fix: session viewset api permission validation (#13750)

* fix: session viewset api permission validation * fix: some api permission validation --------- Co-authored-by: Bai <baijiangjie@gmail.com>
2025-09-18 16:39:28 +00:00 · 2024-07-17 15:35:34 +08:00
parent 85825165fc
commit d6f6bb9c1b
4 changed files with 20 additions and 7 deletions
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
@@ -9,7 +9,14 @@ __all__ = ['IsSessionAssignee']

 class IsSessionAssignee(permissions.IsAuthenticated):
    def has_permission(self, request, view):
-        return True
+        if not request.user:
+            return False
+        if request.user.is_anonymous:
+            return False
+        if view.action == 'retrieve':
+            # Why return True? please refer to the issue: #11678
+            return True
+        return False

    def has_object_permission(self, request, view, obj):
        try: