From c1635929401f8303e949e960732209d5366c0edb Mon Sep 17 00:00:00 2001
From: nannan00 <17491932+nannan00@users.noreply.github.com>
Date: Fri, 22 Oct 2021 16:17:55 +0800
Subject: [PATCH] fix(group member api): unauthorized access (#294)

---
 saas/backend/apps/group/views.py | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/saas/backend/apps/group/views.py b/saas/backend/apps/group/views.py
index ac053feeb..b03db2905 100644
--- a/saas/backend/apps/group/views.py
+++ b/saas/backend/apps/group/views.py
@@ -232,6 +232,7 @@ class GroupMemberViewSet(GroupPermissionMixin, GenericViewSet):
     permission_classes = [RolePermission]
     action_permission = {
+        "list": PermissionCodeEnum.MANAGE_GROUP.value,
         "create": PermissionCodeEnum.MANAGE_GROUP.value,
         "destroy": PermissionCodeEnum.MANAGE_GROUP.value,
     }
@@ -251,6 +252,11 @@ class GroupMemberViewSet(GroupPermissionMixin, GenericViewSet):
     def list(self, request, *args, **kwargs):
         group = get_object_or_404(self.queryset, pk=kwargs["id"])
 
+        # 校验权限
+        checker = RoleObjectRelationChecker(request.role)
+        if not checker.check_group(group):
+            raise error_codes.FORBIDDEN.format(message=_("用户组({})不在当前用户身份可访问的范围内").format(group.id), replace=True)
+
         pagination = LimitOffsetPagination()
         limit = pagination.get_limit(request)
         offset = pagination.get_offset(request)
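Review bot: The scope check added to `list` runs only after `get_object_or_404(self.queryset, pk=kwargs["id"])` has succeeded, so a caller whose role does not cover the group receives 403 for an existing id and 404 for a missing one, which distinguishes valid group ids from invalid ones; if that distinction matters here, either narrow the lookup to the role's accessible groups before the 404, or return the same response in both cases. The comment `# 校验权限` says only that something is checked; it would help a maintainer to state what is enforced, e.g. `# Authorization: the requesting role may only list members of groups inside its manageable scope (RoleObjectRelationChecker), mirroring create/destroy`. Whether `create` and `destroy` apply the same `RoleObjectRelationChecker` via GroupPermissionMixin is not visible in this hunk, so consider moving this check into a shared object-retrieval hook so every action on the group enforces it in one place rather than per method. The body of `list` continues past the end of the hunk.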