diff --git a/apps/jumpserver/conf.py b/apps/jumpserver/conf.py
index 9b6127c4b..b24ef5746 100644
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -578,7 +578,9 @@ class Config(dict):
 'FTP_FILE_MAX_STORE': 100,
 # API 请求次数限制
- 'MAX_LIMIT_PER_PAGE': 100
+ 'MAX_LIMIT_PER_PAGE': 100,
+
+ 'LIMIT_SUPER_PRIV': False,
 }
 old_config_map = {
diff --git a/apps/jumpserver/settings/custom.py b/apps/jumpserver/settings/custom.py
index 0bc8b380b..18d0bccca 100644
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -203,3 +203,4 @@ MAX_LIMIT_PER_PAGE = CONFIG.MAX_LIMIT_PER_PAGE
 # Magnus DB Port
 MAGNUS_ORACLE_PORTS = CONFIG.MAGNUS_ORACLE_PORTS
+LIMIT_SUPER_PRIV = CONFIG.LIMIT_SUPER_PRIV
diff --git a/apps/users/models/user.py b/apps/users/models/user.py
index 49ac4182f..93228aa9b 100644
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -400,10 +400,17 @@ class RoleMixin:
 data = cache.get(key)
 if data:
 return data
+ console_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self)
+ audit_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self)
+ workbench_orgs = RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self)
+
+ if settings.LIMIT_SUPER_PRIV:
+ audit_orgs = list(set(audit_orgs) - set(console_orgs))
+
 data = {
- 'console_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_console', self),
- 'audit_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_audit', self),
- 'workbench_orgs': RoleBinding.get_user_has_the_perm_orgs('rbac.view_workbench', self),
+ 'console_orgs': console_orgs,
+ 'audit_orgs': audit_orgs,
+ 'workbench_orgs': workbench_orgs,
 }
 cache.set(key, data, 60 * 60)
 return data
@@ -541,6 +548,9 @@ class RoleMixin:
 def get_all_permissions(self):
 from rbac.models import RoleBinding
 perms = RoleBinding.get_user_perms(self)
+
+ if settings.LIMIT_SUPER_PRIV and 'view_console' in perms:
+ perms = [p for p in perms if p != "view_audit"]
 return perms
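Review bot: In apps/jumpserver/conf.py the new default `'LIMIT_SUPER_PRIV': False` has no comment, although the entry above it carries one and the name does not say what is being limited. Judging by the apps/users/models/user.py hunks in this diff, the flag removes audit access from users who also hold console access, so a line such as `# Separation of duties: users with view_console lose view_audit` above the entry would tell operators what they are enabling. The default leaves the restriction off, so deployments that need the separation must opt in, which is worth stating in the same comment.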
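Review bot: In the first apps/users/models/user.py hunk the filtered `audit_orgs` is written under the same cache `key` for `60 * 60` seconds, so an entry cached before `LIMIT_SUPER_PRIV` was enabled can keep returning audit orgs for up to an hour. How `key` is built lies above the hunk, so this applies only if the key does not already vary with the setting; if it does not, include the flag in the key or clear these entries when the setting changes. Separately, `list(set(audit_orgs) - set(console_orgs))` discards the original ordering, which `console_set = set(console_orgs)` followed by `audit_orgs = [o for o in audit_orgs if o not in console_set]` would keep. The enclosing method starts outside the hunk.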
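Review bot: In `get_all_permissions` the check `'view_console' in perms` and the filter `p != "view_audit"` use bare codenames, while the earlier hunk in this file passes `'rbac.view_console'` and `'rbac.view_audit'` to RoleBinding. If `get_user_perms` returns `app_label.codename` strings, the condition never matches and `view_audit` silently stays in place with the flag on; confirm the format and, if it is prefixed, compare against `'rbac.view_console'` and `'rbac.view_audit'` instead. The branch also turns the result into a list whatever type `get_user_perms` returned, which may matter to callers that rely on set operations. A test that enables the setting and asserts the audit permission is absent for a console user would pin the behaviour down.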