feat: add permission control for business directory

leebrouse · leebrouse · commit 46378e983ec5 · 2026-04-17T17:05:48.000+08:00
Signed-off-by: YuTang Song &lt;2313186065@qq.com&gt;
diff --git a/pkg/cli/upgradeassistant/cmd/migrate/430.go b/pkg/cli/upgradeassistant/cmd/migrate/430.go
@@ -25,10 +25,26 @@ import (
 	"github.com/koderover/zadig/v2/pkg/microservice/user/core/repository"
 	usermodels "github.com/koderover/zadig/v2/pkg/microservice/user/core/repository/models"
 	"github.com/koderover/zadig/v2/pkg/microservice/user/core/repository/orm"
+	permissionservice "github.com/koderover/zadig/v2/pkg/microservice/user/core/service/permission"
 	"github.com/koderover/zadig/v2/pkg/setting"
 	internalhandler "github.com/koderover/zadig/v2/pkg/shared/handler"
+	pkgtypes "github.com/koderover/zadig/v2/pkg/types"
 )
 
+type permissionActionSeed430 struct {
+	Name     string
+	Action   string
+	Resource string
+	Scope    int
+}
+
+var businessDirectoryActionSeeds430 = []permissionActionSeed430{
+	{Name: "查看", Action: permissionservice.VerbGetBusinessDirectory, Resource: "BusinessDirectory", Scope: pkgtypes.DBSystemScope},
+	{Name: "新建", Action: permissionservice.VerbCreateBusinessDirectory, Resource: "BusinessDirectory", Scope: pkgtypes.DBSystemScope},
+	{Name: "编辑", Action: permissionservice.VerbEditBusinessDirectory, Resource: "BusinessDirectory", Scope: pkgtypes.DBSystemScope},
+	{Name: "删除", Action: permissionservice.VerbDeleteBusinessDirectory, Resource: "BusinessDirectory", Scope: pkgtypes.DBSystemScope},
+}
+
 func init() {
 	upgradepath.RegisterHandler("4.2.1", "4.3.0", V421ToV430)
 	upgradepath.RegisterHandler("4.3.0", "4.2.1", V430ToV421)
@@ -90,6 +106,16 @@ func migrateGlobalReadOnlyRole(_ *internalhandler.Context, migrationInfo *intern
 	if err != nil {
 		return err
 	}
+	// Ensure business-directory actions exist for upgraded instances.
+	if err := ensureBusinessDirectoryActions430(); err != nil {
+		return err
+	}
+	// Fallback backfill:
+	// - if a role already has get_business_directory, append create/edit/delete
+	// - otherwise append the full business-directory action set.
+	if err := backfillBusinessDirectoryRolePermissions430(); err != nil {
+		return err
+	}
 
 	_ = internalmongodb.NewMigrationColl().UpdateMigrationStatus(migrationInfo.ID, map[string]interface{}{
 		getMigrationFieldBsonTag(migrationInfo, &migrationInfo.Migration430GlobalReadOnlyRole): true,
@@ -98,6 +124,136 @@ func migrateGlobalReadOnlyRole(_ *internalhandler.Context, migrationInfo *intern
 	return nil
 }
 
