perf: ws/ldap perms check

2026-01-30 06:02:13 +00:00 · 2025-10-23 10:23:04 +08:00
parent 8d7267400d
commit 1039c2e320
2 changed files with 4 additions and 4 deletions
--- a/apps/orgs/mixins/ws.py
+++ b/apps/orgs/mixins/ws.py
@@ -24,5 +24,7 @@ class OrgMixin:

    @sync_to_async
    def has_perms(self, user, perms):
+        self.cookie = self.get_cookie()
+        self.org = self.get_current_org()
        with tmp_to_org(self.org):
            return user.has_perms(perms)
--- a/apps/settings/ws.py
+++ b/apps/settings/ws.py
@@ -56,8 +56,6 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    async def connect(self):
        user = self.scope["user"]
        if user.is_authenticated:
-            self.cookie = self.get_cookie()
-            self.org = self.get_current_org()
            has_perm = self.has_perms(user, ['rbac.view_systemtools'])
            if await self.is_superuser(user) or (settings.TOOL_USER_ENABLED and has_perm):
                await self.accept()
@@ -128,14 +126,14 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
        close_old_connections()


-class LdapWebsocket(AsyncJsonWebsocketConsumer):
+class LdapWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    category: str

    async def connect(self):
        user = self.scope["user"]
        query = parse_qs(self.scope['query_string'].decode())
        self.category = query.get('category', [User.Source.ldap.value])[0]
-        if user.is_authenticated:
+        if user.is_authenticated and await self.has_perms(user, ['settings.view_setting']):
            await self.accept()
        else:
            await self.close()