!61 修复可能导致权限验证失效的问题

2022-05-31 02:12:13 +00:00 · 2022-05-31 02:12:13 +00:00 · eded552582
parent 5b53331f80 61904e3248
commit eded552582
7 changed files with 7 additions and 21 deletions
--- a/backend/dvadmin/system/urls.py
+++ b/backend/dvadmin/system/urls.py
@ -28,12 +28,6 @@ system_url.register(r'api_white_list', ApiWhiteListViewSet)
 system_url.register(r'system_config', SystemConfigViewSet)

 urlpatterns = [
-    path('role/roleId_get_menu/<int:pk>/', RoleViewSet.as_view({'get': 'roleId_get_menu'})),
-    path('menu/web_router/', MenuViewSet.as_view({'get': 'web_router'})),
-    path('user/user_info/', UserViewSet.as_view({'get': 'user_info', 'put': 'update_user_info'})),
-    path('user/change_password/<int:pk>/', UserViewSet.as_view({'put': 'change_password'})),
-    path('user/reset_to_default_password/<int:pk>/', UserViewSet.as_view({'put': 'reset_to_default_password'})),
-    path('user/reset_password/<int:pk>/', UserViewSet.as_view({'put': 'reset_password'})),
    path('user/export/', UserViewSet.as_view({'post': 'export_data', })),
    path('user/import/', UserViewSet.as_view({'get': 'import_data', 'post': 'import_data'})),
    path('system_config/save_content/', SystemConfigViewSet.as_view({'put': 'save_content'})),
--- a/backend/dvadmin/system/views/menu.py
+++ b/backend/dvadmin/system/views/menu.py
@ -157,7 +157,7 @@ class MenuViewSet(CustomModelViewSet):
    filter_fields = ['parent', 'name', 'status', 'is_link', 'visible', 'cache', 'is_catalog']
    extra_filter_backends = []

-    @action(methods=['GET'], detail=True, permission_classes=[])
+    @action(methods=['GET'], detail=False, permission_classes=[])
    def web_router(self, request):
        """用于前端获取当前角色的路由"""
        user = request.user
--- a/backend/dvadmin/system/views/user.py
+++ b/backend/dvadmin/system/views/user.py
@ -229,7 +229,7 @@ class UserViewSet(CustomModelViewSet):
        "role": "角色ID",
    }

-    @action(methods=["GET"], detail=True, permission_classes=[IsAuthenticated])
+    @action(methods=["GET"], detail=False, permission_classes=[IsAuthenticated])
    def user_info(self, request):
        """获取当前用户信息"""
        user = request.user
@ -242,7 +242,7 @@ class UserViewSet(CustomModelViewSet):
        }
        return DetailResponse(data=result, msg="获取成功")

-    @action(methods=["PUT"], detail=True, permission_classes=[IsAuthenticated])
+    @action(methods=["PUT"], detail=False, permission_classes=[IsAuthenticated])
    def update_user_info(self, request):
        """修改当前用户信息"""
        user = request.user
--- a/backend/dvadmin/utils/permission.py
+++ b/backend/dvadmin/utils/permission.py
@ -65,14 +65,6 @@ class CustomPermission(BasePermission):
    def has_permission(self, request, view):
        if isinstance(request.user, AnonymousUser):
            return False
-        # 对ViewSet下的def方法进行权限判断
-        # 当权限为空时,则可以访问
-        is_head = getattr(view, 'head', None)
-        if is_head:
-            head_kwargs = getattr(view.head, 'kwargs', {})
-            _permission_classes = head_kwargs.get('permission_classes', None)
-            if _permission_classes == []:
-                return True
        # 判断是否是超级管理员
        if request.user.is_superuser:
            return True
--- a/web/src/layout/header-aside/components/header-user/userinfo.vue
+++ b/web/src/layout/header-aside/components/header-user/userinfo.vue
@ -218,7 +218,7 @@ export default {
      _self.$refs.userInfoForm.validate((valid) => {
        if (valid) {
          request({
-            url: '/api/system/user/user_info/',
+            url: '/api/system/user/update_user_info/',
            method: 'put',
            data: _self.userInfo
          }).then((res) => {
@ -266,7 +266,7 @@ export default {
            params.newPassword = _self.$md5(params.newPassword)
            params.newPassword2 = _self.$md5(params.newPassword2)
            request({
-              url: '/api/system/user/change_password/' + userId + '/',
+              url: '/api/system/user/' + userId + '/change_password/',
              method: 'put',
              data: params
            }).then((res) => {
--- a/web/src/views/system/rolePermission/api.js
+++ b/web/src/views/system/rolePermission/api.js
@ -47,7 +47,7 @@ export function DelObj (id) {
 // 通过角色id,获取菜单数据
 export function GetMenuData (obj) {
  return request({
-    url: '/api/system/role/roleId_get_menu/' + obj.id + '/',
+    url: '/api/system/role/' + obj.id + '/roleId_get_menu/',
    method: 'get',
    params: {}
  }).then(res => {
--- a/web/src/views/system/user/api.js
+++ b/web/src/views/system/user/api.js
@ -50,7 +50,7 @@ export function DelObj (id) {
 */
 export function ResetPwd (obj) {
  return request({
-    url: urlPrefix + 'reset_password/' + obj.id + '/',
+    url: urlPrefix + obj.id + '/reset_password/',
    method: 'put',
    data: obj
  })