perf: stay top

fix: Any change to the LDAP server URI should require re-authentication and explicit re-entry of
the bind password, not reuse stored credentials
2025-12-16 17:12:53 +00:00 · 2025-10-27 18:02:45 +08:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-23 18:44:23 +08:00 · 2025-10-21 11:14:02 +08:00
8 changed files with 39 additions and 10 deletions
--- a/apps/authentication/api/connection_token.py
+++ b/apps/authentication/api/connection_token.py
@@ -362,6 +362,7 @@ class ConnectionTokenViewSet(AuthFaceMixin, ExtraActionApiMixin, RootOrgViewMixi
        self.validate_serializer(serializer)
        return super().perform_create(serializer)
    def _insert_connect_options(self, data, user):
        connect_options = data.pop('connect_options', {})
        default_name_opts = {
@@ -564,7 +565,9 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
    rbac_perms = {
        'create': 'authentication.add_superconnectiontoken',
        'renewal': 'authentication.add_superconnectiontoken',
        'list': 'authentication.view_superconnectiontoken',
        'check': 'authentication.view_superconnectiontoken',
        'retrieve': 'authentication.view_superconnectiontoken',
        'get_secret_detail': 'authentication.view_superconnectiontokensecret',
        'get_applet_info': 'authentication.view_superconnectiontoken',
        'release_applet_account': 'authentication.view_superconnectiontoken',
@@ -572,7 +575,12 @@ class SuperConnectionTokenViewSet(ConnectionTokenViewSet):
    }
    def get_queryset(self):
-        return ConnectionToken.objects.all()
+        return ConnectionToken.objects.none()
    def get_object(self):
        pk = self.kwargs.get(self.lookup_field)
        token = get_object_or_404(ConnectionToken, pk=pk)
        return token
    def get_user(self, serializer):
        return serializer.validated_data.get('user')
--- a/apps/common/api/action.py
+++ b/apps/common/api/action.py
@@ -1,9 +1,11 @@
 # -*- coding: utf-8 -*-
 #
 from django.conf import settings
 from typing import Callable
 from django.utils.translation import gettext as _
 from rest_framework.decorators import action
 from rest_framework.throttling import UserRateThrottle
 from rest_framework.request import Request
 from rest_framework.response import Response
@@ -14,8 +16,12 @@ from orgs.utils import current_org
 __all__ = ['SuggestionMixin', 'RenderToJsonMixin']
 class CustomUserRateThrottle(UserRateThrottle):
    rate = '60/m'
 class SuggestionMixin:
-    suggestion_limit = 10
+    suggestion_limit = settings.SUGGESTION_LIMIT
    filter_queryset: Callable
    get_queryset: Callable
@@ -35,6 +41,7 @@ class SuggestionMixin:
            queryset = queryset.none()
        queryset = self.filter_queryset(queryset)
        queryset = queryset[:self.suggestion_limit]
        page = self.paginate_queryset(queryset)
@@ -45,6 +52,11 @@ class SuggestionMixin:
        serializer = self.get_serializer(queryset, many=True)
        return Response(serializer.data)
    def get_throttles(self):
        if self.action == 'match':
            return [CustomUserRateThrottle()]
        return super().get_throttles()
 class RenderToJsonMixin:
    @action(methods=[POST, PUT], detail=False, url_path='render-to-json')
--- a/apps/jumpserver/conf.py
+++ b/apps/jumpserver/conf.py
@@ -729,6 +729,9 @@ class Config(dict):
        'LOKI_BASE_URL': 'http://loki:3100',
        'TOOL_USER_ENABLED': False,
        # Suggestion api
        'SUGGESTION_LIMIT': 10,
    }
    old_config_map = {
--- a/apps/jumpserver/settings/custom.py
+++ b/apps/jumpserver/settings/custom.py
@@ -266,3 +266,5 @@ LOKI_LOG_ENABLED = CONFIG.LOKI_LOG_ENABLED
 LOKI_BASE_URL = CONFIG.LOKI_BASE_URL
