fix(缺陷管理): 详情评论非评论人校验问题

--bug=1036296 --user=宋昌昌【缺陷管理】缺陷详情-评论-非评论人也删除评论 https://www.tapd.cn/55049933/s/1469424
2024-12-04 21:19:52 +08:00 · 2024-03-05 15:30:10 +08:00 · 2024-03-05 15:30:10 +08:00 · eeff1a49d1
commit eeff1a49d1
parent 2eca67b682
9 changed files with 30 additions and 13 deletions
--- a/backend/framework/sdk/src/main/resources/i18n/bug.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/bug.properties
@ -90,6 +90,7 @@ bug_comment.parent_id.not_blank=缺陷评论父级ID不能为空
 bug_comment.parent.not_exist=父级评论不存在
 bug_comment.reply_user.not_blank=缺陷回复人不能为空
 bug_comment_not_exist=缺陷评论不存在
 bug_comment_not_owner=非当前评论创建人, 无法操作!
 bug_relate_case_not_found=未查询到关联的用例
 bug_relate_case_type_unknown=关联的用例类型未知, 无法查看
 bug_relate_case_permission_error=无权限查看, 请联系管理员
--- a/backend/framework/sdk/src/main/resources/i18n/bug_en_US.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/bug_en_US.properties
@ -90,6 +90,7 @@ bug_comment.parent_id.not_blank=Bug comment parent-id cannot be empty
 bug_comment.parent.not_exist=Bug comment parent does not exist
 bug_comment.reply_user.not_blank=Bug comment reply-user cannot be empty
 bug_comment_not_exist=Bug comment does not exist
 bug_comment_not_owner=Not owner of the bug comment!
 bug_relate_case_not_found=Bug related case not found
 bug_relate_case_type_unknown=Bug related case type unknown
 bug_relate_case_permission_error=No permission to show the case
--- a/backend/framework/sdk/src/main/resources/i18n/bug_zh_CN.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/bug_zh_CN.properties
@ -90,6 +90,7 @@ bug_comment.parent_id.not_blank=缺陷评论父级ID不能为空
 bug_comment.parent.not_exist=父级评论不存在
 bug_comment.reply_user.not_blank=缺陷回复人不能为空
 bug_comment_not_exist=缺陷评论不存在
 bug_comment_not_owner=非当前评论创建人, 无法操作!
 bug_relate_case_not_found=未查询到关联的用例
 bug_relate_case_type_unknown=关联的用例类型未知, 无法查看
 bug_relate_case_permission_error=无用例查看权限, 请联系管理员
--- a/backend/framework/sdk/src/main/resources/i18n/bug_zh_TW.properties
+++ b/backend/framework/sdk/src/main/resources/i18n/bug_zh_TW.properties
@ -90,6 +90,7 @@ bug_comment.parent_id.not_blank=缺陷評論父級ID不能為空
 bug_comment.parent.not_exist=父級評論不存在
 bug_comment.reply_user.not_blank=缺陷回復人不能為空
 bug_comment_not_exist=缺陷評論不存在
 bug_comment_not_owner=非當前評論創建人, 無法操作!
