From a6af7130b10973ca8ad6dbf06b284542b2879ed8 Mon Sep 17 00:00:00 2001
From: chenweiqing
Date: Tue, 17 Jun 2025 17:30:48 +0800
Subject: [PATCH] =?UTF-8?q?=E5=A2=9E=E5=8A=A0=E5=A4=87=E4=BB=BD=E5=8A=9F?= =?UTF-8?q?=E8=83=BD=E7=9A=84=E6=9D=83=E9=99=90=E6=A0=A1=E9=AA=8C?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../magicapi/backup/web/MagicBackupController.java | 6 ++++++
 .../ssssssss/magicapi/core/web/MagicController.java | 11 ++++++++---
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java b/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
index 0142144c..a6d8fbe1 100644
--- a/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
+++ b/magic-api/src/main/java/org/ssssssss/magicapi/backup/web/MagicBackupController.java
@@ -7,6 +7,7 @@ import org.springframework.web.bind.annotation.PostMapping;
 import org.springframework.web.bind.annotation.ResponseBody;
 import org.ssssssss.magicapi.backup.model.Backup;
 import org.ssssssss.magicapi.core.config.Constants;
+import org.ssssssss.magicapi.core.interceptor.Authorization;
 import org.ssssssss.magicapi.core.web.MagicController;
 import org.ssssssss.magicapi.core.web.MagicExceptionHandler;
 import org.ssssssss.magicapi.core.config.MagicConfiguration;
@@ -33,6 +34,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backups")
 @ResponseBody
 public JsonBean> backups(Long timestamp) {
+isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 if(service == null){
 return new JsonBean<>(Collections.emptyList());
 }
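Review bot: The permission guard `isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);` is hand-placed as the first statement of `backups(Long timestamp)` and repeated in the four later hunks of this file (old lines 42, 51, 77 and 88), so the controller stays protected only while every handler remembers the line. Nothing in the patch documents that rule or tests it; I would add a class-level comment such as `// Every mapping in this controller must start with an allowVisit(...) check` and a test per mapping that expects `PERMISSION_INVALID` for a user without the permission. Placing the guard before the `service == null` branch is the right order, since an unauthorised caller then cannot tell whether backups are enabled. The method body continues past the end of this hunk.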
@@ -42,6 +44,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backup/{id}")
 @ResponseBody
 public JsonBean> backups(@PathVariable("id") String id) {
+isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 if(service == null || StringUtils.isBlank(id)){
 return new JsonBean<>(Collections.emptyList());
 }
@@ -51,6 +54,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @PostMapping("/backup/rollback")
 @ResponseBody
 public JsonBean rollback(String id, Long timestamp) throws IOException {
+isTrue(allowVisit(Authorization.SAVE), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 Backup backup = service.backupInfo(id, timestamp);
 if("full".equals(id)){
@@ -77,6 +81,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @GetMapping("/backup")
 @ResponseBody
 public JsonBean backup(Long timestamp, String id) {
+isTrue(allowVisit(Authorization.VIEW), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 notBlank(id, PARAMETER_INVALID);
 notNull(timestamp, PARAMETER_INVALID);
@@ -88,6 +93,7 @@ public class MagicBackupController extends MagicController implements MagicExcep
 @PostMapping("/backup/full")
 @ResponseBody
 public JsonBean doBackup() throws IOException {
+isTrue(allowVisit(Authorization.SAVE), PERMISSION_INVALID);
 notNull(service, BACKUP_NOT_ENABLED);
 service.doBackupAll("主动全量备份", WebUtils.currentUserName());
 return new JsonBean<>(true);
diff --git a/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java b/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
index d494acf4..ef30d554 100644
--- a/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
+++ b/magic-api/src/main/java/org/ssssssss/magicapi/core/web/MagicController.java
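Review bot: In `rollback` (hunk at old line 51) the added guard tests only the global `Authorization.SAVE` permission and runs before the target is resolved by `service.backupInfo(id, timestamp)`, so the decision is never scoped to the resource being restored, nor to the `"full".equals(id)` branch. `MagicController` also has `allowVisit` overloads that take a `MagicEntity` or a `Group`, which suggests deployments can restrict access per resource; for those, a user allowed to save one resource could roll back another. I would either re-check with the entity/group overload once the backup is loaded, or state the limitation next to the guard, e.g. `// global SAVE check only; not scoped to the entity or group being restored`. The rest of `rollback` lies outside the hunk, so a later per-resource check may already exist there.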
@@ -17,6 +17,7 @@ import org.ssssssss.magicapi.core.model.MagicEntity;
 import org.ssssssss.magicapi.core.service.MagicAPIService;
 import org.ssssssss.magicapi.core.service.MagicResourceService;
 import org.ssssssss.magicapi.core.servlet.MagicHttpServletRequest;
+import org.ssssssss.magicapi.utils.WebUtils;
 
 import java.util.List;
 import java.util.Objects;
@@ -53,7 +54,11 @@ public class MagicController implements JsonCodeConstants {
 /**
 * 判断是否有权限访问按钮
 */
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization) {
+ public boolean allowVisit(Authorization authorization) {
+ return allowVisit(WebUtils.magicRequestContextHolder.getRequest(), authorization);
+ }
+
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization) {
 if (authorization == null) {
 return true;
 }
@@ -61,7 +66,7 @@ public class MagicController implements JsonCodeConstants {
 return configuration.getAuthorizationInterceptor().allowVisit(magicUser, request, authorization);
 }
 
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, MagicEntity entity) {
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, MagicEntity entity) {
 if (authorization == null) {
 return true;
 }
@@ -69,7 +74,7 @@ public class MagicController implements JsonCodeConstants {
 return configuration.getAuthorizationInterceptor().allowVisit(magicUser, request, authorization, entity);
 }
 
- boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, Group group) {
+ public boolean allowVisit(MagicHttpServletRequest request, Authorization authorization, Group group) {
 if (authorization == null) {
 return true;
 }
-- 
Gitee
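Review bot: The new one-argument `allowVisit(Authorization)` (hunk at old line 53) inherits the fail-open branch of the overload it delegates to, `if (authorization == null) { return true; }`, so a caller that passes a null permission is treated as allowed. Because this overload is new and every call site in the commit passes a constant, it can deny instead: `return authorization != null && allowVisit(WebUtils.magicRequestContextHolder.getRequest(), authorization);`. The three existing overloads are also widened from package-private to `public`, although the only caller shown is a subclass in another package, for which `protected` would be enough. Whether `getRequest()` can return null outside a request thread is not visible here; if it can, the interceptor is handed a null request and that case deserves a comment on the new method. The bodies of the existing overloads continue outside their hunks.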