koderover · jamsman94 · Dec 17, 2025 · Dec 8, 2025
diff --git a/pkg/microservice/aslan/core/common/repository/models/release_plan.go b/pkg/microservice/aslan/core/common/repository/models/release_plan.go
@@ -86,10 +86,12 @@ func (ReleasePlan) TableName() string {
 }
 
 type ReleaseJob struct {
-ID string `bson:"id" yaml:"id" json:"id"`
-Name string `bson:"name" yaml:"name" json:"name"`
-Type config.ReleasePlanJobType `bson:"type" yaml:"type" json:"type"`
-Spec interface{} `bson:"spec" yaml:"spec" json:"spec"`
+ID string `bson:"id" yaml:"id" json:"id"`
+Name string `bson:"name" yaml:"name" json:"name"`
+Manager string `bson:"manager" yaml:"manager" json:"manager"`
+ManagerID string `bson:"manager_id" yaml:"manager_id" json:"manager_id"`
+Type config.ReleasePlanJobType `bson:"type" yaml:"type" json:"type"`
+Spec interface{} `bson:"spec" yaml:"spec" json:"spec"`
 
 ReleaseJobRuntime `bson:",inline" yaml:",inline" json:",inline"`
 }

diff --git a/pkg/microservice/aslan/core/release_plan/service/execute.go b/pkg/microservice/aslan/core/release_plan/service/execute.go
@@ -55,6 +55,7 @@ func NewReleaseJobExecutor(c *ExecuteReleaseJobContext, args *ExecuteReleaseJobA
 type TextReleaseJobExecutor struct {
 ID string
 ExecutedBy string
+Ctx *ExecuteReleaseJobContext
 Spec TextReleaseJobSpec
 }
 
@@ -69,6 +70,7 @@ func NewTextReleaseJobExecutor(c *ExecuteReleaseJobContext, args *ExecuteRelease
 }
 executor.ID = args.ID
 executor.ExecutedBy = c.UserName
+executor.Ctx = c
 return &executor, nil
 }
 
@@ -78,9 +80,16 @@ func (e *TextReleaseJobExecutor) Execute(plan *models.ReleasePlan) error {
 if job.ID != e.ID {
 continue
 }
+
 if err := models.IToi(job.Spec, spec); err != nil {
 return errors.Wrap(err, "invalid spec")
 }
+
+err := jobManagerAuth(plan.Name, plan.ManagerID, job, e.ExecutedBy, e.Ctx.UserID, e.Ctx.AuthResources)
+if err != nil {
+return err
+}
+
 if job.Status != config.ReleasePlanJobStatusTodo {
 return errors.Errorf("job %s status is not todo", job.Name)
 }
@@ -119,12 +128,19 @@ func (e *WorkflowReleaseJobExecutor) Execute(plan *models.ReleasePlan) error {
 if job.ID != e.ID {
 continue
 }
+
 if err := models.IToi(job.Spec, spec); err != nil {
 return errors.Wrap(err, "invalid spec")
 }
 if spec.Workflow == nil {
 return errors.Errorf("workflow is nil")
 }
+
+err := jobManagerAuth(plan.Name, plan.ManagerID, job, e.Ctx.UserName, e.Ctx.UserID, e.Ctx.AuthResources)
+if err != nil {
+return err
+}
+
 // workflow support retry after failed
 if job.Status != config.ReleasePlanJobStatusTodo && job.Status != config.ReleasePlanJobStatusFailed {
 return errors.Errorf("job %s status %s can't execute", job.Name, job.Status)
@@ -156,3 +172,20 @@ func (e *WorkflowReleaseJobExecutor) Execute(plan *models.ReleasePlan) error {
 }
 return errors.Errorf("job %s not found", e.ID)
 }
+
+func jobManagerAuth(planName, planManageID string, job *models.ReleaseJob, userName string, userID string, authResources *user.AuthorizedResources) error {
+if job.ManagerID != "" {
+if job.ManagerID != userID && planManageID != userID && !authResources.IsSystemAdmin {
+return errors.Errorf("user %s is not the manager of the job %s", userName, job.Name)
+}
+} else {
+if planManageID == "" {
+return errors.Errorf("plan manager is not set")
+}
+
+if planManageID != userID && !authResources.IsSystemAdmin {
+return errors.Errorf("user %s is not the manager of the plan %s", userName, planName)
+}
+}
+return nil
+}
diff --git a/pkg/microservice/aslan/core/release_plan/service/release_plan.go b/pkg/microservice/aslan/core/release_plan/service/release_plan.go
@@ -512,10 +512,6 @@ func ExecuteReleaseJob(c *handler.Context, planID string, args *ExecuteReleaseJo
 }
 }
 
-if plan.ManagerID != c.UserID && !isSystemAdmin {
-return errors.Errorf("only manager can execute")
-}
-
 executor, err := NewReleaseJobExecutor(&ExecuteReleaseJobContext{
 AuthResources: c.Resources,
 UserID: c.UserID,
@@ -757,10 +753,6 @@ func SkipReleaseJob(c *handler.Context, planID string, args *SkipReleaseJobArgs,
 }
 }
 
