Skip to content

A
apollo
Commit 3ce56431 authored by Jason Song's avatar Jason Song Committed by GitHub
Browse files
Options

fix potential permission issue

parent 161fa850
Hide whitespace changes
Inline Side-by-side
Showing with 33 additions and 3 deletions
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/api/AdminServiceAPI.java
View file @ 3ce56431
......@@ -164,6 +164,10 @@ public class AdminServiceAPI {
ItemDTO.class, appId, clusterName, namespaceName, key);
}
public ItemDTO loadItemById(Env env, long itemId) {
return restTemplate.get(env, "items/{itemId}", ItemDTO.class, itemId);
}
public void updateItemsByChangeSet(String appId, Env env, String clusterName, String namespace,
ItemChangeSets changeSets) {
restTemplate.post(env, "apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/itemset",
......
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/ItemController.java
View file @ 3ce56431
......@@ -2,6 +2,7 @@ package com.ctrip.framework.apollo.portal.controller;
import com.ctrip.framework.apollo.common.dto.ItemChangeSets;
import com.ctrip.framework.apollo.common.dto.ItemDTO;
import com.ctrip.framework.apollo.common.dto.NamespaceDTO;
import com.ctrip.framework.apollo.common.exception.BadRequestException;
import com.ctrip.framework.apollo.core.enums.ConfigFileFormat;
import com.ctrip.framework.apollo.core.enums.Env;
......@@ -12,6 +13,7 @@ import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel;
import com.ctrip.framework.apollo.portal.entity.vo.ItemDiffs;
import com.ctrip.framework.apollo.portal.entity.vo.NamespaceIdentifier;
import com.ctrip.framework.apollo.portal.service.ItemService;
import com.ctrip.framework.apollo.portal.service.NamespaceService;
import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
import org.springframework.core.io.ByteArrayResource;
......@@ -38,13 +40,16 @@ import static com.ctrip.framework.apollo.common.utils.RequestPrecondition.checkM
public class ItemController {
private final ItemService configService;
private final NamespaceService namespaceService;
private final UserInfoHolder userInfoHolder;
private final PermissionValidator permissionValidator;
public ItemController(final ItemService configService, final UserInfoHolder userInfoHolder, final PermissionValidator permissionValidator) {
public ItemController(final ItemService configService, final UserInfoHolder userInfoHolder,
final PermissionValidator permissionValidator, final NamespaceService namespaceService) {
this.configService = configService;
this.userInfoHolder = userInfoHolder;
this.permissionValidator = permissionValidator;
this.namespaceService = namespaceService;
}
@PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
......@@ -99,9 +104,14 @@ public class ItemController {
public void deleteItem(@PathVariable String appId, @PathVariable String env,
@PathVariable String clusterName, @PathVariable String namespaceName,
@PathVariable long itemId) {
if (itemId <= 0) {
throw new BadRequestException("item id invalid");
ItemDTO item = configService.loadItemById(Env.fromString(env), itemId);
NamespaceDTO namespace = namespaceService.loadNamespaceBaseInfo(appId, Env.fromString(env), clusterName, namespaceName);
// In case someone constructs an attack scenario
if (item.getNamespaceId() != namespace.getId()) {
throw new BadRequestException("Invalid request, item and namespace do not match!");
}
configService.deleteItem(Env.valueOf(env), itemId, userInfoHolder.getUser().getUserId());
}
......
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/FavoriteService.java
View file @ 3ce56431
......@@ -67,6 +67,14 @@ public class FavoriteService {
throw new BadRequestException("user id and app id can't be empty at the same time");
}
if (!isUserIdEmpty) {
UserInfo loginUser = userInfoHolder.getUser();
//user can only search his own favorite app
if (!Objects.equals(loginUser.getUserId(), userId)) {
userId = loginUser.getUserId();
}
}
//search by userId
if (isAppIdEmpty && !isUserIdEmpty) {
return favoriteRepository.findByUserIdOrderByPositionAscDataChangeCreatedTimeAsc(userId, page);
......
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/service/ItemService.java
View file @ 3ce56431
......@@ -114,6 +114,14 @@ public class ItemService {
return itemAPI.loadItem(env, appId, clusterName, namespaceName, key);
}
public ItemDTO loadItemById(Env env, long itemId) {
ItemDTO item = itemAPI.loadItemById(env, itemId);
if (item == null) {
throw new BadRequestException("item not found for itemId " + itemId);
}
return item;
}
public void syncItems(List<NamespaceIdentifier> comparedNamespaces, List<ItemDTO> sourceItems) {
List<ItemDiffs> itemDiffs = compare(comparedNamespaces, sourceItems);
for (ItemDiffs itemDiff : itemDiffs) {
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment