Apache DolphinScheduler: Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
Description
Incorrect Authorization vulnerability allows users to access workflow instance information belonging to projects they do not have permission to access.
This issue affects Apache DolphinScheduler versions prior to 3.4.2.
Users are recommended to upgrade to version 3.4.2, which fixes this issue.
Affected products
- Range: <3.4.2
Patches
Vulnerability mechanics
Root cause
"Missing authorization checks in multiple API service methods allow authenticated users to access workflow instance information, trigger workflows, view lineage data, and list alert plugin instances belonging to projects they do not have permission to access."
Attack vector
An authenticated attacker can send crafted API requests to the unprotected endpoints (e.g., `/projects/{projectCode}/workflow-instances/{id}/view-gantt`, `/projects/{projectCode}/workflow-instances/{id}/view-variables`, trigger/backfill endpoints, lineage endpoints, or alert plugin instance endpoints) without having the required project or resource permissions. The server does not verify that the login user has access to the `projectCode` or resource specified in the URL, enabling the attacker to read workflow instance details, trigger workflows, or list alert plugin instances belonging to other projects [patch_id=6329130][patch_id=6329131][patch_id=6329132].
Affected code
The vulnerability affects multiple endpoints in Apache DolphinScheduler prior to 3.4.2. The `viewGantt` and `viewVariables` methods in `WorkflowInstanceServiceImpl` [patch_id=6329130], the `triggerWorkflowDefinition` and `backfillWorkflowDefinition` methods in `ExecutorServiceImpl` [patch_id=6329130], the lineage and workflow-definition list endpoints in `WorkflowLineageServiceImpl` and `WorkflowDefinitionServiceImpl` [patch_id=6329131], and the alert plugin instance endpoints in `AlertPluginInstanceServiceImpl` [patch_id=6329132] all lacked project or resource permission checks, allowing unauthorized access.
What the fix does
The patches add explicit authorization checks at the beginning of each affected service method. In `WorkflowInstanceServiceImpl`, calls to `projectService.checkProjectAndAuthThrowException(loginUser, projectCode, WORKFLOW_INSTANCE)` are inserted before reading instance data [patch_id=6329130]. In `ExecutorServiceImpl`, the same check is added for `RERUN` permission, plus a cross-project validation that rejects the request if the resolved workflow definition's project code does not match the URL's project code [patch_id=6329130]. The lineage and workflow-definition endpoints similarly gate access with `checkProjectAndAuthThrowException` [patch_id=6329131], and the alert plugin instance endpoints use `canOperatorPermissions` to enforce `ALARM_INSTANCE_MANAGE` permission [patch_id=6329132].
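The two checks described above, modelled as an added Java example that is not DolphinScheduler's own code: a permission check on the project named in the URL, then a cross-project check that the resolved object belongs to that same project. Every class, method and data value here is a hypothetical stand-in with constructed sample data; only the pattern follows the fix description.

```java
import java.util.Map;
import java.util.Set;

// Stand-in model, not DolphinScheduler code: all types and names are hypothetical.
public class ProjectScopedAuthDemo {
    record User(String name) {}
    record WorkflowDefinition(long code, long projectCode) {}

    // Constructed sample data: alice holds RERUN on project 100 only.
    static final Map<String, Set<Long>> RERUN_GRANTS = Map.of("alice", Set.of(100L));
    static final Map<Long, WorkflowDefinition> DEFINITIONS = Map.of(
            7001L, new WorkflowDefinition(7001L, 100L),
            8001L, new WorkflowDefinition(8001L, 200L));

    // Check 1: the login user must hold the permission on the project named in the URL.
    static void checkProjectAndAuth(User user, long projectCode) {
        if (!RERUN_GRANTS.getOrDefault(user.name(), Set.of()).contains(projectCode)) {
            throw new SecurityException("no RERUN permission on project " + projectCode);
        }
    }

    // Both checks run before any side effect takes place.
    static String trigger(User user, long urlProjectCode, long definitionCode) {
        checkProjectAndAuth(user, urlProjectCode);
        WorkflowDefinition def = DEFINITIONS.get(definitionCode);
        if (def == null) throw new IllegalArgumentException("unknown definition");
        // Check 2: the resolved object must belong to the project that was just authorized.
        // Without it, a grant on one project would cover objects stored under another.
        if (def.projectCode() != urlProjectCode) {
            throw new SecurityException(
                    "definition " + definitionCode + " is not in project " + urlProjectCode);
        }
        return "triggered " + definitionCode;
    }

    static String attempt(User user, long projectCode, long definitionCode) {
        try { return trigger(user, projectCode, definitionCode); }
        catch (RuntimeException e) { return "denied: " + e.getMessage(); }
    }

    public static void main(String[] args) {
        User alice = new User("alice");
        System.out.println(attempt(alice, 100L, 7001L)); // granted project, definition inside it
        System.out.println(attempt(alice, 200L, 8001L)); // project without a grant
        System.out.println(attempt(alice, 100L, 8001L)); // granted project, definition from project 200
    }
}
```

The third call is the case the cross-project validation exists for: the URL project passes the permission check, so only the comparison against the resolved definition's project code rejects it.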
Preconditions
- auth: The attacker must be an authenticated user of the Apache DolphinScheduler instance.
- network: The attacker must send HTTP requests to the unprotected API endpoints with a projectCode or resource identifier they do not own.
Generated on Jun 17, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- lists.apache.org/thread/74l2rrz32w2chn7vz64313gk7ox5wjtr (mitre, vendor-advisory)