Merge pull request #3078 from actiontech/fix_save_audit_plan

LordofAvernus · web-flow · commit 9dd221c89582 · 2025-07-04T11:06:37.000+08:00
fix: permission for save audit plan
diff --git a/sqle/api/controller/v1/instance_audit_plan.go b/sqle/api/controller/v1/instance_audit_plan.go
@@ -650,7 +650,7 @@ func GetInstanceAuditPlanOverview(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -901,7 +901,7 @@ func GetInstanceAuditPlanSQLs(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1000,7 +1000,7 @@ func GetInstanceAuditPlanSQLMeta(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1100,7 +1100,7 @@ func GetInstanceAuditPlanSQLData(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1166,7 +1166,7 @@ func GetInstanceAuditPlanSQLExport(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	_, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1262,7 +1262,7 @@ func GetAuditPlanSqlAnalysisData(c echo.Context) error {
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
-	detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, insAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)
+	detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, insAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
diff --git a/sqle/api/controller/v1/project_permission.go b/sqle/api/controller/v1/project_permission.go
@@ -299,7 +299,7 @@ func GetAuditPlanIfCurrentUserCanOp(c echo.Context, projectId, auditPlanName str
 	return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(opType))
 }
 
-func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanceAuditPlanID string, opType dmsV1.OpPermissionType) (*model.InstanceAuditPlan, bool, error) {
+func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanceAuditPlanID string) (*model.InstanceAuditPlan, bool, error) {
 	storage := model.GetStorage()
 
 	ap, exist, err := storage.GetInstanceAuditPlanDetail(instanceAuditPlanID)
@@ -329,8 +329,8 @@ func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanc
 			return ap, true, nil
 		}
 	}
-
-	if opType != "" {
+	opTypes := []dmsV1.OpPermissionType{dmsV1.OpPermissionTypeViewOtherAuditPlan, dmsV1.OpPermissionTypeSaveAuditPlan}
+	for _, opType := range opTypes {
 		dbServiceReq := &dmsV2.ListDBServiceReq{
 			ProjectUid: projectId,
 		}
@@ -344,7 +344,7 @@ func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanc
 			}
 		}
 	}
-	return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(opType))
+	return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(dmsV1.OpPermissionTypeViewOtherAuditPlan))
 }
 
 func GetInstanceAuditPlanIfCurrentUserCanOp(c echo.Context, projectId, instanceAuditPlanID string, opType dmsV1.OpPermissionType) (*model.InstanceAuditPlan, bool, error) {
diff --git a/sqle/api/controller/v2/instance_audit_plan.go b/sqle/api/controller/v2/instance_audit_plan.go
@@ -248,7 +248,8 @@ func GetInstanceAuditPlans(c echo.Context) error {
 		"offset":                             offset,
 	}
 	if !up.CanViewProject() {
-		accessibleInstanceId := up.GetInstancesByOP(dmsCommonV1.OpPermissionTypeViewOtherAuditPlan)
+		// 如果有配置SQL管控权限，那么可以查看自己创建的或者该权限对应数据源的
+		accessibleInstanceId := up.GetInstancesByOP(dmsCommonV1.OpPermissionTypeViewOtherAuditPlan, dmsCommonV1.OpPermissionTypeSaveAuditPlan)
 		if len(accessibleInstanceId) > 0 {
 			data["accessible_instances_id"] = fmt.Sprintf("\"%s\"", strings.Join(accessibleInstanceId, "\",\""))
 		}
@@ -381,7 +382,7 @@ func GetInstanceAuditPlanDetail(c echo.Context) error {
 		return controller.JSONBaseErrorReq(c, err)
 	}
 	// check current user instance audit plan permission
-	detail, exist, err := v1.GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, dmsCommonV1.OpPermissionTypeViewOtherAuditPlan)
+	detail, exist, err := v1.GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}

