Merge pull request #314 from actiontech/support_issue_288

jessun · web-flow · commit 945eecec18dc · 2022-02-18T19:47:21.000+08:00
support workflow operation permission
diff --git a/sqle/api/controller/v1/task.go b/sqle/api/controller/v1/task.go
@@ -216,10 +216,18 @@ func checkCurrentUserCanAccessTask(c echo.Context, task *model.Task) error {
 	if err != nil {
 		return err
 	}
-	if !access {
-		return ErrTaskNoAccess
+	if access {
+		return nil
+	}
+
+	ok, err := s.CheckUserHasOpToInstance(user, task.Instance, []uint{model.OP_WORKFLOW_VIEW_OTHERS})
+	if err != nil {
+		return err
+	}
+	if ok {
+		return nil
 	}
-	return nil
+	return ErrTaskNoAccess
 }
 
 // @Summary 获取Sql审核任务信息
diff --git a/sqle/api/controller/v1/workflow.go b/sqle/api/controller/v1/workflow.go
@@ -2,11 +2,12 @@ package v1
 
 import (
 	"fmt"
-	"github.com/actiontech/sqle/sqle/driver"
 	"net/http"
 	"strconv"
 	"time"
 
+	"github.com/actiontech/sqle/sqle/driver"
+
 	"github.com/actiontech/sqle/sqle/api/controller"
 	"github.com/actiontech/sqle/sqle/errors"
 	"github.com/actiontech/sqle/sqle/log"
@@ -609,7 +610,7 @@ type WorkflowStepResV1 struct {
 	Reason        string     `json:"reason,omitempty"`
 }
 
-func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow) error {
+func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow, ops []uint) error {
 	if controller.GetUserName(c) == model.DefaultAdminUser {
 		return nil
 	}
@@ -622,10 +623,23 @@ func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow)
 	if err != nil {
 		return err
 	}
-	if !access {
-		return ErrWorkflowNoAccess
+	if access {
+		return nil
 	}
-	return nil
+	if len(ops) > 0 {
+		instance, err := s.GetInstanceByWorkflowID(workflow.ID)
+		if err != nil {
+			return err
+		}
+		ok, err := s.CheckUserHasOpToInstance(user, instance, ops)
+		if err != nil {
+			return err
+		}
+		if ok {
+			return nil
+		}
+	}
+	return ErrWorkflowNoAccess
 }
 
 func convertWorkflowToRes(workflow *model.Workflow, task *model.Task) *WorkflowResV1 {
@@ -763,7 +777,7 @@ func GetWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{model.OP_WORKFLOW_VIEW_OTHERS})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -904,7 +918,7 @@ func GetWorkflows(c echo.Context) error {
 		"offset":                                 offset,
 	}
 	s := model.GetStorage()
-	workflows, count, err := s.GetWorkflowsByReq(data)
+	workflows, count, err := s.GetWorkflowsByReq(data, user)
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -970,7 +984,7 @@ func ApproveWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1052,7 +1066,7 @@ func RejectWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1116,7 +1130,7 @@ func CancelWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1227,7 +1241,7 @@ func UpdateWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1354,7 +1368,7 @@ func UpdateWorkflowSchedule(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
@@ -1415,7 +1429,7 @@ func ExecuteTaskOnWorkflow(c echo.Context) error {
 	}
 	err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{
 		Model: model.Model{ID: uint(id)},
-	})
+	}, []uint{})
 	if err != nil {
 		return controller.JSONBaseErrorReq(c, err)
 	}
diff --git a/sqle/errors/errors.go b/sqle/errors/errors.go
@@ -12,6 +12,8 @@ const (
 
