feat：用户个人视角权限管理优化 #11138

TencentBlueKing · Dec 9, 2024 · 9b4c44d · 9b4c44d
1 parent 27ba337
commit 9b4c44d
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 12 deletions.
diff --git a/...ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt b/...ci/core/auth/api-auth/src/main/kotlin/com/tencent/devops/auth/constant/AuthMessageCode.kt
@@ -148,6 +148,6 @@ object AuthMessageCode {
     const val ERROR_HANDOVER_REVOKE = "2121093" // 由于您不是该交接申请单的发起人，无法进行撤销操作
     const val ERROR_HANDOVER_APPROVAL = "2121094" // 由于您不是该交接申请单的审批人，无法进行任何操作
     const val ERROR_HANDOVER_HANDLE = "2121095" // 该交接申请单正在被处理中，请耐心等待
-    const val ERROR_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法，用户没有对应授权的权限
+    const val ERROR_REPERTORY_HANDOVER_AUTHORIZATION = "2121096" // 交接操作不合法，用户没有对应代码库授权的权限
     const val ERROR_SINGLE_GROUP_REMOVE = "2121098" // 由于直接退出用户组，会导致授权失效，必须进行用户组移交
 }
diff --git a/...com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt b/...com/tencent/devops/auth/provider/rbac/service/RbacPermissionHandoverApplicationService.kt
@@ -66,8 +66,7 @@ class RbacPermissionHandoverApplicationService(
         return I18nUtil.getCodeLanMessage(messageCode = AuthI18nConstants.BK_APPLY_TO_HANDOVER).let {
             when {
                 groupCount > 0 && authorizationCount > 0 -> {
-                    it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",")
-                    it.plus(
+                    it.plus(I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_GROUPS, params = arrayOf(groupCount.toString()))).plus(",").plus(
                         I18nUtil.getCodeLanMessage(AuthI18nConstants.BK_HANDOVER_AUTHORIZATIONS, params = arrayOf(authorizationCount.toString()))
                     )
                 }

diff --git a/...in/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt b/...in/com/tencent/devops/auth/provider/rbac/service/RbacPermissionManageFacadeServiceImpl.kt
@@ -712,7 +712,7 @@ class RbacPermissionManageFacadeServiceImpl(
                     ).second
                 )
             }.map { it.iamGroupId }
-            logger.debug("list user groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups)
+            logger.debug("list pipeline and project groups joined after operated groups:{}", userGroupsJoinedAfterOperatedGroups)
             // 3.查询未退出的流水线/项目级别的用户组中是否包含项目级别的流水线执行权限。
             // 查询用户在未退出的用户组中否还有整个项目的流水线执行权限。若有的话，则对流水线的代持人权限未造成影响。
             val hasAllPipelineExecutePermAfterOperateGroups = groupPermissionService.isGroupsHasProjectLevelPermission(
@@ -817,9 +817,10 @@ class RbacPermissionManageFacadeServiceImpl(
             onlyExcludeUserDirectlyJoined = true,
             operateChannel = OperateChannel.PERSONAL
         )
-
+        logger.debug("list all user groups joined after operated groups:{}|{}", count, records)
         // 如果退出/交接了项目下所有组，直接返回用户无效代码库oauth列表
         if (count == 0L) {
+            logger.debug("The user has removed/handover all user groups")
             return authAuthorizationDao.list(
                 dslContext = dslContext,
                 condition = ResourceAuthorizationConditionRequest(
@@ -838,11 +839,15 @@ class RbacPermissionManageFacadeServiceImpl(
             relatedResourceCode = projectCode,
             action = ActionId.PROJECT_VISIT
         )
-
+        logger.debug("whether the user has project visit perm after operated groups {}", isHasProjectVisitPermOperatedGroups)
         // 如果有访问权限，返回空列表，否则直接返回用户无效代码库oauth列表
         return if (isHasProjectVisitPermOperatedGroups) {
             emptyList()
         } else {
+            logger.debug(
+                "user does not have perm to visit the project after operated groups|{}|{}|{}",
+                projectCode, memberId, iamGroupIds
+            )
             authAuthorizationDao.list(
                 dslContext = dslContext,
                 condition = ResourceAuthorizationConditionRequest(
@@ -1357,7 +1362,7 @@ class RbacPermissionManageFacadeServiceImpl(
         targetMember: ResourceMemberInfo
     ): Boolean {
         logger.info("delete single group members from personal:$userId|$targetMember|$projectCode|$groupId")
-        if (targetMember.type == MemberType.USER.type){
+        if (targetMember.type == MemberType.USER.type) {
             // 获取导致流水线代持人权限受到影响的用户组及流水线
             val (invalidGroups, invalidPipelines, invalidRepertoryIds) =
                 listInvalidAuthorizationsAfterOperatedGroups(

diff --git a/...uth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt b/...uth/src/main/kotlin/com/tencent/devops/auth/service/PermissionAuthorizationServiceImpl.kt
@@ -3,7 +3,7 @@ package com.tencent.devops.auth.service
 import com.tencent.bk.sdk.iam.constants.ManagerScopesEnum
 import com.tencent.devops.auth.constant.AuthI18nConstants
 import com.tencent.devops.auth.constant.AuthMessageCode
-import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_HANDOVER_AUTHORIZATION
+import com.tencent.devops.auth.constant.AuthMessageCode.ERROR_REPERTORY_HANDOVER_AUTHORIZATION
 import com.tencent.devops.auth.dao.AuthAuthorizationDao
 import com.tencent.devops.auth.pojo.dto.HandoverDetailDTO
 import com.tencent.devops.auth.pojo.dto.HandoverOverviewCreateDTO
@@ -297,7 +297,7 @@ class PermissionAuthorizationServiceImpl(
             condition = finalCondition
         )
         if (!handoverResult[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty()) {
-            throw ErrorCodeException(errorCode = ERROR_HANDOVER_AUTHORIZATION)
+            throw ErrorCodeException(errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION)
         }
         val resourceAuthorizationList = getResourceAuthorizationList(condition = finalCondition)
         val authorizationCount = resourceAuthorizationList.size
@@ -394,7 +394,7 @@ class PermissionAuthorizationServiceImpl(
         )[ResourceAuthorizationHandoverStatus.FAILED].isNullOrEmpty()
         if (!canHandoverRepertory) {
             throw ErrorCodeException(
-                errorCode = ERROR_HANDOVER_AUTHORIZATION
+                errorCode = ERROR_REPERTORY_HANDOVER_AUTHORIZATION
             )
         }
     }

diff --git a/support-files/i18n/auth/message_zh_CN.properties b/support-files/i18n/auth/message_zh_CN.properties
@@ -88,7 +88,7 @@
 2121093=由于您不是该交接申请单的发起人，无法进行撤销操作
 2121094=由于您不是该交接申请单的审批人，无法进行任何操作
 2121095=该交接申请单正在被处理中，请耐心等待
-2121096=交接操作不合法，用户没有对应授权的权限
+2121096=交接操作不合法，用户没有对应代码库授权的权限，请交接完代码库授权后再进行重试。
 2121098=由于直接退出用户组，会导致授权失效，必须进行用户组移交
 
 bkAdministratorNotExpired=权限还未过期，不需要操作
@@ -343,7 +343,6 @@ rule.resourceType.name=质量红线规则
 bkMemberExpiredAtDisplayExpired=已过期
 bkMemberExpiredAtDisplayNormal={0} 天
 bkMemberExpiredAtDisplayPermanent=永久
-
 bkApplyToHandover=申请移交
 bkHandoverGroups={0}个权限用户组
 bkHandoverAuthorizations={0}个授权