switch to runtime check

cmd/dashboard/controller/alertrule.go

@@ -62,7 +62,7 @@ func createAlertRule(c *gin.Context) (uint64, error) {
 	r.TriggerMode = arf.TriggerMode
 	r.Enable = &enable
 
-	if err := validateRule(c, &r); err != nil {
+	if err := validateRule(&r); err != nil {
 		return 0, err
 	}
 
@@ -116,7 +116,7 @@ func updateAlertRule(c *gin.Context) (any, error) {
 	r.TriggerMode = arf.TriggerMode
 	r.Enable = &enable
 
-	if err := validateRule(c, &r); err != nil {
+	if err := validateRule(&r); err != nil {
 		return 0, err
 	}
 
@@ -164,34 +164,9 @@ func batchDeleteAlertRule(c *gin.Context) (any, error) {
 	return nil, nil
 }
 
-func validateRule(c *gin.Context, r *model.AlertRule) error {
+func validateRule(r *model.AlertRule) error {
 	if len(r.Rules) > 0 {
 		for _, rule := range r.Rules {
-			singleton.ServerLock.RLock()
-			isCoverAll := rule.Cover == model.RuleCoverAll
-			isCoverIgnoreAll := rule.Cover == model.RuleCoverIgnoreAll
-			for s, enabled := range rule.Ignore {
-				if isCoverAll {
-					for id, server := range singleton.ServerList {
-						if enabled && id == s {
-							continue
-						}
-						if !server.HasPermission(c) {
-							singleton.ServerLock.RUnlock()
-							return singleton.Localizer.ErrorT("permission denied")
-						}
-					}
-				} else if isCoverIgnoreAll && enabled {
-					if server, ok := singleton.ServerList[s]; ok {
-						if !server.HasPermission(c) {
-							singleton.ServerLock.RUnlock()
-							return singleton.Localizer.ErrorT("permission denied")
-						}
-					}
-				}
-			}
-			singleton.ServerLock.RUnlock()
-
 			if !rule.IsTransferDurationRule() {
 				if rule.Duration < 3 {
 					return singleton.Localizer.ErrorT("duration need to be at least 3")

cmd/dashboard/controller/service.go

@@ -210,10 +210,6 @@ func createService(c *gin.Context) (uint64, error) {
 	m.RecoverTriggerTasks = mf.RecoverTriggerTasks
 	m.FailTriggerTasks = mf.FailTriggerTasks
 
-	if err := validateServers(c, &m); err != nil {
-		return 0, err
-	}
-
 	if err := singleton.DB.Create(&m).Error; err != nil {
 		return 0, newGormError("%v", err)
 	}
@@ -355,32 +351,3 @@ func batchDeleteService(c *gin.Context) (any, error) {
 	singleton.ServiceSentinelShared.UpdateServiceList()
 	return nil, nil
 }
-
-func validateServers(c *gin.Context, ss *model.Service) error {
-	singleton.ServerLock.RLock()
-	defer singleton.ServerLock.RUnlock()
-
-	isCoverAll := ss.Cover == model.ServiceCoverAll
-	isCoverIgnoreAll := ss.Cover == model.ServiceCoverIgnoreAll
-
-	for s, enabled := range ss.SkipServers {
-		if isCoverAll {
-			for id, server := range singleton.ServerList {
-				if enabled && id == s {
-					continue
-				}
-				if !server.HasPermission(c) {
-					return singleton.Localizer.ErrorT("permission denied")
-				}
-			}
-		} else if isCoverIgnoreAll && enabled {
-			if server, ok := singleton.ServerList[s]; ok {
-				if !server.HasPermission(c) {
-					return singleton.Localizer.ErrorT("permission denied")
-				}
-			}
-		}
-	}
-
-	return nil
-}

cmd/dashboard/controller/waf.go

@@ -18,7 +18,7 @@ import (
 // @Param limit query uint false "Page limit"
 // @Param offset query uint false "Page offset"
 // @Produce json
-// @Success 200 {object} model.CommonResponse[[]model.WAFApiMock]
+// @Success 200 {object} model.PaginatedResponse[[]model.WAFApiMock, model.WAFApiMock]
 // @Router /waf [get]
 func listBlockedAddress(c *gin.Context) (*model.Value[[]*model.WAF], error) {
 	limit, err := strconv.Atoi(c.Query("limit"))

cmd/dashboard/rpc/rpc.go

@@ -100,12 +100,28 @@ func DispatchTask(serviceSentinelDispatchBus <-chan model.Service) {
 				continue
 			}
 			if task.Cover == model.ServiceCoverIgnoreAll && task.SkipServers[singleton.SortedServerList[workedServerIndex].ID] {
-				singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+				var role uint8 = model.RoleMember
+				server := singleton.SortedServerList[workedServerIndex]
+				if err := singleton.DB.Model(&model.User{}).Select("role").Where("id = ?", task.UserID).Limit(1).Scan(&role).Error; err != nil {
+					workedServerIndex++
+					continue
+				}
+				if task.UserID == server.UserID || role == model.RoleAdmin {
+					singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+				}
 				workedServerIndex++
 				continue
 			}
 			if task.Cover == model.ServiceCoverAll && !task.SkipServers[singleton.SortedServerList[workedServerIndex].ID] {
-				singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+				var role uint8 = model.RoleMember
+				server := singleton.SortedServerList[workedServerIndex]
+				if err := singleton.DB.Model(&model.User{}).Select("role").Where("id = ?", task.UserID).Limit(1).Scan(&role).Error; err != nil {
+					workedServerIndex++
+					continue
+				}
+				if task.UserID == server.UserID || role == model.RoleAdmin {
+					singleton.SortedServerList[workedServerIndex].TaskStream.Send(task.PB())
+				}
 				workedServerIndex++
 				continue
 			}

model/alertrule.go

@@ -63,9 +63,18 @@ func (r *AlertRule) Enabled() bool {
 
 // Snapshot 对传入的Server进行该报警规则下所有type的检查 返回每项检查结果
 func (r *AlertRule) Snapshot(cycleTransferStats *CycleTransferStats, server *Server, db *gorm.DB) []bool {
-	point := make([]bool, 0, len(r.Rules))
-	for _, rule := range r.Rules {
-		point = append(point, rule.Snapshot(cycleTransferStats, server, db))
+	point := make([]bool, len(r.Rules))
+
+	var role uint8 = RoleMember
+	if err := db.Model(&User{}).Select("role").Where("id = ?", r.UserID).Limit(1).Scan(&role).Error; err != nil {
+		return point
+	}
+	if r.UserID != server.UserID && role != RoleAdmin {
+		return point
+	}
+
+	for i, rule := range r.Rules {
+		point[i] = rule.Snapshot(cycleTransferStats, server, db)
 	}
 	return point
 }