From 1039c2e32089fe7474ede1c0c0a3e99bdc0bd4f4 Mon Sep 17 00:00:00 2001
From: wangruidong <940853815@qq.com>
Date: Thu, 23 Oct 2025 10:23:04 +0800
Subject: [PATCH] perf: ws/ldap perms check
---
 apps/orgs/mixins/ws.py | 2 ++
 apps/settings/ws.py | 6 ++----
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/apps/orgs/mixins/ws.py b/apps/orgs/mixins/ws.py
index 46ea9dfb7..89f7e4fbd 100644
--- a/apps/orgs/mixins/ws.py
+++ b/apps/orgs/mixins/ws.py
@@ -24,5 +24,7 @@ class OrgMixin:
 @sync_to_async
 def has_perms(self, user, perms):
+ self.cookie = self.get_cookie()
+ self.org = self.get_current_org()
 with tmp_to_org(self.org):
 return user.has_perms(perms)
diff --git a/apps/settings/ws.py b/apps/settings/ws.py
index 9941f1218..30bbba381 100644
--- a/apps/settings/ws.py
+++ b/apps/settings/ws.py
@@ -56,8 +56,6 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
 async def connect(self):
 user = self.scope["user"]
 if user.is_authenticated:
- self.cookie = self.get_cookie()
- self.org = self.get_current_org()
 has_perm = self.has_perms(user, ['rbac.view_systemtools'])
 if await self.is_superuser(user) or (settings.TOOL_USER_ENABLED and has_perm):
 await self.accept()
@@ -128,14 +126,14 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
 close_old_connections()
-class LdapWebsocket(AsyncJsonWebsocketConsumer):
+class LdapWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
 category: str
 async def connect(self):
 user = self.scope["user"]
 query = parse_qs(self.scope['query_string'].decode())
 self.category = query.get('category', [User.Source.ldap.value])[0]
- if user.is_authenticated:
+ if user.is_authenticated and await self.has_perms(user, ['settings.view_setting']):
 await self.accept()
 else:
 await self.close()
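Review bot: `has_perms` now assigns `self.cookie` and `self.org` as a side effect of a permission check, and because it is wrapped in `@sync_to_async` those assignments only happen once the returned coroutine is awaited. A consumer that calls it without `await`, or reads `self.org` before the first awaited check, no longer has the org context that `connect` used to set explicitly. The org also appears to come from the request cookie (inferred from the names `get_cookie` and `get_current_org`, whose bodies are outside the hunk), so the check is scoped to an org the client names; it is worth confirming that `get_current_org` rejects orgs the user does not belong to. I would add a docstring such as `"""Resolve cookie and org onto self, then check perms inside that org; must be awaited."""`.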
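Review bot: `has_perm = self.has_perms(user, ['rbac.view_systemtools'])` is not awaited, so `has_perm` is a coroutine object and always truthy; with `settings.TOOL_USER_ENABLED` on, the `or` branch accepts any authenticated user whatever their permissions. Since this commit moved the `self.cookie`/`self.org` assignments into `has_perms`, whose body never runs here, they are also no longer set on this consumer. The line should read `has_perm = await self.has_perms(user, ['rbac.view_systemtools'])`, as the LdapWebsocket hunk already does. `connect` continues past the end of the hunk.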
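Review bot: The new gate on `connect` is `settings.view_setting`, a read-level permission, and it is the only authorization this hunk shows for the consumer. The message handlers are outside the hunk; if they run LDAP connection tests or user imports rather than only reading configuration, the check should name the permission that matches those actions, or the handlers should check per action. A rejected connection is also closed silently, so a comment or log line at the `else` branch, e.g. `# deny: unauthenticated or lacks settings.view_setting`, would help whoever audits refused attempts.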