Apache DolphinScheduler: DataSource API Missing Authorization Check Leads to Arbitrary Data Source Metadata Disclosure

An authenticated attacker can exploit the missing authorization checks by sending crafted HTTP requests to the affected API endpoints. For example, calling `/executors/start-workflow-instance` with a `projectCode` belonging to another project triggers a workflow in that project without permission. Similarly, calling `/workflow-instances/{id}/view-variables` or `/workflow-instances/{id}/view-gantt` with an arbitrary `projectCode` discloses workflow instance details. The data source endpoints (`/datasources/{id}/connection-test`, `/datasources/tables`, `/datasources/tableColumns`, `/datasources/databases`) accept a `datasourceId` parameter and return metadata without verifying the user's authorization on that data source. No special privileges beyond a valid session are required.

The vulnerability spans multiple controllers and service implementations in the Apache DolphinScheduler API layer. In `ExecutorController` and `ExecutorServiceImpl`, the `triggerWorkflowDefinition` and `backfillWorkflowDefinition` methods lacked a project authorization check, allowing any authenticated user to trigger workflows in projects they do not own. Similarly, `WorkflowInstanceServiceImpl`'s `viewVariables` and `viewGantt` methods did not verify the caller's permission on the project before returning instance details. `TaskDefinitionServiceImpl.deleteByCodeAndVersion` failed to confirm that the task definition's `projectCode` matched the caller's project, enabling cross-project deletion. Finally, `DataSourceController` endpoints (`connectionTest`, `getDatabases`, `getTables`, `getTableColumns`) and the underlying `DataSourceServiceImpl` methods omitted permission checks, allowing any authenticated user to probe metadata of any data source.

Each patch inserts an authorization gate before the sensitive operation. For workflow endpoints, `projectService.checkProjectAndAuthThrowException` is called with the login user, project code, and the required permission identifier (`RERUN` or `WORKFLOW_INSTANCE`). The `ExecutorServiceImpl` also verifies that the resolved workflow definition's `projectCode` matches the URL's `projectCode`, rejecting cross-project requests. For task definition deletion, the patch adds a check that `projectCode != taskDefinition.getProjectCode()`, returning `TASK_DEFINE_NOT_EXIST` on mismatch. For data source endpoints, `canOperatorPermissions` is invoked with `AuthorizationType.DATASOURCE` and the datasource ID, throwing `USER_NO_OPERATION_PERM` if the user lacks access. These changes ensure that every API call is scoped to the authenticated user's authorized projects and data sources.