fix: fix rbac to dev (#7636)

* feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com>
2025-10-22 00:09:14 +00:00 · 2022-02-17 20:13:31 +08:00
parent b088362ae3
commit e259d2a9e9
263 changed files with 3049 additions and 62465 deletions
--- a/apps/perms/api/application/application_permission_relation.py
+++ b/apps/perms/api/application/application_permission_relation.py
@@ -9,7 +9,6 @@ from applications.models import Application
 from orgs.mixins.api import OrgRelationMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import current_org
-from common.permissions import IsOrgAdmin
 from perms import serializers
 from perms import models

@@ -36,7 +35,6 @@ class RelationMixin(OrgRelationMixin, OrgBulkModelViewSet):
 class ApplicationPermissionUserRelationViewSet(RelationMixin):
    serializer_class = serializers.ApplicationPermissionUserRelationSerializer
    m2m_field = models.ApplicationPermission.users.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', "user", "applicationpermission",
    ]
@@ -51,7 +49,6 @@ class ApplicationPermissionUserRelationViewSet(RelationMixin):
 class ApplicationPermissionUserGroupRelationViewSet(RelationMixin):
    serializer_class = serializers.ApplicationPermissionUserGroupRelationSerializer
    m2m_field = models.ApplicationPermission.user_groups.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', "usergroup", "applicationpermission"
    ]
@@ -66,7 +63,6 @@ class ApplicationPermissionUserGroupRelationViewSet(RelationMixin):
 class ApplicationPermissionApplicationRelationViewSet(RelationMixin):
    serializer_class = serializers.ApplicationPermissionApplicationRelationSerializer
    m2m_field = models.ApplicationPermission.applications.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'application', 'applicationpermission',
    ]
@@ -81,7 +77,6 @@ class ApplicationPermissionApplicationRelationViewSet(RelationMixin):
 class ApplicationPermissionSystemUserRelationViewSet(RelationMixin):
    serializer_class = serializers.ApplicationPermissionSystemUserRelationSerializer
    m2m_field = models.ApplicationPermission.system_users.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'systemuser', 'applicationpermission',
    ]
@@ -100,7 +95,6 @@ class ApplicationPermissionSystemUserRelationViewSet(RelationMixin):


 class ApplicationPermissionAllApplicationListApi(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.ApplicationPermissionAllApplicationSerializer
    only_fields = serializers.ApplicationPermissionAllApplicationSerializer.Meta.only_fields
    filterset_fields = ('name',)
@@ -115,7 +109,6 @@ class ApplicationPermissionAllApplicationListApi(generics.ListAPIView):


 class ApplicationPermissionAllUserListApi(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.ApplicationPermissionAllUserSerializer
    only_fields = serializers.ApplicationPermissionAllUserSerializer.Meta.only_fields
    filterset_fields = ('username', 'name')
--- a/apps/perms/api/application/user_group_permission.py
+++ b/apps/perms/api/application/user_group_permission.py
@@ -4,7 +4,6 @@
 from django.db.models import Q
 from rest_framework.generics import ListAPIView

-from common.permissions import IsOrgAdminOrAppUser
 from common.mixins.api import CommonApiMixin
 from applications.models import Application
 from perms import serializers
@@ -18,11 +17,13 @@ class UserGroupGrantedApplicationsApi(CommonApiMixin, ListAPIView):
    """
    获取用户组直接授权的应用
    """
-    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.AppGrantedSerializer
    only_fields = serializers.AppGrantedSerializer.Meta.only_fields
    filterset_fields = ['id', 'name', 'category', 'type', 'comment']
    search_fields = ['name', 'comment']
+    rbac_perms = {
+        'list': 'perms.view_applicationpermission'
+    }

    def get_queryset(self):
        user_group_id = self.kwargs.get('pk', '')
--- a/apps/perms/api/application/user_permission/common.py
+++ b/apps/perms/api/application/user_permission/common.py
@@ -16,8 +16,7 @@ from perms.utils.application.permission import (
    get_application_system_user_ids,
    validate_permission,
 )
-from perms.api.asset.user_permission.mixin import RoleAdminMixin, RoleUserMixin
-from common.permissions import IsOrgAdminOrAppUser
+from .mixin import RoleAdminMixin, RoleUserMixin
 from perms.hands import User, SystemUser
 from perms import serializers

