perf: 修改权限树 (#7757)

* perf: 修改 rbac tree * perf: 修改权限树 * perf: 修改用户默认权限 Co-authored-by: ibuler <ibuler@qq.com>
2026-01-29 21:51:31 +00:00 · 2022-03-07 19:02:37 +08:00
parent 3222687aaa
commit 1b007c8c5c
17 changed files with 317 additions and 168 deletions
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -21,11 +21,14 @@ auditor_perms = (

 user_perms = (
    ('rbac', 'menupermission', 'view', 'userview'),
-    ('perms', 'assetpermission', 'view,connect', 'myassets'),
-    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+    ('rbac', 'menupermission', 'view', 'webterminal'),
+    ('rbac', 'menupermission', 'view', 'filemanager'),
+    ('perms', 'permedasset', 'view,connect', 'myassets'),
+    ('perms', 'permedapplication', 'view,connect', 'myapps'),
    ('assets', 'asset', 'match', 'asset'),
    ('assets', 'systemuser', 'match', 'systemuser'),
    ('assets', 'node', 'match', 'node'),
+    ('ops', 'commandexecution', 'add', 'commandexecution'),
 )

 app_exclude_perms = [
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -22,6 +22,8 @@ exclude_permissions = (
    ('notifications', '*', '*', '*'),
    ('common', 'setting', '*', '*'),

+    ('authentication', 'privatetoken', '*', '*'),
+    ('users', 'userpasswordhistory', '*', '*'),
    ('applications', 'applicationuser', '*', '*'),
    ('applications', 'historicalaccount', '*', '*'),
    ('applications', 'databaseapp', '*', '*'),
@@ -33,7 +35,6 @@ exclude_permissions = (
    ('assets', 'favoriteasset', '*', '*'),
    ('assets', 'historicalauthbook', '*', '*'),
    ('assets', 'assetuser', '*', '*'),
-    ('authentication', 'privatetoken', '*', '*'),
    ('perms', 'databaseapppermission', '*', '*'),
    ('perms', 'k8sapppermission', '*', '*'),
    ('perms', 'remoteapppermission', '*', '*'),
@@ -41,6 +42,8 @@ exclude_permissions = (
    ('perms', 'usergrantedmappingnode', '*', '*'),
    ('perms', 'permnode', '*', '*'),
    ('perms', 'rebuildusertreetask', '*', '*'),
+    ('perms', 'permedasset', 'add,change,delete', 'permedasset'),
+    ('perms', 'permedapplication', 'add,change,delete', 'permedapplication'),
    ('rbac', 'contenttype', '*', '*'),
    ('rbac', 'permission', 'add,delete,change', 'permission'),
    ('rbac', 'rolebinding', '*', '*'),
@@ -49,22 +52,22 @@ exclude_permissions = (
    ('ops', 'adhocexecution', '*', '*'),
    ('ops', 'celerytask', '*', '*'),
    ('ops', 'task', 'add,change', 'task'),
+    ('ops', 'commandexecution', 'delete,change', 'commandexecution'),
    ('orgs', 'organizationmember', '*', '*'),
    ('settings', 'setting', 'add,delete', 'setting'),
    ('audits', 'operatelog', 'add,delete,change', 'operatelog'),
    ('audits', 'passwordchangelog', 'add,change,delete', 'passwordchangelog'),
    ('audits', 'userloginlog', 'change,delete,change', 'userloginlog'),
    ('audits', 'ftplog', 'change,delete', 'ftplog'),
-    ('terminal', 'session', 'delete', 'session'),
-    ('terminal', 'session', 'delete,change', 'command'),
    ('tickets', 'ticket', '*', '*'),
-    ('users', 'userpasswordhistory', '*', '*'),
    ('xpack', 'interface', '*', '*'),
    ('xpack', 'license', '*', '*'),
    ('common', 'permission', 'add,delete,view,change', 'permission'),
    ('terminal', 'command', 'delete,change', 'command'),
    ('terminal', 'sessionjoinrecord', 'delete', 'sessionjoinrecord'),
    ('terminal', 'sessionreplay', 'delete', 'sessionreplay'),
+    ('terminal', 'session', 'delete', 'session'),
+    ('terminal', 'session', 'delete,change', 'command'),
 )


