feat：用户个人视角 权限管理优化 #11138

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/rbac/service/RbacPermissionResourceValidateService.kt

@@ -156,7 +156,8 @@ class RbacPermissionResourceValidateService(
     override fun validateUserProjectPermissionByChannel(
         userId: String,
         projectCode: String,
-        operateChannel: OperateChannel
+        operateChannel: OperateChannel,
+        targetMemberId: String
     ) {
         if (operateChannel == OperateChannel.PERSONAL) {
             // 个人视角校验
@@ -171,6 +172,11 @@ class RbacPermissionResourceValidateService(
                     message = "The user does not have permission to visit the project!"
                 )
             }
+            if (userId != targetMemberId){
+                throw PermissionForbiddenException(
+                    message = "You do not have permission to operate other user groups!"
+                )
+            }
         } else {
             // 管理员视角校验
             val hasProjectManagePermission = permissionService.validateUserResourcePermission(

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/provider/sample/service/SamplePermissionResourceValidateService.kt

@@ -51,7 +51,8 @@ class SamplePermissionResourceValidateService : PermissionResourceValidateServic
     override fun validateUserProjectPermissionByChannel(
         userId: String,
         projectCode: String,
-        operateChannel: OperateChannel
+        operateChannel: OperateChannel,
+        targetMemberId: String
     ) {
         return
     }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthHandoverResourceImpl.kt

@@ -1,6 +1,7 @@
 package com.tencent.devops.auth.resources.user
 
 import com.tencent.devops.auth.api.user.UserAuthHandoverResource
+import com.tencent.devops.auth.pojo.enum.OperateChannel
 import com.tencent.devops.auth.pojo.request.HandoverDetailsQueryReq
 import com.tencent.devops.auth.pojo.request.HandoverOverviewQueryReq
 import com.tencent.devops.auth.pojo.request.HandoverOverviewUpdateReq
@@ -11,6 +12,8 @@ import com.tencent.devops.auth.pojo.vo.ResourceType2CountVo
 import com.tencent.devops.auth.service.PermissionAuthorizationService
 import com.tencent.devops.auth.service.iam.PermissionHandoverService
 import com.tencent.devops.auth.service.iam.PermissionManageFacadeService
+import com.tencent.devops.auth.service.iam.PermissionResourceValidateService
+import com.tencent.devops.common.api.exception.PermissionForbiddenException
 import com.tencent.devops.common.api.model.SQLPage
 import com.tencent.devops.common.api.pojo.Result
 import com.tencent.devops.common.auth.api.pojo.ResourceAuthorizationHandoverConditionRequest
@@ -20,13 +23,20 @@ import com.tencent.devops.common.web.RestResource
 class UserAuthHandoverResourceImpl(
     private val permissionAuthorizationService: PermissionAuthorizationService,
     private val permissionManageFacadeService: PermissionManageFacadeService,
-    private val permissionHandoverService: PermissionHandoverService
+    private val permissionHandoverService: PermissionHandoverService,
+    private val permissionResourceValidateService: PermissionResourceValidateService
 ) : UserAuthHandoverResource {
     override fun handoverAuthorizationsApplication(
         userId: String,
         projectId: String,
         condition: ResourceAuthorizationHandoverConditionRequest
     ): Result<Boolean> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = OperateChannel.PERSONAL,
+            targetMemberId = condition.handoverFrom!!
+        )
         return Result(
             permissionAuthorizationService.handoverAuthorizationsApplication(
                 operator = userId,
@@ -40,6 +50,12 @@ class UserAuthHandoverResourceImpl(
         userId: String,
         queryRequest: HandoverOverviewQueryReq
     ): Result<SQLPage<HandoverOverviewVo>> {
+        if (userId != queryRequest.memberID) {
+            throw PermissionForbiddenException(
+                message = "You have not permission to view other people's handover details!"
+            )
+        }
+
         return Result(permissionHandoverService.listHandoverOverviews(queryRequest = queryRequest))
     }
 