+func ensureBusinessDirectoryActions430() error {
+	tx := repository.DB.Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("failed to begin tx for business directory action migration, err: %s", tx.Error)
+	}
+
+	for _, seed := range businessDirectoryActionSeeds430 {
+		action, err := orm.GetActionByVerb(seed.Action, tx)
+		if err != nil {
+			tx.Rollback()
+			return fmt.Errorf("failed to query action %s, err: %s", seed.Action, err)
+		}
+		if action != nil && action.ID != 0 {
+			continue
+		}
+
+		action = &usermodels.Action{
+			Name:     seed.Name,
+			Action:   seed.Action,
+			Resource: seed.Resource,
+			Scope:    seed.Scope,
+		}
+		if err := orm.CreateAction(action, tx); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("failed to create action %s, err: %s", seed.Action, err)
+		}
+	}
+
+	if err := tx.Commit().Error; err != nil {
+		return fmt.Errorf("failed to commit business directory action migration tx, err: %s", err)
+	}
+	return nil
+}
+
+// backfillBusinessDirectoryRolePermissions430 provides a migration fallback for
+// historical system roles:
+// 1) If a role already has get_business_directory, only append write verbs.
+// 2) If a role does not have get_business_directory, append the full set.
+// global-read-only role is skipped to keep readonly semantics.
+func backfillBusinessDirectoryRolePermissions430() error {
+	tx := repository.DB.Begin()
+	if tx.Error != nil {
+		return fmt.Errorf("failed to begin tx for business directory permission backfill, err: %s", tx.Error)
+	}
+
+	actionIDMap := make(map[string]uint, len(businessDirectoryActionSeeds430))
+	for _, seed := range businessDirectoryActionSeeds430 {
+		action, err := orm.GetActionByVerb(seed.Action, tx)
+		if err != nil {
+			tx.Rollback()
+			return fmt.Errorf("failed to query action %s for backfill, err: %s", seed.Action, err)
+		}
+		if action == nil || action.ID == 0 {
+			tx.Rollback()
+			return fmt.Errorf("action %s is missing while backfilling business directory permissions", seed.Action)
+		}
+		actionIDMap[seed.Action] = action.ID
+	}
+
+	roles, err := orm.ListRoleByNamespace(permissionservice.GeneralNamespace, tx)
+	if err != nil {
+		tx.Rollback()
+		return fmt.Errorf("failed to list system roles for business directory backfill, err: %s", err)
+	}
+
+	for _, role := range roles {
+		if role == nil || role.ID == 0 {
+			continue
+		}
+		// Keep global-read-only role as readonly.
+		if role.GlobalReadOnly {
+			continue
+		}
+
+		actions, err := orm.ListActionByRole(role.ID, tx)
+		if err != nil {
+			tx.Rollback()
+			return fmt.Errorf("failed to list actions for role %d during business directory backfill, err: %s", role.ID, err)
+		}
+
+		existingVerbs := map[string]struct{}{}
+		for _, action := range actions {
+			if action == nil {
+				continue
+			}
+			existingVerbs[action.Action] = struct{}{}
+		}
+
+		// Fallback strategy:
+		// - has get_business_directory: only backfill create/edit/delete
+		// - does not have get_business_directory: backfill get/create/edit/delete
+		targetVerbs := []string{
+			permissionservice.VerbGetBusinessDirectory,
+			permissionservice.VerbCreateBusinessDirectory,
+			permissionservice.VerbEditBusinessDirectory,
+			permissionservice.VerbDeleteBusinessDirectory,
+		}
+		if _, hasGet := existingVerbs[permissionservice.VerbGetBusinessDirectory]; hasGet {
+			targetVerbs = []string{
+				permissionservice.VerbCreateBusinessDirectory,
+				permissionservice.VerbEditBusinessDirectory,
+				permissionservice.VerbDeleteBusinessDirectory,
+			}
+		}
+
+		missingActionIDs := make([]uint, 0)
+		for _, verb := range targetVerbs {
+			if _, ok := existingVerbs[verb]; ok {
+				continue
+			}
+			if actionID, ok := actionIDMap[verb]; ok {
+				missingActionIDs = append(missingActionIDs, actionID)
+			}
+		}
+
+		if len(missingActionIDs) == 0 {
+			continue
+		}
+		if err := orm.BulkCreateRoleActionBindings(role.ID, missingActionIDs, tx); err != nil {
+			tx.Rollback()
+			return fmt.Errorf("failed to backfill business directory permissions for role %d, err: %s", role.ID, err)
+		}
+	}
+
+	if err := tx.Commit().Error; err != nil {
+		return fmt.Errorf("failed to commit business directory permission backfill tx, err: %s", err)
+	}
+	return nil
+}
+
 // backfill global read only role
 func backfillGlobalReadOnlyRole() error {
 	tx := repository.DB.Begin()
diff --git a/pkg/microservice/aslan/core/application/handler/application.go b/pkg/microservice/aslan/core/application/handler/application.go
@@ -39,6 +39,10 @@ func CreateApplication(c *gin.Context) {
 		ctx.UnAuthorized = true
 		return
 	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.Create {
+		ctx.UnAuthorized = true
+		return
+	}
 	args := new(commonmodels.Application)
 	data, _ := c.GetRawData()
 	c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
@@ -58,6 +62,11 @@ func BulkCreateApplications(c *gin.Context) {
 		return
 	}
 
