fix: 修复公共流程无法重新执行，提示无权限问题 #7434

gcloud/core/apis/drf/viewsets/taskflow.py

@@ -65,7 +65,10 @@
 from gcloud.core.models import EngineConfig
 from gcloud.iam_auth import IAMMeta, get_iam_client, res_factory
 from gcloud.iam_auth.conf import TASK_ACTIONS
-from gcloud.iam_auth.utils import get_common_flow_allowed_actions_for_user, get_flow_allowed_actions_for_user
+from gcloud.iam_auth.utils import (
+    get_common_flow_allowed_actions_for_user_and_project,
+    get_flow_allowed_actions_for_user,
+)
 from gcloud.taskflow3.domains.auto_retry import AutoRetryNodeStrategyCreator
 from gcloud.taskflow3.models import TaskConfig, TaskFlowInstance, TaskFlowRelation, TimeoutNodeConfig
 from gcloud.tasktmpl3.models import TaskTemplate
@@ -336,10 +339,11 @@ def _inject_template_related_info(request, data):
             for instance in data
             if instance["template_id"] and instance["template_source"] == "common"
         ]
-        common_templates_allowed_actions = get_common_flow_allowed_actions_for_user(
+        common_templates_allowed_actions = get_common_flow_allowed_actions_for_user_and_project(
             request.user.username,
             [IAMMeta.COMMON_FLOW_VIEW_ACTION, IAMMeta.COMMON_FLOW_CREATE_TASK_ACTION],
             common_template_ids,
+            request.query_params.get("project_id"),
         )
         common_template_info = CommonTemplate.objects.filter(id__in=common_template_ids).values(
             "id", "pipeline_template__name", "is_deleted"

gcloud/iam_auth/res_factory.py

@@ -14,13 +14,13 @@
 from iam import Resource
 
 from gcloud.clocked_task.models import ClockedTask
-from gcloud.core.models import Project
 from gcloud.common_template.models import CommonTemplate
-from gcloud.tasktmpl3.models import TaskTemplate
-from gcloud.taskflow3.models import TaskFlowInstance
-from gcloud.periodictask.models import PeriodicTask
 from gcloud.contrib.appmaker.models import AppMaker
+from gcloud.core.models import Project
 from gcloud.iam_auth import IAMMeta
+from gcloud.periodictask.models import PeriodicTask
+from gcloud.taskflow3.models import TaskFlowInstance
+from gcloud.tasktmpl3.models import TaskTemplate
 
 # flow
 
@@ -345,3 +345,25 @@ def resources_for_function_task_obj(task_obj):
             },
         )
     ]
+
+
+def resources_list_for_common_flows_project(common_flow_id_list, project_id):
+    qs = CommonTemplate.objects.filter(id__in=common_flow_id_list, is_deleted=False).values(
+        "id", "pipeline_template__creator", "pipeline_template__name"
+    )
+
+    return [
+        [
+            Resource(
+                IAMMeta.SYSTEM_ID,
+                IAMMeta.COMMON_FLOW_RESOURCE,
+                str(value["id"]),
+                {
+                    "iam_resource_owner": value["pipeline_template__creator"],
+                    "_bk_iam_path_": "/project,{}/".format(project_id),
+                    "name": value["pipeline_template__name"],
+                },
+            )
+        ]
+        for value in qs
+    ]

gcloud/iam_auth/utils.py

@@ -12,9 +12,9 @@
 """
 import logging
 
-from iam import Request, MultiActionRequest, Subject, Action
+from iam import Action, MultiActionRequest, Request, Subject
 from iam.contrib.http import HTTP_AUTH_FORBIDDEN_CODE
-from iam.exceptions import MultiAuthFailedException, AuthFailedException, RawAuthFailedException
+from iam.exceptions import AuthFailedException, MultiAuthFailedException, RawAuthFailedException
 from iam.shortcuts import allow_or_raise_auth_failed
 
 from gcloud.core.models import Project
@@ -23,7 +23,6 @@
 from .conf import IAMMeta
 from .shortcuts import get_iam_client
 
-
 logger = logging.getLogger("root")
 iam = get_iam_client()
 
@@ -164,3 +163,17 @@ def check_and_raise_raw_auth_fail_exception(result: dict, message=None):
     if result.get("code", 0) == HTTP_AUTH_FORBIDDEN_CODE:
         logger.warning(message or result.get("message", "[check_and_raise_raw_auth_fail_exception]"))
         raise RawAuthFailedException(permissions=result.get("permission", {}))
+
+
+def get_common_flow_allowed_actions_for_user_and_project(username, actions, common_flow_id_list, project_id):
+    resources_list = res_factory.resources_list_for_common_flows_project(common_flow_id_list, project_id)
+
+    if not resources_list:
+        return {}
+
+    return get_resources_allowed_actions_for_user(
+        username,
+        IAMMeta.SYSTEM_ID,
+        actions,
+        resources_list,
+    )