Original file line number	Diff line number	Diff line change
`@@ -650,7 +650,7 @@ func GetInstanceAuditPlanOverview(c echo.Context) error {`
`650`	`650`	`return controller.JSONBaseErrorReq(c, err)`
`651`	`651`	`}`
`652`	`652`	`// check current user instance audit plan permission`
`653`		`- detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`653`	`+ detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`654`	`654`	`if err != nil {`
`655`	`655`	`return controller.JSONBaseErrorReq(c, err)`
`656`	`656`	`}`
`@@ -901,7 +901,7 @@ func GetInstanceAuditPlanSQLs(c echo.Context) error {`
`901`	`901`	`return controller.JSONBaseErrorReq(c, err)`
`902`	`902`	`}`
`903`	`903`	`// check current user instance audit plan permission`
`904`		`- _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`904`	`+ _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`905`	`905`	`if err != nil {`
`906`	`906`	`return controller.JSONBaseErrorReq(c, err)`
`907`	`907`	`}`
`@@ -1000,7 +1000,7 @@ func GetInstanceAuditPlanSQLMeta(c echo.Context) error {`
`1000`	`1000`	`return controller.JSONBaseErrorReq(c, err)`
`1001`	`1001`	`}`
`1002`	`1002`	`// check current user instance audit plan permission`
`1003`		`- _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`1003`	`+ _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`1004`	`1004`	`if err != nil {`
`1005`	`1005`	`return controller.JSONBaseErrorReq(c, err)`
`1006`	`1006`	`}`
`@@ -1100,7 +1100,7 @@ func GetInstanceAuditPlanSQLData(c echo.Context) error {`
`1100`	`1100`	`return controller.JSONBaseErrorReq(c, err)`
`1101`	`1101`	`}`
`1102`	`1102`	`// check current user instance audit plan permission`
`1103`		`- _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`1103`	`+ _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`1104`	`1104`	`if err != nil {`
`1105`	`1105`	`return controller.JSONBaseErrorReq(c, err)`
`1106`	`1106`	`}`
`@@ -1166,7 +1166,7 @@ func GetInstanceAuditPlanSQLExport(c echo.Context) error {`
`1166`	`1166`	`return controller.JSONBaseErrorReq(c, err)`
`1167`	`1167`	`}`
`1168`	`1168`	`// check current user instance audit plan permission`
`1169`		`- _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`1169`	`+ _, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`1170`	`1170`	`if err != nil {`
`1171`	`1171`	`return controller.JSONBaseErrorReq(c, err)`
`1172`	`1172`	`}`
`@@ -1262,7 +1262,7 @@ func GetAuditPlanSqlAnalysisData(c echo.Context) error {`
`1262`	`1262`	`if err != nil {`
`1263`	`1263`	`return controller.JSONBaseErrorReq(c, err)`
`1264`	`1264`	`}`
`1265`		`- detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, insAuditPlanID, v1.OpPermissionTypeViewOtherAuditPlan)`
	`1265`	`+ detail, exist, err := GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, insAuditPlanID)`
`1266`	`1266`	`if err != nil {`
`1267`	`1267`	`return controller.JSONBaseErrorReq(c, err)`
`1268`	`1268`	`}`
Original file line number	Diff line number	Diff line change
`@@ -299,7 +299,7 @@ func GetAuditPlanIfCurrentUserCanOp(c echo.Context, projectId, auditPlanName str`
`299`	`299`	`return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(opType))`
`300`	`300`	`}`
`301`	`301`
`302`		`-func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanceAuditPlanID string, opType dmsV1.OpPermissionType) (*model.InstanceAuditPlan, bool, error) {`
	`302`	`+func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanceAuditPlanID string) (*model.InstanceAuditPlan, bool, error) {`
`303`	`303`	`storage := model.GetStorage()`
`304`	`304`
`305`	`305`	`ap, exist, err := storage.GetInstanceAuditPlanDetail(instanceAuditPlanID)`
`@@ -329,8 +329,8 @@ func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanc`
`329`	`329`	`return ap, true, nil`
`330`	`330`	`}`
`331`	`331`	`}`
`332`		`-`
`333`		`- if opType != "" {`
	`332`	`+ opTypes := []dmsV1.OpPermissionType{dmsV1.OpPermissionTypeViewOtherAuditPlan, dmsV1.OpPermissionTypeSaveAuditPlan}`
	`333`	`+ for _, opType := range opTypes {`
`334`	`334`	`dbServiceReq := &dmsV2.ListDBServiceReq{`
`335`	`335`	`ProjectUid: projectId,`
`336`	`336`	`}`
`@@ -344,7 +344,7 @@ func GetInstanceAuditPlanIfCurrentUserCanView(c echo.Context, projectId, instanc`
`344`	`344`	`}`
`345`	`345`	`}`
`346`	`346`	`}`
`347`		`- return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(opType))`
	`347`	`+ return ap, false, errors.NewUserNotPermissionError(dmsV1.GetOperationTypeDesc(dmsV1.OpPermissionTypeViewOtherAuditPlan))`
`348`	`348`	`}`
`349`	`349`
`350`	`350`	`func GetInstanceAuditPlanIfCurrentUserCanOp(c echo.Context, projectId, instanceAuditPlanID string, opType dmsV1.OpPermissionType) (*model.InstanceAuditPlan, bool, error) {`
Original file line number	Diff line number	Diff line change
`@@ -248,7 +248,8 @@ func GetInstanceAuditPlans(c echo.Context) error {`
`248`	`248`	`"offset": offset,`
`249`	`249`	`}`
`250`	`250`	`if !up.CanViewProject() {`
`251`		`- accessibleInstanceId := up.GetInstancesByOP(dmsCommonV1.OpPermissionTypeViewOtherAuditPlan)`
	`251`	`+ // 如果有配置SQL管控权限，那么可以查看自己创建的或者该权限对应数据源的`
	`252`	`+ accessibleInstanceId := up.GetInstancesByOP(dmsCommonV1.OpPermissionTypeViewOtherAuditPlan, dmsCommonV1.OpPermissionTypeSaveAuditPlan)`
`252`	`253`	`if len(accessibleInstanceId) > 0 {`
`253`	`254`	`data["accessible_instances_id"] = fmt.Sprintf("\"%s\"", strings.Join(accessibleInstanceId, "\",\""))`
`254`	`255`	`}`
`@@ -381,7 +382,7 @@ func GetInstanceAuditPlanDetail(c echo.Context) error {`
`381`	`382`	`return controller.JSONBaseErrorReq(c, err)`
`382`	`383`	`}`
`383`	`384`	`// check current user instance audit plan permission`
`384`		`- detail, exist, err := v1.GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID, dmsCommonV1.OpPermissionTypeViewOtherAuditPlan)`
	`385`	`+ detail, exist, err := v1.GetInstanceAuditPlanIfCurrentUserCanView(c, projectUID, instanceAuditPlanID)`
`385`	`386`	`if err != nil {`
`386`	`387`	`return controller.JSONBaseErrorReq(c, err)`
`387`	`388`	`}`