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionManageFacadeService.kt b/...auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionManageFacadeService.kt
@@ -232,4 +232,12 @@ interface PermissionManageFacadeService {
      * 获取交接中用户组相关-分为预览/交接单审批两个场景
      * */
     fun listGroupsOfHandover(queryReq: HandoverDetailsQueryReq): SQLPage<HandoverGroupDetailVo>
+
+    /**
+     * 校验是否为项目成员
+     * */
+    fun isProjectMember(
+        projectCode: String,
+        userId: String
+    ): Boolean
 }
diff --git a/...th/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt b/...th/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceMemberService.kt
@@ -104,9 +104,4 @@ interface PermissionResourceMemberService {
         members: List<String>? = emptyList(),
         departments: List<String>? = emptyList()
     ): Boolean
-
-    fun isProjectMember(
-        projectCode: String,
-        userId: String
-    ): Boolean
 }