feat: add rpc interface permission check (#3366)

* pb * fix: Modifying other fields while setting IsPrivateChat does not take effect * fix: quote message error revoke * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * refactoring scheduled tasks * upgrading pkg tools * fix * fix * optimize log output * feat: support GetLastMessage * feat: support GetLastMessage * feat: s3 switch * feat: s3 switch * fix: GetUsersOnline * feat: SendBusinessNotification supported configuration parameters * feat: SendBusinessNotification supported configuration parameters * feat: SendBusinessNotification supported configuration parameters * feat: seq conversion failed without exiting * fix: DeleteDoc crash * fix: fill send time * fix: fill send time * fix: crash caused by withdrawing messages from users who have left the group * fix: user msg timestamp * seq read config * seq read config * fix: the source message of the reference is withdrawn, and the referenced message is deleted * feat: optimize the default notification.yml * fix: shouldPushOffline * fix: the sorting is wrong after canceling the administrator in group settings * feat: Sending messages supports returning fields modified by webhook * feat: Sending messages supports returning fields modified by webhook * feat: Sending messages supports returning fields modified by webhook * fix: oss specifies content-type when uploading * fix: the version number contains a line break * fix: the version number contains a line break * feat: GetConversationsHasReadAndMaxSeq support pinned * feat: GetConversationsHasReadAndMaxSeq support pinned * feat: GetConversationsHasReadAndMaxSeq support pinned * fix: transferring the group owner to a muted member, incremental version error * feat: unified conversion code * feat: update gomake * fix: in standalone mode, the user online status is wrong * fix: add permission check * fix: add permission check
2025-05-20 19:49:17 +08:00 · 2025-05-20 11:30:00 +08:00 · 2025-05-20 11:30:00 +08:00 · 748d783d36
commit 748d783d36
parent 632a65303c
20 changed files with 222 additions and 63 deletions
--- a/internal/api/conversation.go
+++ b/internal/api/conversation.go
@ -49,9 +49,9 @@ func (o *ConversationApi) SetConversations(c *gin.Context) {
 	a2r.Call(c, conversation.ConversationClient.SetConversations, o.Client)
 }

-func (o *ConversationApi) GetConversationOfflinePushUserIDs(c *gin.Context) {
-	a2r.Call(c, conversation.ConversationClient.GetConversationOfflinePushUserIDs, o.Client)
-}
+//func (o *ConversationApi) GetConversationOfflinePushUserIDs(c *gin.Context) {
+//	a2r.Call(c, conversation.ConversationClient.GetConversationOfflinePushUserIDs, o.Client)
+//}

 func (o *ConversationApi) GetFullOwnerConversationIDs(c *gin.Context) {
 	a2r.Call(c, conversation.ConversationClient.GetFullOwnerConversationIDs, o.Client)
--- a/internal/api/router.go
+++ b/internal/api/router.go
@ -262,7 +262,7 @@ func newGinRouter(ctx context.Context, client discovery.Conn, cfg *Config) (*gin
 		conversationGroup.POST("/get_conversation", c.GetConversation)
 		conversationGroup.POST("/get_conversations", c.GetConversations)
 		conversationGroup.POST("/set_conversations", c.SetConversations)
-		conversationGroup.POST("/get_conversation_offline_push_user_ids", c.GetConversationOfflinePushUserIDs)
+		//conversationGroup.POST("/get_conversation_offline_push_user_ids", c.GetConversationOfflinePushUserIDs)
 		conversationGroup.POST("/get_full_conversation_ids", c.GetFullOwnerConversationIDs)
 		conversationGroup.POST("/get_incremental_conversations", c.GetIncrementalConversation)
 		conversationGroup.POST("/get_owner_conversation", c.GetOwnerConversation)
--- a/internal/rpc/conversation/conversation.go
+++ b/internal/rpc/conversation/conversation.go
@ -19,6 +19,7 @@ import (
 	"sort"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/open-im-server/v3/pkg/dbbuild"
 	"github.com/openimsdk/open-im-server/v3/pkg/rpcli"

@ -117,6 +118,9 @@ func Start(ctx context.Context, config *Config, client discovery.Conn, server gr
 }

 func (c *conversationServer) GetConversation(ctx context.Context, req *pbconversation.GetConversationReq) (*pbconversation.GetConversationResp, error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	conversations, err := c.conversationDatabase.FindConversations(ctx, req.OwnerUserID, []string{req.ConversationID})
 	if err != nil {
 		return nil, err
@ -130,7 +134,9 @@ func (c *conversationServer) GetConversation(ctx context.Context, req *pbconvers
 }

 func (c *conversationServer) GetSortedConversationList(ctx context.Context, req *pbconversation.GetSortedConversationListReq) (resp *pbconversation.GetSortedConversationListResp, err error) {
-	log.ZDebug(ctx, "GetSortedConversationList", "seqs", req, "userID", req.UserID)
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	var conversationIDs []string
 	if len(req.ConversationIDs) == 0 {
 		conversationIDs, err = c.conversationDatabase.GetConversationIDs(ctx, req.UserID)
@ -203,6 +209,9 @@ func (c *conversationServer) GetSortedConversationList(ctx context.Context, req
 }

