fix: fix the authBuiltinManagement R/W auth issue

Author: HearyShen

backend/modules/evaluation/application/evaluator_app.go

@@ -344,7 +344,7 @@ func (e *EvaluatorHandlerImpl) UpdateEvaluator(ctx context.Context, request *eva
 	}
 	// 如果是builtin分支，补充管理空间校验
 	if request.GetBuiltin() {
-		if err := e.authBuiltinManagement(ctx, request.GetWorkspaceID(), spaceTypeBuiltin); err != nil {
+		if err := e.authBuiltinManagement(ctx, request.GetWorkspaceID(), spaceTypeBuiltin, true); err != nil {
 			return nil, err
 		}
 	}
@@ -583,7 +583,7 @@ func (e *EvaluatorHandlerImpl) GetEvaluatorVersion(ctx context.Context, request
 	}
 	// 鉴权
 	if request.GetBuiltin() {
-		err = e.authBuiltinManagement(ctx, evaluatorDO.SpaceID, spaceTypeBuiltin)
+		err = e.authBuiltinManagement(ctx, evaluatorDO.SpaceID, spaceTypeBuiltin, false)
 		if err != nil {
 			return nil, err
 		}
@@ -1473,7 +1473,7 @@ func (e *EvaluatorHandlerImpl) CreateEvaluatorTemplate(ctx context.Context, requ
 	}
 
 	// 校验评估器模板管理权限
-	err = e.authBuiltinManagement(ctx, request.GetEvaluatorTemplate().GetWorkspaceID(), spaceTypeTemplate)
+	err = e.authBuiltinManagement(ctx, request.GetEvaluatorTemplate().GetWorkspaceID(), spaceTypeTemplate, true)
 	if err != nil {
 		return nil, err
 	}
@@ -1518,7 +1518,7 @@ func (e *EvaluatorHandlerImpl) UpdateEvaluatorTemplate(ctx context.Context, requ
 	}
 
 	// 校验评估器模板管理权限
-	err = e.authBuiltinManagement(ctx, request.GetEvaluatorTemplate().GetWorkspaceID(), spaceTypeTemplate)
+	err = e.authBuiltinManagement(ctx, request.GetEvaluatorTemplate().GetWorkspaceID(), spaceTypeTemplate, true)
 	if err != nil {
 		return nil, err
 	}
@@ -1574,7 +1574,7 @@ func (e *EvaluatorHandlerImpl) DeleteEvaluatorTemplate(ctx context.Context, requ
 	}
 
 	// 校验评估器模板管理权限
-	err = e.authBuiltinManagement(ctx, templateDO.Template.SpaceID, spaceTypeTemplate)
+	err = e.authBuiltinManagement(ctx, templateDO.Template.SpaceID, spaceTypeTemplate, true)
 	if err != nil {
 		return nil, err
 	}
@@ -1637,7 +1637,7 @@ func (e *EvaluatorHandlerImpl) UpdateBuiltinEvaluatorTags(ctx context.Context, r
 		return nil, errorx.NewByCode(errno.EvaluatorNotExistCode)
 	}
 	// 校验是否在builtin管理空间
-	if err := e.authBuiltinManagement(ctx, request.GetWorkspaceID(), spaceTypeBuiltin); err != nil {
+	if err := e.authBuiltinManagement(ctx, request.GetWorkspaceID(), spaceTypeBuiltin, true); err != nil {
 		return nil, err
 	}
 
@@ -1670,7 +1670,19 @@ const (
 )
 
 // validate 校验评估器管理权限
-func (e *EvaluatorHandlerImpl) authBuiltinManagement(ctx context.Context, workspaceID int64, spaceType SpaceType) error {
+func (e *EvaluatorHandlerImpl) authBuiltinManagement(ctx context.Context, workspaceID int64, spaceType SpaceType, authWrite bool) error {
+	if authWrite {
+		// 鉴权
+		err := e.auth.Authorization(ctx, &rpc.AuthorizationParam{
+			ObjectID:      strconv.FormatInt(workspaceID, 10),
+			SpaceID:       workspaceID,
+			ActionObjects: []*rpc.ActionObject{{Action: gptr.Of("listLoopEvaluator"), EntityType: gptr.Of(rpc.AuthEntityType_Space)}}, // listLoopEvaluator为暂时复用的权限点
+		})
+		if err != nil {
+			return err
+		}
+	}
+
 	var allowedSpaceIDs []string
 	switch spaceType {
 	case spaceTypeBuiltin:
@@ -1694,15 +1706,5 @@ func (e *EvaluatorHandlerImpl) authBuiltinManagement(ctx context.Context, worksp
 		}
 	}
 