-if plan.ManagerID != c.UserID && !isSystemAdmin {
-return errors.Errorf("only manager can skip")
-}
-
 skipper, err := NewReleaseJobSkipper(&SkipReleaseJobContext{
 AuthResources: c.Resources,
 UserID: c.UserID,

diff --git a/pkg/microservice/aslan/core/release_plan/service/skip.go b/pkg/microservice/aslan/core/release_plan/service/skip.go
@@ -80,6 +80,11 @@ func (e *WorkflowReleaseJobSkipper) Skip(plan *models.ReleasePlan) error {
 return errors.Errorf("job %s status %s can't skip", job.Name, job.Status)
 }
 
+err := jobManagerAuth(plan.Name, plan.ManagerID, job, e.Ctx.UserName, e.Ctx.UserID, e.Ctx.AuthResources)
+if err != nil {
+return err
+}
+
 job.Status = config.ReleasePlanJobStatusSkipped
 job.ExecutedBy = e.Ctx.Account
 job.ExecutedTime = time.Now().Unix()
@@ -91,6 +96,7 @@ func (e *WorkflowReleaseJobSkipper) Skip(plan *models.ReleasePlan) error {
 type TextReleaseJobSkipper struct {
 ID string
 SkippedBy string
+Ctx *SkipReleaseJobContext
 Spec TextReleaseJobSpec
 }
 
@@ -101,6 +107,7 @@ func NewTextReleaseJobSkipper(c *SkipReleaseJobContext, args *SkipReleaseJobArgs
 }
 executor.ID = args.ID
 executor.SkippedBy = c.UserName
+executor.Ctx = c
 return &executor, nil
 }
 
@@ -116,6 +123,12 @@ func (e *TextReleaseJobSkipper) Skip(plan *models.ReleasePlan) error {
 if job.Status != config.ReleasePlanJobStatusTodo {
 return errors.Errorf("job %s status is not todo", job.Name)
 }
+
+err := jobManagerAuth(plan.Name, plan.ManagerID, job, e.Ctx.UserName, e.Ctx.UserID, e.Ctx.AuthResources)
+if err != nil {
+return err
+}
+
 spec.Remark = e.Spec.Remark
 job.Spec = spec
 job.Status = config.ReleasePlanJobStatusSkipped

diff --git a/pkg/microservice/aslan/core/release_plan/service/update.go b/pkg/microservice/aslan/core/release_plan/service/update.go
@@ -289,9 +289,11 @@ func (u *ManagerUpdater) Verb() string {
 }
 
 type CreateReleaseJobUpdater struct {
-Name string `json:"name"`
-Type config.ReleasePlanJobType `json:"type"`
-Spec interface{} `json:"spec"`
+Name string `json:"name"`
+Type config.ReleasePlanJobType `json:"type"`
+Manager string `json:"manager"`
+ManagerID string `json:"manager_id"`
+Spec interface{} `json:"spec"`
 }
 
 func NewCreateReleaseJobUpdater(args *UpdateReleasePlanArgs) (*CreateReleaseJobUpdater, error) {
@@ -305,10 +307,12 @@ func NewCreateReleaseJobUpdater(args *UpdateReleasePlanArgs) (*CreateReleaseJobU
 func (u *CreateReleaseJobUpdater) Update(plan *models.ReleasePlan) (before interface{}, after interface{}, err error) {
 before, after = nil, u
 job := &models.ReleaseJob{
-ID: uuid.New().String(),
-Name: u.Name,
-Type: u.Type,
-Spec: u.Spec,
+ID: uuid.New().String(),
+Name: u.Name,
+Manager: u.Manager,
+ManagerID: u.ManagerID,
+Type: u.Type,
+Spec: u.Spec,
 }
 plan.Jobs = append(plan.Jobs, job)
 return
@@ -335,10 +339,12 @@ func (u *CreateReleaseJobUpdater) Verb() string {
 }
 
 type UpdateReleaseJobUpdater struct {
-ID string `json:"id"`
-Name string `json:"name"`
-Type config.ReleasePlanJobType `json:"type"`
-Spec interface{} `json:"spec"`
+ID string `json:"id"`
+Name string `json:"name"`
+Manager string `json:"manager"`
+ManagerID string `json:"manager_id"`
+Type config.ReleasePlanJobType `json:"type"`
+Spec interface{} `json:"spec"`
 }
 
 func NewUpdateReleaseJobUpdater(args *UpdateReleasePlanArgs) (*UpdateReleaseJobUpdater, error) {
@@ -357,6 +363,8 @@ func (u *UpdateReleaseJobUpdater) Update(plan *models.ReleasePlan) (before inter
 }
 before, after = job, u
 job.Name = u.Name
+job.Manager = u.Manager
+job.ManagerID = u.ManagerID
 job.Spec = u.Spec
 job.Updated = true
 return