@@ -56,7 +55,9 @@ class MyGrantedApplicationSystemUsersApi(RoleUserMixin, GrantedApplicationSystem

@method_decorator(tmp_to_root_org(), name='get')
 class ValidateUserApplicationPermissionApi(APIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
+    rbac_perms = {
+        'GET': 'view_applicationpermission'
+    }

    def get(self, request, *args, **kwargs):
        user_id = request.query_params.get('user_id', '')
--- a/apps/perms/api/application/user_permission/mixin.py
+++ b/apps/perms/api/application/user_permission/mixin.py
@@ -0,0 +1,28 @@
+# -*- coding: utf-8 -*-
+#
+
+from common.mixins.api import RoleAdminMixin as _RoleAdminMixin
+from common.mixins.api import RoleUserMixin as _RoleUserMixin
+from orgs.utils import tmp_to_root_org
+
+
+class RoleAdminMixin(_RoleAdminMixin):
+    rbac_perms = (
+        ('list', 'perms.view_userapp'),
+        ('retrieve', 'perms.view_userapps'),
+        ('get_tree', 'perms.view_userapps'),
+        ('GET', 'perms.view_userapps'),
+    )
+
+
+class RoleUserMixin(_RoleUserMixin):
+    rbac_perms = (
+        ('list', 'perms.view_myapps'),
+        ('retrieve', 'perms.view_myapps'),
+        ('get_tree', 'perms.view_myapps'),
+        ('GET', 'perms.view_myapps'),
+    )
+
+    def get(self, request, *args, **kwargs):
+        with tmp_to_root_org():
+            return super().get(request, *args, **kwargs)
--- a/apps/perms/api/asset/asset_permission.py
+++ b/apps/perms/api/asset/asset_permission.py
@@ -4,19 +4,15 @@ from perms.filters import AssetPermissionFilter
 from perms.models import AssetPermission
 from orgs.mixins.api import OrgBulkModelViewSet
 from perms import serializers
-from common.permissions import IsOrgAdmin


-__all__ = [
-    'AssetPermissionViewSet',
-]
+__all__ = ['AssetPermissionViewSet']


 class AssetPermissionViewSet(OrgBulkModelViewSet):
    """
    资产授权列表的增删改查api
    """
-    permission_classes = (IsOrgAdmin,)
    model = AssetPermission
    serializer_class = serializers.AssetPermissionSerializer
    filterset_class = AssetPermissionFilter
--- a/apps/perms/api/asset/asset_permission_relation.py
+++ b/apps/perms/api/asset/asset_permission_relation.py
@@ -2,15 +2,12 @@
 #
 from rest_framework import generics
 from django.db.models import F, Value
-from django.db.models import Q
 from django.db.models.functions import Concat
 from django.shortcuts import get_object_or_404

-from assets.models import Node, Asset
 from orgs.mixins.api import OrgRelationMixin
 from orgs.mixins.api import OrgBulkModelViewSet
 from orgs.utils import current_org
-from common.permissions import IsOrgAdmin
 from perms import serializers
 from perms import models
 from perms.utils.asset.user_permission import UserGrantedAssetsQueryUtils
@@ -36,7 +33,6 @@ class RelationMixin(OrgRelationMixin, OrgBulkModelViewSet):
 class AssetPermissionUserRelationViewSet(RelationMixin):
    serializer_class = serializers.AssetPermissionUserRelationSerializer
    m2m_field = models.AssetPermission.users.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', "user", "assetpermission",
    ]
@@ -50,7 +46,6 @@ class AssetPermissionUserRelationViewSet(RelationMixin):


