[Update] 增加审计员权限控制 (#2792)

* [Update] 审计员 * [Update] 增加审计员的权限控制 * [Update] 增加审计员Api全校的控制 * [Update] 优化auditor的api权限控制 * [Update] 优化审计员权限控制 * [Update]优化管理员权限的View * [Update] 优化超级管理权限的View * [Update] 添加审计员切换组织查询会话管理数据 * [Update] 前端禁用审计员在线会话终断按钮 * [Update]优化细节问题
2026-01-29 21:51:31 +00:00 · 2019-06-19 10:47:26 +08:00
parent c71f417ebf
commit 8adaf629b4
36 changed files with 429 additions and 269 deletions
--- a/apps/users/forms.py
+++ b/apps/users/forms.py
@@ -62,6 +62,7 @@ class UserCreateUpdateFormMixin(OrgModelForm):
        if self.request.user.is_superuser:
            roles.append((User.ROLE_ADMIN, dict(User.ROLE_CHOICES).get(User.ROLE_ADMIN)))
            roles.append((User.ROLE_USER, dict(User.ROLE_CHOICES).get(User.ROLE_USER)))
+            roles.append((User.ROLE_AUDITOR, dict(User.ROLE_CHOICES).get(User.ROLE_AUDITOR)))

        # Org admin user
        else:
--- a/apps/users/migrations/0020_auto_20190612_1825.py
+++ b/apps/users/migrations/0020_auto_20190612_1825.py
@@ -0,0 +1,18 @@
+# Generated by Django 2.1.7 on 2019-06-12 10:25
+
+from django.db import migrations, models
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('users', '0019_auto_20190304_1459'),
+    ]
+
+    operations = [
+        migrations.AlterField(
+            model_name='user',
+            name='role',
+            field=models.CharField(blank=True, choices=[('Admin', 'Administrator'), ('User', 'User'), ('App', 'Application'), ('Auditor', 'Auditor')], default='User', max_length=10, verbose_name='Role'),
+        ),
+    ]
--- a/apps/users/models/user.py
+++ b/apps/users/models/user.py
@@ -30,11 +30,13 @@ class User(AbstractUser):
    ROLE_ADMIN = 'Admin'
    ROLE_USER = 'User'
    ROLE_APP = 'App'
+    ROLE_AUDITOR = 'Auditor'

    ROLE_CHOICES = (
        (ROLE_ADMIN, _('Administrator')),
        (ROLE_USER, _('User')),
-        (ROLE_APP, _('Application'))
+        (ROLE_APP, _('Application')),
+        (ROLE_AUDITOR, _("Auditor"))
    )
    OTP_LEVEL_CHOICES = (
        (0, _('Disable')),
@@ -243,6 +245,10 @@ class User(AbstractUser):
        else:
            return False

+    @property
+    def is_auditor(self):
+        return self.role == 'Auditor'
+
    @property
    def is_app(self):
        return self.role == 'App'
--- a/apps/users/utils.py
+++ b/apps/users/utils.py
@@ -24,16 +24,6 @@ from .models import User
 logger = logging.getLogger('jumpserver')


-class AdminUserRequiredMixin(UserPassesTestMixin):
-    def test_func(self):
-        if not self.request.user.is_authenticated:
-            return False
-        elif not self.request.user.is_superuser:
-            self.raise_exception = True
-            return False
-        return True
-
-
 def construct_user_created_email_body(user):
    default_body = _("""
        <link rel="stylesheet" href="//maxcdn.bootstrapcdn.com/bootstrap/3.2.0/css/bootstrap.min.css">
--- a/apps/users/views/group.py
+++ b/apps/users/views/group.py
@@ -9,7 +9,7 @@ from django.contrib.messages.views import SuccessMessageMixin

 from common.utils import get_logger
 from common.const import create_success_msg, update_success_msg
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from ..models import User, UserGroup
 from .. import forms
@@ -19,8 +19,9 @@ __all__ = ['UserGroupListView', 'UserGroupCreateView', 'UserGroupDetailView',
 logger = get_logger(__name__)


-class UserGroupListView(AdminUserRequiredMixin, TemplateView):
+class UserGroupListView(PermissionsMixin, TemplateView):
    template_name = 'users/user_group_list.html'
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = {
@@ -31,12 +32,13 @@ class UserGroupListView(AdminUserRequiredMixin, TemplateView):
        return super().get_context_data(**kwargs)


-class UserGroupCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class UserGroupCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
    model = UserGroup
    form_class = forms.UserGroupForm
    template_name = 'users/user_group_create_update.html'
    success_url = reverse_lazy('users:user-group-list')
    success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = {
@@ -47,12 +49,13 @@ class UserGroupCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateVie
        return super().get_context_data(**kwargs)


