diff --git a/apps/perms/api.py b/apps/perms/api.py index ce0193b89..5b0e0a35e 100644 --- a/apps/perms/api.py +++ b/apps/perms/api.py @@ -201,21 +201,21 @@ class UserGroupGrantedAssetGroupsApi(ListAPIView): return queryset -class CheckUserAssetSystemPermission(APIView): +class ValidateUserAssetPermissionView(APIView): permission_classes = (IsAppUser,) - def get(self, request): + @staticmethod + def get(request): user_id = request.params.get('user_id', '') asset_id = request.params.get('asset_id', '') system_id = request.params.get('system_id', '') - user = get_object_or_none(User, id=user_id) - asset = get_object_or_none(Asset, id=asset_id) - system_user = get_object_or_none(SystemUser, id=system_id) - - if not (user and asset and system_user): - return Response(status=403) + user = get_object_or_404(User, id=user_id) + asset = get_object_or_404(Asset, id=asset_id) + system_user = get_object_or_404(SystemUser, id=system_id) assets_granted = get_user_granted_assets(user) - - + if system_user in assets_granted.get(asset, []): + return Response({'msg': True}, status=200) + else: + return Response({'msg': False}, status=403) diff --git a/apps/perms/urls/api_urls.py b/apps/perms/urls/api_urls.py index faac46676..0e97a441e 100644 --- a/apps/perms/urls/api_urls.py +++ b/apps/perms/urls/api_urls.py 
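Review bot: In `ValidateUserAssetPermissionView.get` the three ids are read from `request.params`, which is not an attribute I know of on a DRF `Request` (query-string values live in `request.query_params`). Unless the project attaches `params` elsewhere, this permission check raises before it can answer, so I would write `user_id = request.query_params.get('user_id', '')` and likewise for the other two. The `''` defaults then go straight into `get_object_or_404(..., id=...)`; if these are integer keys, a missing or non-numeric parameter probably surfaces as a 500 rather than a clean refusal, so validate the three values first and return 400. The view now answers 404 for an unknown id and 403 for a known but ungranted combination, which lets a caller tell which ids exist; if that is not intended, return `Response({'msg': False}, status=403)` for both cases.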
@@ -7,30 +7,50 @@ from .. import api app_name = 'perms' router = routers.DefaultRouter() -router.register('v1/asset-permissions', api.AssetPermissionViewSet, 'asset-permission') +router.register('v1/asset-permissions', + api.AssetPermissionViewSet, + 'asset-permission') urlpatterns = [ - url(r'^v1/user/my/assets/$', api.MyGrantedAssetsApi.as_view(), name='my-assets'), - url(r'^v1/user/my/asset-groups/$', api.MyGrantedAssetsGroupsApi.as_view(), name='my-asset-groups'), - url(r'^v1/user/my/asset-group/(?P[0-9]+)/assets/$', api.MyAssetGroupAssetsApi.as_view(), + # 用户可以使用自己的Token或其它认证查看自己授权的资产,资产组等 + url(r'^v1/user/my/assets/$', + api.MyGrantedAssetsApi.as_view(), + name='my-assets'), + url(r'^v1/user/my/asset-groups/$', + api.MyGrantedAssetsGroupsApi.as_view(), + name='my-asset-groups'), + url(r'^v1/user/my/asset-group/(?P[0-9]+)/assets/$', + api.MyAssetGroupAssetsApi.as_view(), name='user-my-asset-group-assets'), - # Select user permission of asset and asset group - url(r'^v1/user/(?P[0-9]+)/assets/$', api.UserGrantedAssetsApi.as_view(), name='user-assets'), - url(r'^v1/user/(?P[0-9]+)/asset-groups/$', api.UserGrantedAssetGroupsApi.as_view(), + # 查询某个用户授权的资产和资产组 + url(r'^v1/user/(?P[0-9]+)/assets/$', + api.UserGrantedAssetsApi.as_view(), + name='user-assets'), + url(r'^v1/user/(?P[0-9]+)/asset-groups/$', + api.UserGrantedAssetGroupsApi.as_view(), name='user-asset-groups'), - # Select user group permission of asset and asset group - url(r'^v1/user-group/(?P[0-9]+)/assets/$', api.UserGroupGrantedAssetsApi.as_view(), name='user-group-assets'), - url(r'^v1/user-group/(?P[0-9]+)/asset-groups/$', api.UserGroupGrantedAssetGroupsApi.as_view(), + # 查询某个用户组授权的资产和资产组 + url(r'^v1/user-group/(?P[0-9]+)/assets/$', + api.UserGroupGrantedAssetsApi.as_view(), + name='user-group-assets'), + url(r'^v1/user-group/(?P[0-9]+)/asset-groups/$', + api.UserGroupGrantedAssetGroupsApi.as_view(), name='user-group-asset-groups'), - - # Revoke permission api - 
url(r'^v1/asset-permissions/user/revoke/', api.RevokeUserAssetPermission.as_view(), + # 回收用户或用户组授权 + url(r'^v1/asset-permissions/user/revoke/$', + api.RevokeUserAssetPermission.as_view(), name='revoke-user-asset-permission'), - url(r'^v1/asset-permissions/user-group/revoke/', api.RevokeUserGroupAssetPermission.as_view(), + url(r'^v1/asset-permissions/user-group/revoke/$', + api.RevokeUserGroupAssetPermission.as_view(), name='revoke-user-group-asset-permission'), + + # 验证用户是否有某个资产和系统用户的权限 + url(r'v1/asset-permission/user/validate/$', + api.ValidateUserAssetPermissionView.as_view(), + name='validate-user-asset-permission') ] urlpatterns += router.urls diff --git a/apps/perms/views.py b/apps/perms/views.py index 546eff80b..72db844c9 100644 --- a/apps/perms/views.py +++ b/apps/perms/views.py 
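Review bot: The new validate route is registered as `r'v1/asset-permission/user/validate/$'` without the leading `^` that every other entry in `urlpatterns` carries. Because the pattern is only anchored at the end, any path under this include that merely ends in that suffix resolves to the permission-check view. It should read `url(r'^v1/asset-permission/user/validate/$',`, matching the `$` tightening this same hunk applies to the two revoke routes. The path also uses the singular `asset-permission` while the revoke routes and the router use `asset-permissions`; confirm that is deliberate before clients depend on it.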
@@ -39,22 +39,25 @@ class AssetPermissionListView(AdminUserRequiredMixin, ListView): self.sort = sort = self.request.GET.get('sort', '-date_created') if keyword: - self.queryset = self.queryset.filter(Q(users__name__contains=keyword) | - Q(users__username__contains=keyword) | - Q(user_groups__name__contains=keyword) | - Q(assets__ip__contains=keyword) | - Q(assets__hostname__contains=keyword) | - Q(system_users__username__icontains=keyword) | - Q(system_users__name__icontains=keyword) | - Q(asset_groups__name__icontains=keyword) | - Q(comment__icontains=keyword) | - Q(name__icontains=keyword)).distinct() + self.queryset = self.queryset\ + .filter(Q(users__name__contains=keyword) | + Q(users__username__contains=keyword) | + Q(user_groups__name__contains=keyword) | + Q(assets__ip__contains=keyword) | + Q(assets__hostname__contains=keyword) | + Q(system_users__username__icontains=keyword) | + Q(system_users__name__icontains=keyword) | + Q(asset_groups__name__icontains=keyword) | + Q(comment__icontains=keyword) | + Q(name__icontains=keyword)).distinct() if sort: self.queryset = self.queryset.order_by(sort) return self.queryset -class AssetPermissionCreateView(AdminUserRequiredMixin, SuccessMessageMixin, CreateView): +class AssetPermissionCreateView(AdminUserRequiredMixin, + SuccessMessageMixin, + CreateView): model = AssetPermission form_class = AssetPermissionForm template_name = 'perms/asset_permission_create_update.html' 
@@ -69,11 +72,11 @@ class AssetPermissionCreateView(AdminUserRequiredMixin, SuccessMessageMixin, Cre return super(AssetPermissionCreateView, self).get_context_data(**kwargs) def get_success_message(self, cleaned_data): - success_message = _('Create asset permission %s successfully.' % - ( - reverse_lazy('perms:asset-permission-detail', kwargs={'pk': self.object.pk}), - self.object.name, - )) + success_message = _( + 'Create asset permission %s ' + 'successfully.' % (reverse_lazy('perms:asset-permission-detail', + kwargs={'pk': self.object.pk}), + self.object.name,)) return success_message @@ -81,7 +84,8 @@ class AssetPermissionUpdateView(AdminUserRequiredMixin, UpdateView): model = AssetPermission form_class = AssetPermissionForm template_name = 'perms/asset_permission_create_update.html' - success_message = _('Update asset permission %s successfully.') + success_message = _('Update asset permission ' + ' %s successfully.') def get_context_data(self, **kwargs): context = { @@ -92,7 +96,8 @@ class AssetPermissionUpdateView(AdminUserRequiredMixin, UpdateView): return super(AssetPermissionUpdateView, self).get_context_data(**kwargs) def get_success_url(self): - success_url = reverse_lazy('perms:asset-permission-detail', kwargs={'pk': self.object.pk}) + success_url = reverse_lazy('perms:asset-permission-detail', + kwargs={'pk': self.object.pk}) return success_url @@ -105,8 +110,9 @@ class AssetPermissionDetailView(AdminUserRequiredMixin, DetailView): context = { 'app': _('Perms'), 'action': _('Asset permission detail'), - 'system_users_remain': [system_user for system_user in SystemUser.objects.all() - if system_user not in self.object.system_users.all()], + 'system_users_remain': [ + system_user for system_user in SystemUser.objects.all() + if system_user not in self.object.system_users.all()], 'system_users': self.object.system_users.all(), } kwargs.update(context) 
@@ -119,7 +125,9 @@ class AssetPermissionDeleteView(AdminUserRequiredMixin, DeleteView): success_url = reverse_lazy('perms:asset-permission-list') -class AssetPermissionUserView(AdminUserRequiredMixin, SingleObjectMixin, ListView): +class AssetPermissionUserView(AdminUserRequiredMixin, + SingleObjectMixin, + ListView): template_name = 'perms/asset_permission_user.html' context_object_name = 'asset_permission' paginate_by = settings.CONFIG.DISPLAY_PER_PAGE @@ -132,9 +140,11 @@ class AssetPermissionUserView(AdminUserRequiredMixin, SingleObjectMixin, ListVie def get_queryset(self): queryset = self.object.get_granted_users() if self.keyword: - search_func = functools.partial(search_object_attr, value=self.keyword, - attr_list=['username', 'name', 'email'], - ignore_case=True) + search_func = functools.partial( + search_object_attr, + value=self.keyword, + attr_list=['username', 'name', 'email'], + ignore_case=True) queryset = filter(search_func, queryset) return queryset 
@@ -144,17 +154,22 @@ class AssetPermissionUserView(AdminUserRequiredMixin, SingleObjectMixin, ListVie context = { 'app': _('Perms'), 'action': _('Asset permission user list'), - 'users_remain': [user for user in User.objects.all() if user not in users_granted], + 'users_remain': [ + user for user in User.objects.all() + if user not in users_granted], 'user_groups': self.object.user_groups.all(), - 'user_groups_remain': [user_group for user_group in UserGroup.objects.all() - if user_group not in user_groups_granted], + 'user_groups_remain': [ + user_group for user_group in UserGroup.objects.all() + if user_group not in user_groups_granted], 'keyword': self.keyword, } kwargs.update(context) return super(AssetPermissionUserView, self).get_context_data(**kwargs) -class AssetPermissionAssetView(AdminUserRequiredMixin, SingleObjectMixin, ListView): +class AssetPermissionAssetView(AdminUserRequiredMixin, + SingleObjectMixin, + ListView): template_name = 'perms/asset_permission_asset.html' context_object_name = 'asset_permission' paginate_by = settings.CONFIG.DISPLAY_PER_PAGE @@ -162,14 +177,16 @@ class AssetPermissionAssetView(AdminUserRequiredMixin, SingleObjectMixin, ListVi def get(self, request, *args, **kwargs): self.object = self.get_object(queryset=AssetPermission.objects.all()) self.keyword = self.request.GET.get('keyword', '') - return super(AssetPermissionAssetView, self).get(request, *args, **kwargs) + return super(AssetPermissionAssetView, self)\ + .get(request, *args, **kwargs) def get_queryset(self): queryset = self.object.get_granted_assets() if self.keyword: - search_func = functools.partial(search_object_attr, value=self.keyword, - attr_list=['hostname', 'ip'], - ignore_case=True) + search_func = functools.partial( + search_object_attr, value=self.keyword, + attr_list=['hostname', 'ip'], + ignore_case=True) queryset = filter(search_func, queryset) return queryset 
@@ -179,10 +196,13 @@ class AssetPermissionAssetView(AdminUserRequiredMixin, SingleObjectMixin, ListVi context = { 'app': _('Perms'), 'action': _('Asset permission asset list'), - 'assets_remain': (asset for asset in Asset.objects.all() if asset not in assets_granted), + 'assets_remain': [ + asset for asset in Asset.objects.all() + if asset not in assets_granted], 'asset_groups': self.object.asset_groups.all(), - 'asset_groups_remain': [asset_group for asset_group in AssetGroup.objects.all() - if asset_group not in asset_groups_granted], + 'asset_groups_remain': [ + asset_group for asset_group in AssetGroup.objects.all() + if asset_group not in asset_groups_granted], 'keyword': self.keyword, } kwargs.update(context) diff --git a/apps/users/api.py b/apps/users/api.py index 393a5f15e..824ad890c 100644 --- a/apps/users/api.py +++ b/apps/users/api.py @@ -18,7 +18,7 @@ from .utils import check_user_valid, generate_token from .models import User, UserGroup from .hands import write_login_log_async from .permissions import ( - IsSuperUser, IsAppUser, IsValidUser, IsSuperUserOrAppUser) + IsSuperUser, IsAppUser, IsValidUser) from . import serializers
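Review bot: `assets_remain` in `AssetPermissionAssetView` changes from a generator to a list, so every request to this admin page now loads all `Asset` rows and runs the `asset not in assets_granted` test in Python, even when the template never iterates the value. `assets_granted` is defined outside the hunk; if it is a queryset or can be reduced to ids, `Asset.objects.exclude(id__in=...)` does the same filtering in the database and keeps page cost from growing with the inventory. The same load-everything-then-filter pattern is in `asset_groups_remain` here and in the `system_users_remain`, `users_remain` and `user_groups_remain` hunks earlier in this file.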