 	HttpRequestFormatError ErrorCode = 2001
 
+	ErrAccessDeniedError ErrorCode = 3001
+
 	LoginAuthFail     ErrorCode = 4001
 	UserDisabled      ErrorCode = 4005
 	TaskNotExist      ErrorCode = 4006
@@ -94,3 +96,7 @@ func HttpRequestFormatErrWrapper(err error) error {
 func ConnectStorageErrWrapper(err error) error {
 	return New(ConnectStorageError, err)
 }
+
+func NewAccessDeniedErr(format string, a ...interface{}) error {
+	return New(ErrAccessDeniedError, fmt.Errorf(format, a...))
+}
diff --git a/sqle/model/instance.go b/sqle/model/instance.go
@@ -183,3 +183,146 @@ func (s *Storage) GetInstanceNamesByWorkflowTemplateId(id uint) ([]string, error
 	}
 	return names, nil
 }
+
+func (s *Storage) CheckUserHasOpToInstance(user *User, instance *Instance, ops []uint) (bool, error) {
+	query := `
+SELECT instances.id
+FROM instances
+LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+LEFT JOIN role_operations ON role_operations.role_id = roles.id
+LEFT JOIN user_role ON user_role.role_id = roles.id
+LEFT JOIN users ON users.id = user_role.user_id AND users.stat = 0
+WHERE
+instances.deleted_at IS NULL
+AND instances.id = ?
+AND users.id = ?
+AND role_operations.op_code IN (?)
+GROUP BY instances.id
+UNION
+SELECT instances.id
+FROM instances
+LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+LEFT JOIN role_operations ON role_operations.role_id = roles.id
+JOIN user_group_roles ON roles.id = user_group_roles.role_id
+JOIN user_groups ON user_groups.id = user_group_roles.user_group_id AND user_groups.deleted_at IS NULL
+JOIN user_group_users ON user_groups.id = user_group_users.user_group_id 
+JOIN users ON users.id = user_group_users.user_id AND users.deleted_at IS NULL AND users.stat=0
+WHERE 
+instances.deleted_at IS NULL
+AND instances.id = ?
+AND users.id = ?
+AND role_operations.op_code IN (?)
+GROUP BY instances.id
+`
+	var instances []*Instance
+	err := s.db.Raw(query, instance.ID, user.ID, ops, instance.ID, user.ID, ops).Scan(&instances).Error
+	if err != nil {
+		return false, errors.ConnectStorageErrWrapper(err)
+	}
+	return len(instances) > 0, nil
+}
+
+func (s *Storage) GetUserCanOpInstances(user *User, ops []uint) (instances []*Instance, err error) {
+	query := `
+SELECT instances.id
+FROM instances
+LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+LEFT JOIN role_operations ON role_operations.role_id = roles.id
+LEFT JOIN user_role ON user_role.role_id = roles.id
+LEFT JOIN users ON users.id = user_role.user_id AND users.stat = 0
+WHERE
+instances.deleted_at IS NULL
+AND users.id = ?
+AND role_operations.op_code IN (?)
+GROUP BY instances.id
+UNION
+SELECT instances.id
+FROM instances
+LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+LEFT JOIN role_operations ON role_operations.role_id = roles.id
+JOIN user_group_roles ON roles.id = user_group_roles.role_id
+JOIN user_groups ON user_groups.id = user_group_roles.user_group_id AND user_groups.deleted_at IS NULL
+JOIN user_group_users ON user_groups.id = user_group_users.user_group_id 
+JOIN users ON users.id = user_group_users.user_id AND users.deleted_at IS NULL AND users.stat=0
+WHERE 
+instances.deleted_at IS NULL
+AND users.id = ?
+AND role_operations.op_code IN (?)
+GROUP BY instances.id
+`
+	err = s.db.Raw(query, user.ID, ops, user.ID, ops).Scan(&instances).Error
+	if err != nil {
+		return nil, errors.ConnectStorageErrWrapper(err)
+	}
+	return
+}
+
+func getInstanceIDsFromInstances(instances []*Instance) (ids []uint) {
+	ids = make([]uint, len(instances))
+	for i := range instances {
+		ids[i] = instances[i].ID
