refactor: 重构优化用户授权树工具类和用户授权树过期条件处理逻辑 <UserPermTreeRefreshUtil> <UserPermTreeExpireUtil>

2025-07-17 16:31:28 +00:00 · 2022-12-09 13:05:34 +08:00 · 2022-12-09 13:05:34 +08:00 · 1679efe2c9
commit 1679efe2c9
parent 4f5cc56b00
8 changed files with 167 additions and 317 deletions
--- a/apps/perms/api/user_permission/tree/mixin.py
+++ b/apps/perms/api/user_permission/tree/mixin.py
@ -1,9 +1,10 @@
 from rest_framework.request import Request
 from users.models import User
 from perms.utils.user_permission import UserPermTreeUtil
 from common.http import is_true
 from perms.utils.user_permission import UserPermTreeRefreshUtil
 __all__ = ['RebuildTreeMixin']
@ -13,5 +14,5 @@ class RebuildTreeMixin:
    def get(self, request: Request, *args, **kwargs):
        force = is_true(request.query_params.get('rebuild_tree'))
-        UserPermTreeUtil(self.user).refresh_if_need(force)
+        UserPermTreeRefreshUtil(self.user).refresh_if_need(force)
        return super().get(request, *args, **kwargs)
--- a/apps/perms/models/asset_permission.py
+++ b/apps/perms/models/asset_permission.py
@ -1,16 +1,19 @@
 import logging
 import uuid
 import logging
 from django.db import models
 from django.db.models import Q
 from django.utils import timezone
 from django.utils.translation import ugettext_lazy as _
 from users.models import User
 from assets.models import Asset, Account
 from common.db.models import UnionQuerySet
 from common.utils import date_expired_default
 from orgs.mixins.models import OrgManager
 from orgs.mixins.models import OrgModelMixin
 from common.utils.timezone import local_now
 from common.db.models import UnionQuerySet
 from common.utils import date_expired_default
 from perms.const import ActionChoices
 __all__ = ['AssetPermission', 'ActionChoices']
@ -131,3 +134,23 @@ class AssetPermission(OrgModelMixin):
        if not flat:
            return accounts
        return accounts.values_list('id', flat=True)
    @classmethod
    def get_all_users_for_perms(cls, perm_ids, flat=False):
        user_ids = cls.users.through.objects.filter(assetpermission_id__in=perm_ids)\
            .values_list('user_id', flat=True).distinct()
        group_ids = cls.user_groups.through.objects.filter(assetpermission_id__in=perm_ids)\
            .values_list('usergroup_id', flat=True).distinct()
        group_user_ids = User.groups.through.objects.filter(usergroup_id__in=group_ids)\
            .values_list('user_id', flat=True).distinct()
        user_ids = set(user_ids) | set(group_user_ids)
        if flat:
            return user_ids
        return User.objects.filter(id__in=user_ids)
    @classmethod
    def get_expired_permissions(cls):
        now = local_now()
        return cls.objects.filter(Q(date_start__lte=now) | Q(date_expired__gte=now))
--- a/apps/perms/signal_handlers/refresh_perms.py
+++ b/apps/perms/signal_handlers/refresh_perms.py
@ -5,12 +5,12 @@ from django.dispatch import receiver
 from users.models import User, UserGroup
 from assets.models import Asset
-from orgs.utils import current_org, tmp_to_org
+from common.utils import get_logger, get_object_or_none
 from common.utils import get_logger
 from common.exceptions import M2MReverseNotAllowed
 from common.const.signals import POST_ADD, POST_REMOVE, POST_CLEAR
 from perms.models import AssetPermission
-from perms.utils.user_permission import UserPermTreeUtil
+from perms.utils.user_permission import UserPermTreeExpireUtil
 logger = get_logger(__file__)
@ -21,10 +21,7 @@ def on_user_group_delete(sender, instance: UserGroup, using, **kwargs):
    exists = AssetPermission.user_groups.through.objects.filter(usergroup_id=instance.id).exists()
    if not exists:
        return
-
+    UserPermTreeExpireUtil().expire_perm_tree_for_user_group(instance)
