
[Fix-18299][API] Enforce access token owner checks#18300

Merged
ruanwenjun merged 1 commit into
apache:devfrom
ruanwenjun:fix-18299-access-token-ownership
May 28, 2026

Conversation

@ruanwenjun (Member)

Purpose of the pull request

Close #18299.

Ensure non-admin users can only create or update access tokens for their own user id.

Brief change log

  • Add a service-layer ownership check for access-token create/update target user ids.
  • Add regression tests for non-admin create/update attempts that target another user.

Verify this pull request

  • ./mvnw -q -pl dolphinscheduler-api -am clean test -Dtest=AccessTokenServiceTest#testCreateTokenForOtherUserDeniedForGeneralUser+testUpdateTokenToOtherUserDeniedForGeneralUser -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Djacoco.skip=true -Dspotless.check.skip=true -Drat.skip=true -Dcheckstyle.skip=true
  • ./mvnw -q -pl dolphinscheduler-api -Dtest=AccessTokenServiceTest -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Djacoco.skip=true -Dspotless.check.skip=true -Drat.skip=true -Dcheckstyle.skip=true test
  • ./mvnw -q -pl dolphinscheduler-api -Dtest=AccessTokenServiceTest,AccessTokenControllerTest,AccessTokenResourcePermissionCheckTest -DfailIfNoTests=false -Dsurefire.failIfNoSpecifiedTests=false -Djacoco.skip=true -Dspotless.check.skip=true -Drat.skip=true -Dcheckstyle.skip=true test
  • git diff --check
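
The ownership rule the description states (a non-admin caller may only create or update an access token whose target user id is its own; admins are exempt), as an added example that is not part of this PR or of the DolphinScheduler code base. All class and method names below (AccessTokenService, User, UserType, AccessToken, checkOwnership, ForbiddenException) are hypothetical stand-ins. The unchecked create path is included only to show the "before" shape described in the linked issue; the update path additionally re-checks the token's existing owner, which is this example's own design choice and not something the PR text states.

```java
// Added example, not DolphinScheduler code. Every type and method name here is
// a hypothetical stand-in chosen for illustration.
import java.util.HashMap;
import java.util.Map;

public class AccessTokenOwnershipExample {

    enum UserType { ADMIN_USER, GENERAL_USER }

    record User(int id, UserType type) {
        boolean isAdmin() { return type == UserType.ADMIN_USER; }
    }

    record AccessToken(int tokenId, int userId, String token) {}

    static class ForbiddenException extends RuntimeException {
        ForbiddenException(String msg) { super(msg); }
    }

    static class AccessTokenService {
        private final Map<Integer, AccessToken> store = new HashMap<>();
        private int nextId = 1;

        // The service-layer check: a non-admin caller may only act on its own user id.
        private static void checkOwnership(User loginUser, int targetUserId) {
            if (!loginUser.isAdmin() && loginUser.id() != targetUserId) {
                throw new ForbiddenException("user " + loginUser.id()
                        + " may not manage tokens for user " + targetUserId);
            }
        }

        // "Before" shape: trusts the client-supplied target user id as-is.
        AccessToken createTokenUnchecked(User loginUser, int targetUserId, String token) {
            AccessToken t = new AccessToken(nextId++, targetUserId, token);
            store.put(t.tokenId(), t);
            return t;
        }

        // "After" shape: same operation behind the ownership check.
        AccessToken createToken(User loginUser, int targetUserId, String token) {
            checkOwnership(loginUser, targetUserId);
            return createTokenUnchecked(loginUser, targetUserId, token);
        }

        AccessToken updateToken(User loginUser, int tokenId, int targetUserId, String token) {
            AccessToken existing = store.get(tokenId);
            if (existing == null) {
                throw new IllegalArgumentException("no token " + tokenId);
            }
            // Check both the token's current owner and the requested new owner
            // (the second check is this example's addition): a general user can
            // neither touch someone else's token nor re-home its own token.
            checkOwnership(loginUser, existing.userId());
            checkOwnership(loginUser, targetUserId);
            AccessToken updated = new AccessToken(tokenId, targetUserId, token);
            store.put(tokenId, updated);
            return updated;
        }
    }

    public static void main(String[] args) {
        AccessTokenService svc = new AccessTokenService();
        User admin = new User(1, UserType.ADMIN_USER);
        User alice = new User(2, UserType.GENERAL_USER);
        User bob = new User(3, UserType.GENERAL_USER);

        // Unchecked path: alice mints a token that belongs to bob.
        AccessToken leaked = svc.createTokenUnchecked(alice, bob.id(), "tok-for-bob");
        System.out.println("unchecked: alice created token " + leaked.tokenId()
                + " owned by user " + leaked.userId());

        // Checked path: the same request is refused.
        try {
            svc.createToken(alice, bob.id(), "tok-for-bob");
        } catch (ForbiddenException e) {
            System.out.println("create denied: " + e.getMessage());
        }

        // Own user id is allowed; an admin may target anyone.
        AccessToken own = svc.createToken(alice, alice.id(), "tok-alice");
        svc.createToken(admin, bob.id(), "tok-bob-by-admin");

        // Update: alice cannot move her token to bob's user id.
        try {
            svc.updateToken(alice, own.tokenId(), bob.id(), "tok-moved");
        } catch (ForbiddenException e) {
            System.out.println("update denied: " + e.getMessage());
        }
    }
}
```

Putting the check in the service rather than the controller means every caller that reaches the service, including the update path, goes through it; a controller-only check would be bypassed by any other entry point that calls the same service method.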

@ruanwenjun ruanwenjun added the bug (Something isn't working) and priority:high labels May 27, 2026
@ruanwenjun ruanwenjun added this to the 3.4.2 milestone May 27, 2026
@ruanwenjun ruanwenjun force-pushed the fix-18299-access-token-ownership branch from 15050f4 to 4fd3b6a May 27, 2026 12:38
@ruanwenjun ruanwenjun force-pushed the fix-18299-access-token-ownership branch from 4fd3b6a to 4edfd32 May 27, 2026 12:51
@sonarqubecloud

Quality Gate failed

Failed conditions
0.0% Coverage on New Code (required ≥ 60%)

See analysis details on SonarQube Cloud

@SbloodyS (Member) left a comment


LGTM

@ruanwenjun ruanwenjun merged commit 25c6a87 into apache:dev May 28, 2026
121 of 123 checks passed
@ruanwenjun ruanwenjun deleted the fix-18299-access-token-ownership branch May 28, 2026 06:33


Development

Successfully merging this pull request may close these issues.

[Bug][API] Non-admin users can create or update access tokens for other users

2 participants