fix the potential permission issue with assigning app roles (#2629)

bce744df · Jason Song · GitHub · d42331e6 · bce744df · bce744df
Commit bce744df authored Oct 01, 2019 by Jason Song Committed by GitHub Oct 01, 2019
2 changed files
--- a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
+++ b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java
@@ -137,6 +137,8 @@ public class PermissionValidator {
  public boolean hasManageAppMasterPermission(String appId) {
    // the manage app master permission might not be initialized, so we need to check isSuperAdmin first
    return isSuperAdmin() ||
-            systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId);
+        (hasAssignRolePermission(appId) &&
+         systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId)
+        );
  }
 }
--- a/apollo-portal/src/main/resources/static/app.html
+++ b/apollo-portal/src/main/resources/static/app.html
@@ -63,7 +63,7 @@
                            应用负责人</label>
                        <div class="col-sm-6 J_ownerSelectorPanel">
                            <apollouserselector apollo-id="'ownerSelector'"  disabled="isOpenManageAppMasterRoleLimit"></apollouserselector>
-                            <small style="color: maroon" ng-if="isOpenManageAppMasterRoleLimit">(开启应用管理员添加限制后，应用负责人和项目管理员默认为本账号，不可选择)</small>
+                            <small style="color: maroon" ng-if="isOpenManageAppMasterRoleLimit">(开启项目管理员分配权限控制后，应用负责人和项目管理员默认为本账号，不可选择)</small>
                        </div>
                    </div>