cherry-pick [Bug-15215][Api] non-admin should not modify tenantId and queue

#15254
6 months ago · dade149f08
2 changed files with 28 additions and 0 deletions
--- a/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java
+++ b/dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/UsersServiceImpl.java
@ -395,6 +395,17 @@ public class UsersServiceImpl extends BaseServiceImpl implements UsersService {
            putMsg(result, Status.USER_NOT_EXIST, userId);
            return result;
        }
+
+        // non-admin should not modify tenantId and queue
+        if (!isAdmin(loginUser)) {
+            if (tenantId != null && user.getTenantId() != tenantId) {
+                throw new ServiceException(Status.USER_NO_OPERATION_PERM);
+            }
+            if (StringUtils.isNotEmpty(queue) && !StringUtils.equals(queue, user.getQueue())) {
+                throw new ServiceException(Status.USER_NO_OPERATION_PERM);
+            }
+        }
+
        if (StringUtils.isNotEmpty(userName)) {

            if (!CheckUtils.checkUserName(userName)) {
--- a/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/UsersServiceTest.java
+++ b/dolphinscheduler-api/src/test/java/org/apache/dolphinscheduler/api/service/UsersServiceTest.java
@ -814,6 +814,23 @@ public class UsersServiceTest {
        return user;
    }

+    /**
+     * get non-admin user
+     *
+     * @return user
+     */
+    private User getNonAdminUser() {
+
+        User user = new User();
+        user.setId(2);
+        user.setUserType(UserType.GENERAL_USER);
+        user.setUserName("userTest0001");
+        user.setUserPassword("userTest0001");
+        user.setTenantId(2);
+        user.setQueue("queue");
+        return user;
+    }
+
    /**
     * get tenant
     *