--- a/apps/rbac/migrations/0001_initial.py
+++ b/apps/rbac/migrations/0001_initial.py
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
            ],
            options={
                'verbose_name': 'Menu permission',
-                'permissions': [('view_adminview', 'view console view'), ('view_auditview', 'view audit view'), ('view_userview', 'view workspace view')],
+                'permissions': [('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view')],
                'default_permissions': [],
            },
        ),
--- a/apps/rbac/migrations/0005_auto_20220307_1524.py
+++ b/apps/rbac/migrations/0005_auto_20220307_1524.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:46
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0004_auto_20211201_1901'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='menupermission',
+            options={'default_permissions': [], 'permissions': [('view_resourcestatistics', 'Can view resource statistics'), ('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
+        ),
+    ]
--- a/apps/rbac/migrations/0006_auto_20220307_1558.py
+++ b/apps/rbac/migrations/0006_auto_20220307_1558.py
@@ -0,0 +1,39 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:58
+
+from django.db import migrations
+
+
+def delete_unused_permissions(apps, schema_editor):
+    permission_model = apps.get_model('rbac', 'Permission')
+    content_type_model = apps.get_model('rbac', 'ContentType')
+    content_type_delete_required = [
+        ('common', 'permission'),
+    ]
+    for app, model in content_type_delete_required:
+        content_type_model.objects.filter(app_label=app, model=model).delete()
+
+    permissions_delete_required = [
+        ('perms', 'assetpermission', 'connect_myassets'),
+        ('perms', 'assetpermission', 'view_myassets'),
+        ('perms', 'assetpermission', 'view_userassets'),
+        ('perms', 'assetpermission', 'view_usergroupassets'),
+        ('perms', 'applicationpermission', 'view_myapps'),
+        ('perms', 'applicationpermission', 'connect_myapps'),
+        ('perms', 'applicationpermission', 'view_userapps'),
+        ('perms', 'applicationpermission', 'view_usergroupapps'),
+    ]
+    for app, model, codename in permissions_delete_required:
+        permission_model.objects.filter(
+            codename=codename, content_type__model=model, content_type__app_label=app
+        ).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0005_auto_20220307_1524'),
+    ]
+
+    operations = [
+        migrations.RunPython(delete_unused_permissions)
+    ]
--- a/apps/rbac/models/menu.py
+++ b/apps/rbac/models/menu.py
@@ -12,7 +12,10 @@ class MenuPermission(models.Model):
        default_permissions = []
        verbose_name = _('Menu permission')
        permissions = [
-            ('view_adminview', _('view console view')),
-            ('view_auditview', _('view audit view')),
-            ('view_userview', _('view workspace view')),
+            ('view_resourcestatistics', _('Can view resource statistics')),
+            ('view_adminview', _('Can view console view')),
+            ('view_auditview', _('Can view audit view')),
+            ('view_userview', _('Can view workspace view')),
+            ('view_webterminal', _('Can view web terminal')),
+            ('view_filemanager', _('Can view file manager')),
        ]
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -132,7 +132,17 @@ extra_nodes_data = [
        "id": "terminal_node",
        "name": _("Terminal setting"),
        "pId": "view_setting"
-    }
+    },
+    {
+        'id': "my_assets",
+        "name": _("My assets"),
+        "pId": "view_workspace"
+    },
+    {
+        'id': "my_apps",
+        "name": _("My apps"),
+        "pId": "view_workspace"
+    },
 ]

 # 将 model 放到其它节点下，而不是本来的 app 中
@@ -164,10 +174,16 @@ special_model_pid_mapper = {
    'terminal.task': 'terminal_node',
    'audits.ftplog': 'terminal',
    'rbac.menupermission': 'view_other',
+    'perms.view_myassets': 'my_assets',
+    'perms.connect_myassets': 'my_assets',
+    'perms.view_myapps': 'my_apps',
+    'perms.connect_myapps': 'my_apps',
+    'ops.commandexecution': 'view_workspace',
 }

 model_verbose_name_mapper = {
    'orgs.organization': _("App organizations"),
+    'tickets.comment': _("Ticket comment"),
 }

 xpack_apps = [
@@ -259,28 +275,28 @@ class PermissionTreeUtil:

    def _create_models_nodes(self):
        content_types = ContentType.objects.all()
-        total_counts_mapper, checked_counts_mapper = self._get_model_counts_mapper()

        nodes = []
        for ct in content_types:
-            total_count = total_counts_mapper.get(ct.id, 0)
-            checked_count = checked_counts_mapper.get(ct.id, 0)
-            if total_count == 0:
-                continue
-
            model_id = '{}.{}'.format(ct.app_label, ct.model)
            if not self._check_model_xpack(model_id):
                continue
+
+            total_count = self.total_counts[model_id]
+            checked_count = self.checked_counts[model_id]
+            if total_count == 0:
+                continue
+
            # 获取 pid
            app = ct.app_label
-            if special_model_pid_mapper.get(model_id):
+            if model_id in special_model_pid_mapper:
                app = special_model_pid_mapper[model_id]
            self.total_counts[app] += total_count
            self.checked_counts[app] += checked_count

            # 获取 name
            name = f'{ct.name}'
-            if model_verbose_name_mapper.get(model_id):
+            if model_id in model_verbose_name_mapper:
                name = model_verbose_name_mapper[model_id]

            node = self._create_node({
@@ -336,11 +352,21 @@ class PermissionTreeUtil:
            if settings.DEBUG:
                name += '({})'.format(p.app_label_codename)

+            title = p.app_label_codename
+            pid = model_id
+            if title in special_model_pid_mapper:
+                pid = special_model_pid_mapper[title]
+
+            self.total_counts[pid] += 1
+            checked = p.id in permissions_id
+            if checked:
+                self.checked_counts[pid] += 1
+
            node = TreeNode(**{
                'id': p.id,
                'name': name,
-                'title': p.app_label_codename,
-                'pId': model_id,
+                'title': title,
+                'pId': pid,
                'isParent': False,
                'chkDisabled': self.check_disabled,
                'iconSkin': 'file',
@@ -395,10 +421,10 @@ class PermissionTreeUtil:
            checked_count = self.checked_counts[view]
            if total_count == 0:
                continue
-            node = self._create_node(data, total_count, checked_count, 'view')
+            node = self._create_node(data, total_count, checked_count, 'view', is_open=False)
            nodes.append(node)
        return nodes
-    
+
    def _create_extra_nodes(self):
        nodes = []
        for data in extra_nodes_data:
@@ -423,8 +449,8 @@ class PermissionTreeUtil:
        perms_nodes = self._create_perms_nodes()
        models_nodes = self._create_models_nodes()
        apps_nodes = self.create_apps_nodes()
-        views_nodes = self._create_views_node()
        extra_nodes = self._create_extra_nodes()
+        views_nodes = self._create_views_node()

        nodes += views_nodes + apps_nodes + models_nodes + perms_nodes + extra_nodes
        return nodes