feat: add rpc interface permission check (#3366)

* pb * fix: Modifying other fields while setting IsPrivateChat does not take effect * fix: quote message error revoke * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * upgrading pkg tools * fix * fix * optimize log output * feat: support GetLastMessage * feat: support GetLastMessage * feat: s3 switch * feat: s3 switch * fix: GetUsersOnline * feat: SendBusinessNotification supported configuration parameters * feat: SendBusinessNotification supported configuration parameters * feat: SendBusinessNotification supported configuration parameters * feat: seq conversion failed without exiting * fix: DeleteDoc crash * fix: fill send time * fix: fill send time * fix: crash caused by withdrawing messages from users who have left the group * fix: user msg timestamp * seq read config * seq read config * fix: the source message of the reference is withdrawn, and the referenced message is deleted * feat: optimize the default notification.yml * fix: shouldPushOffline * fix: the sorting is wrong after canceling the administrator in group settings * feat: Sending messages supports returning fields modified by webhook * feat: Sending messages supports returning fields modified by webhook * feat: Sending messages supports returning fields modified by webhook * fix: oss specifies content-type when uploading * fix: the version number contains a line break * fix: the version number contains a line break * feat: GetConversationsHasReadAndMaxSeq support pinned * feat: GetConversationsHasReadAndMaxSeq support pinned * feat: GetConversationsHasReadAndMaxSeq support pinned * fix: transferring the group owner to a muted member, incremental version error * feat: unified conversion code * feat: update gomake * fix: in standalone mode, the user online status is wrong * fix: add permission check * fix: add permission check (cherry picked from commit 748d783d36) # Conflicts: # internal/rpc/conversation/conversation.go # internal/rpc/group/cache.go # internal/rpc/group/statistics.go # internal/rpc/msg/send.go
2026-05-06 10:05:58 +08:00 · 2025-05-20 11:30:00 +08:00
parent ab32167b19
commit 505ce8aad1
23 changed files with 516 additions and 180 deletions
@@ -17,13 +17,14 @@ package group
 import (
 	"context"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/open-im-server/v3/pkg/common/convert"
 	pbgroup "github.com/openimsdk/protocol/group"
 )

 // GetGroupInfoCache get group info from cache.
-func (s *groupServer) GetGroupInfoCache(ctx context.Context, req *pbgroup.GetGroupInfoCacheReq) (*pbgroup.GetGroupInfoCacheResp, error) {
-	group, err := s.db.TakeGroup(ctx, req.GroupID)
+func (g *groupServer) GetGroupInfoCache(ctx context.Context, req *pbgroup.GetGroupInfoCacheReq) (*pbgroup.GetGroupInfoCacheResp, error) {
+	group, err := g.db.TakeGroup(ctx, req.GroupID)
 	if err != nil {
 		return nil, err
 	}
@@ -32,8 +33,11 @@ func (s *groupServer) GetGroupInfoCache(ctx context.Context, req *pbgroup.GetGro
 	}, nil
 }

-func (s *groupServer) GetGroupMemberCache(ctx context.Context, req *pbgroup.GetGroupMemberCacheReq) (*pbgroup.GetGroupMemberCacheResp, error) {
-	members, err := s.db.TakeGroupMember(ctx, req.GroupID, req.GroupMemberID)
+func (g *groupServer) GetGroupMemberCache(ctx context.Context, req *pbgroup.GetGroupMemberCacheReq) (*pbgroup.GetGroupMemberCacheResp, error) {
+	if err := authverify.CheckAccess(ctx, req.GroupMemberID); err != nil {
+		return nil, err
+	}
+	members, err := g.db.TakeGroupMember(ctx, req.GroupID, req.GroupMemberID)
 	if err != nil {
 		return nil, err
 	}
@@ -476,6 +476,19 @@ func (g *groupServer) GetGroupAllMember(ctx context.Context, req *pbgroup.GetGro
 	if err != nil {
 		return nil, err
 	}
+	if !authverify.IsAdmin(ctx) {
+		var inGroup bool
+		opUserID := mcontext.GetOpUserID(ctx)
+		for _, member := range members {
+			if member.UserID == opUserID {
+				inGroup = true
+				break
+			}
+		}
+		if !inGroup {
+			return nil, errs.ErrNoPermission.WrapMsg("opuser not in group")
+		}
+	}
 	if err := g.PopulateGroupMember(ctx, members...); err != nil {
 		return nil, err
 	}
@@ -486,11 +499,24 @@ func (g *groupServer) GetGroupAllMember(ctx context.Context, req *pbgroup.GetGro
 	return &resp, nil
 }

+func (g *groupServer) checkAdminOrInGroup(ctx context.Context, groupID string) error {
+	if authverify.IsAdmin(ctx) {
+		return nil
+	}
+	opUserID := mcontext.GetOpUserID(ctx)
+	members, err := g.db.FindGroupMembers(ctx, groupID, []string{opUserID})
+	if err != nil {
+		return err
+	}
+	if len(members) == 0 {
+		return errs.ErrNoPermission.WrapMsg("op user not in group")
+	}
+	return nil
+}
+
 func (g *groupServer) GetGroupMemberList(ctx context.Context, req *pbgroup.GetGroupMemberListReq) (*pbgroup.GetGroupMemberListResp, error) {
-	if opUserID := mcontext.GetOpUserID(ctx); !datautil.Contain(opUserID, g.config.Share.IMAdminUserID...) {
-		if _, err := g.db.TakeGroupMember(ctx, req.GroupID, opUserID); err != nil {
-			return nil, err
-		}
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
 	}
 	var (
 		total   int64
@@ -631,6 +657,9 @@ func (g *groupServer) GetGroupMembersInfo(ctx context.Context, req *pbgroup.GetG
 	if req.GroupID == "" {
 		return nil, errs.ErrArgs.WrapMsg("groupID empty")
 	}
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
+	}
 	members, err := g.getGroupMembersInfo(ctx, req.GroupID, req.UserIDs)
 	if err != nil {
 		return nil, err
@@ -658,6 +687,9 @@ func (g *groupServer) getGroupMembersInfo(ctx context.Context, groupID string, u