    org_id = instance.org_id
    user_ids = UserGroup.users.through.objects.filter(usergroup_id=instance.id).values_list('user_id', flat=True)
    UserPermTreeUtil.add_need_refresh_orgs_for_users([org_id], list(user_ids))
@receiver(m2m_changed, sender=User.groups.through)
@ -41,39 +38,34 @@ def on_user_groups_change(sender, instance, action, reverse, pk_set, **kwargs):
        group = UserGroup.objects.get(id=list(group_ids)[0])
        org_id = group.org_id
-    exists = AssetPermission.user_groups.through.objects.filter(usergroup_id__in=group_ids).exists()
+    has_group_perm = AssetPermission.user_groups.through.objects\
-    if not exists:
+        .filter(usergroup_id__in=group_ids).exists()
    if not has_group_perm:
        return
-    org_ids = [org_id]
+    UserPermTreeExpireUtil().expire_perm_tree_for_users_orgs(user_ids, [org_id])
    UserPermTreeUtil.add_need_refresh_orgs_for_users(org_ids, user_ids)
@receiver([pre_delete], sender=AssetPermission)
 def on_asset_perm_pre_delete(sender, instance, **kwargs):
-    # 授权删除之前，查出所有相关用户
+    UserPermTreeExpireUtil().expire_perm_tree_for_perms([instance.id])
    with tmp_to_org(instance.org):
        UserPermTreeUtil.add_need_refresh_by_asset_perm_ids([instance.id])
@receiver([pre_save], sender=AssetPermission)
 def on_asset_perm_pre_save(sender, instance, **kwargs):
-    try:
+    old = get_object_or_none(AssetPermission, pk=instance.id)
-        old = AssetPermission.objects.get(id=instance.id)
+    if not old:
-
+        return
-        if old.is_valid != instance.is_valid:
+    if old.is_valid == instance.is_valid:
-            with tmp_to_org(instance.org):
+        return
-                UserPermTreeUtil.add_need_refresh_by_asset_perm_ids([instance.id])
+    UserPermTreeExpireUtil().expire_perm_tree_for_perms([instance.id])
    except AssetPermission.DoesNotExist:
        pass
@receiver([post_save], sender=AssetPermission)
 def on_asset_perm_post_save(sender, instance, created, **kwargs):
    if not created:
        return
-    with tmp_to_org(instance.org):
+    UserPermTreeExpireUtil().expire_perm_tree_for_perms([instance.id])
        UserPermTreeUtil.add_need_refresh_by_asset_perm_ids([instance.id])
 def need_rebuild_mapping_node(action):
@ -82,69 +74,52 @@ def need_rebuild_mapping_node(action):
@receiver(m2m_changed, sender=AssetPermission.nodes.through)
 def on_permission_nodes_changed(sender, instance, action, reverse, **kwargs):
    if reverse:
        raise M2MReverseNotAllowed
    if not need_rebuild_mapping_node(action):
        return
-
+    if reverse:
-    with tmp_to_org(instance.org):
+        raise M2MReverseNotAllowed
-        UserPermTreeUtil.add_need_refresh_by_asset_perm_ids([instance.id])
+    UserPermTreeExpireUtil().expire_perm_tree_for_perms([instance.id])
@receiver(m2m_changed, sender=AssetPermission.assets.through)
 def on_permission_assets_changed(sender, instance, action, reverse, pk_set, model, **kwargs):
    if reverse:
        raise M2MReverseNotAllowed
    if not need_rebuild_mapping_node(action):
        return
-    with tmp_to_org(instance.org):
+    if reverse:
-        UserPermTreeUtil.add_need_refresh_by_asset_perm_ids([instance.id])
+        raise M2MReverseNotAllowed
    UserPermTreeExpireUtil().expire_perm_tree_for_perms([instance.id])
@receiver(m2m_changed, sender=AssetPermission.users.through)
 def on_asset_permission_users_changed(sender, action, reverse, instance, pk_set, **kwargs):
    if reverse:
        raise M2MReverseNotAllowed
    if not need_rebuild_mapping_node(action):
        return
-
+    user_ids = pk_set
-    with tmp_to_org(instance.org):
+    UserPermTreeExpireUtil().expire_perm_tree_for_users_orgs(user_ids, [instance.org.id])
