
fix the potential permission issue with assigning app roles (#2629)

Jason Song 5 년 전
부모
커밋
bce744df8d

+ 3 - 1
apollo-portal/src/main/java/com/ctrip/framework/apollo/portal/component/PermissionValidator.java

@@ -137,6 +137,8 @@ public class PermissionValidator {
   public boolean hasManageAppMasterPermission(String appId) {
     // the manage app master permission might not be initialized, so we need to check isSuperAdmin first
     return isSuperAdmin() ||
-            systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId);
+        (hasAssignRolePermission(appId) &&
+         systemRoleManagerService.hasManageAppMasterPermission(userInfoHolder.getUser().getUserId(), appId)
+        );
   }
 }
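Review bot: The comment above the `return` in hasManageAppMasterPermission still explains only the isSuperAdmin() short-circuit, so the security-relevant part of the new expression, the added `hasAssignRolePermission(appId) &&` conjunct, is undocumented. A later refactor could drop it as redundant, so I would add a comment such as `// the manage-app-master permission alone is not sufficient: the user must also hold the assign-role permission for this appId`. hasAssignRolePermission is defined outside this hunk, so what it actually checks (presumably the current user's role-assignment permission on the app) should be confirmed before wording that comment. The commit touches only this file and app.html, so a unit test for a user who has the manage-app-master permission but lacks the assign-role permission would pin the fix against regression.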

+ 1 - 1
apollo-portal/src/main/resources/static/app.html

@@ -63,7 +63,7 @@
                             应用负责人</label>
                         <div class="col-sm-6 J_ownerSelectorPanel">
                             <apollouserselector apollo-id="'ownerSelector'"  disabled="isOpenManageAppMasterRoleLimit"></apollouserselector>
-                            <small style="color: maroon" ng-if="isOpenManageAppMasterRoleLimit">(开启应用管理员添加限制后,应用负责人和项目管理员默认为本账号,不可选择)</small>
+                            <small style="color: maroon" ng-if="isOpenManageAppMasterRoleLimit">(开启项目管理员分配权限控制后,应用负责人和项目管理员默认为本账号,不可选择)</small>
                         </div>
                     </div>