 bug_relate_case_not_found=未查詢到關聯的用例
 bug_relate_case_type_unknown=關聯的用例類型未知, 無法查看
 bug_relate_case_permission_error=無權限查看, 請聯繫管理員
--- a/backend/services/bug-management/src/main/java/io/metersphere/bug/controller/BugCommentController.java
+++ b/backend/services/bug-management/src/main/java/io/metersphere/bug/controller/BugCommentController.java
@ -51,6 +51,6 @@ public class BugCommentController {
    @Operation(summary = "缺陷管理-评论-删除评论")
    @RequiresPermissions(PermissionConstants.PROJECT_BUG_READ)
    public void delete(@PathVariable String commentId) {
-        bugCommentService.deleteComment(commentId);
+        bugCommentService.deleteComment(commentId, SessionUtils.getUserId());
    }
 }
--- a/backend/services/bug-management/src/main/java/io/metersphere/bug/service/BugCommentService.java
+++ b/backend/services/bug-management/src/main/java/io/metersphere/bug/service/BugCommentService.java
@ -128,7 +128,7 @@ public class BugCommentService {
     * @return 缺陷评论
     */
    public BugComment updateComment(BugCommentEditRequest request, String currentUser) {
-        checkComment(request.getId());
+        checkComment(request.getId(), currentUser);
        BugComment bugComment = getBugComment(request, currentUser, true);
        return updateBugCommentAndNotice(request, bugComment, currentUser);
    }
@ -137,8 +137,8 @@ public class BugCommentService {
     * 删除评论
     * @param commentId 评论ID
     */
-    public void deleteComment(String commentId) {
+    public void deleteComment(String commentId, String currentUser) {
-        checkComment(commentId);
+        checkComment(commentId, currentUser);
        BugComment bugComment = bugCommentMapper.selectByPrimaryKey(commentId);
        if (StringUtils.isEmpty(bugComment.getParentId())) {
            // 如果是父评论, 先删除子评论
@ -270,14 +270,17 @@ public class BugCommentService {
    }
    /**
-     * 校验评论是否存在
+     * 校验评论是否存在, 评论创建人是否当前用户
     * @param commentId 评论ID
     */
-    private void checkComment(String commentId) {
+    private void checkComment(String commentId, String currentUser) {
        BugComment bugComment = bugCommentMapper.selectByPrimaryKey(commentId);
        if (bugComment == null) {
            throw new IllegalArgumentException(Translator.get("bug_comment_not_exist"));
        }
        if (!StringUtils.equals(bugComment.getCreateUser(), currentUser)) {
            throw new IllegalArgumentException(Translator.get("bug_comment_not_owner"));
        }
    }
    /**
--- a/backend/services/bug-management/src/test/java/io/metersphere/bug/controller/BugCommentControllerTests.java
+++ b/backend/services/bug-management/src/test/java/io/metersphere/bug/controller/BugCommentControllerTests.java
@ -210,6 +210,10 @@ public class BugCommentControllerTests extends BaseTest {
        this.requestGet(BUG_COMMENT_DELETE + "/default-bug-comment-id-4");
        BugComment comment1 = bugCommentMapper.selectByPrimaryKey("default-bug-comment-id-4");
        Assertions.assertNull(comment1);
        // 删除非当前评论人的评论
        this.requestGet(BUG_COMMENT_DELETE + "/default-bug-comment-id-5");
        BugComment comment2 = bugCommentMapper.selectByPrimaryKey("default-bug-comment-id-5");
        Assertions.assertTrue(StringUtils.equals(comment2.getId(), "default-bug-comment-id-5"));
    }
    @Test
--- a/backend/services/bug-management/src/test/resources/dml/init_bug_comment.sql
+++ b/backend/services/bug-management/src/test/resources/dml/init_bug_comment.sql
@ -15,9 +15,10 @@ INSERT INTO bug (id, num, title, handle_users, handle_user, create_user, create_
 INSERT INTO bug_comment (id, bug_id, reply_user, notifier, parent_id, content, create_user, create_time, update_user, update_time) VALUES