+	}
+	return ids
+}
+
+//SELECT instances.id
+//FROM instances
+//LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+//LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+//LEFT JOIN role_operations ON role_operations.role_id = roles.id
+//LEFT JOIN user_role ON user_role.role_id = roles.id
+//LEFT JOIN users ON users.id = user_role.user_id AND users.stat = 0
+//WHERE
+//instances.deleted_at IS NULL
+//AND users.id = 5
+//AND role_operations.op_code IN (20200)
+//GROUP BY instances.id
+//UNION
+//SELECT instances.id
+//FROM instances
+//LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+//LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+//LEFT JOIN role_operations ON role_operations.role_id = roles.id
+//JOIN user_group_roles ON roles.id = user_group_roles.role_id
+//JOIN user_groups ON user_groups.id = user_group_roles.user_group_id AND user_groups.deleted_at IS NULL
+//JOIN user_group_users ON user_groups.id = user_group_users.user_group_id
+//JOIN users ON users.id = user_group_users.user_id AND users.deleted_at IS NULL AND users.stat=0
+//WHERE
+//instances.deleted_at IS NULL
+//AND users.id = 5
+//AND role_operations.op_code IN (20200)
+//GROUP BY instances.id
+
+//SELECT instances.id
+//FROM instances
+//LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+//LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+//LEFT JOIN role_operations ON role_operations.role_id = roles.id
+//LEFT JOIN user_role ON user_role.role_id = roles.id
+//LEFT JOIN users ON users.id = user_role.user_id AND users.stat = 0
+//WHERE
+//instances.deleted_at IS NULL
+//AND instances.id = 5
+//AND users.id = 4
+//AND role_operations.op_code IN (20200)
+//GROUP BY instances.id
+//UNION
+//SELECT instances.id
+//FROM instances
+//LEFT JOIN instance_role ON instance_role.instance_id = instances.id
+//LEFT JOIN roles ON roles.id = instance_role.role_id AND roles.deleted_at IS NULL AND roles.stat = 0
+//LEFT JOIN role_operations ON role_operations.role_id = roles.id
+//JOIN user_group_roles ON roles.id = user_group_roles.role_id
+//JOIN user_groups ON user_groups.id = user_group_roles.user_group_id AND user_groups.deleted_at IS NULL
+//JOIN user_group_users ON user_groups.id = user_group_users.user_group_id
+//JOIN users ON users.id = user_group_users.user_id AND users.deleted_at IS NULL AND users.stat=0
+//WHERE
+//instances.deleted_at IS NULL
+//AND instances.id = 5
+//AND users.id = 4
+//AND role_operations.op_code IN (20200)
+//GROUP BY instances.id
diff --git a/sqle/model/workflow.go b/sqle/model/workflow.go
@@ -601,3 +601,21 @@ func (s *Storage) TaskWorkflowIsRunning(taskIds []uint) (bool, error) {
 	err := s.db.Where("status = ? AND task_id IN (?)", WorkflowStatusRunning, taskIds).Find(&workflowRecords).Error
 	return len(workflowRecords) > 0, errors.New(errors.ConnectStorageError, err)
 }
+
+func (s *Storage) GetInstanceByWorkflowID(workflowID uint) (*Instance, error) {
+	query := `
+SELECT instances.id 
+FROM workflows AS w
+LEFT JOIN workflow_records AS wr ON wr.id = w.workflow_record_id
+LEFT JOIN tasks ON tasks.id = wr.task_id
+LEFT JOIN instances ON instances.id = tasks.instance_id
+WHERE 
+w.id = ?
+LIMIT 1`
+	instance := &Instance{}
+	err := s.db.Raw(query, workflowID).Scan(instance).Error
+	if err != nil {
+		return nil, errors.ConnectStorageErrWrapper(err)
+	}
+	return instance, err
+}
diff --git a/sqle/model/workflow_list.go b/sqle/model/workflow_list.go
@@ -3,6 +3,8 @@ package model
 import (
 	"database/sql"
 	"time"
+
+	"github.com/actiontech/sqle/sqle/utils"
 )
 
