Wangyizhi1 commented on issue #6236:
URL: https://github.com/apache/dolphinscheduler/issues/6236#issuecomment-921426392
The reason for this problem is that the front end should obtain actionable
projects through GET projects/created-and-authed instead of GET projects/list.
The projects/list interface will return all projects, including those for which
the current user does not have permission. When an unauthorized projectCode is
passed in, it is reasonable for the backend to throw an error on the GET
projects/{projectCode}/process-definition/all interface.
In the old version, there may be an ultra vires issue here.
Fixed in #6238
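
The mismatch described in the comment above, as an added example that is not part of the original comment or the DolphinScheduler code base: a small in-memory stand-in for the three endpoints, plus a regression check that lists which project codes offered to the UI the backend would refuse. The data, field names, helper names and the 403 status are assumptions made for illustration.

```javascript
// Constructed sample data (not from DolphinScheduler); field names are assumptions.
const PROJECTS = [
  { code: 101, owner: "alice", authed: ["bob"] },
  { code: 102, owner: "carol", authed: [] },
  { code: 103, owner: "bob", authed: [] },
];

// A user may act on a project they created or were granted.
const canAccess = (p, user) => p.owner === user || p.authed.includes(user);

// Hypothetical stand-in for the endpoints named in the comment.
function handle(user, path) {
  if (path === "projects/list") {
    // Returns every project, including ones the user cannot act on.
    return { status: 200, data: PROJECTS.map((p) => p.code) };
  }
  if (path === "projects/created-and-authed") {
    return {
      status: 200,
      data: PROJECTS.filter((p) => canAccess(p, user)).map((p) => p.code),
    };
  }
  const m = /^projects\/(\d+)\/process-definition\/all$/.exec(path);
  if (m) {
    const p = PROJECTS.find((x) => x.code === Number(m[1]));
    // The server-side check is the real control: reject an unauthorized
    // projectCode regardless of what the UI listed (403 is an assumption).
    if (!p || !canAccess(p, user)) return { status: 403, data: null };
    return { status: 200, data: [] };
  }
  return { status: 404, data: null };
}

// Regression check: codes a listing endpoint offers that the backend refuses.
function rejectedCodes(user, listingPath) {
  return handle(user, listingPath).data.filter(
    (code) => handle(user, `projects/${code}/process-definition/all`).status !== 200
  );
}

console.log(rejectedCodes("bob", "projects/list"));
console.log(rejectedCodes("bob", "projects/created-and-authed"));
```

An empty result for the listing endpoint the UI uses means every selectable project can actually be opened by that user.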