    ('default-bug-comment-id-1', 'default-bug-id-for-comment', null, null, null, 'This is a test comment!', 'admin', UNIX_TIMESTAMP() * 1000, 'admin', UNIX_TIMESTAMP() * 1000),
-    ('default-bug-comment-id-2', 'default-bug-id-for-comment', 'admin', 'oasis-user-id1;oasis-user-id2', 'default-bug-comment-id-1', 'This is a test comment!', 'oasis-user-id', UNIX_TIMESTAMP() * 1000, 'admin', UNIX_TIMESTAMP() * 1000),
+    ('default-bug-comment-id-2', 'default-bug-id-for-comment', 'admin', 'oasis-user-id1;oasis-user-id2', 'default-bug-comment-id-1', 'This is a test comment!', 'admin', UNIX_TIMESTAMP() * 1000, 'admin', UNIX_TIMESTAMP() * 1000),
-    ('default-bug-comment-id-3', 'default-bug-id-for-comment', null, null, null, 'This is a test comment!', 'oasis-user-id1', UNIX_TIMESTAMP() * 1000 + 1000, 'admin', UNIX_TIMESTAMP() * 1000),
+    ('default-bug-comment-id-3', 'default-bug-id-for-comment', null, null, null, 'This is a test comment!', 'admin', UNIX_TIMESTAMP() * 1000 + 1000, 'admin', UNIX_TIMESTAMP() * 1000),
-    ('default-bug-comment-id-4', 'default-bug-id-for-comment', 'oasis-user-id1', null, 'default-bug-comment-id-3', 'This is a test comment!', 'oasis-user-id2', UNIX_TIMESTAMP() * 1000 + 1000, 'admin', UNIX_TIMESTAMP() * 1000);
+    ('default-bug-comment-id-4', 'default-bug-id-for-comment', 'oasis-user-id1', null, 'default-bug-comment-id-3', 'This is a test comment!', 'admin', UNIX_TIMESTAMP() * 1000 + 1000, 'admin', UNIX_TIMESTAMP() * 1000),
    ('default-bug-comment-id-5', 'default-bug-id-for-comment', 'oasis-user-id1', null, null, 'This is a test comment!', 'oasis', UNIX_TIMESTAMP() * 1000 - 1000, 'admin', UNIX_TIMESTAMP() * 1000);
 INSERT INTO bug_custom_field (bug_id, field_id, value) VALUE ('default-bug-id-for-comment1', 'comment_test_field', '["default", "default-1"]');
--- a/frontend/src/components/business/ms-comment/comment-item.vue
+++ b/frontend/src/components/business/ms-comment/comment-item.vue
@ -1,8 +1,8 @@
 <template>
  <div class="flex flex-row gap-[8px]">
-    <div class="p-1"> <MsAvatar :avatar="props.element.commentUserInfos[0].avatar" /></div>
+    <div class="p-1"> <MsAvatar :avatar="creatorInfo.avatar" /></div>
    <div class="flex w-full flex-col">
-      <div class="font-medium text-[var(--color-text-1)]">{{ props.element.commentUserInfos[0].name }}</div>
+      <div class="font-medium text-[var(--color-text-1)]">{{ creatorInfo.name }}</div>
      <div v-dompurify-html="props.element.content" class="markdown-body mt-[4px]"></div>
      <div class="mb-4 mt-[16px] flex flex-row items-center">
@ -28,7 +28,7 @@
            <span>{{ t('ms.comment.reply') }}</span>
          </div>
          <div
-            v-if="hasEditAuth"
+            v-if="hasAuth"
            class="comment-btn hover:bg-[var(--color-bg-3)]"
            :class="{ 'bg-[var(--color-text-n8)]': status === 'edit' }"
            @click="editClick"
@ -37,6 +37,7 @@
            <span>{{ t('ms.comment.edit') }}</span>
          </div>
          <div
            v-if="hasAuth"
            class="comment-btn hover:bg-[rgb(var(--danger-1))]"
            :class="{ 'bg-[rgb(var(--danger-2))]': status === 'delete' }"
            @click="deleteClick"
@ -76,7 +77,7 @@
  }>();
  // 是否拥有编辑｜删除权限
-  const hasEditAuth = computed(() => {
+  const hasAuth = computed(() => {
    return props.element.createUser === userStore.id;
  });
@ -109,6 +110,10 @@
    emit('delete');
    status.value = 'delete';
  };
  const creatorInfo = computed(() => {
    return props.element.commentUserInfos.filter((item) => item.id === props.element.createUser)[0];
  });
 </script>
 <style lang="less" scoped>