 // GetGroupApplicationList handles functions that get a list of group requests.
 func (g *groupServer) GetGroupApplicationList(ctx context.Context, req *pbgroup.GetGroupApplicationListReq) (*pbgroup.GetGroupApplicationListResp, error) {
+	if err := authverify.CheckAccess(ctx, req.FromUserID); err != nil {
+		return nil, err
+	}
 	groupIDs, err := g.db.FindUserManagedGroupID(ctx, req.FromUserID)
 	if err != nil {
 		return nil, err
@@ -1652,6 +1684,11 @@ func (g *groupServer) GetGroupAbstractInfo(ctx context.Context, req *pbgroup.Get
 	if datautil.Duplicate(req.GroupIDs) {
 		return nil, errs.ErrArgs.WrapMsg("groupIDs duplicate")
 	}
+	for _, groupID := range req.GroupIDs {
+		if err := g.checkAdminOrInGroup(ctx, groupID); err != nil {
+			return nil, err
+		}
+	}
 	groups, err := g.db.FindGroup(ctx, req.GroupIDs)
 	if err != nil {
 		return nil, err
@@ -1699,6 +1736,9 @@ func (g *groupServer) GetGroupMemberUserIDs(ctx context.Context, req *pbgroup.Ge
 	if err != nil {
 		return nil, err
 	}
+	if err := authverify.CheckAccessIn(ctx, userIDs...); err != nil {
+		return nil, err
+	}
 	return &pbgroup.GetGroupMemberUserIDsResp{
 		UserIDs: userIDs,
 	}, nil
@@ -18,24 +18,28 @@ import (
 	"context"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/protocol/group"
 	"github.com/openimsdk/tools/errs"
 )

-func (s *groupServer) GroupCreateCount(ctx context.Context, req *group.GroupCreateCountReq) (*group.GroupCreateCountResp, error) {
+func (g *groupServer) GroupCreateCount(ctx context.Context, req *group.GroupCreateCountReq) (*group.GroupCreateCountResp, error) {
 	if req.Start > req.End {
 		return nil, errs.ErrArgs.WrapMsg("start > end: %d > %d", req.Start, req.End)
 	}
-	total, err := s.db.CountTotal(ctx, nil)
+	if err := authverify.CheckAdmin(ctx); err != nil {
+		return nil, err
+	}
+	total, err := g.db.CountTotal(ctx, nil)
 	if err != nil {
 		return nil, err
 	}
 	start := time.UnixMilli(req.Start)
-	before, err := s.db.CountTotal(ctx, &start)
+	before, err := g.db.CountTotal(ctx, &start)
 	if err != nil {
 		return nil, err
 	}
-	count, err := s.db.CountRangeEverydayTotal(ctx, start, time.UnixMilli(req.End))
+	count, err := g.db.CountRangeEverydayTotal(ctx, start, time.UnixMilli(req.End))
 	if err != nil {
 		return nil, err
 	}
@@ -11,9 +11,6 @@ import (
 	"github.com/openimsdk/protocol/constant"
 	pbgroup "github.com/openimsdk/protocol/group"
 	"github.com/openimsdk/protocol/sdkws"
-	"github.com/openimsdk/tools/errs"
-	"github.com/openimsdk/tools/mcontext"
-	"github.com/openimsdk/tools/utils/datautil"
 )

 const versionSyncLimit = 500
@@ -23,10 +20,8 @@ func (g *groupServer) GetFullGroupMemberUserIDs(ctx context.Context, req *pbgrou
 	if err != nil {
 		return nil, err
 	}
-	if opUserID := mcontext.GetOpUserID(ctx); !datautil.Contain(opUserID, g.config.Share.IMAdminUserID...) {
-		if !datautil.Contain(opUserID, userIDs...) {
-			return nil, errs.ErrNoPermission.WrapMsg("user not in group")
-		}
+	if err := authverify.CheckAccessIn(ctx, userIDs...); err != nil {
+		return nil, err
 	}
 	vl, err := g.db.FindMaxGroupMemberVersionCache(ctx, req.GroupID)
 	if err != nil {
@@ -69,6 +64,9 @@ func (g *groupServer) GetFullJoinGroupIDs(ctx context.Context, req *pbgroup.GetF
 }

 func (g *groupServer) GetIncrementalGroupMember(ctx context.Context, req *pbgroup.GetIncrementalGroupMemberReq) (*pbgroup.GetIncrementalGroupMemberResp, error) {
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
+	}
 	group, err := g.db.TakeGroup(ctx, req.GroupID)
 	if err != nil {
 		return nil, err
@@ -76,9 +74,6 @@ func (g *groupServer) GetIncrementalGroupMember(ctx context.Context, req *pbgrou
 	if group.Status == constant.GroupStatusDismissed {
 		return nil, servererrs.ErrDismissedAlready.Wrap()
 	}
-	if _, err := g.db.TakeGroupMember(ctx, req.GroupID, mcontext.GetOpUserID(ctx)); err != nil {
-		return nil, err
-	}
 	var (
 		hasGroupUpdate bool
 		sortVersion    uint64