@@ -65,6 +81,12 @@ class UserAuthHandoverResourceImpl(
     }
 
     override fun handleHanoverApplication(userId: String, request: HandoverOverviewUpdateReq): Result<Boolean> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = request.projectCode,
+            operateChannel = OperateChannel.PERSONAL,
+            targetMemberId = request.operator
+        )
         return Result(permissionManageFacadeService.handleHanoverApplication(request = request))
     }
 }

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceGroupResourceImpl.kt

@@ -90,7 +90,8 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
         permissionResourceValidateService.validateUserProjectPermissionByChannel(
             userId = userId,
             projectCode = projectId,
-            operateChannel = operateChannel ?: OperateChannel.MANAGER
+            operateChannel = operateChannel ?: OperateChannel.MANAGER,
+            targetMemberId = memberId
         )
 
         return Result(
@@ -118,6 +119,12 @@ class UserAuthResourceGroupResourceImpl @Autowired constructor(
         groupId: Int,
         memberRenewalDTO: GroupMemberRenewalDTO
     ): Result<Boolean> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = OperateChannel.PERSONAL,
+            targetMemberId = userId
+        )
         return Result(
             permissionResourceMemberService.renewalGroupMember(
                 userId = userId,

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/resources/user/UserAuthResourceMemberResourceImpl.kt

@@ -134,6 +134,12 @@ class UserAuthResourceMemberResourceImpl(
         projectId: String,
         removeMemberDTO: GroupMemberRemoveConditionReq
     ): Result<Boolean> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = OperateChannel.PERSONAL,
+            targetMemberId = removeMemberDTO.targetMember.id
+        )
         return Result(
             permissionManageFacadeService.batchDeleteResourceGroupMembersFromPersonal(
                 userId = userId,
@@ -163,6 +169,12 @@ class UserAuthResourceMemberResourceImpl(
         projectId: String,
         handoverMemberDTO: GroupMemberHandoverConditionReq
     ): Result<Boolean> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = OperateChannel.PERSONAL,
+            targetMemberId = handoverMemberDTO.targetMember.id
+        )
         return Result(
             permissionManageFacadeService.batchHandoverApplicationFromPersonal(
                 userId = userId,
@@ -172,13 +184,18 @@ class UserAuthResourceMemberResourceImpl(
         )
     }
 
-    @BkManagerCheck
     override fun batchOperateGroupMembersCheck(
         userId: String,
         projectId: String,
         batchOperateType: BatchOperateType,
         conditionReq: GroupMemberCommonConditionReq
     ): Result<BatchOperateGroupMemberCheckVo> {
+        permissionResourceValidateService.validateUserProjectPermissionByChannel(
+            userId = userId,
+            projectCode = projectId,
+            operateChannel = conditionReq.operateChannel,
+            targetMemberId = conditionReq.targetMember.id
+        )
         return Result(
             permissionManageFacadeService.batchOperateGroupMembersCheck(
                 userId = userId,
@@ -234,7 +251,8 @@ class UserAuthResourceMemberResourceImpl(
         permissionResourceValidateService.validateUserProjectPermissionByChannel(
             userId = userId,
             projectCode = projectId,
-            operateChannel = operateChannel ?: OperateChannel.MANAGER
+            operateChannel = operateChannel ?: OperateChannel.MANAGER,
+            targetMemberId = memberId
         )
         return Result(
             permissionManageFacadeService.getMemberGroupsCount(

src/backend/ci/core/auth/biz-auth/src/main/kotlin/com/tencent/devops/auth/service/iam/PermissionResourceValidateService.kt

@@ -54,6 +54,7 @@ interface PermissionResourceValidateService {
     fun validateUserProjectPermissionByChannel(
         userId: String,
         projectCode: String,
-        operateChannel: OperateChannel
+        operateChannel: OperateChannel,
+        targetMemberId: String
     )
 }