fix: 修复子流程模板权限校验问题 --story=149102381 #443
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# Reviewed, transaction id: 64092
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
代码审查总结
已审查 PR #443 的权限校验改进,发现以下需要关注的问题:
🚨 高优先级问题
1. 运行时安全 (bkflow/permission/models.py:174)
if not getattr(cls, map_func)(db_token, resource_id):getattr(cls, map_func) 缺少异常处理。如果 map_func 为 None 或方法不存在会抛出 AttributeError。
建议:if map_func and hasattr(cls, map_func) and not getattr(cls, map_func)(db_token, resource_id): ...
⚡ 性能风险
2. N+1 查询问题 (bkflow/permission/models.py:205)
template_reference = TemplateReference.objects.filter(subprocess_template_id=current_template_id)每次递归都执行数据库查询,深层嵌套时可能触发大量查询,影响性能。
建议:考虑使用 CTE、缓存或添加递归深度限制(如最大10层)
⚠️ 逻辑完整性
3. 循环引用风险 (bkflow/permission/models.py:211-217)
如果模板引用存在循环依赖(A→B→A),递归会导致无限循环或栈溢出。
建议:添加访问路径跟踪集合 visited_ids = set() 或最大递归深度检查
整体改进合理,建议重点处理第1项的运行时安全问题。
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Reviewed, transaction id: 64092