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.Create {
+		ctx.UnAuthorized = true
+		return
+	}
+
 	var args []*commonmodels.Application
 	data, _ := c.GetRawData()
 	c.Request.Body = io.NopCloser(bytes.NewBuffer(data))
@@ -74,8 +83,17 @@ func BulkCreateApplications(c *gin.Context) {
 }
 
 func GetApplication(c *gin.Context) {
-	ctx := internalhandler.NewContext(c)
+	ctx, err := internalhandler.NewContextWithAuthorization(c)
 	defer func() { internalhandler.JSONResponse(c, ctx) }()
+	if err != nil {
+		ctx.RespErr = fmt.Errorf("authorization Info Generation failed: err %s", err)
+		ctx.UnAuthorized = true
+		return
+	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.View {
+		ctx.UnAuthorized = true
+		return
+	}
 	ctx.Resp, ctx.RespErr = service.GetApplication(c.Param("id"), ctx.Logger)
 }
 
@@ -87,6 +105,10 @@ func UpdateApplication(c *gin.Context) {
 		ctx.UnAuthorized = true
 		return
 	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.Edit {
+		ctx.UnAuthorized = true
+		return
+	}
 	args := new(commonmodels.Application)
 	data, _ := c.GetRawData()
 	if err := json.Unmarshal(data, args); err != nil {
@@ -104,12 +126,25 @@ func DeleteApplication(c *gin.Context) {
 		ctx.UnAuthorized = true
 		return
 	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.Delete {
+		ctx.UnAuthorized = true
+		return
+	}
 	ctx.RespErr = service.DeleteApplication(c.Param("id"), ctx.Logger)
 }
 
 func SearchApplications(c *gin.Context) {
-	ctx := internalhandler.NewContext(c)
+	ctx, err := internalhandler.NewContextWithAuthorization(c)
 	defer func() { internalhandler.JSONResponse(c, ctx) }()
+	if err != nil {
+		ctx.RespErr = fmt.Errorf("authorization Info Generation failed: err %s", err)
+		ctx.UnAuthorized = true
+		return
+	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.View {
+		ctx.UnAuthorized = true
+		return
+	}
 	var req service.SearchApplicationsRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
 		ctx.RespErr = e.ErrInvalidParam.AddErr(err)
@@ -124,8 +159,17 @@ func SearchApplications(c *gin.Context) {
 }
 
