[Bug-15215][Api] non-admin should not modify tenantId and queue (#15254)

* bugfix-15215：Users are not allowed to modify the default tenant and queue through the update API * fix: #15215
6 months ago · 7bfc6dc3cf
2 changed files with 42 additions and 0 deletions
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java
@ -385,6 +385,17 @@ public class UsersServiceImpl extends BaseServiceImpl implements UsersService {
        if (user == null) {
            throw new ServiceException(Status.USER_NOT_EXIST, userId);
        }
+
+        // non-admin should not modify tenantId and queue
+        if (!isAdmin(loginUser)) {
+            if (tenantId != null && user.getTenantId() != tenantId) {
+                throw new ServiceException(Status.USER_NO_OPERATION_PERM);
+            }
+            if (StringUtils.isNotEmpty(queue) && !StringUtils.equals(queue, user.getQueue())) {
+                throw new ServiceException(Status.USER_NO_OPERATION_PERM);
+            }
+        }
+
        if (StringUtils.isNotEmpty(userName)) {

            if (!CheckUtils.checkUserName(userName)) {
--- a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/UsersServiceTest.java
+++ b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/UsersServiceTest.java
@ -335,6 +335,20 @@ public class UsersServiceTest {
                "queue",
                1,
                "Asia/Shanghai"));
+
+        // non-admin should not modify tenantId and queue
+        when(userMapper.selectById(2)).thenReturn(getNonAdminUser());
+        User user = userMapper.selectById(2);
+        assertThrowsServiceException(Status.USER_NO_OPERATION_PERM, () -> usersService.updateUser(user,
+                2,
+                userName,
+                userPassword,
+                "abc@qq.com",
+                null,
+                "13457864543",
+                "offline",
+                1,
+                "Asia/Shanghai"));
    }

    @Test
@ -889,6 +903,23 @@ public class UsersServiceTest {
        return user;
    }

+    /**
+     * get non-admin user
+     *
+     * @return user
+     */
+    private User getNonAdminUser() {
+
+        User user = new User();
+        user.setId(2);
+        user.setUserType(UserType.GENERAL_USER);
+        user.setUserName("userTest0001");
+        user.setUserPassword("userTest0001");
+        user.setTenantId(2);
+        user.setQueue("queue");
+        return user;
+    }
+
    /**
     * get tenant
     *