cookieY / Yearning

🐳 A most popular sql audit platform for mysql
http://next.yearning.io/
GNU Affero General Public License v3.0

[Question] Query review is ineffective #1126

Closed linjicong closed 2 weeks ago

linjicong commented 3 weeks ago

Describe the problem: after enabling the query review feature and applying for permission on only one database, any database the user has permission for can be queried by modifying the URL.

Reproduction: steps to reproduce the behavior:

  1. Work order application, Query, submit the query (screenshot attached)
  2. Work order application, DML, open the work order form for any database, then replace /#/apply/order? in the URL with /#/apply/query?; switching the source parameter queries a different database

Expected result: only the database that was applied for can be queried

Screenshot

Deployment method

Environment (please fill in environment information):

Additional log information: add all logs related to this issue here.

Issues-translate-bot commented 3 weeks ago

Bot detected that the issue body's language is not English and translated it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


Title: [Question] Query review failed

Describe the problem: After turning on the query review function, you only apply for permission to one database. By changing the URL, you can perform a query against any authorized database.

Recurrence: Steps to reproduce the behavior:

  1. Work order application, query, submit query image
  2. For work order application, DML, enter the work order filling interface of any database, replace /#/apply/order? in the URL with /#/apply/query?, and switch the source parameter to realize the query of different databases.

Desired results: Only the database that has been applied for can be queried

screenshot

Deployment method

Environment (please fill in environmental information):

Additional log information: Add all logs about the issue here.

dosubot[bot] commented 3 weeks ago

@linjicong Hello! I am a bot that can help you fix bugs, answer questions, and become a contributor. I will help you all the way while you wait for a human maintainer.

To address the issue of unauthorized database queries by modifying the URL, you can implement the following measures to ensure that only approved databases can be queried:

  1. Permission Verification: Use the lib.SourceControl structure's Equal method in the FetchSQLTest function to verify if the user has permission to access a specific data source. If the user lacks permission, return an error message.

    t := new(lib.Token).JwtParse(c) // parse the caller's JWT from the request context
    // bind the check to the caller, the operation kind, the requested data source and the work order
    control := lib.SourceControl{User: t.Username, Kind: u.Kind, SourceId: u.SourceId, WorkId: u.WorkId}
    if !control.Equal() { // caller has no permission on this data source: refuse the operation
        return c.JSON(http.StatusOK, common.ERR_COMMON_MESSAGE(errors.New("您没有该数据源权限,无法执行该操作")))
    }
  2. Query Audit: In the FetchSource function, check if the query audit feature is enabled. If it is, verify if the user has an ongoing query order and return the allowed data sources based on the order status.

    // query review enabled and the user has an approved (status 2) query order:
    // expose only the data source that order was granted for
    if model.GloOther.Query && model.DB().Model(model.CoreQueryOrder{}).Where("username =? and `status` =2", user.Username).Last(&ord).Error != gorm.ErrRecordNotFound {
        model.DB().Select("source,id_c,source_id").Where("source_id =?", ord.SourceId).Find(&source)
    } else {
        // otherwise fall back to the user's general query scope
        model.DB().Select("source,id_c,source_id").Where("source_id IN (?)", p.QuerySource).Find(&source)
    }

These steps can effectively prevent users from performing unauthorized database queries by altering the URL [1].

To continue talking to Dosu, mention @dosu.
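As an added illustration of the fix outlined above (example code written for this thread, not code from the Yearning project; the types, function names and sample data are hypothetical), the Go snippet contrasts authorizing a query against the user's general query scope, which is what the report bypasses by switching the source parameter, with binding the query to the data source on the user's approved query order:

```go
package main
import (
	"errors"
	"fmt"
)

type QueryOrder struct { // hypothetical approved query work order
	Username string
	SourceID string
	Status   int // 2 = approved, as in the `status` = 2 check quoted above
}

type User struct { // hypothetical user; QuerySource is the general query scope
	Name        string
	QuerySource []string
}
var ErrNoSourcePermission = errors.New("no permission on this data source")

// Weak check: any source in the general scope passes, so switching the source parameter works.
func allowedByScope(u User, sourceID string) bool {
	for _, s := range u.QuerySource {
		if s == sourceID {
			return true
		}
	}
	return false
}

// Corrected check: with query review on, only the source on the user's approved order passes.
func allowedByOrder(review bool, u User, orders []QueryOrder, sourceID string) error {
	if !review { // review off: the general scope is the whole policy
		if allowedByScope(u, sourceID) {
			return nil
		}
		return ErrNoSourcePermission
	}
	for _, o := range orders {
		if o.Username == u.Name && o.Status == 2 && o.SourceID == sourceID {
			return nil
		}
	}
	return ErrNoSourcePermission
}

func main() { // constructed sample: scope covers src-1 and src-2, the order grants only src-1
	u := User{Name: "alice", QuerySource: []string{"src-1", "src-2"}}
	orders := []QueryOrder{{Username: "alice", SourceID: "src-1", Status: 2}}
	fmt.Println(allowedByScope(u, "src-2"), allowedByOrder(true, u, orders, "src-2"))
}
```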

cookieY commented 3 weeks ago

The conditions to reproduce this should be:

  1. Query review is enabled
  2. The sourceId being switched to is within the user's query scope?

Issues-translate-bot commented 3 weeks ago

Bot detected that the issue body's language is not English and translated it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


The conditions for this recurrence should be

  1. Start query review
  2. Does the switched sourceId belong to the user query range?

linjicong commented 3 weeks ago

The conditions to reproduce this should be:

  1. Query review is enabled
  2. The sourceId being switched to is within the user's query scope?

Yes, the sourceId switched to is within the user's query scope, but it is not the sourceId that was applied for.

Issues-translate-bot commented 3 weeks ago

Bot detected that the issue body's language is not English and translated it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


The conditions for this recurrence should be

  1. Enable query review
  2. Does the switched sourceId belong to the user query range?

Yes, the switched sourceId belongs to the user query range, but it is not the applied sourceId.

cookieY commented 2 weeks ago

Fixed in the latest version.

Issues-translate-bot commented 2 weeks ago

Bot detected that the issue body's language is not English and translated it automatically. 👯👭🏻🧑‍🤝‍🧑👫🧑🏿‍🤝‍🧑🏻👩🏾‍🤝‍👨🏿👬🏿


The latest version has been fixed