 func ListApplicationEnvs(c *gin.Context) {
-	ctx := internalhandler.NewContext(c)
+	ctx, err := internalhandler.NewContextWithAuthorization(c)
 	defer func() { internalhandler.JSONResponse(c, ctx) }()
+	if err != nil {
+		ctx.RespErr = fmt.Errorf("authorization Info Generation failed: err %s", err)
+		ctx.UnAuthorized = true
+		return
+	}
+	if !ctx.Resources.IsSystemAdmin && !ctx.Resources.SystemActions.BusinessDirectory.View {
+		ctx.UnAuthorized = true
+		return
+	}
 	resp, err := service.ListApplicationEnvs(c.Param("id"), ctx.Logger)
 	if err != nil {
 		ctx.RespErr = err
diff --git a/pkg/microservice/user/core/init/action_initialization.sql b/pkg/microservice/user/core/init/action_initialization.sql
@@ -71,6 +71,9 @@ VALUES
     ("删除", "delete_release_plan", "ReleasePlan", 2),
     ("配置", "edit_config_release_plan", "ReleasePlan", 2),
     ("查看", "get_business_directory", "BusinessDirectory", 2),
+    ("新建", "create_business_directory", "BusinessDirectory", 2),
+    ("编辑", "edit_business_directory", "BusinessDirectory", 2),
+    ("删除", "delete_business_directory", "BusinessDirectory", 2),
     ("查看", "get_cluster_management", "ClusterManagement", 2),
     ("新建", "create_cluster_management", "ClusterManagement", 2),
     ("编辑", "edit_cluster_management", "ClusterManagement", 2),
diff --git a/pkg/microservice/user/core/init/dm_action_initialization.sql b/pkg/microservice/user/core/init/dm_action_initialization.sql
@@ -68,6 +68,9 @@ VALUES
     ('编辑', 'edit_release_plan', 'ReleasePlan', 2),
     ('删除', 'delete_release_plan', 'ReleasePlan', 2),
     ('查看', 'get_business_directory', 'BusinessDirectory', 2),
+    ('新建', 'create_business_directory', 'BusinessDirectory', 2),
+    ('编辑', 'edit_business_directory', 'BusinessDirectory', 2),
+    ('删除', 'delete_business_directory', 'BusinessDirectory', 2),
     ('查看', 'get_cluster_management', 'ClusterManagement', 2),
     ('新建', 'create_cluster_management', 'ClusterManagement', 2),
     ('编辑', 'edit_cluster_management', 'ClusterManagement', 2),
diff --git a/pkg/microservice/user/core/service/permission/authz.go b/pkg/microservice/user/core/service/permission/authz.go
@@ -1057,6 +1057,12 @@ func modifySystemAction(systemActions *SystemActions, verb string) {
 		systemActions.ReleasePlan.EditConfig = true
 	case VerbGetBusinessDirectory:
 		systemActions.BusinessDirectory.View = true
+	case VerbCreateBusinessDirectory:
+		systemActions.BusinessDirectory.Create = true
+	case VerbEditBusinessDirectory:
+		systemActions.BusinessDirectory.Edit = true
+	case VerbDeleteBusinessDirectory:
+		systemActions.BusinessDirectory.Delete = true
 	case VerbGetClusterManagement:
 		systemActions.ClusterManagement.View = true
 	case VerbCreateClusterManagement:
diff --git a/pkg/microservice/user/core/service/permission/types.go b/pkg/microservice/user/core/service/permission/types.go
@@ -152,7 +152,10 @@ const (
 	VerbEditHelmRepoManagement   = "edit_helmrepo_management"
 	VerbDeleteHelmRepoManagement = "delete_helmrepo_management"
 	// business directory
-	VerbGetBusinessDirectory = "get_business_directory"
+	VerbGetBusinessDirectory    = "get_business_directory"
+	VerbCreateBusinessDirectory = "create_business_directory"
+	VerbEditBusinessDirectory   = "edit_business_directory"
+	VerbDeleteBusinessDirectory = "delete_business_directory"
 	// dbinstance management
 	VerbGetDBInstanceManagement    = "get_dbinstance_management"
 	VerbCreateDBInstanceManagement = "create_dbinstance_management"
@@ -345,7 +348,10 @@ type ReleasePlanActions struct {
 }
 
 type BusinessDirectoryActions struct {
-	View bool
+	View       bool
+	Create     bool
+	Edit bool
+	Delete     bool
 }
 
 type ClusterManagementActions struct {
diff --git a/pkg/shared/client/user/user_auth.go b/pkg/shared/client/user/user_auth.go
@@ -178,6 +178,10 @@ type ReleasePlanActions struct {
 
 type BusinessDirectoryActions struct {
 	View bool
+	// Edit business directory metadata/configuration.
+	Edit bool
+	Create     bool
+	Delete     bool
 }
 
 type ClusterManagementActions struct {

Original file line number	Diff line number	Diff line change
`@@ -178,6 +178,10 @@ type ReleasePlanActions struct {`
`178`	`178`
`179`	`179`	`type BusinessDirectoryActions struct {`
`180`	`180`	`View bool`
	`181`	`+ // Edit business directory metadata/configuration.`
	`182`	`+ Edit bool`
	`183`	`+ Create bool`
	`184`	`+ Delete bool`
`181`	`185`	`}`
`182`	`186`
`183`	`187`	`type ClusterManagementActions struct {`