fix: 修复 private storage permission

fix: 修复自动化任务原子性error 导致整个任务失败问题
fix: 解决具有超级工单权限的用户无法给指定人申请工单问题 (#10597 )
2025-12-24 04:52:39 +00:00 · 2023-09-11 11:18:53 +08:00 · 2023-06-25 14:42:34 +08:00 · 2023-05-31 10:20:52 +08:00
8 changed files with 16 additions and 13 deletions
--- a/apps/common/permissions.py
+++ b/apps/common/permissions.py
@@ -12,7 +12,7 @@ from common.utils import get_object_or_none
 from orgs.utils import tmp_to_root_org


-class IsValidUser(permissions.IsAuthenticated, permissions.BasePermission):
+class IsValidUser(permissions.IsAuthenticated):
    """Allows access to valid user, is active and not expired"""

    def has_permission(self, request, view):
--- a/apps/jumpserver/rewriting/storage/permissions.py
+++ b/apps/jumpserver/rewriting/storage/permissions.py
@@ -16,6 +16,8 @@ def allow_access(private_file):
    path_base = path_list[1] if len(path_list) > 1 else None
    path_perm = path_perms_map.get(path_base, None)

+    if ".." in request_path:
+        return False
    if not path_perm:
        return False
    if path_perm == '*' or request.user.has_perms([path_perm]):
--- a/apps/ops/ansible/callback.py
+++ b/apps/ops/ansible/callback.py
@@ -109,21 +109,21 @@ class DefaultCallback:
        pass

    def playbook_on_stats(self, event_data, **kwargs):
-        failed = []
        error_func = lambda err, task_detail: err + f"{task_detail[0]}: {task_detail[1]['stderr']};"
        for tp in ['dark', 'failures']:
            for host, tasks in self.result[tp].items():
-                failed.append(host)
                error = reduce(error_func, tasks.items(), '').strip(';')
                self.summary[tp][host] = error
+        failures = list(self.result['failures'].keys())
+        dark_or_failures = list(self.result['dark'].keys()) + failures

        for host, tasks in self.result.get('ignored', {}).items():
            ignore_errors = reduce(error_func, tasks.items(), '').strip(';')
-            if host in failed:
+            if host in failures:
                self.summary['failures'][host] += {ignore_errors}

-        self.summary['ok'] = list(set(self.result['ok'].keys()) - set(failed))
-        self.summary['skipped'] = list(set(self.result['skipped'].keys()) - set(failed))
+        self.summary['ok'] = list(set(self.result['ok'].keys()) - set(dark_or_failures))
+        self.summary['skipped'] = list(set(self.result['skipped'].keys()) - set(dark_or_failures))

    def playbook_on_include(self, event_data, **kwargs):
        pass
--- a/apps/terminal/permissions.py
+++ b/apps/terminal/permissions.py
@@ -1,13 +1,15 @@
 from rest_framework import permissions
+
 from common.utils import get_logger

 logger = get_logger(__file__)

-
 __all__ = ['IsSessionAssignee']


-class IsSessionAssignee(permissions.BasePermission):
+class IsSessionAssignee(permissions.IsAuthenticated):
+    def has_permission(self, request, view):
+        return False

    def has_object_permission(self, request, view, obj):
        try:
--- a/apps/tickets/api/ticket.py
+++ b/apps/tickets/api/ticket.py
@@ -64,7 +64,6 @@ class TicketViewSet(CommonApiMixin, viewsets.ModelViewSet):

    def perform_create(self, serializer):
        instance = serializer.save()
-        instance.applicant = self.request.user
        instance.save(update_fields=['applicant'])
        instance.open()

--- a/apps/tickets/permissions/ticket.py
+++ b/apps/tickets/permissions/ticket.py
@@ -1,12 +1,12 @@
 from rest_framework import permissions


-class IsAssignee(permissions.BasePermission):
+class IsAssignee(permissions.IsAuthenticated):
    def has_object_permission(self, request, view, obj):
        return obj.has_current_assignee(request.user)


-class IsApplicant(permissions.BasePermission):
+class IsApplicant(permissions.IsAuthenticated):

    def has_object_permission(self, request, view, obj):
        return obj.applicant == request.user
--- a/apps/tickets/serializers/ticket/ticket.py
+++ b/apps/tickets/serializers/ticket/ticket.py
@@ -59,6 +59,7 @@ class TicketApplySerializer(TicketSerializer):
    org_id = serializers.CharField(
        required=True, max_length=36, allow_blank=True, label=_("Organization")
    )
+    applicant = serializers.CharField(required=False, allow_blank=True)

    def get_applicant(self, applicant_id):
        current_user = self.context['request'].user
--- a/apps/users/permissions.py
+++ b/apps/users/permissions.py
@@ -1,6 +1,5 @@
 from rest_framework import permissions

-from rbac.builtin import BuiltinRole
 from .utils import is_auth_password_time_valid


@@ -11,7 +10,7 @@ class IsAuthPasswdTimeValid(permissions.IsAuthenticated):
            and is_auth_password_time_valid(request.session)


-class UserObjectPermission(permissions.BasePermission):
+class UserObjectPermission(permissions.IsAuthenticated):

    def has_object_permission(self, request, view, obj):
        if view.action not in ['update', 'partial_update', 'destroy']:
Author	SHA1	Message	Date
ibuler	94374d1de1	fix: 修复 private storage permission	2023-09-11 11:18:53 +08:00
feng	6a75ece739	fix: 修复自动化任务原子性error 导致整个任务失败问题	2023-06-25 14:42:34 +08:00
jiangweidong	aa52dd51b1	fix: 解决具有超级工单权限的用户无法给指定人申请工单问题 (#10597 )	2023-05-31 10:20:52 +08:00