 TOOL_USER_ENABLED = CONFIG.TOOL_USER_ENABLED
 SUGGESTION_LIMIT = CONFIG.SUGGESTION_LIMIT
--- a/apps/orgs/mixins/ws.py
+++ b/apps/orgs/mixins/ws.py
@@ -24,5 +24,7 @@ class OrgMixin:
    @sync_to_async
    def has_perms(self, user, perms):
        self.cookie = self.get_cookie()
        self.org = self.get_current_org()
        with tmp_to_org(self.org):
            return user.has_perms(perms)
--- a/apps/settings/ws.py
+++ b/apps/settings/ws.py
@@ -56,8 +56,6 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    async def connect(self):
        user = self.scope["user"]
        if user.is_authenticated:
            self.cookie = self.get_cookie()
            self.org = self.get_current_org()
            has_perm = self.has_perms(user, ['rbac.view_systemtools'])
            if await self.is_superuser(user) or (settings.TOOL_USER_ENABLED and has_perm):
                await self.accept()
@@ -128,14 +126,14 @@ class ToolsWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
        close_old_connections()
-class LdapWebsocket(AsyncJsonWebsocketConsumer):
+class LdapWebsocket(AsyncJsonWebsocketConsumer, OrgMixin):
    category: str
    async def connect(self):
        user = self.scope["user"]
        query = parse_qs(self.scope['query_string'].decode())
        self.category = query.get('category', [User.Source.ldap.value])[0]
-        if user.is_authenticated:
+        if user.is_authenticated and await self.has_perms(user, ['settings.view_setting']):
            await self.accept()
        else:
            await self.close()
@@ -166,8 +164,6 @@ class LdapWebsocket(AsyncJsonWebsocketConsumer):
        config = {
            'server_uri': serializer.validated_data.get(f"{prefix}SERVER_URI"),
            'bind_dn': serializer.validated_data.get(f"{prefix}BIND_DN"),
            'password': (serializer.validated_data.get(f"{prefix}BIND_PASSWORD") or
                         getattr(settings, f"{prefix}BIND_PASSWORD")),
            'use_ssl': serializer.validated_data.get(f"{prefix}START_TLS", False),
            'search_ou': serializer.validated_data.get(f"{prefix}SEARCH_OU"),
            'search_filter': serializer.validated_data.get(f"{prefix}SEARCH_FILTER"),
@@ -175,6 +171,12 @@ class LdapWebsocket(AsyncJsonWebsocketConsumer):
            'auth_ldap': serializer.validated_data.get(f"{prefix.rstrip('_')}", False)
        }
        password = serializer.validated_data.get(f"{prefix}BIND_PASSWORD")
        if not password and config['server_uri'] == getattr(settings, f"{prefix}SERVER_URI"):
            # 只有在没有修改服务器地址的情况下，才使用原有的密码
            config['password'] = getattr(settings, f"{prefix}BIND_PASSWORD")
        else:
            config['password'] = password
        return config
    @staticmethod
--- a/apps/users/api/user.py
+++ b/apps/users/api/user.py
@@ -41,8 +41,8 @@ class UserViewSet(CommonApiMixin, UserQuerysetMixin, SuggestionMixin, BulkModelV
    permission_classes = [RBACPermission, UserObjectPermission]
    serializer_classes = {
        'default': UserSerializer,
        'suggestion': MiniUserSerializer,
        'invite': InviteSerializer,
        'match': MiniUserSerializer,
        'retrieve': UserRetrieveSerializer,
    }
    rbac_perms = {
Author	SHA1	Message	Date
Bai	32aecb79c4	perf: stay top	2025-10-27 18:02:45 +08:00
wangruidong	5afc1c7889	fix: Any change to the LDAP server URI should require re-authentication and explicit re-entry of the bind password, not reuse stored credentials	2025-10-23 18:44:23 +08:00
ibuler	4fe62f1c15	perf: user sugguestion limit and serializer	2025-10-23 18:44:23 +08:00
wangruidong	4af75ff584	perf: ws/ldap perms check	2025-10-23 18:44:23 +08:00
