From 732222ab98efc5c50d106f24958fece6347ea94e Mon Sep 17 00:00:00 2001
From: jerryjzhang
Date: Wed, 5 Mar 2025 14:29:40 +0800
Subject: [PATCH] (fix)(headless)Fix database permission check.

(fix)(headless)Fix database permission check.
---
 .../service/impl/DatabaseServiceImpl.java | 43 ++++++++++++++++++-
 1 file changed, 41 insertions(+), 2 deletions(-)

diff --git a/headless/server/src/main/java/com/tencent/supersonic/headless/server/service/impl/DatabaseServiceImpl.java b/headless/server/src/main/java/com/tencent/supersonic/headless/server/service/impl/DatabaseServiceImpl.java
index b26aac388..89b84f30c 100644
--- a/headless/server/src/main/java/com/tencent/supersonic/headless/server/service/impl/DatabaseServiceImpl.java
+++ b/headless/server/src/main/java/com/tencent/supersonic/headless/server/service/impl/DatabaseServiceImpl.java
@@ -5,6 +5,7 @@ import com.baomidou.mybatisplus.extension.service.impl.ServiceImpl;
 import com.google.common.collect.Lists;
 import com.tencent.supersonic.common.pojo.QueryColumn;
 import com.tencent.supersonic.common.pojo.User;
+import com.tencent.supersonic.common.pojo.enums.AuthType;
 import com.tencent.supersonic.common.pojo.enums.EngineType;
 import com.tencent.supersonic.headless.api.pojo.DBColumn;
 import com.tencent.supersonic.headless.api.pojo.enums.DataType;
@@ -79,8 +80,9 @@ public class DatabaseServiceImpl extends ServiceImpl getDatabaseList(User user) {
- List databaseResps =
- list().stream().map(DatabaseConverter::convert).collect(Collectors.toList());
+ List databaseResps = list().stream().map(DatabaseConverter::convert)
+ .filter(database -> filterByAuth(database, user, AuthType.VIEWER))
+ .collect(Collectors.toList());
 fillPermission(databaseResps, user);
 return databaseResps;
 }
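Review bot: The `.filter(database -> filterByAuth(database, user, AuthType.VIEWER))` step in `getDatabaseList` restricts only what this listing returns. A request that names a database id directly is not covered by a list-only filter, and the patch does not show whether the by-id methods of this service (for example `deleteDatabase`, visible as context in the next hunk) apply an equivalent check. I would confirm that each of them enforces the matching `AuthType`, and add a comment above the stream such as `// Authorization boundary: only databases the caller may view are returned; by-id accessors must enforce the same check.` `user` is dereferenced inside the filter, so a null `user` would throw instead of yielding an empty list, which is worth stating in the method's Javadoc. The method's signature line is truncated on this page.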
@@ -100,6 +102,43 @@ public class DatabaseServiceImpl extends ServiceImpl admins = database.getAdmins();
+ if (user.isSuperAdmin()) {
+ return true;
+ }
+ if (admins.contains(user.getName()) || database.getCreatedBy().equals(user.getName())) {
+ return true;
+ }
+ return false;
+ }
+
+ private boolean checkViewPermission(User user, DatabaseResp database) {
+ if (checkAdminPermission(user, database)) {
+ return true;
+ }
+ List viewers = database.getViewers();
+
+ if (viewers.contains(user.getName())) {
+ return true;
+ }
+ return false;
+ }
+
 @Override
 public void deleteDatabase(Long databaseId) {
 ModelFilter modelFilter = new ModelFilter();
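Review bot: `checkAdminPermission` and `checkViewPermission` call `admins.contains(...)`, `database.getCreatedBy().equals(...)` and `viewers.contains(...)` with no null guard. If any of those getters can return null (the patch does not show `DatabaseResp`), one incomplete record would throw inside the stream filter in `getDatabaseList` and fail the listing for every caller. Guarding the lists and comparing from the caller's side keeps the decision fail-closed per record: `admins != null && admins.contains(name)` and `name != null && name.equals(database.getCreatedBy())`, with `String name = user.getName();`. I would avoid `Objects.equals` here, since two null values compare equal and would grant access. Each helper would also benefit from a short Javadoc stating the grant order (super admin, then admin or creator, then viewer). The body of `filterByAuth` and the signature of `checkAdminPermission` are missing from this page, so the ADMIN/VIEWER dispatch could not be reviewed.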