        UserPermTreeUtil.add_need_refresh_orgs_for_users(
            [current_org.id], pk_set
        )
@receiver(m2m_changed, sender=AssetPermission.user_groups.through)
 def on_asset_permission_user_groups_changed(sender, instance, action, pk_set, reverse, **kwargs):
    if not need_rebuild_mapping_node(action):
        return
    if reverse:
        raise M2MReverseNotAllowed
-    if not need_rebuild_mapping_node(action):
+    group_ids = pk_set
-        return
+    UserPermTreeExpireUtil().expire_perm_tree_for_user_groups_orgs(group_ids, [instance.org.id])
    user_ids = User.groups.through.objects.filter(usergroup_id__in=pk_set) \
        .values_list('user_id', flat=True) \
        .distinct()
    with tmp_to_org(instance.org):
        UserPermTreeUtil.add_need_refresh_orgs_for_users(
            [current_org.id], user_ids
        )
@receiver(m2m_changed, sender=Asset.nodes.through)
 def on_node_asset_change(action, instance, reverse, pk_set, **kwargs):
    if not need_rebuild_mapping_node(action):
        return
    if reverse:
-        asset_pk_set = pk_set
+        asset_ids = pk_set
-        node_pk_set = [instance.id]
+        node_ids = [instance.id]
    else:
-        asset_pk_set = [instance.id]
+        asset_ids = [instance.id]
-        node_pk_set = pk_set
+        node_ids = pk_set
-    with tmp_to_org(instance.org):
+    UserPermTreeExpireUtil().expire_perm_tree_for_nodes_assets(node_ids, asset_ids)
        UserPermTreeUtil.add_need_refresh_on_nodes_assets_relate_change(node_pk_set, asset_pk_set)
--- a/apps/perms/tasks.py
+++ b/apps/perms/tasks.py
@ -7,16 +7,18 @@ from django.db.transaction import atomic
 from django.conf import settings
 from celery import shared_task
 from ops.celery.decorator import register_as_period_task
 from orgs.utils import tmp_to_root_org
 from common.utils import get_logger
-from common.utils.timezone import local_now, dt_formatter, dt_parser
+from common.utils.timezone import local_now, dt_parser
 from common.const.crontab import CRONTAB_AT_AM_TEN
-from ops.celery.decorator import register_as_period_task
+
 from perms.notifications import (
    PermedAssetsWillExpireUserMsg, AssetPermsWillExpireForOrgAdminMsg,
 )
 from perms.models import AssetPermission
-from perms.utils.user_permission import UserPermTreeUtil
+from perms.utils.user_permission import UserPermTreeExpireUtil
 from perms.notifications import (
    PermedAssetsWillExpireUserMsg,
    AssetPermsWillExpireForOrgAdminMsg,
 )
 logger = get_logger(__file__)
@ -26,33 +28,11 @@ logger = get_logger(__file__)
@atomic()
@tmp_to_root_org()
 def check_asset_permission_expired():
-    """
+    """ 这里的任务要足够短，不要影响周期任务 """
-    这里的任务要足够短，不要影响周期任务
+    perms = AssetPermission.get_expired_permissions()
-    """
+    perm_ids = list(perms.distinct().values_list('id', flat=True))
-    from settings.models import Setting
+    logger.info(f'Checking expired permissions: {perm_ids}')
-
+    UserPermTreeExpireUtil().expire_perm_tree_for_perms(perm_ids)
    setting_name = 'last_asset_perm_expired_check'
    end = local_now()
    default_start = end - timedelta(days=36000)  # Long long ago in china
    defaults = {'value': dt_formatter(default_start)}
    setting, created = Setting.objects.get_or_create(
        name=setting_name, defaults=defaults
    )
    if created:
        start = default_start
    else:
        start = dt_parser(setting.value)
    setting.value = dt_formatter(end)
    setting.save()
    asset_perm_ids = AssetPermission.objects.filter(
        date_expired__gte=start, date_expired__lte=end
    ).distinct().values_list('id', flat=True)
    asset_perm_ids = list(asset_perm_ids)
    logger.info(f'>>> checking {start} to {end} have {asset_perm_ids} expired')
