fix: fix ID type in permission (#2006)

AllureCurtain · web-flow · commit d4639d879814 · 2026-03-10T01:08:35.000Z
diff --git a/jupiter/src/storage/note_storage.rs b/jupiter/src/storage/note_storage.rs
@@ -2,7 +2,9 @@ use std::ops::Deref;
 
 use callisto::notes;
 use common::errors::MegaError;
-use sea_orm::{ActiveModelTrait, ActiveValue::Set, EntityTrait, IntoActiveModel};
+use sea_orm::{
+    ActiveModelTrait, ActiveValue::Set, ColumnTrait, EntityTrait, IntoActiveModel, QueryFilter,
+};
 
 use crate::storage::base_storage::{BaseStorage, StorageConnector};
 
@@ -25,6 +27,17 @@ impl NoteStorage {
             .await?;
         Ok(model)
     }
+
+    pub async fn get_note_by_public_id(
+        &self,
+        public_id: &str,
+    ) -> Result<Option<notes::Model>, MegaError> {
+        let model = notes::Entity::find()
+            .filter(notes::Column::PublicId.eq(public_id))
+            .one(self.get_connection())
+            .await?;
+        Ok(model)
+    }
     pub async fn save_note(&self, note: notes::Model) -> Result<(), MegaError> {
         let a_model = note.into_active_model();
         a_model.insert(self.get_connection()).await?;
diff --git a/mono/src/api/api_common/group_permission.rs b/mono/src/api/api_common/group_permission.rs
@@ -24,7 +24,8 @@ pub async fn ensure_admin(state: &MonoApiServiceState, user: &LoginUser) -> Resu
     ))
 }
 
-pub fn parse_resource_context(
+pub async fn resolve_resource_context(
+    state: &MonoApiServiceState,
     resource_type: &str,
     resource_id: &str,
 ) -> Result<(ResourceTypeEnum, ResourceTypeValue, String), ApiError> {
@@ -33,7 +34,8 @@ pub fn parse_resource_context(
         ApiError::bad_request(anyhow!(err))
     })?;
 
-    let validated_resource_id = validate_resource_id(resource_type_value, resource_id)?;
+    let validated_resource_id =
+        resolve_resource_id(state, resource_type_value, resource_id).await?;
 
     Ok((
         resource_type_value.into(),
@@ -62,20 +64,36 @@ pub fn build_user_effective_permission_response(
     }
 }
 
-fn validate_resource_id(
+async fn resolve_resource_id(
+    state: &MonoApiServiceState,
     resource_type: ResourceTypeValue,
     resource_id: &str,
 ) -> Result<String, ApiError> {
+    let normalized_resource_id = resource_id.trim();
+    if normalized_resource_id.is_empty() {
+        tracing::warn!("empty resource_id in request path");
+        return Err(ApiError::bad_request(anyhow!(
+            "resource_id must not be empty"
+        )));
+    }
+
     match resource_type {
         ResourceTypeValue::Note => {
-            let note_id = resource_id.parse::<i64>().map_err(|_| {
-                tracing::warn!("invalid resource_id format");
-                ApiError::bad_request(anyhow!(
-                    "Invalid note resource_id: {}, expected i64 note.id",
-                    resource_id
-                ))
-            })?;
-            Ok(note_id.to_string())
+            let note = state
+                .note_stg()
+                .get_note_by_public_id(normalized_resource_id)
+                .await?
+                .ok_or_else(|| {
+                    tracing::warn!(
+                        resource_id = normalized_resource_id,
+                        "note resource not found"
+                    );
+                    ApiError::not_found(anyhow!(
+                        "Note not found for public_id: {}",
+                        normalized_resource_id
+                    ))
+                })?;
+            Ok(note.public_id)
         }
     }
 }
diff --git a/mono/src/api/router/group_router.rs b/mono/src/api/router/group_router.rs
@@ -19,7 +19,7 @@ use crate::{
     api::{
         MonoApiServiceState,
         api_common::group_permission::{
-            build_user_effective_permission_response, ensure_admin, parse_resource_context,
+            build_user_effective_permission_response, ensure_admin, resolve_resource_context,
         },
         error::ApiError,
         oauth::model::LoginUser,
@@ -393,7 +393,7 @@ async fn list_group_members(
         (status = 400, description = "Invalid request"),
         (status = 401, description = "Unauthorized"),
         (status = 403, description = "Forbidden - admin only"),
-        (status = 404, description = "Group not found"),
+        (status = 404, description = "Resource or group not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -405,7 +405,7 @@ async fn set_resource_permissions(
 ) -> Result<Json<CommonResult<Vec<ResourcePermissionResponse>>>, ApiError> {
     ensure_admin(&state, &user).await?;
     let (resource_type, _, resource_id) =
-        parse_resource_context(resource_type.as_str(), &resource_id)?;
+        resolve_resource_context(&state, resource_type.as_str(), &resource_id).await?;
 
     let permissions = req
         .permissions
@@ -437,6 +437,7 @@ async fn set_resource_permissions(
         (status = 400, description = "Invalid request"),
         (status = 401, description = "Unauthorized"),
         (status = 403, description = "Forbidden - admin only"),
+        (status = 404, description = "Resource not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -447,7 +448,7 @@ async fn get_resource_permissions(
 ) -> Result<Json<CommonResult<Vec<ResourcePermissionResponse>>>, ApiError> {
     ensure_admin(&state, &user).await?;
     let (resource_type, _, resource_id) =
-        parse_resource_context(resource_type.as_str(), &resource_id)?;
+        resolve_resource_context(&state, resource_type.as_str(), &resource_id).await?;
 
     let permissions = state
         .monorepo()
@@ -471,7 +472,7 @@ async fn get_resource_permissions(
         (status = 400, description = "Invalid request"),
         (status = 401, description = "Unauthorized"),
         (status = 403, description = "Forbidden - admin only"),
-        (status = 404, description = "Group not found"),
+        (status = 404, description = "Resource or group not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -483,7 +484,7 @@ async fn update_resource_permissions(
 ) -> Result<Json<CommonResult<Vec<ResourcePermissionResponse>>>, ApiError> {
     ensure_admin(&state, &user).await?;
     let (resource_type, _, resource_id) =
-        parse_resource_context(resource_type.as_str(), &resource_id)?;
+        resolve_resource_context(&state, resource_type.as_str(), &resource_id).await?;
 
     let permissions = req
         .permissions
@@ -515,6 +516,7 @@ async fn update_resource_permissions(
         (status = 400, description = "Invalid request"),
         (status = 401, description = "Unauthorized"),
         (status = 403, description = "Forbidden - admin only"),
+        (status = 404, description = "Resource not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -525,7 +527,7 @@ async fn delete_resource_permissions(
 ) -> Result<Json<CommonResult<DeletePermissionsResponse>>, ApiError> {
     ensure_admin(&state, &user).await?;
     let (resource_type, resource_type_value, resource_id) =
-        parse_resource_context(resource_type.as_str(), &resource_id)?;
+        resolve_resource_context(&state, resource_type.as_str(), &resource_id).await?;
 
     let deleted_count = state
         .monorepo()
@@ -583,6 +585,7 @@ async fn get_user_groups(
         (status = 400, description = "Invalid request"),
         (status = 401, description = "Unauthorized"),
         (status = 403, description = "Forbidden - admin only"),
+        (status = 404, description = "Resource not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -593,7 +596,7 @@ async fn get_user_effective_permission(
 ) -> Result<Json<CommonResult<UserEffectivePermissionResponse>>, ApiError> {
     ensure_admin(&state, &user).await?;
     let (resource_type, resource_type_value, resource_id) =
-        parse_resource_context(resource_type.as_str(), &resource_id)?;
+        resolve_resource_context(&state, resource_type.as_str(), &resource_id).await?;
 
     let effective = state
         .monorepo()
diff --git a/mono/src/api/router/permission_router.rs b/mono/src/api/router/permission_router.rs
@@ -10,7 +10,7 @@ use crate::{
     api::{
         MonoApiServiceState,
         api_common::group_permission::{
-            build_user_effective_permission_response, parse_resource_context,
+            build_user_effective_permission_response, resolve_resource_context,
         },
         error::ApiError,
         oauth::model::LoginUser,
@@ -36,6 +36,7 @@ pub fn routers() -> OpenApiRouter<MonoApiServiceState> {
         (status = 200, body = CommonResult<UserEffectivePermissionResponse>),
         (status = 400, description = "Invalid resource_type or resource_id"),
         (status = 401, description = "Unauthorized"),
+        (status = 404, description = "Resource not found"),
     ),
     tag = GROUP_PERMISSION_TAG
 )]
@@ -47,7 +48,7 @@ async fn get_my_permission(
     let actor = user.username;
 
     let (db_resource_type, resource_type_value, normalized_id) =
-        parse_resource_context(&resource_type, &resource_id)?;
+        resolve_resource_context(&state, &resource_type, &resource_id).await?;
 
     let effective = state
         .monorepo()
