fix(group member api): unauthorized access (#294)

saas/backend/apps/group/views.py

@@ -232,6 +232,7 @@ class GroupMemberViewSet(GroupPermissionMixin, GenericViewSet):
 
     permission_classes = [RolePermission]
     action_permission = {
+        "list": PermissionCodeEnum.MANAGE_GROUP.value,
         "create": PermissionCodeEnum.MANAGE_GROUP.value,
         "destroy": PermissionCodeEnum.MANAGE_GROUP.value,
     }
@@ -251,6 +252,11 @@ class GroupMemberViewSet(GroupPermissionMixin, GenericViewSet):
     def list(self, request, *args, **kwargs):
         group = get_object_or_404(self.queryset, pk=kwargs["id"])
 
+        # 校验权限
+        checker = RoleObjectRelationChecker(request.role)
+        if not checker.check_group(group):
+            raise error_codes.FORBIDDEN.format(message=_("用户组({})不在当前用户身份可访问的范围内").format(group.id), replace=True)
+
         pagination = LimitOffsetPagination()
         limit = pagination.get_limit(request)
         offset = pagination.get_offset(request)