 func (c *conversationServer) GetAllConversations(ctx context.Context, req *pbconversation.GetAllConversationsReq) (*pbconversation.GetAllConversationsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	conversations, err := c.conversationDatabase.GetUserAllConversation(ctx, req.OwnerUserID)
 	if err != nil {
 		return nil, err
@ -213,6 +222,9 @@ func (c *conversationServer) GetAllConversations(ctx context.Context, req *pbcon
 }

 func (c *conversationServer) GetConversations(ctx context.Context, req *pbconversation.GetConversationsReq) (*pbconversation.GetConversationsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	conversations, err := c.getConversations(ctx, req.OwnerUserID, req.ConversationIDs)
 	if err != nil {
 		return nil, err
@ -233,6 +245,9 @@ func (c *conversationServer) getConversations(ctx context.Context, ownerUserID s
 }

 func (c *conversationServer) SetConversation(ctx context.Context, req *pbconversation.SetConversationReq) (*pbconversation.SetConversationResp, error) {
+	if err := authverify.CheckAccess(ctx, req.GetConversation().GetUserID()); err != nil {
+		return nil, err
+	}
 	var conversation dbModel.Conversation
 	if err := datautil.CopyStructFields(&conversation, req.Conversation); err != nil {
 		return nil, err
@ -247,10 +262,11 @@ func (c *conversationServer) SetConversation(ctx context.Context, req *pbconvers
 }

 func (c *conversationServer) SetConversations(ctx context.Context, req *pbconversation.SetConversationsReq) (*pbconversation.SetConversationsResp, error) {
-	if req.Conversation == nil {
-		return nil, errs.ErrArgs.WrapMsg("conversation must not be nil")
+	for _, userID := range req.UserIDs {
+		if err := authverify.CheckAccess(ctx, userID); err != nil {
+			return nil, err
+		}
 	}
-
 	if req.Conversation.ConversationType == constant.WriteGroupChatType {
 		groupInfo, err := c.groupClient.GetGroupInfo(ctx, req.Conversation.GroupID)
 		if err != nil {
@ -331,6 +347,9 @@ func (c *conversationServer) SetConversations(ctx context.Context, req *pbconver
 }

 func (c *conversationServer) UpdateConversationsByUser(ctx context.Context, req *pbconversation.UpdateConversationsByUserReq) (*pbconversation.UpdateConversationsByUserResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	m := make(map[string]any)
 	if req.Ex != nil {
 		m["ex"] = req.Ex.Value
@ -343,15 +362,8 @@ func (c *conversationServer) UpdateConversationsByUser(ctx context.Context, req
 	return &pbconversation.UpdateConversationsByUserResp{}, nil
 }

-// Get user IDs with "Do Not Disturb" enabled in super large groups.
-func (c *conversationServer) GetRecvMsgNotNotifyUserIDs(ctx context.Context, req *pbconversation.GetRecvMsgNotNotifyUserIDsReq) (*pbconversation.GetRecvMsgNotNotifyUserIDsResp, error) {
-	return nil, errs.New("deprecated")
-}
-
 // create conversation without notification for msg redis transfer.
-func (c *conversationServer) CreateSingleChatConversations(ctx context.Context,
-	req *pbconversation.CreateSingleChatConversationsReq,
-) (*pbconversation.CreateSingleChatConversationsResp, error) {
+func (c *conversationServer) CreateSingleChatConversations(ctx context.Context, req *pbconversation.CreateSingleChatConversationsReq) (*pbconversation.CreateSingleChatConversationsResp, error) {
 	var conversation dbModel.Conversation
 	switch req.ConversationType {
 	case constant.SingleChatType:
@ -454,6 +466,9 @@ func (c *conversationServer) SetConversationMinSeq(ctx context.Context, req *pbc
 }

 func (c *conversationServer) GetConversationIDs(ctx context.Context, req *pbconversation.GetConversationIDsReq) (*pbconversation.GetConversationIDsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	conversationIDs, err := c.conversationDatabase.GetConversationIDs(ctx, req.UserID)
 	if err != nil {
 		return nil, err
@ -462,6 +477,9 @@ func (c *conversationServer) GetConversationIDs(ctx context.Context, req *pbconv
 }

 func (c *conversationServer) GetUserConversationIDsHash(ctx context.Context, req *pbconversation.GetUserConversationIDsHashReq) (*pbconversation.GetUserConversationIDsHashResp, error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	hash, err := c.conversationDatabase.GetUserConversationIDsHash(ctx, req.OwnerUserID)
 	if err != nil {
 		return nil, err
@ -469,10 +487,7 @@ func (c *conversationServer) GetUserConversationIDsHash(ctx context.Context, req
 	return &pbconversation.GetUserConversationIDsHashResp{Hash: hash}, nil
 }

-func (c *conversationServer) GetConversationsByConversationID(
-	ctx context.Context,
-	req *pbconversation.GetConversationsByConversationIDReq,
-) (*pbconversation.GetConversationsByConversationIDResp, error) {
+func (c *conversationServer) GetConversationsByConversationID(ctx context.Context, req *pbconversation.GetConversationsByConversationIDReq) (*pbconversation.GetConversationsByConversationIDResp, error) {
 	conversations, err := c.conversationDatabase.GetConversationsByConversationID(ctx, req.ConversationIDs)
 	if err != nil {
 		return nil, err
@ -526,10 +541,7 @@ func (c *conversationServer) conversationSort(conversations map[int64]string, re
 	resp.ConversationElems = append(resp.ConversationElems, cons...)
 }

-func (c *conversationServer) getConversationInfo(
-	ctx context.Context,
-	chatLogs map[string]*sdkws.MsgData,
-	userID string) (map[string]*pbconversation.ConversationElem, error) {
+func (c *conversationServer) getConversationInfo(ctx context.Context, chatLogs map[string]*sdkws.MsgData, userID string) (map[string]*pbconversation.ConversationElem, error) {
 	var (
 		sendIDs         []string
 		groupIDs        []string
@ -615,6 +627,11 @@ func (c *conversationServer) GetConversationNotReceiveMessageUserIDs(ctx context
 }

 func (c *conversationServer) UpdateConversation(ctx context.Context, req *pbconversation.UpdateConversationReq) (*pbconversation.UpdateConversationResp, error) {
+	for _, userID := range req.UserIDs {
+		if err := authverify.CheckAccess(ctx, userID); err != nil {
+			return nil, err
+		}
+	}
 	m := make(map[string]any)
 	if req.RecvMsgOpt != nil {
 		m["recv_msg_opt"] = req.RecvMsgOpt.Value
@ -661,6 +678,9 @@ func (c *conversationServer) UpdateConversation(ctx context.Context, req *pbconv
 }

 func (c *conversationServer) GetOwnerConversation(ctx context.Context, req *pbconversation.GetOwnerConversationReq) (*pbconversation.GetOwnerConversationResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	total, conversations, err := c.conversationDatabase.GetOwnerConversation(ctx, req.UserID, req.Pagination)
 	if err != nil {
 		return nil, err
@ -722,6 +742,9 @@ func (c *conversationServer) GetConversationsNeedClearMsg(ctx context.Context, _
 }

 func (c *conversationServer) GetNotNotifyConversationIDs(ctx context.Context, req *pbconversation.GetNotNotifyConversationIDsReq) (*pbconversation.GetNotNotifyConversationIDsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	conversationIDs, err := c.conversationDatabase.GetNotNotifyConversationIDs(ctx, req.UserID)
 	if err != nil {
 		return nil, err
@ -730,6 +753,9 @@ func (c *conversationServer) GetNotNotifyConversationIDs(ctx context.Context, re
 }

 func (c *conversationServer) GetPinnedConversationIDs(ctx context.Context, req *pbconversation.GetPinnedConversationIDsReq) (*pbconversation.GetPinnedConversationIDsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	conversationIDs, err := c.conversationDatabase.GetPinnedConversationIDs(ctx, req.UserID)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/conversation/sync.go
+++ b/internal/rpc/conversation/sync.go
@ -35,6 +35,9 @@ func (c *conversationServer) GetFullOwnerConversationIDs(ctx context.Context, re
 }

 func (c *conversationServer) GetIncrementalConversation(ctx context.Context, req *conversation.GetIncrementalConversationReq) (*conversation.GetIncrementalConversationResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	opt := incrversion.Option[*conversation.Conversation, conversation.GetIncrementalConversationResp]{
 		Ctx:             ctx,
 		VersionKey:      req.UserID,
--- a/internal/rpc/group/cache.go
+++ b/internal/rpc/group/cache.go
@ -17,6 +17,7 @@ package group
 import (
 	"context"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/open-im-server/v3/pkg/common/convert"
 	pbgroup "github.com/openimsdk/protocol/group"
 )
@ -33,6 +34,9 @@ func (g *groupServer) GetGroupInfoCache(ctx context.Context, req *pbgroup.GetGro
 }

 func (g *groupServer) GetGroupMemberCache(ctx context.Context, req *pbgroup.GetGroupMemberCacheReq) (*pbgroup.GetGroupMemberCacheResp, error) {
+	if err := authverify.CheckAccess(ctx, req.GroupMemberID); err != nil {
+		return nil, err
+	}
 	members, err := g.db.TakeGroupMember(ctx, req.GroupID, req.GroupMemberID)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/group/group.go
+++ b/internal/rpc/group/group.go
@ -476,6 +476,19 @@ func (g *groupServer) GetGroupAllMember(ctx context.Context, req *pbgroup.GetGro
 	if err != nil {
 		return nil, err
 	}
+	if !authverify.IsAdmin(ctx) {
+		var inGroup bool
+		opUserID := mcontext.GetOpUserID(ctx)
+		for _, member := range members {
+			if member.UserID == opUserID {
+				inGroup = true
+				break
+			}
+		}
+		if !inGroup {
+			return nil, errs.ErrNoPermission.WrapMsg("opuser not in group")
+		}
+	}
 	if err := g.PopulateGroupMember(ctx, members...); err != nil {
 		return nil, err
 	}
@ -486,11 +499,24 @@ func (g *groupServer) GetGroupAllMember(ctx context.Context, req *pbgroup.GetGro
 	return &resp, nil
 }