-class UserGroupUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class UserGroupUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
    model = UserGroup
    form_class = forms.UserGroupForm
    template_name = 'users/user_group_create_update.html'
    success_url = reverse_lazy('users:user-group-list')
    success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = {
@@ -64,10 +67,11 @@ class UserGroupUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateVie
        return super().get_context_data(**kwargs)


-class UserGroupDetailView(AdminUserRequiredMixin, DetailView):
+class UserGroupDetailView(PermissionsMixin, DetailView):
    model = UserGroup
    context_object_name = 'user_group'
    template_name = 'users/user_group_detail.html'
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        users = current_org.get_org_users().exclude(id__in=self.object.users.all())
@@ -80,11 +84,12 @@ class UserGroupDetailView(AdminUserRequiredMixin, DetailView):
        return super().get_context_data(**kwargs)


-class UserGroupGrantedAssetView(AdminUserRequiredMixin, DetailView):
+class UserGroupGrantedAssetView(PermissionsMixin, DetailView):
    model = UserGroup
    template_name = 'users/user_group_granted_asset.html'
    context_object_name = 'user_group'
    object = None
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = {
--- a/apps/users/views/user.py
+++ b/apps/users/views/user.py
@@ -36,7 +36,7 @@ from common.const import (
 )
 from common.mixins import JSONResponseMixin
 from common.utils import get_logger, get_object_or_none, is_uuid, ssh_key_gen
-from common.permissions import AdminUserRequiredMixin
+from common.permissions import PermissionsMixin, IsOrgAdmin
 from orgs.utils import current_org
 from .. import forms
 from ..models import User, UserGroup
@@ -61,8 +61,9 @@ __all__ = [
 logger = get_logger(__name__)


-class UserListView(AdminUserRequiredMixin, TemplateView):
+class UserListView(PermissionsMixin, TemplateView):
    template_name = 'users/user_list.html'
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = super().get_context_data(**kwargs)
@@ -73,12 +74,13 @@ class UserListView(AdminUserRequiredMixin, TemplateView):
        return context


-class UserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
+class UserCreateView(PermissionsMixin, SuccessMessageMixin, CreateView):
    model = User
    form_class = forms.UserCreateForm
    template_name = 'users/user_create.html'
    success_url = reverse_lazy('users:user-list')
    success_message = create_success_msg
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        check_rules = get_password_check_rules()
@@ -106,13 +108,14 @@ class UserCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView):
        return kwargs


-class UserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
+class UserUpdateView(PermissionsMixin, SuccessMessageMixin, UpdateView):
    model = User
    form_class = forms.UserUpdateForm
    template_name = 'users/user_update.html'
    context_object_name = 'user_object'
    success_url = reverse_lazy('users:user-list')
    success_message = update_success_msg
+    permission_classes = [IsOrgAdmin]

    def _deny_permission(self):
        obj = self.get_object()
@@ -153,7 +156,7 @@ class UserUpdateView(AdminUserRequiredMixin, SuccessMessageMixin, UpdateView):
        return kwargs


-class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
+class UserBulkUpdateView(PermissionsMixin, TemplateView):
    model = User
    form_class = forms.UserBulkUpdateForm
    template_name = 'users/user_bulk_update.html'
@@ -161,6 +164,7 @@ class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
    success_message = _("Bulk update user success")
    form = None
    id_list = None
+    permission_classes = [IsOrgAdmin]

    def get(self, request, *args, **kwargs):
        spm = request.GET.get('spm', '')
@@ -193,11 +197,12 @@ class UserBulkUpdateView(AdminUserRequiredMixin, TemplateView):
        return super().get_context_data(**kwargs)


-class UserDetailView(AdminUserRequiredMixin, DetailView):
+class UserDetailView(PermissionsMixin, DetailView):
    model = User
    template_name = 'users/user_detail.html'
    context_object_name = "user_object"
    key_prefix_block = "_LOGIN_BLOCK_{}"
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        user = self.get_object()
@@ -263,8 +268,9 @@ class UserExportView(View):
        return JsonResponse({'redirect': url})


-class UserBulkImportView(AdminUserRequiredMixin, JSONResponseMixin, FormView):
+class UserBulkImportView(PermissionsMixin, JSONResponseMixin, FormView):
    form_class = forms.FileForm
+    permission_classes = [IsOrgAdmin]

    def form_invalid(self, form):
        try:
@@ -359,9 +365,10 @@ class UserBulkImportView(AdminUserRequiredMixin, JSONResponseMixin, FormView):
        return self.render_json_response(data)


-class UserGrantedAssetView(AdminUserRequiredMixin, DetailView):
+class UserGrantedAssetView(PermissionsMixin, DetailView):
    model = User
    template_name = 'users/user_granted_asset.html'
+    permission_classes = [IsOrgAdmin]

    def get_context_data(self, **kwargs):
        context = {