ruanwenjun opened a new issue, #18276:
URL: https://github.com/apache/dolphinscheduler/issues/18276

   ### Search before asking
   
   I searched existing issues for `AlertPluginInstanceController permission` 
and `alert plugin instance permission` and did not find a similar report.
   
   ### What happened
   
   On the current `dev` branch, several alert plugin instance APIs do not 
enforce the alert plugin instance permission consistently.
   
   Code paths observed at commit `cd8abbaa626d1b7da229fc6883cbb80b687428d6`:
   
   - `GET /alert-plugin-instances/list` calls 
`AlertPluginInstanceService.queryAll()` without passing `loginUser`.
   - `GET /alert-plugin-instances/verify-name` calls 
`AlertPluginInstanceService.checkExistPluginInstanceName(...)` without any 
permission check.
   - `GET /alert-plugin-instances` calls 
`AlertPluginInstanceService.listPaging(loginUser, ...)`, but the implementation 
ignores `loginUser` and queries all matching alert plugin instances.
   
   In `AlertPluginInstanceServiceImpl`, `create`, `updateById`, `deleteById`, 
and `getById` call `canOperatorPermissions(...)` with 
`AuthorizationType.ALERT_PLUGIN_INSTANCE`, but `queryAll`, 
`checkExistPluginInstanceName`, and `listPaging` do not perform permission 
checks or resource filtering.
   
   This is inconsistent with nearby APIs such as `AlertGroupServiceImpl`, where 
list/query methods filter non-admin users by authorized resource ids before 
returning data.
   
   ### What you expected to happen
   
   Alert plugin instance query and validation APIs should enforce permissions 
consistently.
   
   Users without alert plugin instance view/manage permission should not be 
able to list all alert plugin instances or infer instance names through the 
verify-name endpoint. Depending on the intended authorization model, these APIs 
should either return `USER_NO_OPERATION_PERM` or only return resources the 
current user is authorized to view.
   
   ### How to reproduce
   
   1. Use the current `dev` branch.
   2. Create or use a non-admin user that does not have alert plugin instance 
view/manage permission.
   3. Call the following APIs:
      - `GET /dolphinscheduler/alert-plugin-instances`
      - `GET /dolphinscheduler/alert-plugin-instances/list`
      - `GET 
/dolphinscheduler/alert-plugin-instances/verify-name?alertInstanceName=<name>`
   4. Observe that these code paths are served by unfiltered mapper queries or 
name-existence checks instead of permission denial or authorized-resource 
filtering.
   
   ### Anything else
   
   Relevant files:
   
   - 
`dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/controller/AlertPluginInstanceController.java`
   - 
`dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/AlertPluginInstanceServiceImpl.java`
   - 
`dolphinscheduler-api/src/main/java/org/apache/dolphinscheduler/api/service/impl/AlertGroupServiceImpl.java`
   
   A fix should probably add permission checks or authorized-resource filtering 
to `queryAll`, `checkExistPluginInstanceName`, and `listPaging`, plus tests for 
unauthorized users.
   
   ### Version
   
   dev
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: 
[email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to