+func (g *groupServer) checkAdminOrInGroup(ctx context.Context, groupID string) error {
+	if authverify.IsAdmin(ctx) {
+		return nil
+	}
+	opUserID := mcontext.GetOpUserID(ctx)
+	members, err := g.db.FindGroupMembers(ctx, groupID, []string{opUserID})
+	if err != nil {
+		return err
+	}
+	if len(members) == 0 {
+		return errs.ErrNoPermission.WrapMsg("op user not in group")
+	}
+	return nil
+}
+
 func (g *groupServer) GetGroupMemberList(ctx context.Context, req *pbgroup.GetGroupMemberListReq) (*pbgroup.GetGroupMemberListResp, error) {
-	if opUserID := mcontext.GetOpUserID(ctx); !datautil.Contain(opUserID, g.config.Share.IMAdminUserID...) {
-		if _, err := g.db.TakeGroupMember(ctx, req.GroupID, opUserID); err != nil {
-			return nil, err
-		}
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
 	}
 	var (
 		total   int64
@ -631,6 +657,9 @@ func (g *groupServer) GetGroupMembersInfo(ctx context.Context, req *pbgroup.GetG
 	if req.GroupID == "" {
 		return nil, errs.ErrArgs.WrapMsg("groupID empty")
 	}
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
+	}
 	members, err := g.getGroupMembersInfo(ctx, req.GroupID, req.UserIDs)
 	if err != nil {
 		return nil, err
@ -658,6 +687,9 @@ func (g *groupServer) getGroupMembersInfo(ctx context.Context, groupID string, u

 // GetGroupApplicationList handles functions that get a list of group requests.
 func (g *groupServer) GetGroupApplicationList(ctx context.Context, req *pbgroup.GetGroupApplicationListReq) (*pbgroup.GetGroupApplicationListResp, error) {
+	if err := authverify.CheckAccess(ctx, req.FromUserID); err != nil {
+		return nil, err
+	}
 	groupIDs, err := g.db.FindUserManagedGroupID(ctx, req.FromUserID)
 	if err != nil {
 		return nil, err
@ -1652,6 +1684,11 @@ func (g *groupServer) GetGroupAbstractInfo(ctx context.Context, req *pbgroup.Get
 	if datautil.Duplicate(req.GroupIDs) {
 		return nil, errs.ErrArgs.WrapMsg("groupIDs duplicate")
 	}
+	for _, groupID := range req.GroupIDs {
+		if err := g.checkAdminOrInGroup(ctx, groupID); err != nil {
+			return nil, err
+		}
+	}
 	groups, err := g.db.FindGroup(ctx, req.GroupIDs)
 	if err != nil {
 		return nil, err
@ -1699,6 +1736,9 @@ func (g *groupServer) GetGroupMemberUserIDs(ctx context.Context, req *pbgroup.Ge
 	if err != nil {
 		return nil, err
 	}
+	if err := authverify.CheckAccessIn(ctx, userIDs...); err != nil {
+		return nil, err
+	}
 	return &pbgroup.GetGroupMemberUserIDsResp{
 		UserIDs: userIDs,
 	}, nil
--- a/internal/rpc/group/statistics.go
+++ b/internal/rpc/group/statistics.go
@ -18,6 +18,7 @@ import (
 	"context"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/protocol/group"
 	"github.com/openimsdk/tools/errs"
 )
@ -26,6 +27,9 @@ func (g *groupServer) GroupCreateCount(ctx context.Context, req *group.GroupCrea
 	if req.Start > req.End {
 		return nil, errs.ErrArgs.WrapMsg("start > end: %d > %d", req.Start, req.End)
 	}
+	if err := authverify.CheckAdmin(ctx); err != nil {
+		return nil, err
+	}
 	total, err := g.db.CountTotal(ctx, nil)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/group/sync.go
+++ b/internal/rpc/group/sync.go
@ -11,9 +11,6 @@ import (
 	"github.com/openimsdk/protocol/constant"
 	pbgroup "github.com/openimsdk/protocol/group"
 	"github.com/openimsdk/protocol/sdkws"
-	"github.com/openimsdk/tools/errs"
-	"github.com/openimsdk/tools/mcontext"
-	"github.com/openimsdk/tools/utils/datautil"
 )

