feat:用户个人视角 权限管理优化 #11138
fcfang123 committed Dec 6, 2024
1 parent 6bbbd1e commit 3696957
Showing 8 changed files with 93 additions and 0 deletions.
Expand Up @@ -138,6 +138,26 @@ interface UserAuthResourceMemberResource {
removeMemberDTO: GroupMemberRemoveConditionReq
): Result<Boolean>

@DELETE
@Path("/single/{groupId}/{operateChannel}/remove")
@Operation(summary = "退出单个组")
fun deleteResourceGroupMembers(
@Parameter(description = "用户名", required = true)
@HeaderParam(AUTH_HEADER_USER_ID)
userId: String,
@Parameter(description = "项目ID", required = true)
@PathParam("projectId")
projectId: String,
@Parameter(description = "组ID", required = true)
@PathParam("groupId")
groupId: Int,
@Parameter(description = "操作渠道", required = true)
@PathParam("operateChannel")
operateChannel: OperateChannel,
@Parameter(description = "操作对象", required = true)
targetMember: ResourceMemberInfo
): Result<Boolean>

@PUT
@Path("/batch/handover")
@Operation(summary = "批量交接用户组成员--管理员视角")
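Review bot: The new endpoint at `@Path("/single/{groupId}/{operateChannel}/remove")` takes `targetMember: ResourceMemberInfo` as a request body on a `@DELETE` method; a DELETE body has no defined semantics in HTTP and is dropped by some clients and intermediaries, so the target may arrive absent and the call would reach the facade without the member it is supposed to act on. The sibling body-carrying operation at the end of the hunk, `@PUT @Path("/batch/handover")`, shows the pattern already used in this interface; changing this method to `@PUT` or `@POST`, or moving the target identity into the path or query, would make the contract reliable. `@PathParam("projectId")` is also not part of the method-level `@Path`, presumably it is supplied by the class-level path, which is outside the hunk and worth confirming.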
Expand Up @@ -149,4 +149,5 @@ object AuthMessageCode {
const val ERROR_HANDOVER_APPROVAL = "2121094" // 由于您不是该交接申请单的审批人,无法进行任何操作
const val ERROR_HANDOVER_HANDLE = "2121095" // 该交接申请单正在被处理中,请耐心等待
const val ERROR_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法,用户没有对应授权的权限
const val ERROR_SINGLE_GROUP_REMOVE = "2121097" // 由于直接退出用户组,会导致授权失效,必须进行用户组移交
}
Expand Up @@ -10,6 +10,7 @@ import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_APPROVAL
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_FINISH
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_HANDLE
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_REVOKE
import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_SINGLE_GROUP_REMOVE
import com.tencent.devops.auth.dao.AuthAuthorizationDao
import com.tencent.devops.auth.dao.AuthResourceGroupDao
import com.tencent.devops.auth.dao.AuthResourceGroupMemberDao
Expand Down Expand Up @@ -1316,6 +1317,35 @@ class RbacPermissionManageFacadeServiceImpl(
return true
}

override fun deleteResourceGroupMembers(
userId: String,
projectCode: String,
groupId: Int,
targetMember: ResourceMemberInfo
): Boolean {
logger.info("delete single group members from personal:$userId|$targetMember|$projectCode|$groupId")
// 获取导致流水线代持人权限受到影响的用户组及流水线
val (invalidGroups, invalidPipelines, invalidRepertoryIds) =
listInvalidAuthorizationsAfterOperatedGroups(
projectCode = projectCode,
iamGroupIds = listOf(groupId),
memberId = targetMember.id
)
if (invalidGroups.isNotEmpty() || invalidPipelines.isNotEmpty() || invalidRepertoryIds.isNotEmpty()) {
throw ErrorCodeException(errorCode = ERROR_SINGLE_GROUP_REMOVE)
}
batchOperateGroupMembers(
projectCode = projectCode,
type = BatchOperateType.REMOVE,
conditionReq = GroupMemberRemoveConditionReq(
groupIds = listOf(groupId),
targetMember = targetMember
),
operateGroupMemberTask = ::deleteTask
)
return true
}

private fun handoverTask(
projectCode: String,
groupId: Int,
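Review bot: In the new `deleteResourceGroupMembers` (second hunk) the `userId` parameter is used only in the log line; the facade never checks that `targetMember.id` is the caller or otherwise authorised, so the only thing binding the removed member to the requesting user is the resource-layer `validateUserProjectPermissionByChannel` call made before this method is invoked. Any other caller of the facade, present or future, would remove an arbitrary member from the group without that gate. Since the channel is not available here, at minimum document the precondition on the method, e.g. `// Performs no authorization itself: the caller must already have validated that userId may operate on targetMember for this project (see UserAuthResourceMemberResourceImpl).`. The `listInvalidAuthorizationsAfterOperatedGroups` check and the subsequent `batchOperateGroupMembers` removal are two separate steps, so an authorization created between them is not caught; if that matters here it may be worth a comment as well.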
Expand Up @@ -121,6 +121,13 @@ class SamplePermissionManageFacadeService : PermissionManageFacadeService {
removeMemberDTO: GroupMemberRemoveConditionReq
): Boolean = true

override fun deleteResourceGroupMembers(
userId: String,
projectCode: String,
groupId: Int,
targetMember: ResourceMemberInfo
): Boolean = true

override fun batchOperateGroupMembersCheck(
userId: String,
projectCode: String,
Expand Up @@ -149,6 +149,29 @@ class UserAuthResourceMemberResourceImpl(
)
}

override fun deleteResourceGroupMembers(
userId: String,
projectId: String,
groupId: Int,
operateChannel: OperateChannel,
targetMember: ResourceMemberInfo
): Result<Boolean> {
permissionResourceValidateService.validateUserProjectPermissionByChannel(
userId = userId,
projectCode = projectId,
operateChannel = operateChannel,
targetMemberId = targetMember.id
)
return Result(
permissionManageFacadeService.deleteResourceGroupMembers(
userId = userId,
projectCode = projectId,
groupId = groupId,
targetMember = targetMember
)
)
}

@BkManagerCheck
override fun batchHandoverGroupMembersFromManager(
userId: String,
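Review bot: The result of `permissionResourceValidateService.validateUserProjectPermissionByChannel(...)` at the top of the new `deleteResourceGroupMembers` is discarded, so it only acts as an authorization gate if that method throws on failure, which this hunk does not show. If it returns a Boolean instead, the removal below runs for any caller who can reach the endpoint. Making the contract explicit at the call site, e.g. `// throws ErrorCodeException when userId may not operate on targetMember via operateChannel`, or wrapping the call in `check(...)` if it returns a Boolean, would remove the ambiguity. Unlike `batchHandoverGroupMembersFromManager` directly below, this method carries no `@BkManagerCheck`; that is presumably intended for a personal-view operation but deserves a one-line comment so it is not read as an omission.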
Expand Up @@ -172,6 +172,16 @@ interface PermissionManageFacadeService {
removeMemberDTO: GroupMemberRemoveConditionReq
): Boolean

/**
* 退出单个组
* */
fun deleteResourceGroupMembers(
userId: String,
projectCode: String,
groupId: Int,
targetMember: ResourceMemberInfo
): Boolean

/**
* 批量操作检查
* */
1 change: 1 addition & 0 deletions support-files/i18n/auth/message_en_US.properties
Expand Up @@ -89,6 +89,7 @@
2121094=Due to the fact that you are not the approver of this handover request, you are unable to perform any actions on it.
2121095=The handover request is currently being processed. Please be patient and wait for further updates.
2121096=The handover operation is illegal and the user does not have authorization permissions
2121097=Since exiting the group directly will cause the authorization to become invalid, the group must be transferred.
bkAdministratorNotExpired=Permission has not expired and no action is required
bkAgreeRenew=Agree to renew
1 change: 1 addition & 0 deletions support-files/i18n/auth/message_zh_CN.properties
Expand Up @@ -89,6 +89,7 @@
2121094=由于您不是该交接申请单的审批人,无法进行任何操作
2121095=该交接申请单正在被处理中,请耐心等待
2121096=交接操作不合法,用户没有对应授权的权限
2121097=由于直接退出用户组,会导致授权失效,必须进行用户组移交

bkAdministratorNotExpired=权限还未过期,不需要操作
bkAgreeRenew=同意续期
