Commit 3ce56431 authored by Jason Song's avatar Jason Song Committed by GitHub

fix potential permission issue

parent 161fa850
...@@ -164,6 +164,10 @@ public class AdminServiceAPI { ...@@ -164,6 +164,10 @@ public class AdminServiceAPI {
ItemDTO.class, appId, clusterName, namespaceName, key); ItemDTO.class, appId, clusterName, namespaceName, key);
} }
public ItemDTO loadItemById(Env env, long itemId) {
return restTemplate.get(env, "items/{itemId}", ItemDTO.class, itemId);
}
public void updateItemsByChangeSet(String appId, Env env, String clusterName, String namespace, public void updateItemsByChangeSet(String appId, Env env, String clusterName, String namespace,
ItemChangeSets changeSets) { ItemChangeSets changeSets) {
restTemplate.post(env, "apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/itemset", restTemplate.post(env, "apps/{appId}/clusters/{clusterName}/namespaces/{namespaceName}/itemset",
......
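Review bot: The new AdminServiceAPI.loadItemById resolves an item purely by its global id — the path `items/{itemId}` carries no app, cluster or namespace — so nothing in this call ties the returned item to the namespace a caller was authorized for, and that binding has to be enforced by every caller. A Javadoc line would make the contract explicit: `/** Loads an item by its global id; the lookup is not namespace-scoped, so callers enforcing namespace permissions must compare item.getNamespaceId() with the authorized namespace. */`. The enclosing class continues outside the hunk.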
...@@ -2,6 +2,7 @@ package com.ctrip.framework.apollo.portal.controller; ...@@ -2,6 +2,7 @@ package com.ctrip.framework.apollo.portal.controller;
import com.ctrip.framework.apollo.common.dto.ItemChangeSets; import com.ctrip.framework.apollo.common.dto.ItemChangeSets;
import com.ctrip.framework.apollo.common.dto.ItemDTO; import com.ctrip.framework.apollo.common.dto.ItemDTO;
import com.ctrip.framework.apollo.common.dto.NamespaceDTO;
import com.ctrip.framework.apollo.common.exception.BadRequestException; import com.ctrip.framework.apollo.common.exception.BadRequestException;
import com.ctrip.framework.apollo.core.enums.ConfigFileFormat; import com.ctrip.framework.apollo.core.enums.ConfigFileFormat;
import com.ctrip.framework.apollo.core.enums.Env; import com.ctrip.framework.apollo.core.enums.Env;
...@@ -12,6 +13,7 @@ import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel; ...@@ -12,6 +13,7 @@ import com.ctrip.framework.apollo.portal.entity.model.NamespaceTextModel;
import com.ctrip.framework.apollo.portal.entity.vo.ItemDiffs; import com.ctrip.framework.apollo.portal.entity.vo.ItemDiffs;
import com.ctrip.framework.apollo.portal.entity.vo.NamespaceIdentifier; import com.ctrip.framework.apollo.portal.entity.vo.NamespaceIdentifier;
import com.ctrip.framework.apollo.portal.service.ItemService; import com.ctrip.framework.apollo.portal.service.ItemService;
import com.ctrip.framework.apollo.portal.service.NamespaceService;
import com.ctrip.framework.apollo.portal.spi.UserInfoHolder; import com.ctrip.framework.apollo.portal.spi.UserInfoHolder;
import org.springframework.beans.factory.config.YamlPropertiesFactoryBean; import org.springframework.beans.factory.config.YamlPropertiesFactoryBean;
import org.springframework.core.io.ByteArrayResource; import org.springframework.core.io.ByteArrayResource;
...@@ -38,13 +40,16 @@ import static com.ctrip.framework.apollo.common.utils.RequestPrecondition.checkM ...@@ -38,13 +40,16 @@ import static com.ctrip.framework.apollo.common.utils.RequestPrecondition.checkM
public class ItemController { public class ItemController {
private final ItemService configService; private final ItemService configService;
private final NamespaceService namespaceService;
private final UserInfoHolder userInfoHolder; private final UserInfoHolder userInfoHolder;
private final PermissionValidator permissionValidator; private final PermissionValidator permissionValidator;
public ItemController(final ItemService configService, final UserInfoHolder userInfoHolder, final PermissionValidator permissionValidator) { public ItemController(final ItemService configService, final UserInfoHolder userInfoHolder,
final PermissionValidator permissionValidator, final NamespaceService namespaceService) {
this.configService = configService; this.configService = configService;
this.userInfoHolder = userInfoHolder; this.userInfoHolder = userInfoHolder;
this.permissionValidator = permissionValidator; this.permissionValidator = permissionValidator;
this.namespaceService = namespaceService;
} }
@PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)") @PreAuthorize(value = "@permissionValidator.hasModifyNamespacePermission(#appId, #namespaceName, #env)")
...@@ -99,9 +104,14 @@ public class ItemController { ...@@ -99,9 +104,14 @@ public class ItemController {
public void deleteItem(@PathVariable String appId, @PathVariable String env, public void deleteItem(@PathVariable String appId, @PathVariable String env,
@PathVariable String clusterName, @PathVariable String namespaceName, @PathVariable String clusterName, @PathVariable String namespaceName,
@PathVariable long itemId) { @PathVariable long itemId) {
if (itemId <= 0) { ItemDTO item = configService.loadItemById(Env.fromString(env), itemId);
throw new BadRequestException("item id invalid"); NamespaceDTO namespace = namespaceService.loadNamespaceBaseInfo(appId, Env.fromString(env), clusterName, namespaceName);
// In case someone constructs an attack scenario
if (item.getNamespaceId() != namespace.getId()) {
throw new BadRequestException("Invalid request, item and namespace do not match!");
} }
configService.deleteItem(Env.valueOf(env), itemId, userInfoHolder.getUser().getUserId()); configService.deleteItem(Env.valueOf(env), itemId, userInfoHolder.getUser().getUserId());
} }
......
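Review bot: In deleteItem the same path variable is now parsed three times with two different methods — `Env.fromString(env)` for the two new lookups and `Env.valueOf(env)` for the delete — so an unrecognised value can fail in two different ways depending on which call sees it first. Parse once at the top, `Env environment = Env.fromString(env);`, and pass `environment` to loadItemById, loadNamespaceBaseInfo and deleteItem. The guard `item.getNamespaceId() != namespace.getId()` is only correct if both getters return primitive `long`; if either returns a boxed `Long`, `!=` compares references and can reject equal ids, so this is worth confirming against the DTOs (or comparing via `Objects.equals`). The comment above the check would be more useful as `// itemId is a global id, so make sure the item belongs to the namespace the caller was authorized for`. deleteItem's annotations and the rest of the class lie outside the hunk.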
...@@ -67,6 +67,14 @@ public class FavoriteService { ...@@ -67,6 +67,14 @@ public class FavoriteService {
throw new BadRequestException("user id and app id can't be empty at the same time"); throw new BadRequestException("user id and app id can't be empty at the same time");
} }
if (!isUserIdEmpty) {
UserInfo loginUser = userInfoHolder.getUser();
//user can only search his own favorite app
if (!Objects.equals(loginUser.getUserId(), userId)) {
userId = loginUser.getUserId();
}
}
//search by userId //search by userId
if (isAppIdEmpty && !isUserIdEmpty) { if (isAppIdEmpty && !isUserIdEmpty) {
return favoriteRepository.findByUserIdOrderByPositionAscDataChangeCreatedTimeAsc(userId, page); return favoriteRepository.findByUserIdOrderByPositionAscDataChangeCreatedTimeAsc(userId, page);
......
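Review bot: The new block in the favorites search silently swaps a caller-supplied userId for the logged-in user's id, so a request for another user's favorites succeeds with different data rather than surfacing as a rejected or logged event; a warn-level log at the override point, e.g. `log.warn("favorite search for user {} forced to login user {}", userId, loginUser.getUserId());` if the class has a logger, would give operators a detection signal. As written the inner `Objects.equals` test is redundant — assigning `userId = loginUser.getUserId();` unconditionally leaves the same state — so either drop the test or keep it only to gate the log. The enclosing method and the isUserIdEmpty/isAppIdEmpty computation start outside the hunk.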
...@@ -114,6 +114,14 @@ public class ItemService { ...@@ -114,6 +114,14 @@ public class ItemService {
return itemAPI.loadItem(env, appId, clusterName, namespaceName, key); return itemAPI.loadItem(env, appId, clusterName, namespaceName, key);
} }
public ItemDTO loadItemById(Env env, long itemId) {
ItemDTO item = itemAPI.loadItemById(env, itemId);
if (item == null) {
throw new BadRequestException("item not found for itemId " + itemId);
}
return item;
}
public void syncItems(List<NamespaceIdentifier> comparedNamespaces, List<ItemDTO> sourceItems) { public void syncItems(List<NamespaceIdentifier> comparedNamespaces, List<ItemDTO> sourceItems) {
List<ItemDiffs> itemDiffs = compare(comparedNamespaces, sourceItems); List<ItemDiffs> itemDiffs = compare(comparedNamespaces, sourceItems);
for (ItemDiffs itemDiff : itemDiffs) { for (ItemDiffs itemDiff : itemDiffs) {
......
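Review bot: ItemService.loadItemById only converts a null result into BadRequestException; if `itemAPI.loadItemById` (backed by restTemplate.get in AdminServiceAPI) reports a missing id by throwing rather than returning null, this branch never runs and the controller sees a different error type, so it is worth confirming how a not-found response comes back from the admin service. The method also lacks documentation; a Javadoc would state its contract: `/** Loads an item by its global id in the given env. @throws BadRequestException if no item exists for itemId */`. The enclosing class continues outside the hunk.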