 const versionSyncLimit = 500
@ -23,10 +20,8 @@ func (g *groupServer) GetFullGroupMemberUserIDs(ctx context.Context, req *pbgrou
 	if err != nil {
 		return nil, err
 	}
-	if opUserID := mcontext.GetOpUserID(ctx); !datautil.Contain(opUserID, g.config.Share.IMAdminUserID...) {
-		if !datautil.Contain(opUserID, userIDs...) {
-			return nil, errs.ErrNoPermission.WrapMsg("user not in group")
-		}
+	if err := authverify.CheckAccessIn(ctx, userIDs...); err != nil {
+		return nil, err
 	}
 	vl, err := g.db.FindMaxGroupMemberVersionCache(ctx, req.GroupID)
 	if err != nil {
@ -69,6 +64,9 @@ func (g *groupServer) GetFullJoinGroupIDs(ctx context.Context, req *pbgroup.GetF
 }

 func (g *groupServer) GetIncrementalGroupMember(ctx context.Context, req *pbgroup.GetIncrementalGroupMemberReq) (*pbgroup.GetIncrementalGroupMemberResp, error) {
+	if err := g.checkAdminOrInGroup(ctx, req.GroupID); err != nil {
+		return nil, err
+	}
 	group, err := g.db.TakeGroup(ctx, req.GroupID)
 	if err != nil {
 		return nil, err
@ -76,9 +74,6 @@ func (g *groupServer) GetIncrementalGroupMember(ctx context.Context, req *pbgrou
 	if group.Status == constant.GroupStatusDismissed {
 		return nil, servererrs.ErrDismissedAlready.Wrap()
 	}
-	if _, err := g.db.TakeGroupMember(ctx, req.GroupID, mcontext.GetOpUserID(ctx)); err != nil {
-		return nil, err
-	}
 	var (
 		hasGroupUpdate bool
 		sortVersion    uint64
--- a/internal/rpc/msg/as_read.go
+++ b/internal/rpc/msg/as_read.go
@ -18,6 +18,7 @@ import (
 	"context"
 	"errors"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	cbapi "github.com/openimsdk/open-im-server/v3/pkg/callbackstruct"
 	"github.com/openimsdk/protocol/constant"
 	"github.com/openimsdk/protocol/msg"
@ -29,6 +30,9 @@ import (
 )

 func (m *msgServer) GetConversationsHasReadAndMaxSeq(ctx context.Context, req *msg.GetConversationsHasReadAndMaxSeqReq) (*msg.GetConversationsHasReadAndMaxSeqResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	var conversationIDs []string
 	if len(req.ConversationIDs) == 0 {
 		var err error
@ -82,6 +86,9 @@ func (m *msgServer) GetConversationsHasReadAndMaxSeq(ctx context.Context, req *m
 }

 func (m *msgServer) SetConversationHasReadSeq(ctx context.Context, req *msg.SetConversationHasReadSeqReq) (*msg.SetConversationHasReadSeqResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	maxSeq, err := m.MsgDatabase.GetMaxSeq(ctx, req.ConversationID)
 	if err != nil {
 		return nil, err
@ -97,8 +104,8 @@ func (m *msgServer) SetConversationHasReadSeq(ctx context.Context, req *msg.SetC
 }

 func (m *msgServer) MarkMsgsAsRead(ctx context.Context, req *msg.MarkMsgsAsReadReq) (*msg.MarkMsgsAsReadResp, error) {
-	if len(req.Seqs) < 1 {
-		return nil, errs.ErrArgs.WrapMsg("seqs must not be empty")
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
 	}
 	maxSeq, err := m.MsgDatabase.GetMaxSeq(ctx, req.ConversationID)
 	if err != nil {
@ -139,6 +146,9 @@ func (m *msgServer) MarkMsgsAsRead(ctx context.Context, req *msg.MarkMsgsAsReadR
 }

 func (m *msgServer) MarkConversationAsRead(ctx context.Context, req *msg.MarkConversationAsReadReq) (*msg.MarkConversationAsReadResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	conversation, err := m.ConversationLocalCache.GetConversation(ctx, req.UserID, req.ConversationID)
 	if err != nil {
 		return nil, err
@ -216,5 +226,4 @@ func (m *msgServer) sendMarkAsReadNotification(ctx context.Context, conversation
 		HasReadSeq:       hasReadSeq,
 	}
 	m.notificationSender.NotificationWithSessionType(ctx, sendID, recvID, constant.HasReadReceipt, sessionType, tips)
-
 }
--- a/internal/rpc/msg/delete.go
+++ b/internal/rpc/msg/delete.go
@ -94,6 +94,9 @@ func (m *msgServer) DeleteMsgs(ctx context.Context, req *msg.DeleteMsgsReq) (*ms
 }

 func (m *msgServer) DeleteMsgPhysicalBySeq(ctx context.Context, req *msg.DeleteMsgPhysicalBySeqReq) (*msg.DeleteMsgPhysicalBySeqResp, error) {
+	if err := authverify.CheckAdmin(ctx); err != nil {
+		return nil, err
+	}
 	err := m.MsgDatabase.DeleteMsgsPhysicalBySeqs(ctx, req.ConversationID, req.Seqs)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/msg/send.go
+++ b/internal/rpc/msg/send.go
@ -17,6 +17,7 @@ package msg
 import (
 	"context"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"google.golang.org/protobuf/proto"