ibuler	91f6614711	perf: token retrieve	2025-10-21 11:14:02 +08:00
老广	e617245b26	merge: to master	2025-10-16 17:30:34 +08:00
Bryan	9280884c1c	Merge pull request #16056 from jumpserver/dev v4.10.8-lts	2025-09-18 16:52:13 +08:00
Bryan	f31994fdcd	Merge pull request #15899 from jumpserver/dev	2025-08-21 19:03:18 +08:00
Bryan	71766418bb	Merge pull request #15742 from jumpserver/dev merge: v4.10.4-lts	2025-07-17 15:12:58 +08:00
Bryan	a9399dd709	Merge pull request #15608 from jumpserver/dev v4.10.2	2025-06-19 20:14:21 +08:00
Bryan	d0cb9e5432	Merge pull request #15412 from jumpserver/dev v4.10.0	2025-05-15 17:11:43 +08:00
老广	558188da90	merge: dev to master Ready to relase	2025-04-17 20:24:45 +08:00
Bryan	ad5460dab8	Merge pull request #15086 from jumpserver/dev v4.8.0	2025-03-20 18:44:44 +08:00
Bryan	4d37dca0de	Merge pull request #14901 from jumpserver/dev v4.7.0	2025-02-20 10:21:16 +08:00
Bryan	2ca4002624	Merge pull request #14813 from jumpserver/dev v4.6.0	2025-01-15 14:38:17 +08:00
Bryan	053d640e4c	Merge pull request #14699 from jumpserver/dev v4.5.0	2024-12-19 16:04:45 +08:00
Bryan	f3acc28ded	Merge pull request #14697 from jumpserver/dev v4.5.0	2024-12-19 15:57:11 +08:00
Bryan	25987545db	Merge pull request #14511 from jumpserver/dev v4.4.0	2024-11-21 19:00:35 +08:00
Bryan	6720ecc6e0	Merge pull request #14319 from jumpserver/dev v4.3.0	2024-10-17 14:55:38 +08:00
老广	0b3a7bb020	Merge pull request #14203 from jumpserver/dev merge: from dev to master	2024-09-19 19:37:19 +08:00
Bryan	56373e362b	Merge pull request #13988 from jumpserver/dev v4.1.0	2024-08-16 18:40:35 +08:00
Bryan	02fc045370	Merge pull request #13600 from jumpserver/dev v4.0.0	2024-07-03 19:04:35 +08:00
Bryan	e4ac73896f	Merge pull request #13452 from jumpserver/dev v3.10.11-lts	2024-06-19 16:01:26 +08:00
Bryan	1518f792d6	Merge pull request #13236 from jumpserver/dev v3.10.10-lts	2024-05-16 16:04:07 +08:00
Bai	67277dd622	fix: 修复仪表盘会话排序数量都是 1 的问题	2024-04-22 19:42:33 +08:00
Bryan	82e7f020ea	Merge pull request #13094 from jumpserver/dev v3.10.9 (dev to master)	2024-04-22 19:39:53 +08:00
Bryan	f20b9e01ab	Merge pull request #13062 from jumpserver/dev v3.10.8 dev to master	2024-04-18 18:01:20 +08:00
Bryan	8cf8a3701b	Merge pull request #13059 from jumpserver/dev v3.10.8	2024-04-18 17:16:37 +08:00
Bryan	7ba24293d1	Merge pull request #12736 from jumpserver/pr@dev@master_fix fix: 解决冲突	2024-02-29 16:38:43 +08:00
Bai	f10114c9ed	fix: 解决冲突	2024-02-29 16:37:10 +08:00
Bryan	cf31cbfb07	Merge pull request #12729 from jumpserver/dev v3.10.4	2024-02-29 16:19:59 +08:00
wangruidong	0edad24d5d	fix: 资产过期消息提示发送失败	2024-02-04 11:41:48 +08:00
ibuler	1f1c1a9157	fix: 修复定时检测用户是否活跃任务无法执行的问题	2024-01-23 09:28:38 +00:00
feng	6c9d271ae1	fix: redis 密码有特殊字符celery beat启动失败	2024-01-22 06:18:34 +00:00
Bai	6ff852e225	perf: 修复 Count 时没有去重的问题	2024-01-22 06:16:25 +00:00
Bryan	baa75dc735	Merge pull request #12566 from jumpserver/master v3.10.2	2024-01-17 07:34:28 -04:00
Bryan	8a9f0436b8	Merge pull request #12565 from jumpserver/dev v3.10.2	2024-01-17 07:23:30 -04:00
Bryan	a9620a3cbe	Merge pull request #12461 from jumpserver/master v3.10.1	2023-12-29 11:33:05 +05:00
Bryan	769e7dc8a0	Merge pull request #12460 from jumpserver/dev v3.10.1	2023-12-29 11:20:36 +05:00
Bryan	2a70449411	Merge pull request #12458 from jumpserver/dev v3.10.1	2023-12-29 11:01:13 +05:00
Bryan	8df720f19e	Merge pull request #12401 from jumpserver/dev v3.10	2023-12-21 15:14:19 +05:00
老广	dabbb45f6e	Merge pull request #12144 from jumpserver/dev v3.9.0	2023-11-16 18:23:05 +08:00
Bryan	ce24c1c3fd	Merge pull request #11914 from jumpserver/dev v3.8.0	2023-10-19 03:37:39 -05:00
Bryan	3c54c82ce9	Merge pull request #11636 from jumpserver/dev v3.7.0	2023-09-21 17:02:48 +08:00