Merge branch 'master' into bugfix-autodelete-role

spaceluke · web-flow · commit 47bbd8bdc522 · 2025-06-08T23:10:35.000+08:00
diff --git a/CHANGES.md b/CHANGES.md
@@ -13,6 +13,7 @@ Apollo 2.5.0
 * [Feature: Enhanced parameter verification for edit item](https://github.com/apolloconfig/apollo/pull/5376)
 * [Feature: Added a new feature to get instance count by namespace.](https://github.com/apolloconfig/apollo/pull/5381)
 * [Bugfix: Remove cluster-related roles and permissions upon deletion](https://github.com/apolloconfig/apollo/pull/5395)
+* [Security: Prevent unauthorized access to other users' apps in /apps/by-owner endpoint](https://github.com/apolloconfig/apollo/pull/5396)
 
 ------------------
 All issues and pull requests are [here](https://github.com/apolloconfig/apollo/milestone/16?closed=1)
diff --git a/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java b/apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/controller/AppController.java
@@ -28,6 +28,7 @@
 import com.ctrip.framework.apollo.core.ConfigConsts;
 import com.ctrip.framework.apollo.portal.component.PortalSettings;
 import com.ctrip.framework.apollo.portal.enricher.adapter.AppDtoUserInfoEnrichedAdapter;
+import com.ctrip.framework.apollo.portal.entity.bo.UserInfo;
 import com.ctrip.framework.apollo.portal.entity.model.AppModel;
 import com.ctrip.framework.apollo.portal.entity.po.Role;
 import com.ctrip.framework.apollo.portal.entity.vo.EnvClusterInfo;
@@ -102,11 +103,14 @@ public List<App> findApps(@RequestParam(value = "appIds", required = false) Stri
     return appService.findByAppIds(Sets.newHashSet(appIds.split(",")));
   }
 
-  @GetMapping("/by-owner")
-  public List<App> findAppsByOwner(@RequestParam("owner") String owner, Pageable page) {
+  @GetMapping("/by-self")
+  public List<App> findAppsBySelf(Pageable page) {
+    UserInfo loginUser = userInfoHolder.getUser();
+    String userId = loginUser.getUserId();
+    
     Set<String> appIds = Sets.newHashSet();
 
-    List<Role> userRoles = rolePermissionService.findUserRoles(owner);
+    List<Role> userRoles = rolePermissionService.findUserRoles(userId);
 
     for (Role role : userRoles) {
       String appId = RoleUtils.extractAppIdFromRoleName(role.getRoleName());
diff --git a/apollo-portal/src/main/resources/static/scripts/controller/IndexController.js b/apollo-portal/src/main/resources/static/scripts/controller/IndexController.js
@@ -76,7 +76,7 @@ function IndexController($scope, $window, $translate, toastr, AppUtil, AppServic
 
     function getUserCreatedApps() {
         var size = 10;
-        AppService.find_app_by_owner($scope.userId, $scope.createdAppPage, size)
+        AppService.find_app_by_self($scope.createdAppPage, size)
             .then(function (result) {
                 $scope.createdAppPage += 1;
                 $scope.hasMoreCreatedApps = result.length == size;
diff --git a/apollo-portal/src/main/resources/static/scripts/services/AppService.js b/apollo-portal/src/main/resources/static/scripts/services/AppService.js
@@ -21,10 +21,10 @@ appService.service('AppService', ['$resource', '$q', 'AppUtil', function ($resou
             isArray: true,
             url: AppUtil.prefixPath() + '/apps'
         },
-        find_app_by_owner: {
+        find_app_by_self: {
             method: 'GET',
             isArray: true,
-            url: AppUtil.prefixPath() + '/apps/by-owner'
+            url: AppUtil.prefixPath() + '/apps/by-self'
         },
         load_navtree: {
             method: 'GET',
@@ -89,10 +89,9 @@ appService.service('AppService', ['$resource', '$q', 'AppUtil', function ($resou
             });
             return d.promise;
         },
-        find_app_by_owner: function (owner, page, size) {
+        find_app_by_self: function (page, size) {
             var d = $q.defer();
-            app_resource.find_app_by_owner({
-                                               owner: owner,
+            app_resource.find_app_by_self({
                                                page: page,
                                                size: size
                                            }, function (result) {