 	"github.com/openimsdk/open-im-server/v3/pkg/common/prommetrics"
@ -37,6 +38,9 @@ func (m *msgServer) SendMsg(ctx context.Context, req *pbmsg.SendMsgReq) (*pbmsg.
 	if req.MsgData == nil {
 		return nil, errs.ErrArgs.WrapMsg("msgData is nil")
 	}
+	if err := authverify.CheckAccess(ctx, req.MsgData.SendID); err != nil {
+		return nil, err
+	}
 	before := new(*sdkws.MsgData)
 	resp, err := m.sendMsg(ctx, req, before)
 	if err != nil {
@ -172,13 +176,7 @@ func (m *msgServer) sendMsgSingleChat(ctx context.Context, req *pbmsg.SendMsgReq
 	isSend := true
 	isNotification := msgprocessor.IsNotificationByMsg(req.MsgData)
 	if !isNotification {
-		isSend, err = m.modifyMessageByUserMessageReceiveOpt(
-			ctx,
-			req.MsgData.RecvID,
-			conversationutil.GenConversationIDForSingle(req.MsgData.SendID, req.MsgData.RecvID),
-			constant.SingleChatType,
-			req,
-		)
+		isSend, err = m.modifyMessageByUserMessageReceiveOpt(authverify.WithTempAdmin(ctx), req.MsgData.RecvID, conversationutil.GenConversationIDForSingle(req.MsgData.SendID, req.MsgData.RecvID), constant.SingleChatType, req)
 		if err != nil {
 			return nil, err
 		}
--- a/internal/rpc/msg/seq.go
+++ b/internal/rpc/msg/seq.go
@ -17,9 +17,10 @@ package msg
 import (
 	"context"
 	"errors"
+	"sort"
+
 	pbmsg "github.com/openimsdk/protocol/msg"
 	"github.com/redis/go-redis/v9"
-	"sort"
 )

 func (m *msgServer) GetConversationMaxSeq(ctx context.Context, req *pbmsg.GetConversationMaxSeqReq) (*pbmsg.GetConversationMaxSeqResp, error) {
--- a/internal/rpc/msg/statistics.go
+++ b/internal/rpc/msg/statistics.go
@ -16,15 +16,20 @@ package msg

 import (
 	"context"
-	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
+	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/model"
+
 	"github.com/openimsdk/protocol/msg"
 	"github.com/openimsdk/protocol/sdkws"
 	"github.com/openimsdk/tools/utils/datautil"
 )

 func (m *msgServer) GetActiveUser(ctx context.Context, req *msg.GetActiveUserReq) (*msg.GetActiveUserResp, error) {
+	if err := authverify.CheckAdmin(ctx); err != nil {
+		return nil, err
+	}
 	msgCount, userCount, users, dateCount, err := m.MsgDatabase.RangeUserSendCount(ctx, time.UnixMilli(req.Start), time.UnixMilli(req.End), req.Group, req.Ase, req.Pagination.PageNumber, req.Pagination.ShowNumber)
 	if err != nil {
 		return nil, err
@ -60,6 +65,9 @@ func (m *msgServer) GetActiveUser(ctx context.Context, req *msg.GetActiveUserReq
 }

 func (m *msgServer) GetActiveGroup(ctx context.Context, req *msg.GetActiveGroupReq) (*msg.GetActiveGroupResp, error) {
+	if err := authverify.CheckAdmin(ctx); err != nil {
+		return nil, err
+	}
 	msgCount, groupCount, groups, dateCount, err := m.MsgDatabase.RangeGroupSendCount(ctx, time.UnixMilli(req.Start), time.UnixMilli(req.End), req.Ase, req.Pagination.PageNumber, req.Pagination.ShowNumber)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/msg/sync_msg.go
+++ b/internal/rpc/msg/sync_msg.go
@ -29,6 +29,9 @@ import (
 )

 func (m *msgServer) PullMessageBySeqs(ctx context.Context, req *sdkws.PullMessageBySeqsReq) (*sdkws.PullMessageBySeqsResp, error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	resp := &sdkws.PullMessageBySeqsResp{}
 	resp.Msgs = make(map[string]*sdkws.PullMsgs)
 	resp.NotificationMsgs = make(map[string]*sdkws.PullMsgs)
--- a/internal/rpc/relation/black.go
+++ b/internal/rpc/relation/black.go
@ -46,6 +46,9 @@ func (s *friendServer) GetPaginationBlacks(ctx context.Context, req *relation.Ge
 }

