Fix rbac (#7728)

* perf: 重命名 signal handlers * fix: 修复 ticket processor 问题 * perf: 修改 ticket 处理人api * fix: 修复创建系统账号bug * fix: 升级celery_beat==2.2.1和flower==1.0.0;修改celery进程启动参数先后顺序 * perf: 修改 authentication token * fix: 修复上传权限bug * fix: 登录页面增加i18n切换; * fix: 系统角色删除限制 * perf: 修改一下 permissions tree * perf: 生成 i18n * perf: 修改一点点 Co-authored-by: ibuler <ibuler@qq.com> Co-authored-by: feng626 <1304903146@qq.com> Co-authored-by: Jiangjie.Bai <bugatti_it@163.com>
2025-09-10 20:00:10 +00:00 · 2022-03-02 20:48:43 +08:00
parent 04e46e4b1c
commit dafc416783
69 changed files with 929 additions and 519 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -302,16 +302,26 @@ class SecretDetailMixin:
            user=user, system_user=system_user,
            expired_at=expired_at, actions=actions
        )
+        cmd_filter_kwargs = {
+            'system_user_id': system_user.id,
+            'user_id': user.id,
+        }
        if asset:
            asset_detail = self._get_asset_secret_detail(asset)
            system_user.load_asset_more_auth(asset.id, user.username, user.id)
            data['type'] = 'asset'
            data.update(asset_detail)
+            cmd_filter_kwargs['asset_id'] = asset.id
        else:
            app_detail = self._get_application_secret_detail(app)
            system_user.load_app_more_auth(app.id, user.username, user.id)
            data['type'] = 'application'
            data.update(app_detail)
+            cmd_filter_kwargs['application_id'] = app.id
+
+        from assets.models import CommandFilterRule
+        cmd_filter_rules = CommandFilterRule.get_queryset(**cmd_filter_kwargs)
+        data['cmd_filter_rules'] = cmd_filter_rules

        serializer = self.get_serializer(data)
        return Response(data=serializer.data, status=200)
@@ -350,8 +360,10 @@ class UserConnectionTokenViewSet(
        return True

    def create_token(self, user, asset, application, system_user, ttl=5 * 60):
-        if not self.request.user.is_superuser and user != self.request.user:
-            raise PermissionDenied('Only super user can create user token')
+        # 再次强调一下权限
+        perm_required = 'authentication.add_superconnectiontoken'
+        if user != self.request.user and not self.request.user.has_perm(perm_required):
+            raise PermissionDenied('Only can create user token')
        self.check_resource_permission(user, asset, application, system_user)
        token = random_string(36)
        secret = random_string(16)