From a4ff2181c57dff9827c1f1aa7865fc2e84e5d0b4 Mon Sep 17 00:00:00 2001
From: ibuler <ibuler@qq.com>
Date: Tue, 10 Apr 2018 09:41:06 +0800
Subject: [PATCH] =?UTF-8?q?[Update]=20=E4=BF=AE=E6=94=B9=E7=94=A8=E6=88=B7?=
 =?UTF-8?q?view=E7=9A=84api?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 apps/users/api.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/apps/users/api.py b/apps/users/api.py
index 69818f741..5cedd0c5f 100644
--- a/apps/users/api.py
+++ b/apps/users/api.py
@@ -26,11 +26,15 @@ logger = get_logger(__name__)
 
 class UserViewSet(IDInFilterMixin, BulkModelViewSet):
     queryset = User.objects.exclude(role="App")
-    # queryset = User.objects.all().exclude(role="App").order_by("date_joined")
     serializer_class = UserSerializer
-    permission_classes = (IsSuperUserOrAppUser, IsAuthenticated)
+    permission_classes = (IsSuperUser,)
     filter_fields = ('username', 'email', 'name', 'id')
 
+    def get_permissions(self):
+        if self.action == "retrieve":
+            self.permission_classes = (IsSuperUserOrAppUser,)
+        return super().get_permissions()
+
 
 class ChangeUserPasswordApi(generics.RetrieveUpdateAPIView):
     permission_classes = (IsSuperUser,)
@@ -57,7 +61,6 @@ class UserResetPasswordApi(generics.UpdateAPIView):
     def perform_update(self, serializer):
         # Note: we are not updating the user object here.
         # We just do the reset-password stuff.
-        import uuid
         from .utils import send_reset_password_mail
         user = self.get_object()
         user.password_raw = str(uuid.uuid4())
@@ -68,6 +71,7 @@ class UserResetPasswordApi(generics.UpdateAPIView):
 class UserResetPKApi(generics.UpdateAPIView):
     queryset = User.objects.all()
     serializer_class = UserSerializer
+    permission_classes = (IsAuthenticated,)
 
     def perform_update(self, serializer):
         from .utils import send_reset_ssh_key_mail
@@ -91,6 +95,7 @@ class UserUpdatePKApi(generics.UpdateAPIView):
 class UserGroupViewSet(IDInFilterMixin, BulkModelViewSet):
     queryset = UserGroup.objects.all()
     serializer_class = UserGroupSerializer
+    permission_classes = (IsSuperUser,)
 
 
 class UserGroupUpdateUserApi(generics.RetrieveUpdateAPIView):