    UserPermTreeUtil.add_need_refresh_by_asset_perm_ids_cross_orgs(asset_perm_ids)
@register_as_period_task(crontab=CRONTAB_AT_AM_TEN)
--- a/apps/perms/utils/user_permission.py
+++ b/apps/perms/utils/user_permission.py
@ -7,24 +7,32 @@ from django.core.cache import cache
 from django.db.models import Q, QuerySet
 from django.utils.translation import gettext as _
-from assets.models import (
+from users.models import User
    Asset, FavoriteAsset, AssetQuerySet, NodeQuerySet
 )
 from assets.utils import NodeAssetsUtil
 from assets.models import (
    Asset,
    FavoriteAsset,
    AssetQuerySet,
    NodeQuerySet
 )
 from orgs.models import Organization
 from orgs.utils import (
    tmp_to_org,
    current_org,
    ensure_in_real_or_default_org,
    tmp_to_root_org
 )
 from common.db.models import output_as_string, UnionQuerySet
 from common.decorator import on_transaction_commit
 from common.utils import get_logger
 from common.utils.common import lazyproperty, timeit
-from orgs.models import Organization
+
 from orgs.utils import (
    tmp_to_org, current_org,
    ensure_in_real_or_default_org, tmp_to_root_org
 )
 from perms.locks import UserGrantedTreeRebuildLock
 from perms.models import (
-    AssetPermission, PermNode, UserAssetGrantedTreeNodeRelation
+    AssetPermission,
    PermNode,
    UserAssetGrantedTreeNodeRelation
 )
 from users.models import User
 from .permission import AssetPermissionUtil
 NodeFrom = UserAssetGrantedTreeNodeRelation.NodeFrom
@ -33,50 +41,53 @@ NODE_ONLY_FIELDS = ('id', 'key', 'parent_key', 'org_id')
 logger = get_logger(__name__)
-class UserPermTreeUtil2:
+class UserPermTreeCacheMixin:
    """ 缓存数据 users: {org_id, org_id }, 记录用户授权树已经构建完成的组织集合 """
    cache_key_template = 'perms.user.node_tree.built_orgs.user_id:{user_id}'
    def get_cache_key(self, user_id):
        return self.cache_key_template.format(user_id=user_id)
    @lazyproperty
    def client(self):
        return cache.client.get_client(write=True)
 class UserPermTreeRefreshUtil(UserPermTreeCacheMixin):
    """ 用户授权树刷新工具, 针对某一个用户授权树的刷新 """
    def __init__(self, user):
        self.user = user
        self.orgs = self.user.orgs.distinct()
        self.org_ids = [str(o.id) for o in self.orgs]
    def get_cache_key(self, user_id):
        return self.cache_key_template.format(user_id=user_id)
    @lazyproperty
    def cache_key_user(self):
        return self.get_cache_key(self.user.id)
    @lazyproperty
    def cache_key_all_user(self):
        return self.get_cache_key('*')
    @lazyproperty
    def client(self):
        return cache.client.get_client(write=True)
    @timeit
    def refresh_if_need(self, force=False):
        self.clean_user_perm_tree_nodes_for_legacy_org()
        to_refresh_orgs = self.orgs if force else self.get_user_need_refresh_orgs()
        if not to_refresh_orgs:
            logger.info('Not have to refresh orgs')
            return
        with UserGrantedTreeRebuildLock(self.user.id):
            for org in to_refresh_orgs:
-                with tmp_to_org(org):
+                self.rebuild_user_perm_tree_for_org(org)
                    start = time.time()
                    UserGrantedTreeBuildUtils(self.user).rebuild_user_granted_tree()
                    end = time.time()
                    logger.info(
                        'Refresh user [{user}] org [{org}] perm tree, user {use_time:.2f}s'
                        ''.format(user=self.user, org=org, use_time=end-start)
                    )
        self.mark_user_orgs_refresh_finished(to_refresh_orgs)
    def rebuild_user_perm_tree_for_org(self, org):
        with tmp_to_org(org):
            start = time.time()
            UserGrantedTreeBuildUtils(self.user).rebuild_user_granted_tree()
            end = time.time()
            logger.info(
                'Refresh user [{user}] org [{org}] perm tree, user {use_time:.2f}s'
                ''.format(user=self.user, org=org, use_time=end-start)
            )
    def clean_user_perm_tree_nodes_for_legacy_org(self):
        with tmp_to_root_org():
            """ Clean user legacy org node relations """
@ -95,7 +106,14 @@ class UserPermTreeUtil2:
    def mark_user_orgs_refresh_finished(self, org_ids):
        self.client.sadd(self.cache_key_user, *org_ids)
-    # cls
+
 class UserPermTreeExpireUtil(UserPermTreeCacheMixin):
    """ 用户授权树过期工具 """
    @lazyproperty
    def cache_key_all_user(self):
        return self.get_cache_key('*')
    def expire_perm_tree_for_all_user(self):
        keys = self.client.keys(self.cache_key_all_user)
        with self.client.pipline() as p:
@ -103,6 +121,34 @@ class UserPermTreeUtil2:
                p.delete(k)
            p.execute()
    def expire_perm_tree_for_nodes_assets(self, node_ids, asset_ids):
        node_perm_ids = AssetPermissionUtil().get_permissions_for_nodes(node_ids, flat=True)
        asset_perm_ids = AssetPermissionUtil().get_permissions_for_assets(asset_ids, flat=True)
        perm_ids = set(node_perm_ids) | set(asset_perm_ids)
        self.expire_perm_tree_for_perms(perm_ids)
    @tmp_to_root_org()
    def expire_perm_tree_for_perms(self, perm_ids):
        org_perm_ids = AssetPermission.objects.filter(id__in=perm_ids).values_list('org_id', 'id')
        org_perms_mapper = defaultdict(set)
        for org_id, perm_id in org_perm_ids:
            org_perms_mapper[org_id].add(perm_id)
        for org_id, perms_id in org_perms_mapper.items():
            org_ids = [org_id]
            user_ids = AssetPermission.get_all_users_for_perms(perm_ids, flat=True)
            self.expire_perm_tree_for_users_orgs(user_ids, org_ids)
    def expire_perm_tree_for_user_group(self, user_group):
        group_ids = [user_group.id]
        org_ids = [user_group.org_id]
        self.expire_perm_tree_for_user_groups_orgs(group_ids, org_ids)
    def expire_perm_tree_for_user_groups_orgs(self, group_ids, org_ids):
        user_ids = User.groups.through.objects.filter(usergroup_id__in=group_ids)\
            .values_list('user_id', flat=True).distinct()
        self.expire_perm_tree_for_users_orgs(user_ids, org_ids)
    @on_transaction_commit
    def expire_perm_tree_for_users_orgs(self, user_ids, org_ids):
        org_ids = [str(oid) for oid in org_ids]
        with self.client.pipline() as p:
@ -112,183 +158,6 @@ class UserPermTreeUtil2:
            p.execute()
        logger.info('Expire perm tree for users: [{}], orgs: [{}]'.format(user_ids, org_ids))
    def expire_perm_tree_for_nodes_assets(self, node_ids, asset_ids):
        node_perm_ids = AssetPermissionUtil().get_permissions_for_nodes(node_ids, flat=True)
        asset_perm_ids = AssetPermissionUtil().get_permissions_for_assets(asset_ids, flat=True)
        perm_ids = set(node_perm_ids) | set(asset_perm_ids)
 class UserPermTreeUtil:
    key_template = 'perms.user.node_tree.built_orgs.user_id:{user_id}'
    def __init__(self, user):
        self.user = user
        self.key = self.key_template.format(user_id=user.id)
        self.client = self.get_redis_client()
    @timeit
    def refresh_if_need(self, force=False):
        user = self.user
        orgs = user.orgs.all().distinct()
        org_ids = [str(o.id) for o in orgs]
        with tmp_to_root_org():
            user_relations = UserAssetGrantedTreeNodeRelation.objects.filter(user=user)
            user_legacy_org_relations = user_relations.exclude(org_id__in=org_ids)
            user_legacy_org_relations.delete()
        need_refresh_orgs = []
        if not force and not self.have_need_refresh_orgs():
            return
