From ee97e45cc3c4ab6542238385f71e0b03c681c6ec Mon Sep 17 00:00:00 2001
From: wangruidong <940853815@qq.com>
Date: Wed, 16 Apr 2025 17:07:16 +0800
Subject: [PATCH] fix: Allow superusers delete adhoc and playbook
---
 apps/common/permissions.py | 9 +++++++++
 apps/ops/api/adhoc.py | 11 ++---------
 apps/ops/api/playbook.py | 10 ++--------
 3 files changed, 13 insertions(+), 17 deletions(-)
diff --git a/apps/common/permissions.py b/apps/common/permissions.py
index 898308d03..d63b7780a 100644
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -87,3 +87,12 @@ class IsValidLicense(permissions.BasePermission):
 def has_permission(self, request, view):
 return settings.XPACK_LICENSE_IS_VALID
+
+
+ class IsOwnerOrAdminWritable(IsValidUser):
+ def has_object_permission(self, request, view, obj):
+ if request.user.is_superuser:
+ return super().has_permission(request, view)
+ if request.method != 'GET' and obj.creator != request.user:
+ return False
+ return super().has_permission(request, view)
diff --git a/apps/ops/api/adhoc.py b/apps/ops/api/adhoc.py
index d9eb35a51..6a153b83a 100644
--- a/apps/ops/api/adhoc.py
+++ b/apps/ops/api/adhoc.py
@@ -1,8 +1,8 @@
 # -*- coding: utf-8 -*-
 from django.db.models import Q
-from django.utils.translation import gettext_lazy as _
 from common.api.generic import JMSBulkModelViewSet
+from common.permissions import IsOwnerOrAdminWritable
 from common.utils.http import is_true
 from rbac.permissions import RBACPermission
 from ..const import Scope
@@ -17,7 +17,7 @@ __all__ = [
 class AdHocViewSet(JMSBulkModelViewSet):
 queryset = AdHoc.objects.all()
 serializer_class = AdHocSerializer
-permission_classes = (RBACPermission,)
+permission_classes = (RBACPermission, IsOwnerOrAdminWritable)
 search_fields = ('name', 'comment')
 filterset_fields = ['scope', 'creator']
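Review bot: `IsOwnerOrAdminWritable.has_object_permission` treats every method other than GET as a write, so a HEAD or OPTIONS request on another user's object is refused with 403 while the equivalent GET succeeds (DRF serves HEAD through the GET handler but leaves `request.method` as HEAD); the conventional test is `permissions.SAFE_METHODS`, and the `permissions` module is already in scope in this file, as the `IsValidLicense` base class shows. The class lives in `common/` yet dereferences `obj.creator` unconditionally, so attaching it to a viewset whose model has no `creator` field turns a permission decision into an AttributeError (a 500) instead of a denial. Suggested replacement for the second condition: `if request.method not in permissions.SAFE_METHODS and getattr(obj, 'creator', None) != request.user:`. The class also has no docstring; add one stating that superusers may always write, any other valid user may only modify objects they created, and reads are allowed for every valid user. The specific reason the removed view overrides returned ("Deleting other people's script/playbook is not allowed") is now lost in favour of DRF's generic 403 text; a `message` attribute on the class would restore it, though it would then also be shown when the inherited `has_permission` check fails, so scope it accordingly.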
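Review bot: Dropping `from django.utils.translation import gettext_lazy as _` from adhoc.py is only safe if no other `_(...)` call survives in that module, and this diff shows just one user, the `check_object_permissions` override deleted in the hunk at line 26; the rest of adhoc.py is out of view. Any remaining `_(...)` in a serializer message, a custom action or `get_queryset` would now fail with NameError at request time rather than at import, so grep adhoc.py for `_(` before merging. For comparison, playbook.py keeps its `gettext_lazy` import because `perform_destroy` still calls `_` in the last hunk. If nothing else uses it, the removal is correct and the unused-import cleanup is welcome.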
@@ -26,13 +26,6 @@ class AdHocViewSet(JMSBulkModelViewSet):
 self.check_object_permissions(self.request, obj)
 return True
- def check_object_permissions(self, request, obj):
- if request.method != 'GET' and obj.creator != request.user:
- self.permission_denied( request, message={"detail": _("Deleting other people's script is not allowed")} )
- return super().check_object_permissions(request, obj)
-
 def get_queryset(self):
 queryset = super().get_queryset()
 user = self.request.user
diff --git a/apps/ops/api/playbook.py b/apps/ops/api/playbook.py
index 292f8bd87..cec43e593 100644
--- a/apps/ops/api/playbook.py
+++ b/apps/ops/api/playbook.py
@@ -11,6 +11,7 @@ from rest_framework import status
 from common.api.generic import JMSBulkModelViewSet
 from common.exceptions import JMSException
+from common.permissions import IsOwnerOrAdminWritable
 from common.utils.http import is_true
 from rbac.permissions import RBACPermission
 from ..const import Scope
@@ -33,7 +34,7 @@ def unzip_playbook(src, dist):
 class PlaybookViewSet(JMSBulkModelViewSet):
 serializer_class = PlaybookSerializer
-permission_classes = (RBACPermission,)
+permission_classes = (RBACPermission, IsOwnerOrAdminWritable)
 queryset = Playbook.objects.all()
 search_fields = ('name', 'comment')
 filterset_fields = ['scope', 'creator']
@@ -43,13 +44,6 @@ class PlaybookViewSet(JMSBulkModelViewSet):
 self.check_object_permissions(self.request, obj)
 return True
- def check_object_permissions(self, request, obj):
- if request.method != 'GET' and obj.creator != request.user:
- self.permission_denied( request, message={"detail": _("Deleting other people's playbook is not allowed")} )
- return super().check_object_permissions(request, obj)
-
 def perform_destroy(self, instance):
 if instance.job_set.exists():
 raise JMSException(code='playbook_has_job', detail={"msg": _("Currently playbook is being used in a job")})