diff --git a/apps/perms/api/user_permission/accounts.py b/apps/perms/api/user_permission/accounts.py index 4d3687c0a..eb20086e7 100644 --- a/apps/perms/api/user_permission/accounts.py +++ b/apps/perms/api/user_permission/accounts.py @@ -1,31 +1,25 @@ from django.shortcuts import get_object_or_404 from rest_framework.generics import ListAPIView, get_object_or_404 -from common.permissions import IsValidUser from common.utils import get_logger, lazyproperty from perms import serializers -from perms.hands import User, Asset +from perms.hands import Asset from perms.utils import PermAccountUtil +from .mixin import SelfOrPKUserMixin logger = get_logger(__name__) __all__ = [ 'UserGrantedAssetAccountsApi', - 'MyGrantedAssetAccountsApi', ] -class UserGrantedAssetAccountsApi(ListAPIView): +class UserGrantedAssetAccountsApi(SelfOrPKUserMixin, ListAPIView): serializer_class = serializers.AccountsGrantedSerializer rbac_perms = ( ('list', 'perms.view_userassets'), ) - @lazyproperty - def user(self) -> User: - user_id = self.kwargs.get('pk') - return User.objects.get(id=user_id) - @lazyproperty def asset(self): asset_id = self.kwargs.get('asset_id') @@ -37,11 +31,3 @@ class UserGrantedAssetAccountsApi(ListAPIView): util = PermAccountUtil() accounts = util.get_permed_accounts_for_user(self.user, self.asset) return accounts - - -class MyGrantedAssetAccountsApi(UserGrantedAssetAccountsApi): - permission_classes = (IsValidUser,) - - @lazyproperty - def user(self): - return self.request.user diff --git a/apps/perms/api/user_permission/mixin.py b/apps/perms/api/user_permission/mixin.py index 2a7cbe221..5b64804e0 100644 --- a/apps/perms/api/user_permission/mixin.py +++ b/apps/perms/api/user_permission/mixin.py 
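Review bot: `UserGrantedAssetAccountsApi` keeps its class-level `rbac_perms = (('list', 'perms.view_userassets'),)` while now also inheriting `SelfOrPKUserMixin.get_rbac_perms()`, so the view carries two sources of truth for the permission it requires. Which one `RBACPermission` consults is not visible here: if it prefers a `get_rbac_perms()` hook the class attribute is dead code, and if it reads `rbac_perms` directly the `my`/`self` branch never takes effect and a user on the self route is checked against `perms.view_userassets` instead of `perms.view_myassets`. Either drop the class attribute or add a comment stating why it must stay next to the mixin. Note also that the removed `user` was a `lazyproperty` while the mixin's replacement is a plain `@property`, so `self.user` now re-runs its lookup on every access; the class body continues past the end of this hunk.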
@@ -1,10 +1,12 @@ # -*- coding: utf-8 -*- # +from django.shortcuts import get_object_or_404 from rest_framework.request import Request from common.http import is_true from common.mixins.api import RoleAdminMixin, RoleUserMixin from perms.utils.user_permission import UserGrantedTreeRefreshController +from rbac.permissions import RBACPermission from users.models import User @@ -34,3 +36,44 @@ class AssetRoleUserMixin(RebuildTreeMixin, RoleUserMixin): ('get_tree', 'perms.view_myassets'), ('GET', 'perms.view_myassets'), ) + + +class SelfOrPKUserMixin: + kwargs: dict + request: Request + permission_classes = (RBACPermission,) + + @property + def self_rbac_perms(self): + return ( + ('list', 'perms.view_myassets'), + ('retrieve', 'perms.view_myassets'), + ('get_tree', 'perms.view_myassets'), + ('GET', 'perms.view_myassets'), + ) + + @property + def admin_rbac_perms(self): + return ( + ('list', 'perms.view_userassets'), + ('retrieve', 'perms.view_userassets'), + ('get_tree', 'perms.view_userassets'), + ('GET', 'perms.view_userassets'), + ) + + def get_rbac_perms(self): + if self.request_user_is_self(): + return self.self_rbac_perms + else: + return self.admin_rbac_perms + + def request_user_is_self(self): + print("user is: ", self.kwargs) + return self.kwargs.get('user') in ['my', 'self'] + + @property + def user(self): + if self.request_user_is_self(): + return self.request.user + else: + return get_object_or_404(User, pk=self.kwargs.get('user')) diff --git a/apps/perms/urls/api_urls.py b/apps/perms/urls/api_urls.py index 568c226ee..9a4b3f10a 100644 --- a/apps/perms/urls/api_urls.py +++ b/apps/perms/urls/api_urls.py @@ -1,8 +1,9 @@ # coding:utf-8 from .asset_permission import asset_permission_urlpatterns +from .user_permission import user_permission_urlpatterns app_name = 'perms' -urlpatterns = [] -urlpatterns += asset_permission_urlpatterns +urlpatterns = asset_permission_urlpatterns \ + + user_permission_urlpatterns 
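Review bot: `request_user_is_self()` still contains the debug line `print("user is: ", self.kwargs)`, which runs on every permission check and every `user` access and writes the request's URL kwargs to stdout; delete it, or at most turn it into a `logger.debug(...)` if this module has a logger (none is visible in the hunk). The self/admin split and the lookup both key off `self.kwargs.get('user')`, whereas the `user` property this replaces in accounts.py read `self.kwargs.get('pk')`; the URL converters are stripped in this rendering, so confirm the patterns actually name the capture `user` — with any other name `request_user_is_self()` is always False, the admin permission is always demanded and `get_object_or_404(User, pk=None)` returns 404 for every caller. Because `user` is a plain `@property`, each access re-evaluates the branch and hits the database; caching it with the project's `lazyproperty` (as the replaced code did) would keep one lookup per request.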
diff --git a/apps/perms/urls/asset_permission.py b/apps/perms/urls/asset_permission.py
index 1273edaac..41ffe444a 100644
--- a/apps/perms/urls/asset_permission.py
+++ b/apps/perms/urls/asset_permission.py
@@ -16,78 +16,6 @@ router.register('asset-permissions-assets-relations', api.AssetPermissionAssetRe router.register('asset-permissions-nodes-relations', api.AssetPermissionNodeRelationViewSet, 'asset-permissions-nodes-relation') -user_permission_urlpatterns = [ - # 以 serializer 格式返回 - path('/assets/', api.UserAllGrantedAssetsApi.as_view(), name='user-assets'), - path('assets/', api.MyAllGrantedAssetsApi.as_view(), name='my-assets'), - # Tree Node 的数据格式返回 - path('/assets/tree/', api.UserDirectGrantedAssetsAsTreeApi.as_view(), name='user-assets-as-tree'), - path('assets/tree/', api.MyAllAssetsAsTreeApi.as_view(), name='my-assets-as-tree'), - path('ungroup/assets/tree/', api.MyUngroupAssetsAsTreeApi.as_view(), name='my-ungroup-assets-as-tree'), - - # 获取用户所有`直接授权的节点`与`直接授权资产`关联的节点 - # 以 serializer 格式返回 - path('/nodes/', api.UserGrantedNodesApi.as_view(), name='user-nodes'), - path('nodes/', api.MyGrantedNodesApi.as_view(), name='my-nodes'), - # 以 Tree Node 的数据格式返回 - path('/nodes/tree/', api.MyGrantedNodesAsTreeApi.as_view(), name='user-nodes-as-tree'), - path('nodes/tree/', api.MyGrantedNodesAsTreeApi.as_view(), name='my-nodes-as-tree'), - - # 一层一层的获取用户授权的节点, - # 以 Serializer 的数据格式返回 - path('/nodes/children/', api.UserGrantedNodeChildrenForAdminApi.as_view(), name='user-nodes-children'), - path('nodes/children/', api.MyGrantedNodeChildrenApi.as_view(), name='my-nodes-children'), - # 以 Tree Node 的数据格式返回 - path('/nodes/children/tree/', api.UserGrantedNodeChildrenAsTreeForAdminApi.as_view(), - name='user-nodes-children-as-tree'), - # 部分调用位置 - # - 普通用户 -> 我的资产 -> 展开节点 时调用 - path('nodes/children/tree/', api.MyGrantedNodeChildrenAsTreeApi.as_view(), name='my-nodes-children-as-tree'), - - # 此接口会返回整棵树 - # 普通用户 -> 命令执行 -> 左侧树 - path('nodes-with-assets/tree/', api.MyGrantedNodesWithAssetsAsTreeApi.as_view(), - name='my-nodes-with-assets-as-tree'), - - # 主要用于 luna 页面,带资产的节点树 - path('/nodes/children-with-assets/tree/', api.UserGrantedNodeChildrenWithAssetsAsTreeApi.as_view(), - 
name='user-nodes-children-with-assets-as-tree'), - path('nodes/children-with-assets/tree/', api.MyGrantedNodeChildrenWithAssetsAsTreeApi.as_view(), - name='my-nodes-children-with-assets-as-tree'), - - # 查询授权树上某个节点的所有资产 - path('/nodes//assets/', api.UserGrantedNodeAssetsApi.as_view(), name='user-node-assets'), - path('nodes//assets/', api.MyGrantedNodeAssetsApi.as_view(), name='my-node-assets'), - - # 未分组的资产 - path('/nodes/ungrouped/assets/', api.UserDirectGrantedAssetsApi.as_view(), name='user-ungrouped-assets'), - path('nodes/ungrouped/assets/', api.MyDirectGrantedAssetsApi.as_view(), name='my-ungrouped-assets'), - - # 收藏的资产 - path('/nodes/favorite/assets/', api.UserFavoriteGrantedAssetsApi.as_view(), name='user-ungrouped-assets'), - path('nodes/favorite/assets/', api.MyFavoriteGrantedAssetsApi.as_view(), - name='my-ungrouped-assets'), - - # 获取授权给用户某个资产的所有账号 - path('/assets//accounts/', api.UserGrantedAssetAccountsApi.as_view(), - name='user-asset-accounts'), -] - -user_group_permission_urlpatterns = [ - # 查询某个用户组授权的资产和资产组 - path('/assets/', api.UserGroupGrantedAssetsApi.as_view(), name='user-group-assets'), - path('/nodes/', api.UserGroupGrantedNodesApi.as_view(), name='user-group-nodes'), - path('/nodes/children/', api.UserGroupGrantedNodesApi.as_view(), name='user-group-nodes-children'), - path('/nodes/children/tree/', api.UserGroupGrantedNodeChildrenAsTreeApi.as_view(), - name='user-group-nodes-children-as-tree'), - path('/nodes//assets/', api.UserGroupGrantedNodeAssetsApi.as_view(), - name='user-group-node-assets'), - - # 获取所有和资产-用户组关联的账号列表 - path('/assets//accounts/', api.UserGroupGrantedAssetAccountsApi.as_view(), - name='user-group-asset-accounts'), -] - permission_urlpatterns = [ # 授权规则中授权的资产 path('/assets/all/', api.AssetPermissionAllAssetListApi.as_view(), name='asset-permission-all-assets'), 
@@ -97,8 +25,6 @@ permission_urlpatterns = [ asset_permission_urlpatterns = [ # Assets - path('users/', include(user_permission_urlpatterns)), - path('user-groups/', include(user_group_permission_urlpatterns)), path('asset-permissions/', include(permission_urlpatterns)), ] diff --git a/apps/perms/urls/user_permission.py b/apps/perms/urls/user_permission.py new file mode 100644 index 000000000..7b5f66897 --- /dev/null +++ b/apps/perms/urls/user_permission.py 
@@ -0,0 +1,80 @@
+from django.urls import path, include
+
+from .. import api
+
+user_permission_urlpatterns = [
+ # 以 serializer 格式返回
+ path('/assets/', api.UserAllGrantedAssetsApi.as_view(), name='user-assets'),
+ path('assets/', api.MyAllGrantedAssetsApi.as_view(), name='my-assets'),
+ # Tree Node 的数据格式返回
+ path('/assets/tree/', api.UserDirectGrantedAssetsAsTreeApi.as_view(), name='user-assets-as-tree'),
+ path('assets/tree/', api.MyAllAssetsAsTreeApi.as_view(), name='my-assets-as-tree'),
+ path('ungroup/assets/tree/', api.MyUngroupAssetsAsTreeApi.as_view(), name='my-ungroup-assets-as-tree'),
+
+ # 获取用户所有`直接授权的节点`与`直接授权资产`关联的节点
+ # 以 serializer 格式返回
+ path('/nodes/', api.UserGrantedNodesApi.as_view(), name='user-nodes'),
+ path('nodes/', api.MyGrantedNodesApi.as_view(), name='my-nodes'),
+ # 以 Tree Node 的数据格式返回
+ path('/nodes/tree/', api.MyGrantedNodesAsTreeApi.as_view(), name='user-nodes-as-tree'),
+ path('nodes/tree/', api.MyGrantedNodesAsTreeApi.as_view(), name='my-nodes-as-tree'),
+
+ # 一层一层的获取用户授权的节点,
+ # 以 Serializer 的数据格式返回
+ path('/nodes/children/', api.UserGrantedNodeChildrenForAdminApi.as_view(), name='user-nodes-children'),
+ path('nodes/children/', api.MyGrantedNodeChildrenApi.as_view(), name='my-nodes-children'),
+ # 以 Tree Node 的数据格式返回
+ path('/nodes/children/tree/', api.UserGrantedNodeChildrenAsTreeForAdminApi.as_view(),
+ name='user-nodes-children-as-tree'),
+ # 部分调用位置
+ # - 普通用户 -> 我的资产 -> 展开节点 时调用
+ path('nodes/children/tree/', api.MyGrantedNodeChildrenAsTreeApi.as_view(), name='my-nodes-children-as-tree'),
+
+ # 此接口会返回整棵树
+ # 普通用户 -> 命令执行 -> 左侧树
+ path('nodes-with-assets/tree/', api.MyGrantedNodesWithAssetsAsTreeApi.as_view(),
+ name='my-nodes-with-assets-as-tree'),
+
+ # 主要用于 luna 页面,带资产的节点树
+ path('/nodes/children-with-assets/tree/', api.UserGrantedNodeChildrenWithAssetsAsTreeApi.as_view(),
+ name='user-nodes-children-with-assets-as-tree'),
+ path('nodes/children-with-assets/tree/', api.MyGrantedNodeChildrenWithAssetsAsTreeApi.as_view(),
+ name='my-nodes-children-with-assets-as-tree'),
+
+ # 查询授权树上某个节点的所有资产
+ path('/nodes//assets/', api.UserGrantedNodeAssetsApi.as_view(), name='user-node-assets'),
+ path('nodes//assets/', api.MyGrantedNodeAssetsApi.as_view(), name='my-node-assets'),
+
+ # 未分组的资产
+ path('/nodes/ungrouped/assets/', api.UserDirectGrantedAssetsApi.as_view(), name='user-ungrouped-assets'),
+ path('nodes/ungrouped/assets/', api.MyDirectGrantedAssetsApi.as_view(), name='my-ungrouped-assets'),
+
+ # 收藏的资产
+ path('/nodes/favorite/assets/', api.UserFavoriteGrantedAssetsApi.as_view(), name='user-ungrouped-assets'),
+ path('nodes/favorite/assets/', api.MyFavoriteGrantedAssetsApi.as_view(),
+ name='my-ungrouped-assets'),
+
+ # 获取授权给用户某个资产的所有账号
+ path('/assets//accounts/', api.UserGrantedAssetAccountsApi.as_view(),
+ name='user-asset-accounts'),
+]
+
+user_group_permission_urlpatterns = [
+ # 查询某个用户组授权的资产和资产组
+ path('/assets/', api.UserGroupGrantedAssetsApi.as_view(), name='user-group-assets'),
+ path('/nodes/', api.UserGroupGrantedNodesApi.as_view(), name='user-group-nodes'),
+ path('/nodes/children/', api.UserGroupGrantedNodesApi.as_view(), name='user-group-nodes-children'),
+ path('/nodes/children/tree/', api.UserGroupGrantedNodeChildrenAsTreeApi.as_view(),
+ name='user-group-nodes-children-as-tree'),
+ path('/nodes//assets/', api.UserGroupGrantedNodeAssetsApi.as_view(),
+ name='user-group-node-assets'),
+
+ # 获取所有和资产-用户组关联的账号列表
+ path('/assets//accounts/', api.UserGroupGrantedAssetAccountsApi.as_view(),
+ name='user-group-asset-accounts'),
+]
+
+user_permission_urlpatterns = [
+ path('users/', include(user_permission_urlpatterns)),
+ path('user-groups/', include(user_group_permission_urlpatterns)),
+]
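Review bot: The module binds `user_permission_urlpatterns` twice — first to the per-user sub-routes, then at the bottom to the list that `include()`s that same name — which only works because the inner list is consumed before the rebinding, and it means the name `api_urls.py` imports is not the list most of this file defines; rename the inner list (e.g. `user_urlpatterns = [...]` and `path('users/', include(user_urlpatterns))`) and keep the exported name for the combined list. Carried over from the old file, the favorite-assets routes reuse the names `user-ungrouped-assets` and `my-ungrouped-assets`, so `reverse()` cannot reliably target the ungrouped routes; they should be `user-favorite-assets` / `my-favorite-assets`. Also carried over, the admin-side `user-nodes-as-tree` route is wired to `api.MyGrantedNodesAsTreeApi` rather than a `User…` view, so if that view resolves the user from `request.user` the per-user variant silently returns the caller's own tree — worth checking against the view, since the path captures are not visible in this rendering.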