fix: fix rbac to dev (#7636)

* feat: 添加 RBAC 应用模块 * feat: 添加 RBAC Model、API * feat: 添加 RBAC Model、API 2 * feat: 添加 RBAC Model、API 3 * feat: 添加 RBAC Model、API 4 * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC * feat: RBAC 整理权限位 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位2 * feat: RBAC 整理权限位 * feat: RBAC 添加默认角色 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 添加迁移文件；迁移用户角色->用户角色绑定 * feat: RBAC 修改用户模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 添加组织模块迁移文件 & 修改组织模块API * feat: RBAC 修改用户角色属性的使用 * feat: RBAC No.1 * xxx * perf: 暂存 * perf: ... * perf(rbac): 添加 perms 到 profile serializer 中 * stash * perf: 使用init * perf: 修改migrations * perf: rbac * stash * stash * pref: 修改rbac * stash it * stash: 先去修复其他bug * perf: 修改 role 添加 users * pref: 修改 RBAC Model * feat: 添加权限的 tree api * stash: 暂存一下 * stash: 暂存一下 * perf: 修改 model verbose name * feat: 添加model各种 verbose name * perf: 生成 migrations * perf: 优化权限位 * perf: 添加迁移脚本 * feat: 添加组织角色迁移 * perf: 添加迁移脚本 * stash * perf: 添加migrateion * perf: 暂存一下 * perf: 修改rbac * perf: stash it * fix: 迁移冲突 * fix: 迁移冲突 * perf: 暂存一下 * perf: 修改 rbac 逻辑 * stash: 暂存一下 * perf: 修改内置角色 * perf: 解决 root 组织的问题 * perf: stash it * perf: 优化 rbac * perf: 优化 rolebinding 处理 * perf: 完成用户离开组织的问题 * perf: 暂存一下 * perf: 修改翻译 * perf: 去掉了 IsSuperUser * perf: IsAppUser 去掉完成 * perf: 修改 connection token 的权限 * perf: 去掉导入的问题 * perf: perms define 格式，修改 app 用户的全新啊 * perf: 修改 permission * perf: 去掉一些 org admin * perf: 去掉部分 org admin * perf: 再去掉点 org admin role * perf: 再去掉部分 org admin * perf: user 角色搜索 * perf: 去掉很多 js * perf: 添加权限位 * perf: 修改权限 * perf: 去掉一个 todo * merge: with dev * fix: 修复冲突 Co-authored-by: Bai <bugatti_it@163.com> Co-authored-by: Michael Bai <baijiangjie@gmail.com> Co-authored-by: ibuler <ibuler@qq.com>
2025-09-07 18:31:04 +00:00 · 2022-02-17 20:13:31 +08:00
parent b088362ae3
commit e259d2a9e9
263 changed files with 3049 additions and 62465 deletions
--- a/apps/users/serializers/profile.py
+++ b/apps/users/serializers/profile.py
@@ -107,33 +107,32 @@ class UserRoleSerializer(serializers.Serializer):


 class UserProfileSerializer(UserSerializer):
-    admin_or_audit_orgs = UserOrgSerializer(many=True, read_only=True)
-    user_all_orgs = UserOrgSerializer(many=True, read_only=True)
-    current_org_roles = serializers.ListField(read_only=True)
+    MFA_LEVEL_CHOICES = (
+        (0, _('Disable')),
+        (1, _('Enable')),
+    )
+
    public_key_comment = serializers.CharField(
        source='get_public_key_comment', required=False, read_only=True, max_length=128
    )
    public_key_hash_md5 = serializers.CharField(
        source='get_public_key_hash_md5', required=False, read_only=True, max_length=128
    )
-    MFA_LEVEL_CHOICES = (
-        (0, _('Disable')),
-        (1, _('Enable')),
-    )
    mfa_level = serializers.ChoiceField(choices=MFA_LEVEL_CHOICES, label=_('MFA'), required=False)
    guide_url = serializers.SerializerMethodField()
    receive_backends = serializers.ListField(child=serializers.CharField(), read_only=True)
+    orgs = UserOrgSerializer(many=True, read_only=True, source='all_orgs')
+    perms = serializers.ListField(label=_("Perms"), read_only=True)

    class Meta(UserSerializer.Meta):
-        fields = UserSerializer.Meta.fields + [
-            'public_key_comment', 'public_key_hash_md5',
-            'admin_or_audit_orgs', 'current_org_roles',
-            'guide_url', 'user_all_orgs', 'is_org_admin',
-            'is_superuser', 'receive_backends',
-        ]
        read_only_fields = [
-            'date_joined', 'last_login', 'created_by', 'source', 'receive_backends',
+            'date_joined', 'last_login', 'created_by', 'source',
+            'receive_backends', 'orgs', 'perms',
        ]
+        fields = UserSerializer.Meta.fields + [
+            'public_key_comment', 'public_key_hash_md5', 'guide_url',
+        ] + read_only_fields
+
        extra_kwargs = dict(UserSerializer.Meta.extra_kwargs)
        extra_kwargs.update({
            'name': {'read_only': True, 'max_length': 128},
@@ -144,18 +143,25 @@ class UserProfileSerializer(UserSerializer):
            'is_valid': {'read_only': True},
            'is_active': {'read_only': True},
            'groups': {'read_only': True},
-            'roles': {'read_only': True},
            'password_strategy': {'read_only': True},
            'date_expired': {'read_only': True},
            'date_joined': {'read_only': True},
            'last_login': {'read_only': True},
-            'role': {'read_only': True},
+            'system_roles': {'read_only': True},
+            'org_roles': {'read_only': True},
        })

        if 'password' in fields:
            fields.remove('password')
            extra_kwargs.pop('password', None)

+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        system_roles_field = self.fields.get('system_roles')
+        org_roles_field = self.fields.get('org_roles')
+        system_roles_field.read_only = True
+        org_roles_field.read_only = True
+
    @staticmethod
    def get_guide_url(obj):
        return settings.USER_GUIDE_URL
@@ -172,6 +178,20 @@ class UserProfileSerializer(UserSerializer):
            return public_key
        return None

+    def validate_password(self, password):
+        from rbac.models import Role
+        from ..utils import check_password_rules
+        if not self.instance:
+            return password
+
+        is_org_admin = self.instance.org_roles.filter(
+            name=Role.BuiltinRole.org_admin.name
+        ).exsits()
+        if not check_password_rules(password, is_org_admin=is_org_admin):
+            msg = _('Password does not match security rules')
+            raise serializers.ValidationError(msg)
+        return password
+

 class UserPKUpdateSerializer(serializers.ModelSerializer):
    class Meta: