perf: 添加 is_org_admin (#7644)

* fix: 修复 org members 的问题

* perf: 修改 org member

* perf: 修改 is sa

* perf: 修改 active

* perf: 修复写法

* perf: is_sa to is_service_account

Co-authored-by: ibuler <ibuler@qq.com>

apps/users/migrations/0039_auto_20211229_1852.py

@@ -6,7 +6,7 @@ from django.db import migrations, models
 def migrate_app_users(apps, schema_editor):
     user_model = apps.get_model('users', 'User')
     app_users = user_model.objects.filter(role='App')
-    app_users.update(is_app=True)
+    app_users.update(is_service_account=True)
 
 
 class Migration(migrations.Migration):
@@ -18,8 +18,8 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AddField(
             model_name='user',
-            name='is_app',
-            field=models.BooleanField(default=False),
+            name='is_service_account',
+            field=models.BooleanField(default=False, verbose_name='Is service account'),
         ),
         migrations.RunPython(migrate_app_users),
         migrations.AlterModelOptions(

apps/users/models/user.py

@@ -270,9 +270,14 @@ class RoleMixin:
     @lazyproperty
     def is_superuser(self):
         from rbac.builtin import BuiltinRole
-        names = [r.name for r in self.system_roles.all()]
-        yes = BuiltinRole.system_admin.name in names
-        return yes
+        return self.system_roles.filter(id=BuiltinRole.system_admin.id).exists()
+
+    @lazyproperty
+    def is_org_admin(self):
+        from rbac.builtin import BuiltinRole
+        if self.is_superuser:
+            return True
+        return self.org_roles.filter(id=BuiltinRole.org_admin.id).exists()
 
     @property
     def is_staff(self):
@@ -286,8 +291,8 @@ class RoleMixin:
     def create_service_account(cls, name, comment):
         app = cls.objects.create(
             username=name, name=name, email='{}@local.domain'.format(name),
-            is_active=False, comment=comment, is_first_login=False,
-            created_by='System', is_app=True,
+            comment=comment, is_first_login=False,
+            created_by='System', is_service_account=True,
         )
         access_key = app.create_access_key()
         return app, access_key
@@ -319,7 +324,7 @@ class RoleMixin:
 
     @classmethod
     def get_nature_users(cls):
-        return cls.objects.filter(is_app=False)
+        return cls.objects.filter(is_service_account=False)
 
     @classmethod
     def get_org_users(cls, org=None):
@@ -528,7 +533,7 @@ class User(AuthMixin, TokenMixin, RoleMixin, MFAMixin, AbstractUser):
         default='User', max_length=10,
         blank=True, verbose_name=_('Role')
     )
-    is_app = models.BooleanField(default=False)
+    is_service_account = models.BooleanField(default=False, verbose_name=_("Is service account"))
     avatar = models.ImageField(
         upload_to="avatar", null=True, verbose_name=_('Avatar')
     )

apps/users/serializers/user.py

@@ -101,7 +101,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
         fields_small = fields_mini + fields_write_only + [
             'email', 'wechat', 'phone', 'mfa_level', 'source', 'source_display',
             'can_public_key_auth', 'need_update_password',
-            'mfa_enabled', 'is_app', 'is_valid', 'is_expired', 'is_active',  # 布尔字段
+            'mfa_enabled', 'is_service_account', 'is_valid', 'is_expired', 'is_active',  # 布尔字段
             'date_expired', 'date_joined', 'last_login',  # 日期字段
             'created_by', 'comment',  # 通用字段
             'is_wecom_bound', 'is_dingtalk_bound', 'is_feishu_bound', 'is_otp_secret_key_bound',
@@ -132,7 +132,7 @@ class UserSerializer(RolesSerializerMixin, CommonBulkSerializerMixin, serializer
             'public_key': {'write_only': True},
             'is_first_login': {'label': _('Is first login'), 'read_only': True},
             'is_valid': {'label': _('Is valid')},
-            'is_app':  {'label': _('Is app user')},
+            'is_service_account':  {'label': _('Is service account')},
             'is_expired': {'label': _('Is expired')},
             'avatar_url': {'label': _('Avatar url')},
             'created_by': {'read_only': True, 'allow_blank': True},