 type WorkflowListDetail struct {
@@ -68,9 +70,15 @@ WHERE
 w.deleted_at IS NULL 
 
 {{- if .check_user_can_access }}
-AND (w.create_user_id = :current_user_id 
+AND (
+w.create_user_id = :current_user_id 
 OR curr_ass_user.id = :current_user_id
 OR all_ass_user.id = :current_user_id
+
+{{- if .viewable_instance_ids }} 
+OR inst.id IN (:viewable_instance_ids)
+{{- end }}
+
 )
 {{- end }}
 
@@ -121,9 +129,22 @@ AND inst.name = :filter_task_instance_name
 
 `
 
-func (s *Storage) GetWorkflowsByReq(data map[string]interface{}) (
+func (s *Storage) GetWorkflowsByReq(data map[string]interface{}, user *User) (
 	result []*WorkflowListDetail, count uint64, err error) {
 
+	// get workflow ids only for user can access by OP_WORKFLOW_VIEW_OTHERS
+	var ids []uint
+	{
+		instances, err := s.GetUserCanOpInstances(user, []uint{OP_WORKFLOW_VIEW_OTHERS})
+		if err != nil {
+			return result, 0, err
+		}
+		ids = getInstanceIDsFromInstances(instances)
+	}
+	if len(ids) > 0 {
+		data["viewable_instance_ids"] = utils.JoinUintSliceToString(ids, ", ")
+	}
+
 	err = s.getListResult(workflowsQueryBodyTpl, workflowsQueryTpl, data, &result)
 	if err != nil {
 		return result, 0, err

Original file line number	Diff line number	Diff line change
`@@ -2,11 +2,12 @@ package v1`
`2`	`2`
`3`	`3`	`import (`
`4`	`4`	`"fmt"`
`5`		`- "github.com/actiontech/sqle/sqle/driver"`
`6`	`5`	`"net/http"`
`7`	`6`	`"strconv"`
`8`	`7`	`"time"`
`9`	`8`
	`9`	`+ "github.com/actiontech/sqle/sqle/driver"`
	`10`	`+`
`10`	`11`	`"github.com/actiontech/sqle/sqle/api/controller"`
`11`	`12`	`"github.com/actiontech/sqle/sqle/errors"`
`12`	`13`	`"github.com/actiontech/sqle/sqle/log"`
`@@ -609,7 +610,7 @@ type WorkflowStepResV1 struct {`
`609`	`610`	Reason string `json:"reason,omitempty"`
`610`	`611`	`}`
`611`	`612`
`612`		`-func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow) error {`
	`613`	`+func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow, ops []uint) error {`
`613`	`614`	`if controller.GetUserName(c) == model.DefaultAdminUser {`
`614`	`615`	`return nil`
`615`	`616`	`}`
`@@ -622,10 +623,23 @@ func checkCurrentUserCanAccessWorkflow(c echo.Context, workflow *model.Workflow)`
`622`	`623`	`if err != nil {`
`623`	`624`	`return err`
`624`	`625`	`}`
`625`		`- if !access {`
`626`		`- return ErrWorkflowNoAccess`
	`626`	`+ if access {`
	`627`	`+ return nil`
`627`	`628`	`}`
`628`		`- return nil`
	`629`	`+ if len(ops) > 0 {`
	`630`	`+ instance, err := s.GetInstanceByWorkflowID(workflow.ID)`
	`631`	`+ if err != nil {`
	`632`	`+ return err`
	`633`	`+ }`
	`634`	`+ ok, err := s.CheckUserHasOpToInstance(user, instance, ops)`
	`635`	`+ if err != nil {`
	`636`	`+ return err`
	`637`	`+ }`
	`638`	`+ if ok {`
	`639`	`+ return nil`
	`640`	`+ }`
	`641`	`+ }`
	`642`	`+ return ErrWorkflowNoAccess`
`629`	`643`	`}`
`630`	`644`
`631`	`645`	`func convertWorkflowToRes(workflow model.Workflow, task model.Task) *WorkflowResV1 {`
`@@ -763,7 +777,7 @@ func GetWorkflow(c echo.Context) error {`
`763`	`777`	`}`
`764`	`778`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`765`	`779`	`Model: model.Model{ID: uint(id)},`
`766`		`- })`
	`780`	`+ }, []uint{model.OP_WORKFLOW_VIEW_OTHERS})`
`767`	`781`	`if err != nil {`
`768`	`782`	`return controller.JSONBaseErrorReq(c, err)`
`769`	`783`	`}`
`@@ -904,7 +918,7 @@ func GetWorkflows(c echo.Context) error {`
`904`	`918`	`"offset": offset,`
`905`	`919`	`}`
`906`	`920`	`s := model.GetStorage()`
`907`		`- workflows, count, err := s.GetWorkflowsByReq(data)`
	`921`	`+ workflows, count, err := s.GetWorkflowsByReq(data, user)`
`908`	`922`	`if err != nil {`
`909`	`923`	`return controller.JSONBaseErrorReq(c, err)`
`910`	`924`	`}`
`@@ -970,7 +984,7 @@ func ApproveWorkflow(c echo.Context) error {`
`970`	`984`	`}`
`971`	`985`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`972`	`986`	`Model: model.Model{ID: uint(id)},`
`973`		`- })`
	`987`	`+ }, []uint{})`
`974`	`988`	`if err != nil {`
`975`	`989`	`return controller.JSONBaseErrorReq(c, err)`
`976`	`990`	`}`
`@@ -1052,7 +1066,7 @@ func RejectWorkflow(c echo.Context) error {`
`1052`	`1066`	`}`
`1053`	`1067`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`1054`	`1068`	`Model: model.Model{ID: uint(id)},`
`1055`		`- })`
	`1069`	`+ }, []uint{})`
`1056`	`1070`	`if err != nil {`
`1057`	`1071`	`return controller.JSONBaseErrorReq(c, err)`
`1058`	`1072`	`}`
`@@ -1116,7 +1130,7 @@ func CancelWorkflow(c echo.Context) error {`
`1116`	`1130`	`}`
`1117`	`1131`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`1118`	`1132`	`Model: model.Model{ID: uint(id)},`
`1119`		`- })`
	`1133`	`+ }, []uint{})`
`1120`	`1134`	`if err != nil {`
`1121`	`1135`	`return controller.JSONBaseErrorReq(c, err)`
`1122`	`1136`	`}`
`@@ -1227,7 +1241,7 @@ func UpdateWorkflow(c echo.Context) error {`
`1227`	`1241`	`}`
`1228`	`1242`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`1229`	`1243`	`Model: model.Model{ID: uint(id)},`
`1230`		`- })`
	`1244`	`+ }, []uint{})`
`1231`	`1245`	`if err != nil {`
`1232`	`1246`	`return controller.JSONBaseErrorReq(c, err)`
`1233`	`1247`	`}`
`@@ -1354,7 +1368,7 @@ func UpdateWorkflowSchedule(c echo.Context) error {`
`1354`	`1368`	`}`
`1355`	`1369`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`1356`	`1370`	`Model: model.Model{ID: uint(id)},`
`1357`		`- })`
	`1371`	`+ }, []uint{})`
`1358`	`1372`	`if err != nil {`
`1359`	`1373`	`return controller.JSONBaseErrorReq(c, err)`
`1360`	`1374`	`}`
`@@ -1415,7 +1429,7 @@ func ExecuteTaskOnWorkflow(c echo.Context) error {`
`1415`	`1429`	`}`
`1416`	`1430`	`err = checkCurrentUserCanAccessWorkflow(c, &model.Workflow{`
`1417`	`1431`	`Model: model.Model{ID: uint(id)},`
`1418`		`- })`
	`1432`	`+ }, []uint{})`
`1419`	`1433`	`if err != nil {`
`1420`	`1434`	`return controller.JSONBaseErrorReq(c, err)`
`1421`	`1435`	`}`