perf: 设置默认的角色，系统用户角色添加权限 (#7898)

* perf: 修改 role handler * perf: 设置默认的角色，系统用户角色添加权限 * perf: authentication 还是放到系统中吧 Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: Jiangjie.Bai <32935519+BaiJiangJie@users.noreply.github.com>
2025-09-19 10:26:27 +00:00 · 2022-03-17 14:08:16 +08:00
parent 8fe84345e4
commit 34e75099a3
9 changed files with 61 additions and 33 deletions
--- a/apps/rbac/api/permission.py
+++ b/apps/rbac/api/permission.py
@@ -41,13 +41,3 @@ class PermissionViewSet(JMSModelViewSet):
            queryset = Permission.get_permissions(self.scope)
        queryset = queryset.prefetch_related('content_type')
        return queryset
-
-
-# class UserPermsApi(ListAPIView):
-#     serializer_class = UserPermsSerializer
-#     permission_classes = (IsValidUser,)
-#
-#     def list(self, request, *args, **kwargs):
-#         perms = RoleBinding.get_user_perms(request.user)
-#         serializer = super().get_serializer(data={'perms': perms})
-#         return Res
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -2,6 +2,8 @@ from django.utils.translation import ugettext_noop

 from .const import Scope, system_exclude_permissions, org_exclude_permissions

+# Todo: 获取应该区分 系统用户，和组织用户的权限
+# 工作台也区分组织后再考虑
 user_perms = (
    ('rbac', 'menupermission', 'view', 'workspace'),
    ('rbac', 'menupermission', 'view', 'webterminal'),
@@ -12,14 +14,13 @@ user_perms = (
    ('assets', 'systemuser', 'match', 'systemuser'),
    ('assets', 'node', 'match', 'node'),
    ('applications', 'application', 'match', 'application'),
-    ('tickets', 'ticket', 'view', 'ticket'),
    ('ops', 'commandexecution', 'add', 'commandexecution'),
    ('authentication', 'connectiontoken', 'add', 'connectiontoken'),
+    ('tickets', 'ticket', 'view', 'ticket'),
 )

 auditor_perms = user_perms + (
    ('rbac', 'menupermission', 'view', 'audit'),
-    ('rbac', 'menupermission', 'view', 'dashboard'),
    ('audits', '*', '*', '*'),
    ('terminal', 'commandstorage', 'view', 'commandstorage'),
    ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
@@ -88,7 +89,7 @@ class PredefineRole:

 class BuiltinRole:
    system_admin = PredefineRole(
-        '1', ugettext_noop('SystemAdmin'), Scope.system, []
+        '1', ugettext_noop('SystemAdmin'), Scope.system, user_perms
    )
    system_auditor = PredefineRole(
        '2', ugettext_noop('SystemAuditor'), Scope.system, auditor_perms
--- a/apps/rbac/signal_handlers.py
+++ b/apps/rbac/signal_handlers.py
@@ -1,7 +1,8 @@
 from django.dispatch import receiver
-from django.db.models.signals import post_migrate
+from django.db.models.signals import post_migrate, post_save
 from django.apps import apps

+from .models import SystemRole, OrgRole
 from .builtin import BuiltinRole


@@ -12,3 +13,15 @@ def after_migrate_update_builtin_role_permissions(sender, app_config, **kwargs):
    if app_config.name == last_app.name:
        print("After migration, update builtin role permissions")
        BuiltinRole.sync_to_db()
+
+
+@receiver(post_save, sender=SystemRole)
+def on_system_role_update(sender, instance, created, **kwargs):
+    from users.models import User
+    User.expire_users_rbac_perms_cache()
+
+
+@receiver(post_save, sender=OrgRole)
+def on_org_role_update(sender, instance, created, **kwargs):
+    from users.models import User
+    User.expire_users_rbac_perms_cache()
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -1,6 +1,7 @@
 #!/usr/bin/python
 from collections import defaultdict
 from typing import Callable
+import os

 from django.utils.translation import gettext_lazy as _, gettext, get_language
 from django.conf import settings
@@ -10,6 +11,8 @@ from django.db.models import F, Count
 from common.tree import TreeNode
 from .models import Permission, ContentType

+DEBUG_DB = os.environ.get('DEBUG_DB', '0') == '1'
+
 # 根节点
 root_node_data = {
    'id': '$ROOT$',
@@ -315,7 +318,7 @@ class PermissionTreeUtil:
                continue
            # name 要特殊处理，解决 i18n 问题
            name, icon = self._get_permission_name_icon(p, content_types_name_mapper)
-            if settings.DEBUG:
+            if DEBUG_DB:
                name += '[{}]'.format(p.app_label_codename)

            title = p.app_label_codename
@@ -366,9 +369,9 @@ class PermissionTreeUtil:
        }
        node_data['title'] = node_data['id']
        node = TreeNode(**node_data)
-        if settings.DEBUG:
+        if DEBUG_DB:
            node.name += ('[' + node.id + ']')
-        if settings.DEBUG:
+        if DEBUG_DB:
            node.name += ('-' + node.id)
        node.name += f'({checked_count}/{total_count})'
        return node