dill21yu opened a new issue, #17995:
URL: https://github.com/apache/dolphinscheduler/issues/17995

   ### Search before asking
   
   - [x] I had searched in the 
[issues](https://github.com/apache/dolphinscheduler/issues?q=is%3Aissue) and 
found no similar issues.
   
   
   ### What happened
   
   Non-admin users receive "当前用户没有操作权限" (Current user has no operation 
permission) when trying to delete their own access tokens, even though they 
should be able to manage their own tokens.
   
   
   ### What you expected to happen
   
   1. Non-admin users can delete their own access tokens, or
   2. Non-admin users cannot manage access tokens.
   
   ### How to reproduce
   
   <img width="1661" height="302" alt="Image" src="https://github.com/user-attachments/assets/b68969f9-0d5c-4f1f-9e61-661fc1620ad9" />
   A non-admin user creates an access token, then deletes it.
   
   ### Anything else
   
   Root Cause Analysis
   The permission check consists of two layers:
   1. Two-layer permission check in deleteAccessTokenById
   ```java
   // AccessTokenServiceImpl.deleteAccessTokenById
   // Layer 1: generic operation-permission check for the ACCESS_TOKEN resource type
   if (!canOperatorPermissions(loginUser, null, AuthorizationType.ACCESS_TOKEN, ACCESS_TOKEN_DELETE)) {
       throw new ServiceException(Status.USER_NO_OPERATION_PERM);
   }
   // Layer 2 (later): ownership check, which admins bypass
   if (accessToken.getUserId() != loginUser.getId() && !loginUser.getUserType().equals(UserType.ADMIN_USER)) {
       throw new ServiceException(Status.USER_NO_OPERATION_PERM);
   }
   ```
   2. operationPermissionCheck calls permissionCheck, which always returns false
   ```java
   // ResourcePermissionCheckServiceImpl.operationPermissionCheck
   // Delegates to the per-resource-type check registered in RESOURCE_LIST_MAP
   return RESOURCE_LIST_MAP.get(authorizationType).permissionCheck(userId, permissionKey, logger);
   ```
   3. AccessTokenResourcePermissionCheck.permissionCheck is hardcoded to false
   ```java
   @Override
   public boolean permissionCheck(int userId, String url, Logger logger) {
       // Always denies, so layer 1 fails for every caller that reaches it
       return false;
   }
   ```
   This causes the first layer to fail even when the resource ownership check would pass.
   
   ### Version
   
   dev
   
   ### Are you willing to submit PR?
   
   - [x] Yes I am willing to submit a PR!
   
   ### Code of Conduct
   
   - [x] I agree to follow this project's [Code of 
Conduct](https://www.apache.org/foundation/policies/conduct)
   
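A minimal model of the two checks described in the issue, added here as an illustration and not DolphinScheduler's own code: the class, record and method names are assumptions, as is the admin bypass in layer 1. It shows that with a hardcoded-false first layer a non-admin owner is rejected before the ownership check ever runs, next to what option 1 of the expected behaviour (ownership decides) would look like.

```java
// Added example, not DolphinScheduler code: names below are assumptions.
public class AccessTokenDeleteCheck {
    enum UserType { ADMIN_USER, GENERAL_USER }
    record User(int id, UserType type) {}
    record AccessToken(int id, int userId) {}

    // Stand-in for AccessTokenResourcePermissionCheck.permissionCheck, which the
    // issue reports as hardcoded to false.
    static boolean permissionCheck(int userId, String permissionKey) {
        return false;
    }

    // Layer 1 model: admins are assumed to pass; everyone else hits permissionCheck.
    static boolean canOperatorPermissions(User loginUser, String permissionKey) {
        if (loginUser.type() == UserType.ADMIN_USER) {
            return true;
        }
        return permissionCheck(loginUser.id(), permissionKey);
    }

    // Layer 2 as quoted in the issue: owner or admin may proceed.
    static boolean ownerOrAdmin(User loginUser, AccessToken token) {
        return token.userId() == loginUser.id() || loginUser.type() == UserType.ADMIN_USER;
    }

    // Current ordering: layer 1 runs first, so a non-admin owner never reaches layer 2.
    static boolean deleteAllowedCurrent(User loginUser, AccessToken token) {
        return canOperatorPermissions(loginUser, "ACCESS_TOKEN_DELETE") && ownerOrAdmin(loginUser, token);
    }

    // Expected behaviour, option 1: ownership decides for a user's own token.
    static boolean deleteAllowedOwnerScoped(User loginUser, AccessToken token) {
        return ownerOrAdmin(loginUser, token);
    }

    public static void main(String[] args) {
        User admin = new User(1, UserType.ADMIN_USER);
        User owner = new User(2, UserType.GENERAL_USER);
        User other = new User(3, UserType.GENERAL_USER);
        AccessToken token = new AccessToken(10, owner.id()); // constructed sample data
        for (User u : new User[] {admin, owner, other}) {
            System.out.printf("user %d: current=%b ownerScoped=%b%n", u.id(),
                    deleteAllowedCurrent(u, token), deleteAllowedOwnerScoped(u, token));
        }
    }
}
```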


-- 
This is an automated message from the Apache Git Service.