 func (s *friendServer) IsBlack(ctx context.Context, req *relation.IsBlackReq) (*relation.IsBlackResp, error) {
+	if err := authverify.CheckAccessIn(ctx, req.UserID1, req.UserID2); err != nil {
+		return nil, err
+	}
 	in1, in2, err := s.blackDatabase.CheckIn(ctx, req.UserID1, req.UserID2)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/relation/friend.go
+++ b/internal/rpc/relation/friend.go
@ -280,6 +280,9 @@ func (s *friendServer) SetFriendRemark(ctx context.Context, req *relation.SetFri
 }

 func (s *friendServer) GetFriendInfo(ctx context.Context, req *relation.GetFriendInfoReq) (*relation.GetFriendInfoResp, error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	friends, err := s.db.FindFriendsWithError(ctx, req.OwnerUserID, req.FriendUserIDs)
 	if err != nil {
 		return nil, err
@ -288,6 +291,9 @@ func (s *friendServer) GetFriendInfo(ctx context.Context, req *relation.GetFrien
 }

 func (s *friendServer) GetDesignatedFriends(ctx context.Context, req *relation.GetDesignatedFriendsReq) (resp *relation.GetDesignatedFriendsResp, err error) {
+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	resp = &relation.GetDesignatedFriendsResp{}
 	if datautil.Duplicate(req.FriendUserIDs) {
 		return nil, errs.ErrArgs.WrapMsg("friend userID repeated")
@ -313,9 +319,10 @@ func (s *friendServer) getFriend(ctx context.Context, ownerUserID string, friend
 }

 // Get the list of friend requests sent out proactively.
-func (s *friendServer) GetDesignatedFriendsApply(ctx context.Context,
-	req *relation.GetDesignatedFriendsApplyReq,
-) (resp *relation.GetDesignatedFriendsApplyResp, err error) {
+func (s *friendServer) GetDesignatedFriendsApply(ctx context.Context, req *relation.GetDesignatedFriendsApplyReq) (resp *relation.GetDesignatedFriendsApplyResp, err error) {
+	if err := authverify.CheckAccessIn(ctx, req.FromUserID, req.ToUserID); err != nil {
+		return nil, err
+	}
 	friendRequests, err := s.db.FindBothFriendRequests(ctx, req.FromUserID, req.ToUserID)
 	if err != nil {
 		return nil, err
@ -374,6 +381,9 @@ func (s *friendServer) GetPaginationFriendsApplyFrom(ctx context.Context, req *r

 // ok.
 func (s *friendServer) IsFriend(ctx context.Context, req *relation.IsFriendReq) (resp *relation.IsFriendResp, err error) {
+	if err := authverify.CheckAccessIn(ctx, req.UserID1, req.UserID2); err != nil {
+		return nil, err
+	}
 	resp = &relation.IsFriendResp{}
 	resp.InUser1Friends, resp.InUser2Friends, err = s.db.CheckIn(ctx, req.UserID1, req.UserID2)
 	if err != nil {
@ -426,6 +436,9 @@ func (s *friendServer) GetSpecifiedFriendsInfo(ctx context.Context, req *relatio
 		return nil, errs.ErrArgs.WrapMsg("userIDList repeated")
 	}

+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
 	userMap, err := s.userClient.GetUsersInfoMap(ctx, req.UserIDList)
 	if err != nil {
 		return nil, err
@ -494,10 +507,7 @@ func (s *friendServer) GetSpecifiedFriendsInfo(ctx context.Context, req *relatio
 	return resp, nil
 }

-func (s *friendServer) UpdateFriends(
-	ctx context.Context,
-	req *relation.UpdateFriendsReq,
-) (*relation.UpdateFriendsResp, error) {
+func (s *friendServer) UpdateFriends(ctx context.Context, req *relation.UpdateFriendsReq) (*relation.UpdateFriendsResp, error) {
 	if len(req.FriendUserIDs) == 0 {
 		return nil, errs.ErrArgs.WrapMsg("friendIDList is empty")
 	}
@ -505,6 +515,10 @@ func (s *friendServer) UpdateFriends(
 		return nil, errs.ErrArgs.WrapMsg("friendIDList repeated")
 	}

+	if err := authverify.CheckAccess(ctx, req.OwnerUserID); err != nil {
+		return nil, err
+	}
+
 	_, err := s.db.FindFriendsWithError(ctx, req.OwnerUserID, req.FriendUserIDs)
 	if err != nil {
 		return nil, err
--- a/internal/rpc/third/log.go
+++ b/internal/rpc/third/log.go
@ -25,6 +25,7 @@ import (
 	"github.com/openimsdk/protocol/constant"
 	"github.com/openimsdk/protocol/third"
 	"github.com/openimsdk/tools/errs"
+	"github.com/openimsdk/tools/mcontext"
 	"github.com/openimsdk/tools/utils/datautil"
 )

