From 66a52082797be0828aafce7f7d59b8d3a54cfabd Mon Sep 17 00:00:00 2001
From: withchao <993506633@qq.com>
Date: Thu, 22 May 2025 15:31:12 +0800
Subject: [PATCH] fix: add rpc interface permission check
(cherry picked from commit 8483d770810486d6902e261da88c60023a66d91a)
---
 internal/push/push.go | 3 ++-
 internal/rpc/group/cache.go | 3 +--
 internal/rpc/group/group.go | 9 +++++++++
 3 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/internal/push/push.go b/internal/push/push.go
index 13818e93d..f720a52ac 100644
--- a/internal/push/push.go
+++ b/internal/push/push.go
@@ -6,6 +6,7 @@ import (
 "strconv"
 "github.com/openimsdk/open-im-server/v3/internal/push/offlinepush"
+ "github.com/openimsdk/open-im-server/v3/pkg/authverify"
 "github.com/openimsdk/open-im-server/v3/pkg/common/config"
 "github.com/openimsdk/open-im-server/v3/pkg/common/storage/cache"
 "github.com/openimsdk/open-im-server/v3/pkg/common/storage/cache/mcache"
@@ -106,7 +107,7 @@ func Start(ctx context.Context, config *Config, client discovery.Conn, server gr
 go func() {
 pushHandler.WaitCache()
 fn := func(ctx context.Context, key string, value []byte) error {
- pushHandler.HandleMs2PsChat(ctx, value)
+ pushHandler.HandleMs2PsChat(authverify.WithTempAdmin(ctx), value)
 return nil
 }
 consumerCtx := mcontext.SetOperationID(context.Background(), "push_"+strconv.Itoa(int(rand.Uint32())))
diff --git a/internal/rpc/group/cache.go b/internal/rpc/group/cache.go
index ec0e5b566..27b9eb126 100644
--- a/internal/rpc/group/cache.go
+++ b/internal/rpc/group/cache.go
@@ -17,7 +17,6 @@ package group
 import (
 "context"
- "github.com/openimsdk/open-im-server/v3/pkg/authverify"
 "github.com/openimsdk/open-im-server/v3/pkg/common/convert"
 pbgroup "github.com/openimsdk/protocol/group"
 )
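Review bot: The replaced call inside `fn` now hands every consumed message to `HandleMs2PsChat` with `authverify.WithTempAdmin(ctx)`, and nothing at the call site records why administrator rights are acceptable there. Assuming the helper marks the context as an administrator for downstream permission checks, the elevation is sound only because `value` comes from the internal message queue rather than from a client request, and that belongs next to the call, for example `// value comes from the internal queue, not a client request; downstream RPC permission checks need an admin identity`. It is also worth confirming that nothing reachable from `HandleMs2PsChat` relies on the caller identity in the context to decide what a user may see, since such checks would now pass for every message. `Start` begins and ends outside the hunk.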
@@ -34,7 +33,7 @@ func (g *groupServer) GetGroupInfoCache(ctx context.Context, req *pbgroup.GetGro
 }
 func (g *groupServer) GetGroupMemberCache(ctx context.Context, req *pbgroup.GetGroupMemberCacheReq) (*pbgroup.GetGroupMemberCacheResp, error) {
- if err := authverify.CheckAccess(ctx, req.GroupMemberID); err != nil {
+ if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
 return nil, err
 }
 members, err := g.db.TakeGroupMember(ctx, req.GroupID, req.GroupMemberID)
diff --git a/internal/rpc/group/group.go b/internal/rpc/group/group.go
index 2026ba71b..bdf28e273 100644
--- a/internal/rpc/group/group.go
+++ b/internal/rpc/group/group.go
@@ -1308,6 +1308,9 @@ func (g *groupServer) GetGroups(ctx context.Context, req *pbgroup.GetGroupsReq)
 }
 func (g *groupServer) GetGroupMembersCMS(ctx context.Context, req *pbgroup.GetGroupMembersCMSReq) (*pbgroup.GetGroupMembersCMSResp, error) {
+ if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+ return nil, err
+ }
 total, members, err := g.db.SearchGroupMember(ctx, req.UserName, req.GroupID, req.Pagination)
 if err != nil {
 return nil, err
@@ -1717,6 +1720,9 @@ func (g *groupServer) GetUserInGroupMembers(ctx context.Context, req *pbgroup.Ge
 if len(req.GroupIDs) == 0 {
 return nil, errs.ErrArgs.WrapMsg("groupIDs empty")
 }
+ if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+ return nil, err
+ }
 members, err := g.db.FindGroupMemberUser(ctx, req.GroupIDs, req.UserID)
 if err != nil {
 return nil, err
@@ -1748,6 +1754,9 @@ func (g *groupServer) GetGroupMemberRoleLevel(ctx context.Context, req *pbgroup.
 if len(req.RoleLevels) == 0 {
 return nil, errs.ErrArgs.WrapMsg("RoleLevels empty")
 }
+ if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+ return nil, err
+ }
 members, err := g.db.FindGroupMemberRoleLevels(ctx, req.GroupID, req.RoleLevels)
 if err != nil {
 return nil, err
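Review bot: In `GetGroupMemberCache` the guard moved from the requested member (`req.GroupMemberID`) to the group (`req.GroupID`), so `req.GroupMemberID` is no longer authorized at all. Any caller who passes `checkAdminOrInGroup` can read any other member's record in that group through `TakeGroupMember`. If that widening is intended, record it in a doc comment on the method, e.g. `// GetGroupMemberCache returns one member record; the caller must be an admin or a member of req.GroupID.`; if any returned field is meant to be private to the member, it needs filtering for non-admin callers. `checkAdminOrInGroup` is defined outside this diff, so how it treats an empty `GroupID` cannot be confirmed from here, and the function body continues past the hunk.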
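Review bot: `GetGroupMembersCMS` now admits any member of `req.GroupID`, not only administrators, because the added guard is `checkAdminOrInGroup`. The `CMS` suffix suggests an admin-console endpoint; if that is what it is, an admin-only check fits better, since `SearchGroupMember` lets the caller page through the member list filtered by `req.UserName`. If member access is intended, a one-line comment above the guard such as `// group members may list their own group; admins may list any group` would keep a later reader from changing the rule by accident.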
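Review bot: In `GetUserInGroupMembers` the new `authverify.CheckAccess(ctx, req.UserID)` runs after the `len(req.GroupIDs) == 0` validation, so a caller without access who sends an empty list gets an argument error instead of a permission error. The `GetGroupMemberRoleLevel` hunk below has the same order, with `RoleLevels` validated before `checkAdminOrInGroup`. The other two handlers touched by this commit authorize as their first statement; moving the guard above the argument check in both functions makes the handlers consistent and keeps request validation from answering callers who have no access. Both functions start before their hunks, so anything that precedes the validation is not visible here.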