From 572c5b6925201ba2ad24ef216d3d18940d000856 Mon Sep 17 00:00:00 2001
From: "Jiangjie.Bai"
Date: Wed, 16 Mar 2022 14:43:20 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E4=BF=AE=E6=94=B9=E5=B7=A5=E5=8D=95?= =?UTF-8?q?=E7=AE=A1=E7=90=86=E6=9D=83=E9=99=90=E4=BD=8D?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 apps/rbac/const.py | 6 +++---
 apps/rbac/permissions.py | 8 +++++---
 apps/rbac/tree.py | 8 +++++++-
 apps/tickets/api/comment.py | 3 +++
 apps/tickets/api/relation.py | 3 +++
 apps/tickets/api/ticket.py | 8 ++++++--
 6 files changed, 27 insertions(+), 9 deletions(-)
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index a3b69c33a..ff2534e72 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -62,12 +62,12 @@ exclude_permissions = (
 ('audits', 'ftplog', 'change,delete', 'ftplog'),
 ('tickets', 'ticketassignee', '*', 'ticketassignee'),
 ('tickets', 'ticketflow', 'add,delete', 'ticketflow'),
- ('tickets', 'comment', 'change,delete', 'comment'),
- ('tickets', 'ticket', 'delete', 'ticket'),
+ ('tickets', 'comment', '*', '*'),
+ ('tickets', 'ticket', 'add,delete,change', 'ticket'),
 ('tickets', 'ticketstep', '*', '*'),
 ('tickets', 'approvalrule', '*', '*'),
 ('tickets', 'superticket', 'delete', 'superticket'),
- ('tickets', 'ticketsession', 'delete', 'ticketsession'),
+ ('tickets', 'ticketsession', 'view,delete', 'ticketsession'),
 ('xpack', 'interface', '*', '*'),
 ('xpack', 'license', '*', '*'),
 ('xpack', 'syncinstancedetail', 'add,delete,change', 'syncinstancedetail'),
diff --git a/apps/rbac/permissions.py b/apps/rbac/permissions.py
index dc1260d67..877cf06b2 100644
--- a/apps/rbac/permissions.py
+++ b/apps/rbac/permissions.py
@@ -69,13 +69,16 @@ class RBACPermission(permissions.DjangoModelPermissions): def _get_action_perms(self, action, model_cls, view): action_perms_map = self.get_rbac_perms(view, model_cls) - if action not in action_perms_map: + if action in action_perms_map: + perms = action_perms_map[action] + elif '*' in action_perms_map: + perms = action_perms_map['*'] + else: msg = 'Action not allowed: {}, only `{}` supported'.format( action, ','.join(list(action_perms_map.keys())) ) logger.error(msg) raise exceptions.PermissionDenied(msg) - perms = action_perms_map[action] return perms def get_model_cls(self, view): @@ -96,7 +99,6 @@ class RBACPermission(permissions.DjangoModelPermissions): :param view: :return: """ - model_cls = self.get_model_cls(view) action = getattr(view, 'action', None) if not action: diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py index 8b8b23c4f..ff7027db0 100644 --- a/apps/rbac/tree.py +++ b/apps/rbac/tree.py @@ -104,11 +104,13 @@ special_pid_mapper = { "rbac.view_workspace": "view_workspace", "rbac.view_webterminal": "view_workspace", "rbac.view_filemanager": "view_workspace", + 'tickets.view_ticket': 'tickets' } verbose_name_mapper = { 'orgs.organization': _("App organizations"), 'tickets.comment': _("Ticket comment"), + 'tickets.view_ticket': _("Ticket"), 'settings.setting': _("Common setting"), } 
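Review bot: The new `elif '*' in action_perms_map` branch in `_get_action_perms` makes the deny-by-default `else` unreachable for any view that declares a `'*'` entry, so every action later added to such a view, write actions included, is authorised by the wildcard permission without anyone opting in. The method has no docstring; I would add one that states the lookup order (exact action, then `'*'`, otherwise `PermissionDenied`) and that a `'*'` value must be strict enough for the most sensitive action on the view. A line such as `logger.debug('Action %s matched wildcard rbac_perms', action)` in the wildcard branch would make the fallback visible when permissions are audited. How `get_rbac_perms` builds the map is outside this hunk, so whether a default map can itself carry `'*'` should be confirmed.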
@@ -279,13 +281,17 @@ class PermissionTreeUtil: def _get_permission_name_icon(self, p: Permission, content_types_name_mapper: dict): action, resource = p.codename.split('_', 1) + icon = self.action_icon.get(action, 'file') + name = verbose_name_mapper.get(p.app_label_codename) + if name: + return name, icon + app_model = '%s.%s' % (p.content_type.app_label, resource) if action in self.action_mapper and app_model in content_types_name_mapper: action_name = self.action_mapper[action] name = action_name + content_types_name_mapper[app_model] else: name = gettext(p.name) - icon = self.action_icon.get(action, 'file') name = name.replace('Can ', '').replace('可以', '') return name, icon diff --git a/apps/tickets/api/comment.py b/apps/tickets/api/comment.py index 3bdf55079..ab0584eed 100644 --- a/apps/tickets/api/comment.py +++ b/apps/tickets/api/comment.py @@ -16,6 +16,9 @@ __all__ = ['CommentViewSet'] class CommentViewSet(mixins.CreateModelMixin, viewsets.ReadOnlyModelViewSet): serializer_class = serializers.CommentSerializer permission_classes = (RBACPermission, IsSwagger | IsAssignee | IsApplicant) + rbac_perms = { + '*': 'tickets.view_ticket' + } @lazyproperty def ticket(self): diff --git a/apps/tickets/api/relation.py b/apps/tickets/api/relation.py index cbb661259..2dfa33146 100644 --- a/apps/tickets/api/relation.py +++ b/apps/tickets/api/relation.py @@ -18,6 +18,9 @@ class TicketSessionRelationViewSet(CreateModelMixin, JMSGenericViewSet): # Todo: 放到上面的 ViewSet 中 class TicketSessionApi(views.APIView): perm_model = TicketSession + rbac_perms = { + '*': ['tickets.view_ticket'] + } def get(self, request, *args, **kwargs): with tmp_to_root_org(): diff --git a/apps/tickets/api/ticket.py b/apps/tickets/api/ticket.py index f112dae0c..a7e4fa485 100644 --- a/apps/tickets/api/ticket.py +++ b/apps/tickets/api/ticket.py 
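Review bot: `verbose_name_mapper.get(p.app_label_codename)` in `_get_permission_name_icon` looks the dict up by permission codename, while the other keys visible in this commit (`'orgs.organization'`, `'tickets.comment'`, `'settings.setting'`) are `app.model` names and only the newly added `'tickets.view_ticket'` is a codename. Mixing two key kinds in one mapper is easy to misread; a comment above the dict such as `# keys are either 'app.model' or 'app.codename'`, or a separate mapper for codename overrides, would make the intent clear. The early `return name, icon` also skips the `'Can '` stripping further down, which is worth one comment line so nobody moves it back. `app_label_codename` is not defined in this diff, so its format is assumed here.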
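Review bot: `rbac_perms` on `CommentViewSet` maps `'*'` to a bare string, `'tickets.view_ticket'`, while `TicketSessionApi` in relation.py uses a list, `['tickets.view_ticket']`, and `TicketViewSet` in ticket.py uses a string again. As far as this diff shows, `_get_action_perms` returns the value unchanged, so if the caller iterates it or hands it to a `has_perms`-style check, a string would be walked character by character and the intended permission would not be tested; the consumer is outside this diff, so please confirm it normalises the value. Using one form everywhere, e.g. `'*': ['tickets.view_ticket']`, removes the doubt. The wildcard also covers `create` from `CreateModelMixin`, so posting a comment is gated by a view permission together with `IsSwagger | IsAssignee | IsApplicant`; a short comment saying that is intended would help.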
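Review bot: `TicketSessionApi` is a plain `views.APIView`, and the permission code shown in permissions.py reads `getattr(view, 'action', None)`, an attribute that DRF sets on viewsets but not on an `APIView`. Whether the `'*'` entry added here is ever consulted therefore depends on the `if not action:` branch, which is outside this diff; please confirm that a GET on this view ends in `_get_action_perms` and not in some default. The class shows no `permission_classes` of its own in this hunk, so it presumably relies on the project default; a comment next to `rbac_perms` such as `# checked by the default RBACPermission; '*' because APIView has no named actions` would record that assumption.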
@@ -7,9 +7,10 @@ from rest_framework.response import Response from common.const.http import POST, PUT from common.mixins.api import CommonApiMixin -from common.permissions import IsValidUser from common.drf.api import JMSBulkModelViewSet +from rbac.permissions import RBACPermission + from tickets import serializers from tickets.models import Ticket, TicketFlow from tickets.filters import TicketFilter @@ -33,6 +34,9 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet): 'date_created', 'serial_num', ) ordering = ('-date_created',) + rbac_perms = { + 'open': 'tickets.view_ticket' + } def create(self, request, *args, **kwargs): raise MethodNotAllowed(self.action) @@ -53,7 +57,7 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet): instance.process_map = instance.create_process_map() instance.open(applicant=self.request.user) - @action(detail=False, methods=[POST], permission_classes=[IsValidUser, ]) + @action(detail=False, methods=[POST], permission_classes=[RBACPermission, ]) def open(self, request, *args, **kwargs): return super().create(request, *args, **kwargs)
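Review bot: Replacing `IsValidUser` with `RBACPermission` in the `@action` decorator of `open` drops whatever `IsValidUser` enforced beyond the RBAC lookup, and an action-level `permission_classes` replaces the view-level list instead of extending it. `IsValidUser` is not shown in this diff; if it checks account state (for example active or not expired), keep both with `permission_classes=[IsValidUser, RBACPermission]`, since DRF requires every listed class to pass, and keep the `from common.permissions import IsValidUser` import that the first hunk removes. With `'open': 'tickets.view_ticket'` from the hunk above, creating a ticket is authorised by a view permission; a comment on `rbac_perms` such as `# opening a ticket is deliberately gated by view_ticket` would stop a later change to who holds `view_ticket` from silently changing who can create tickets.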