@ -45,7 +46,7 @@ func genLogID() string {

 func (t *thirdServer) UploadLogs(ctx context.Context, req *third.UploadLogsReq) (*third.UploadLogsResp, error) {
 	var dbLogs []*relationtb.Log
-	userID := ctx.Value(constant.OpUserID).(string)
+	userID := mcontext.GetOpUserID(ctx)
 	platform := constant.PlatformID2Name[int(req.Platform)]
 	for _, fileURL := range req.FileURLs {
 		log := relationtb.Log{
--- a/internal/rpc/third/third.go
+++ b/internal/rpc/third/third.go
@ -19,6 +19,7 @@ import (
 	"fmt"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/cache"
 	"github.com/openimsdk/open-im-server/v3/pkg/common/storage/cache/mcache"
 	"github.com/openimsdk/open-im-server/v3/pkg/dbbuild"
@ -148,6 +149,9 @@ func (t *thirdServer) FcmUpdateToken(ctx context.Context, req *third.FcmUpdateTo
 }

 func (t *thirdServer) SetAppBadge(ctx context.Context, req *third.SetAppBadgeReq) (resp *third.SetAppBadgeResp, err error) {
+	if err := authverify.CheckAccess(ctx, req.UserID); err != nil {
+		return nil, err
+	}
 	err = t.thirdDatabase.SetAppBadge(ctx, req.UserID, int(req.AppUnreadCount))
 	if err != nil {
 		return nil, err
--- a/pkg/authverify/token.go
+++ b/pkg/authverify/token.go
@ -64,16 +64,57 @@ func GetIMAdminUserIDs(ctx context.Context) []string {
 }

 func IsAdmin(ctx context.Context) bool {
-	return datautil.Contain(mcontext.GetOpUserID(ctx), GetIMAdminUserIDs(ctx)...)
+	return IsTempAdmin(ctx) || IsSystemAdmin(ctx)
 }

 func CheckAccess(ctx context.Context, ownerUserID string) error {
-	opUserID := mcontext.GetOpUserID(ctx)
-	if opUserID == ownerUserID {
+	if mcontext.GetOpUserID(ctx) == ownerUserID {
 		return nil
 	}
-	if datautil.Contain(mcontext.GetOpUserID(ctx), GetIMAdminUserIDs(ctx)...) {
+	if IsAdmin(ctx) {
 		return nil
 	}
 	return servererrs.ErrNoPermission.WrapMsg("ownerUserID", ownerUserID)
 }
+
+func CheckAccessIn(ctx context.Context, ownerUserIDs ...string) error {
+	opUserID := mcontext.GetOpUserID(ctx)
+	for _, userID := range ownerUserIDs {
+		if opUserID == userID {
+			return nil
+		}
+	}
+	if IsAdmin(ctx) {
+		return nil
+	}
+	return servererrs.ErrNoPermission.WrapMsg("opUser in ownerUserIDs")
+}
+
+var tempAdminValue = []string{"1"}
+
+const ctxTempAdminKey = "ctxImTempAdminKey"
+
+func WithTempAdmin(ctx context.Context) context.Context {
+	keys, _ := ctx.Value(constant.RpcCustomHeader).([]string)
+	if datautil.Contain(ctxTempAdminKey, keys...) {
+		return ctx
+	}
+	if len(keys) > 0 {
+		temp := make([]string, 0, len(keys)+1)
+		temp = append(temp, keys...)
+		keys = append(temp, ctxTempAdminKey)
+	} else {
+		keys = []string{ctxTempAdminKey}
+	}
+	ctx = context.WithValue(ctx, constant.RpcCustomHeader, keys)
+	return context.WithValue(ctx, ctxTempAdminKey, tempAdminValue)
+}
+
+func IsTempAdmin(ctx context.Context) bool {
+	values, _ := ctx.Value(ctxTempAdminKey).([]string)
+	return datautil.Equal(tempAdminValue, values)
+}
+
+func IsSystemAdmin(ctx context.Context) bool {
+	return datautil.Contain(mcontext.GetOpUserID(ctx), GetIMAdminUserIDs(ctx)...)
+}
--- a/pkg/tools/batcher/batcher.go
+++ b/pkg/tools/batcher/batcher.go
@ -7,6 +7,7 @@ import (
 	"sync"
 	"time"

+	"github.com/openimsdk/open-im-server/v3/pkg/authverify"
 	"github.com/openimsdk/tools/errs"
 	"github.com/openimsdk/tools/utils/idutil"
 )
@ -253,13 +254,14 @@ func (b *Batcher[T]) distributeMessage(messages map[string][]*T, totalCount int,

 func (b *Batcher[T]) run(channelID int, ch <-chan *Msg[T]) {
 	defer b.wait.Done()
+	ctx := authverify.WithTempAdmin(context.Background())
 	for {
 		select {
 		case messages, ok := <-ch:
 			if !ok {
 				return
 			}
-			b.Do(context.Background(), channelID, messages)
+			b.Do(ctx, channelID, messages)
 			if b.config.syncWait {
 				b.counter.Done()
 			}