        with UserGrantedTreeRebuildLock(user_id=user.id):
            if force:
                orgs = self.orgs
                self.set_all_orgs_as_built()
            else:
                orgs = self.get_need_refresh_orgs_and_fill_up()
            for org in orgs:
                with tmp_to_org(org):
                    t_start = time.time()
                    logger.info(f'Rebuild user tree: user={self.user} org={current_org}')
                    utils = UserGrantedTreeBuildUtils(user)
                    utils.rebuild_user_granted_tree()
                    logger.info(
                        f'Rebuild user tree ok: cost={time.time() - t_start} '
                        f'user={self.user} org={current_org}'
                    )
    @lazyproperty
    def org_ids(self):
        ret = {str(org.id) for org in self.orgs}
        return ret
    @lazyproperty
    def orgs(self):
        orgs = {*self.user.orgs.all().distinct()}
        return orgs
    def set_all_orgs_as_built(self):
        self.client.sadd(self.key, *self.org_ids)
    def have_need_refresh_orgs(self):
        built_org_ids = self.client.smembers(self.key)
        built_org_ids = {org_id.decode() for org_id in built_org_ids}
        have = self.org_ids - built_org_ids
        return have
    def get_need_refresh_orgs_and_fill_up(self):
        org_ids = self.org_ids
        with self.client.pipeline() as p:
            p.smembers(self.key)
            p.sadd(self.key, *org_ids)
            old_org_ids, new_orgs_count = p.execute()
            old_org_ids = {oid.decode() for oid in old_org_ids}
            need_refresh_org_ids = org_ids - old_org_ids
            need_refresh_orgs = Organization.objects.filter(id__in=need_refresh_org_ids)
            logger.info(f'Need refresh orgs: {need_refresh_orgs}')
            return need_refresh_orgs
    # cls
    @classmethod
    def get_redis_client(cls):
        return cache.client.get_client(write=True)
    @classmethod
    def clean_all_user_tree_built_mark(cls):
        """ 清除所有用户已构建树的标记 """
        client = cls.get_redis_client()
        key_match = cls.key_template.format(user_id='*')
        keys = client.keys(key_match)
        with client.pipeline() as p:
            for key in keys:
                p.delete(key)
            p.execute()
    @classmethod
    @on_transaction_commit
    def remove_built_orgs_from_users(cls, org_ids, user_ids):
        client = cls.get_redis_client()
        org_ids = [str(org_id) for org_id in org_ids]
        with client.pipeline() as p:
            for user_id in user_ids:
                key = cls.key_template.format(user_id=user_id)
                p.srem(key, *org_ids)
            p.execute()
        logger.info(f'Remove orgs from users built tree: users:{user_ids} orgs:{org_ids}')
    @classmethod
    def add_need_refresh_orgs_for_users(cls, org_ids, user_ids):
        cls.remove_built_orgs_from_users(org_ids, user_ids)
    @classmethod
    @ensure_in_real_or_default_org
    def add_need_refresh_on_nodes_assets_relate_change(cls, node_ids, asset_ids):
        """
        1，计算与这些资产有关的授权
        2，计算与这些节点以及祖先节点有关的授权
        """
        node_ids = set(node_ids)
        ancestor_node_keys = set()
        asset_perm_ids = set()
        nodes = PermNode.objects.filter(id__in=node_ids).only('id', 'key')
        for node in nodes:
            ancestor_node_keys.update(node.get_ancestor_keys())
        ancestor_id = PermNode.objects.filter(key__in=ancestor_node_keys).values_list('id', flat=True)
        node_ids.update(ancestor_id)
        assets_related_perm_ids = AssetPermission.nodes.through.objects.filter(
            node_id__in=node_ids
        ).values_list('assetpermission_id', flat=True)
        asset_perm_ids.update(assets_related_perm_ids)