 class AssetPermissionAllUserListApi(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.AssetPermissionAllUserSerializer
    filterset_fields = ("username", "name")
    search_fields = filterset_fields
@@ -67,7 +62,6 @@ class AssetPermissionAllUserListApi(generics.ListAPIView):
 class AssetPermissionUserGroupRelationViewSet(RelationMixin):
    serializer_class = serializers.AssetPermissionUserGroupRelationSerializer
    m2m_field = models.AssetPermission.user_groups.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', "usergroup", "assetpermission"
    ]
@@ -83,7 +77,6 @@ class AssetPermissionUserGroupRelationViewSet(RelationMixin):
 class AssetPermissionAssetRelationViewSet(RelationMixin):
    serializer_class = serializers.AssetPermissionAssetRelationSerializer
    m2m_field = models.AssetPermission.assets.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'asset', 'assetpermission',
    ]
@@ -97,7 +90,6 @@ class AssetPermissionAssetRelationViewSet(RelationMixin):


 class AssetPermissionAllAssetListApi(generics.ListAPIView):
-    permission_classes = (IsOrgAdmin,)
    serializer_class = serializers.AssetPermissionAllAssetSerializer
    filterset_fields = ("hostname", "ip")
    search_fields = filterset_fields
@@ -112,7 +104,6 @@ class AssetPermissionAllAssetListApi(generics.ListAPIView):
 class AssetPermissionNodeRelationViewSet(RelationMixin):
    serializer_class = serializers.AssetPermissionNodeRelationSerializer
    m2m_field = models.AssetPermission.nodes.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'node', 'assetpermission',
    ]
@@ -128,7 +119,6 @@ class AssetPermissionNodeRelationViewSet(RelationMixin):
 class AssetPermissionSystemUserRelationViewSet(RelationMixin):
    serializer_class = serializers.AssetPermissionSystemUserRelationSerializer
    m2m_field = models.AssetPermission.system_users.field
-    permission_classes = (IsOrgAdmin,)
    filterset_fields = [
        'id', 'systemuser', 'assetpermission',
    ]
--- a/apps/perms/api/asset/user_group_permission.py
+++ b/apps/perms/api/asset/user_group_permission.py
@@ -6,7 +6,6 @@ from django.db.models import Q
 from rest_framework.generics import ListAPIView
 from rest_framework.response import Response

-from common.permissions import IsOrgAdminOrAppUser
 from common.utils import lazyproperty
 from perms.models import AssetPermission
 from assets.models import Asset, Node
@@ -32,11 +31,13 @@ class UserGroupMixin:


 class UserGroupGrantedAssetsApi(ListAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.AssetGrantedSerializer
    only_fields = serializers.AssetGrantedSerializer.Meta.only_fields
    filterset_fields = ['hostname', 'ip', 'id', 'comment']
    search_fields = ['hostname', 'ip', 'comment']
+    rbac_perms = {
+        'list': 'perms.view_userassets'
+    }

    def get_queryset(self):
        user_group_id = self.kwargs.get('pk', '')
@@ -65,11 +66,13 @@ class UserGroupGrantedAssetsApi(ListAPIView):


 class UserGroupGrantedNodeAssetsApi(ListAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.AssetGrantedSerializer
    only_fields = serializers.AssetGrantedSerializer.Meta.only_fields
    filterset_fields = ['hostname', 'ip', 'id', 'comment']
    search_fields = ['hostname', 'ip', 'comment']
+    rbac_perms = {
+        'list': 'perms.view_userassets'
+    }

    def get_queryset(self):
        if getattr(self, 'swagger_fake_view', False):
@@ -119,7 +122,9 @@ class UserGroupGrantedNodeAssetsApi(ListAPIView):

 class UserGroupGrantedNodesApi(ListAPIView):
    serializer_class = serializers.NodeGrantedSerializer
-    permission_classes = (IsOrgAdminOrAppUser,)
+    rbac_perms = {
+        'list': 'view_userassets'
+    }

    def get_queryset(self):
        user_group_id = self.kwargs.get('pk', '')
@@ -131,7 +136,9 @@ class UserGroupGrantedNodesApi(ListAPIView):


 class UserGroupGrantedNodeChildrenAsTreeApi(SerializeToTreeNodeMixin, ListAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
+    rbac_perms = {
+        'list': 'view_userassets'
+    }

    def get_children_nodes(self, parent_key):
        return Node.objects.filter(parent_key=parent_key)
--- a/apps/perms/api/asset/user_permission/common.py
+++ b/apps/perms/api/asset/user_permission/common.py
@@ -13,7 +13,7 @@ from rest_framework.generics import (

 from orgs.utils import tmp_to_root_org
 from perms.utils.asset.permission import get_asset_system_user_ids_with_actions_by_user, validate_permission
-from common.permissions import IsOrgAdminOrAppUser, IsOrgAdmin, IsValidUser
+from common.permissions import IsValidUser
 from common.utils import get_logger, lazyproperty

 from perms.hands import User, Asset, SystemUser
@@ -33,8 +33,10 @@ __all__ = [

@method_decorator(tmp_to_root_org(), name='get')
 class GetUserAssetPermissionActionsApi(RetrieveAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.ActionsSerializer
+    rbac_perms = {
+        'retrieve': 'perms.view_userassets'
+    }

    def get_user(self):
        user_id = self.request.query_params.get('user_id', '')
@@ -61,10 +63,9 @@ class GetUserAssetPermissionActionsApi(RetrieveAPIView):

@method_decorator(tmp_to_root_org(), name='get')
 class ValidateUserAssetPermissionApi(APIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
-
-    def get_cache_policy(self):
-        return 0
+    rbac_perms = {
+        'GET': 'perms.view_userassets'
+    }

    def get(self, request, *args, **kwargs):
        user_id = self.request.query_params.get('user_id', '')
@@ -97,16 +98,16 @@ class ValidateUserAssetPermissionApi(APIView):

 # TODO 删除
 class RefreshAssetPermissionCacheApi(RetrieveAPIView):
-    permission_classes = (IsOrgAdmin,)
-
    def retrieve(self, request, *args, **kwargs):
        return Response({'msg': True}, status=200)


 class UserGrantedAssetSystemUsersForAdminApi(ListAPIView):
-    permission_classes = (IsOrgAdminOrAppUser,)
    serializer_class = serializers.AssetSystemUserSerializer
    only_fields = serializers.AssetSystemUserSerializer.Meta.only_fields
+    rbac_perms = {
+        'list': 'perms.view_userassets'
+    }

    @lazyproperty
    def user(self):
@@ -142,7 +143,5 @@ class MyGrantedAssetSystemUsersApi(UserGrantedAssetSystemUsersForAdminApi):

 # TODO 删除
 class UserAssetPermissionsCacheApi(DestroyAPIView):
-    permission_classes = (IsOrgAdmin,)
-
    def destroy(self, request, *args, **kwargs):
        return Response(status=204)
--- a/apps/perms/api/asset/user_permission/mixin.py
+++ b/apps/perms/api/asset/user_permission/mixin.py
@@ -2,7 +2,6 @@
 #
 from rest_framework.request import Request

-from common.permissions import IsOrgAdminOrAppUser, IsValidUser
 from common.http import is_true
 from common.mixins.api import RoleAdminMixin as _RoleAdminMixin
 from common.mixins.api import RoleUserMixin as _RoleUserMixin
@@ -22,11 +21,21 @@ class PermBaseMixin:


 class RoleAdminMixin(PermBaseMixin, _RoleAdminMixin):
-    permission_classes = (IsOrgAdminOrAppUser,)
+    rbac_perms = (
+        ('list', 'perms.view_userassets'),
+        ('retrieve', 'perms.view_userassets'),
+        ('get_tree', 'perms.view_userassets'),
+        ('GET', 'perms.view_userassets'),
+    )