-	// 鉴权
-	err := e.auth.Authorization(ctx, &rpc.AuthorizationParam{
-		ObjectID:      strconv.FormatInt(workspaceID, 10),
-		SpaceID:       workspaceID,
-		ActionObjects: []*rpc.ActionObject{{Action: gptr.Of("listLoopEvaluator"), EntityType: gptr.Of(rpc.AuthEntityType_Space)}},
-	})
-	if err != nil {
-		return err
-	}
-
 	return errorx.NewByCode(errno.CommonInvalidParamCode, errorx.WithExtraMsg("workspace_id not in allowed evaluator template spaces"))
 }

backend/modules/evaluation/application/evaluator_app_test.go

@@ -2791,7 +2791,7 @@ func TestEvaluatorHandlerImpl_GetTemplateV2(t *testing.T) {
 		{
 			name: "success - normal request",
 			req: &evaluatorservice.GetTemplateV2Request{
-				EvaluatorTemplateID: templateID,
+				EvaluatorTemplateID: gptr.Of(templateID),
 			},
 			mockSetup: func() {
 				mockTemplateService.EXPECT().
@@ -2811,7 +2811,7 @@ func TestEvaluatorHandlerImpl_GetTemplateV2(t *testing.T) {
 		{
 			name: "success - template not found",
 			req: &evaluatorservice.GetTemplateV2Request{
-				EvaluatorTemplateID: templateID,
+				EvaluatorTemplateID: gptr.Of(templateID),
 			},
 			mockSetup: func() {
 				mockTemplateService.EXPECT().
@@ -2826,7 +2826,7 @@ func TestEvaluatorHandlerImpl_GetTemplateV2(t *testing.T) {
 		{
 			name: "error - service failure",
 			req: &evaluatorservice.GetTemplateV2Request{
-				EvaluatorTemplateID: templateID,
+				EvaluatorTemplateID: gptr.Of(templateID),
 			},
 			mockSetup: func() {
 				mockTemplateService.EXPECT().
@@ -3706,6 +3706,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 		name        string
 		workspaceID int64
 		spaceType   SpaceType
+		authWrite   bool
 		mockSetup   func()
 		wantErr     bool
 		wantErrCode int32
@@ -3714,6 +3715,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "success - workspace in allowed list for builtin",
 			workspaceID: 123,
 			spaceType:   spaceTypeBuiltin,
+			authWrite:   false,
 			mockSetup: func() {
 				mockConfiger.EXPECT().
 					GetBuiltinEvaluatorSpaceConf(gomock.Any()).
@@ -3725,6 +3727,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "success - workspace in allowed list for template",
 			workspaceID: 456,
 			spaceType:   spaceTypeTemplate,
+			authWrite:   false,
 			mockSetup: func() {
 				mockConfiger.EXPECT().
 					GetEvaluatorTemplateSpaceConf(gomock.Any()).
@@ -3736,6 +3739,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "error - empty config for builtin",
 			workspaceID: 123,
 			spaceType:   spaceTypeBuiltin,
+			authWrite:   false,
 			mockSetup: func() {
 				mockConfiger.EXPECT().
 					GetBuiltinEvaluatorSpaceConf(gomock.Any()).
@@ -3748,6 +3752,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "error - empty config for template",
 			workspaceID: 123,
 			spaceType:   spaceTypeTemplate,
+			authWrite:   false,
 			mockSetup: func() {
 				mockConfiger.EXPECT().
 					GetEvaluatorTemplateSpaceConf(gomock.Any()).
@@ -3760,14 +3765,14 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "error - workspace not in allowed list",
 			workspaceID: 789,
 			spaceType:   spaceTypeBuiltin,
+			authWrite:   true,
 			mockSetup: func() {
-				mockConfiger.EXPECT().
-					GetBuiltinEvaluatorSpaceConf(gomock.Any()).
-					Return([]string{"123", "456"})
-
 				mockAuth.EXPECT().
 					Authorization(gomock.Any(), gomock.Any()).
 					Return(nil)
+				mockConfiger.EXPECT().
+					GetBuiltinEvaluatorSpaceConf(gomock.Any()).
+					Return([]string{"123", "456"})
 			},
 			wantErr:     true,
 			wantErrCode: errno.CommonInvalidParamCode,
@@ -3776,11 +3781,8 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 			name:        "error - auth failed",
 			workspaceID: 789,
 			spaceType:   spaceTypeBuiltin,
+			authWrite:   true,
 			mockSetup: func() {
-				mockConfiger.EXPECT().
-					GetBuiltinEvaluatorSpaceConf(gomock.Any()).
-					Return([]string{"123", "456"})
-
 				mockAuth.EXPECT().
 					Authorization(gomock.Any(), gomock.Any()).
 					Return(errorx.NewByCode(errno.CommonNoPermissionCode))
@@ -3794,7 +3796,7 @@ func TestEvaluatorHandlerImpl_authBuiltinManagement(t *testing.T) {
 		t.Run(tt.name, func(t *testing.T) {
 			tt.mockSetup()
 
-			err := app.authBuiltinManagement(context.Background(), tt.workspaceID, tt.spaceType)
+			err := app.authBuiltinManagement(context.Background(), tt.workspaceID, tt.spaceType, tt.authWrite)
 
 			if tt.wantErr {
 				assert.Error(t, err)