        nodes_related_perm_ids = AssetPermission.assets.through.objects.filter(
            asset_id__in=asset_ids
        ).values_list('assetpermission_id', flat=True)
        asset_perm_ids.update(nodes_related_perm_ids)
        cls.add_need_refresh_by_asset_perm_ids(asset_perm_ids)
    @classmethod
    def add_need_refresh_by_asset_perm_ids_cross_orgs(cls, asset_perm_ids):
        org_id_perm_ids_mapper = defaultdict(set)
        pairs = AssetPermission.objects.filter(id__in=asset_perm_ids).values_list('org_id', 'id')
        for org_id, perm_id in pairs:
            org_id_perm_ids_mapper[org_id].add(perm_id)
        for org_id, perm_ids in org_id_perm_ids_mapper.items():
            with tmp_to_org(org_id):
                cls.add_need_refresh_by_asset_perm_ids(perm_ids)
    @classmethod
    @ensure_in_real_or_default_org
    def add_need_refresh_by_asset_perm_ids(cls, asset_perm_ids):
        group_ids = AssetPermission.user_groups.through.objects.filter(
            assetpermission_id__in=asset_perm_ids
        ).values_list('usergroup_id', flat=True)
        user_ids = set()
        direct_user_id = AssetPermission.users.through.objects.filter(
            assetpermission_id__in=asset_perm_ids
        ).values_list('user_id', flat=True)
        user_ids.update(direct_user_id)
        group_user_ids = User.groups.through.objects.filter(
            usergroup_id__in=group_ids
        ).values_list('user_id', flat=True)
        user_ids.update(group_user_ids)
        cls.remove_built_orgs_from_users(
            [current_org.id], user_ids
        )
 class UserGrantedUtilsBase:
    user: User
--- a/apps/settings/models.py
+++ b/apps/settings/models.py
@ -43,6 +43,9 @@ class Setting(models.Model):
    def __str__(self):
        return self.name
    def is_name(self, name):
        return self.name == name
    @property
    def cleaned_value(self):
        try:
--- a/apps/settings/signal_handlers.py
+++ b/apps/settings/signal_handlers.py
@ -8,11 +8,13 @@ from django.db.utils import ProgrammingError, OperationalError
 from django.dispatch import receiver
 from django.utils.functional import LazyObject
 from jumpserver.utils import current_request
 from common.decorator import on_transaction_commit
 from common.signals import django_ready
 from common.utils import get_logger, ssh_key_gen
 from common.utils.connection import RedisPubSub
-from jumpserver.utils import current_request
+
 from .models import Setting
 logger = get_logger(__file__)
@ -31,15 +33,12 @@ setting_pub_sub = SettingSubPub()
 def refresh_settings_on_changed(sender, instance=None, **kwargs):
    if not instance:
        return
    setting_pub_sub.publish(instance.name)
-
+    if instance.is_name('PERM_SINGLE_ASSET_TO_UNGROUP_NODE'):
-    # 配置变化: PERM_SINGLE_ASSET_TO_UNGROUP_NODE
+        """ 过期所有用户授权树 """
-    if instance.name == 'PERM_SINGLE_ASSET_TO_UNGROUP_NODE':
+        logger.debug('Expire all user perm tree')
-        # 清除所有用户授权树已构建的标记，下次访问重新生成
+        from perms.utils.user_permission import UserPermTreeExpireUtil
-        logger.debug('Clean ALL User perm tree built mark')
+        UserPermTreeExpireUtil().expire_perm_tree_for_all_user()
        from perms.utils.user_permission import UserPermTreeUtil
        UserPermTreeUtil.clean_all_user_tree_built_mark()
@receiver(django_ready)
--- a/apps/users/models/group.py
+++ b/apps/users/models/group.py
@ -1,11 +1,11 @@
 # -*- coding: utf-8 -*-
 import uuid
-from django.db import models, IntegrityError
+from django.db import models
 from django.utils.translation import ugettext_lazy as _
 from common.utils import lazyproperty
 from orgs.mixins.models import OrgModelMixin
 from common.utils import lazyproperty
 __all__ = ['UserGroup']