 class RoleUserMixin(PermBaseMixin, _RoleUserMixin):
-    permission_classes = (IsValidUser,)
+    rbac_perms = (
+        ('list', 'perms.view_myassets'),
+        ('retrieve', 'perms.view_myassets'),
+        ('get_tree', 'perms.view_myassets'),
+        ('GET', 'perms.view_myassets'),
+    )

    def get(self, request, *args, **kwargs):
        with tmp_to_root_org():
--- a/apps/perms/api/asset/user_permission/user_permission_nodes.py
+++ b/apps/perms/api/asset/user_permission/user_permission_nodes.py
@@ -113,7 +113,9 @@ class UserGrantedNodeChildrenAsTreeForAdminApi(RoleAdminMixin, UserGrantedNodeCh


 class MyGrantedNodeChildrenAsTreeApi(RoleUserMixin, UserGrantedNodeChildrenMixin, BaseNodeChildrenAsTreeApi):
-    pass
+    def get_permissions(self):
+        permissions = super().get_permissions()
+        return permissions


 class UserGrantedNodesForAdminApi(RoleAdminMixin, UserGrantedNodesMixin, BaseGrantedNodeApi):
--- a/apps/perms/api/base.py
+++ b/apps/perms/api/base.py
@@ -1,5 +1,4 @@
 from django.db.models import Q
-from common.permissions import IsOrgAdmin
 from common.utils import get_object_or_none
 from orgs.mixins.api import OrgBulkModelViewSet
 from assets.models import SystemUser
@@ -14,7 +13,6 @@ class BasePermissionViewSet(OrgBulkModelViewSet):
        'user_id', 'username', 'system_user_id', 'system_user',
        'user_group_id', 'user_group'
    ]
-    permission_classes = (IsOrgAdmin,)

    def filter_valid(self, queryset):
        valid_query = self.request.query_params.get('is_valid', None)
--- a/apps/perms/apps.py
+++ b/apps/perms/apps.py
@@ -1,10 +1,12 @@
 from __future__ import unicode_literals

 from django.apps import AppConfig
+from django.utils.translation import ugettext_lazy as _


 class PermsConfig(AppConfig):
    name = 'perms'
+    verbose_name = _('Permissions')

    def ready(self):
        super().ready()
--- a/apps/perms/migrations/0021_auto_20220104_1537.py
+++ b/apps/perms/migrations/0021_auto_20220104_1537.py
@@ -0,0 +1,21 @@
+# Generated by Django 3.1.13 on 2022-01-04 07:37
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('perms', '0020_auto_20210910_1103'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='applicationpermission',
+            options={'ordering': ('name',), 'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')], 'verbose_name': 'Application permission'},
+        ),
+        migrations.AlterModelOptions(
+            name='assetpermission',
+            options={'ordering': ('name',), 'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')], 'verbose_name': 'Asset permission'},
+        ),
+    ]
--- a/apps/perms/models/application_permission.py
+++ b/apps/perms/models/application_permission.py
@@ -36,6 +36,12 @@ class ApplicationPermission(BasePermission):
        unique_together = [('org_id', 'name')]
        verbose_name = _('Application permission')
        ordering = ('name',)
+        permissions = [
+            ('view_myapps', _('Can view my apps')),
+            ('connect_myapps', _('Can connect my apps')),
+            ('view_userapps', _('Can view user apps')),
+            ('view_usergroupapps', _('Can view usergroup apps')),
+        ]

    @property
    def category_remote_app(self):
--- a/apps/perms/models/asset_permission.py
+++ b/apps/perms/models/asset_permission.py
@@ -29,6 +29,12 @@ class AssetPermission(BasePermission):
        unique_together = [('org_id', 'name')]
        verbose_name = _("Asset permission")
        ordering = ('name',)
+        permissions = [
+            ('view_myassets', _('Can view my assets')),
+            ('connect_myassets', _('Can connect my assets')),
+            ('view_userassets', _('Can view user assets')),
+            ('view_usergroupassets', _('Can view usergroup assets')),
+        ]

    @lazyproperty
    def users_amount(self):