feat:用户个人视角 权限管理优化 TencentBlueKing#11138
fcfang123 committed Dec 10, 2024
1 parent 7784469 commit 6dcf180
Showing 5 changed files with 15 additions and 12 deletions.
Expand Up @@ -148,6 +148,6 @@ object AuthMessageCode {
const val ERROR_HANDOVER_REVOKE = "2121093" // 由于您不是该交接申请单的发起人,无法进行撤销操作
const val ERROR_HANDOVER_APPROVAL = "2121094" // 由于您不是该交接申请单的审批人,无法进行任何操作
const val ERROR_HANDOVER_HANDLE = "2121095" // 该交接申请单正在被处理中,请耐心等待
const val ERROR_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法,用户没有对应授权的权限
const val ERROR_REPERTORY_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法,用户没有对应代码库授权的权限
const val ERROR_SINGLE_GROUP_REMOVE = "2121098" // 由于直接退出用户组,会导致授权失效,必须进行用户组移交
}
Expand Up @@ -66,8 +66,7 @@ class RbacPermissionHandoverApplicationService(
return I18nUtil.getCodeLanMessage(messageCode = AuthI18nConstants.BK_APPLY_TO_HANDOVER).let {
when {
groupCount > 0 && authorizationCount > 0 -> {
it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",")
it.plus(
it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",").plus(
I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_AUTHORIZATIONS, params = arrayOf(authorizationCount.toString()))
)
}
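Review bot: The new line in the `groupCount > 0 && authorizationCount > 0` branch is a single ~150-character `plus` chain, which is hard to scan and is exactly the shape that hid the original defect (the first `plus` result being discarded on its own line). Bind the two localized fragments to locals and join them with a template so the `","` separator is a visible literal rather than a trailing call: `val groups = I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))`, `val authorizations = I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_AUTHORIZATIONS, params = arrayOf(authorizationCount.toString()))`, `"$it$groups,$authorizations"`. The enclosing function and the remaining `when` branches are outside the hunk.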
Expand Up @@ -712,7 +712,7 @@ class RbacPermissionManageFacadeServiceImpl(
).second
)
}.map { it.iamGroupId }
logger.debug("list user groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups)
logger.debug("list pipeline and project groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups)
// 3.查询未退出的流水线/项目级别的用户组中是否包含项目级别的流水线执行权限。
// 查询用户在未退出的用户组中否还有整个项目的流水线执行权限。若有的话,则对流水线的代持人权限未造成影响。
val hasAllPipelineExecutePermAfterOperateGroups = groupPermissionService.isGroupsHasProjectLevelPermission(
Expand Down Expand Up @@ -817,9 +817,10 @@ class RbacPermissionManageFacadeServiceImpl(
onlyExcludeUserDirectlyJoined = true,
operateChannel = OperateChannel.PERSONAL
)

logger.debug("list all user groups joined after operated groups:{}|{}", count, records)
// 如果退出/交接了项目下所有组,直接返回用户无效代码库oauth列表
if (count == 0L) {
logger.debug("The user has removed/handover all user groups")
return authAuthorizationDao.list(
dslContext = dslContext,
condition = ResourceAuthorizationConditionRequest(
Expand All @@ -838,11 +839,15 @@ class RbacPermissionManageFacadeServiceImpl(
relatedResourceCode = projectCode,
action = ActionId.PROJECT_VISIT
)

logger.debug("whether the user has project visit perm after operated groups {}", isHasProjectVisitPermOperatedGroups)
// 如果有访问权限,返回空列表,否则直接返回用户无效代码库oauth列表
return if (isHasProjectVisitPermOperatedGroups) {
emptyList()
} else {
logger.debug(
"user does not have perm to visit the project after operated groups|{}|{}|{}",
projectCode, memberId, iamGroupIds
)
authAuthorizationDao.list(
dslContext = dslContext,
condition = ResourceAuthorizationConditionRequest(
Expand Down Expand Up @@ -1357,7 +1362,7 @@ class RbacPermissionManageFacadeServiceImpl(
targetMember: ResourceMemberInfo
): Boolean {
logger.info("delete single group members from personal:$userId|$targetMember|$projectCode|$groupId")
if (targetMember.type == MemberType.USER.type){
if (targetMember.type == MemberType.USER.type) {
// 获取导致流水线代持人权限受到影响的用户组及流水线
val (invalidGroups, invalidPipelines, invalidRepertoryIds) =
listInvalidAuthorizationsAfterOperatedGroups(
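Review bot: `logger.debug("list all user groups joined after operated groups:{}|{}", count, records)` in the second hunk writes the entire `records` collection to the log, so with debug enabled the log carries every group record for the member rather than the identifiers the surrounding code works with, and the line grows with the number of groups. The third hunk already follows the narrower pattern (`projectCode, memberId, iamGroupIds`); if the elements of `records` expose `iamGroupId` like the groups mapped in the first hunk, log `count` together with `records.map { it.iamGroupId }` instead. The enclosing function starts before the hunk and its `authAuthorizationDao.list(...)` call continues past it.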
Expand Up @@ -3,7 +3,7 @@ package com.tencent.devops.auth.service
import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
import com.tencent.devops.auth.constant.AuthI18nConstants
import com.tencent.devops.auth.constant.AuthMessageCode
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_AUTHORIZATION
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_REPERTORY_HANDOVER_AUTHORIZATION
import com.tencent.devops.auth.dao.AuthAuthorizationDao
import com.tencent.devops.auth.pojo.dto.HandoverDetailDTO
import com.tencent.devops.auth.pojo.dto.HandoverOverviewCreateDTO
Expand Down Expand Up @@ -297,7 +297,7 @@ class PermissionAuthorizationServiceImpl(
condition = finalCondition
)
if (!handoverResult[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty()) {
throw ErrorCodeException(errorCode = ERROR_HANDOVER_AUTHORIZATION)
throw ErrorCodeException(errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION)
}
val resourceAuthorizationList = getResourceAuthorizationList(condition = finalCondition)
val authorizationCount = resourceAuthorizationList.size
Expand Down Expand Up @@ -394,7 +394,7 @@ class PermissionAuthorizationServiceImpl(
)[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty()
if (!canHandoverRepertory) {
throw ErrorCodeException(
errorCode = ERROR_HANDOVER_AUTHORIZATION
errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION
)
}
}
3 changes: 1 addition & 2 deletions support-files/i18n/auth/message_zh_CN.properties
Expand Up @@ -88,7 +88,7 @@
2121093=由于您不是该交接申请单的发起人,无法进行撤销操作
2121094=由于您不是该交接申请单的审批人,无法进行任何操作
2121095=该交接申请单正在被处理中,请耐心等待
2121096=交接操作不合法,用户没有对应授权的权限
2121096=交接操作不合法,用户没有对应代码库授权的权限,请交接完代码库授权后再进行重试。
2121098=由于直接退出用户组,会导致授权失效,必须进行用户组移交

bkAdministratorNotExpired=权限还未过期,不需要操作
Expand Down Expand Up @@ -343,7 +343,6 @@ rule.resourceType.name=质量红线规则
bkMemberExpiredAtDisplayExpired=已过期
bkMemberExpiredAtDisplayNormal={0} 天
bkMemberExpiredAtDisplayPermanent=永久

bkApplyToHandover=申请移交
bkHandoverGroups={0}个权限用户组
bkHandoverAuthorizations={0}个授权
