Skip to content

fix(sql_workbench): enforce business write permission for auto workflow exec#648

Merged
Seechi-Yolo merged 1 commit into
mainfrom
dms/fix-workflow-auto-online-permission
Jul 8, 2026
Merged

fix(sql_workbench): enforce business write permission for auto workflow exec#648
Seechi-Yolo merged 1 commit into
mainfrom
dms/fix-workflow-auto-online-permission

Conversation

@LordofAvernus

@LordofAvernus LordofAvernus commented Jul 8, 2026

Copy link
Copy Markdown
Collaborator

Summary

Replace hardcoded admin bypass in ODC and CloudBeaver checkWorkflowPermission with CanOpGlobal(..., isBusinessWrite=true). Global admins and sys users must have business write permission enabled before workbench non-DQL statements can auto-create and execute workflows. Other users still require project admin or create+audit+execute permissions on the target data source.

Test plan

  • Admin with BWP off rejected on non-DQL auto workflow exec (ODC + CB)
  • Global admin with BWP on can auto exec
  • Dev engineer (create only) rejected
  • Project member with create+audit+execute on data source succeeds

Fixes actiontech/dms-ee#810
Related: actiontech/dms-ee#905

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

PR Reviewer Guide 🔍

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected

@github-actions

github-actions Bot commented Jul 8, 2026

Copy link
Copy Markdown

PR Code Suggestions ✨

Explore these optional code suggestions:

CategorySuggestion                                                                                                                                    Impact
General
增加错误日志

建议在调用 CanOpGlobal 返回错误时增加日志输出,这样可以在运行时快速定位问题原因,提高调试效率。错误日志应包括 userUid 或其他关键上下文信息。

internal/dms/biz/cloudbeaver.go [2063-2067]

 canOpGlobal, err := cu.opPermissionVerifyUsecase.CanOpGlobal(ctx, userUid, true)
 if err != nil {
+    log.Errorf("检查全局操作权限失败, userUid: %s, err: %v", userUid, err)
 	return false, fmt.Errorf("check global op permission err: %v", err)
 }
 if canOpGlobal {
 	return true, nil
 }
Suggestion importance[1-10]: 5

__

Why: 该建议增加了错误日志来更好地记录调用 CanOpGlobal 时的错误并包含 userUid 信息,这有助于调试。不过此更改仅对日志记录作增强,对核心逻辑无重大改动,因此评分为5。

Low

@Seechi-Yolo
Seechi-Yolo merged commit 64a3b09 into main Jul 8, 2026
1 check passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants