2022-02-17 12:13:31 +00:00
|
|
|
|
from django.db import models
|
2022-12-20 08:48:18 +00:00
|
|
|
|
from django.utils.translation import ugettext_lazy as _, gettext
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
2022-04-07 10:51:35 +00:00
|
|
|
|
from common.db.models import JMSBaseModel
|
2022-02-17 12:13:31 +00:00
|
|
|
|
from common.utils import lazyproperty
|
|
|
|
|
from .permission import Permission
|
|
|
|
|
from .. import const
|
2022-12-20 08:48:18 +00:00
|
|
|
|
from ..builtin import BuiltinRole
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
|
|
__all__ = ['Role', 'SystemRole', 'OrgRole']
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class SystemRoleManager(models.Manager):
|
|
|
|
|
def get_queryset(self):
|
|
|
|
|
queryset = super().get_queryset()
|
|
|
|
|
return queryset.filter(scope=const.Scope.system)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class OrgRoleManager(models.Manager):
|
|
|
|
|
def get_queryset(self):
|
|
|
|
|
queryset = super().get_queryset()
|
|
|
|
|
return queryset.filter(scope=const.Scope.org)
|
|
|
|
|
|
|
|
|
|
|
2022-04-07 10:51:35 +00:00
|
|
|
|
class Role(JMSBaseModel):
|
2022-02-17 12:13:31 +00:00
|
|
|
|
""" 定义 角色 | 角色-权限 关系 """
|
|
|
|
|
Scope = const.Scope
|
|
|
|
|
|
|
|
|
|
name = models.CharField(max_length=128, verbose_name=_('Name'))
|
|
|
|
|
scope = models.CharField(
|
|
|
|
|
max_length=128, choices=Scope.choices, default=Scope.system, verbose_name=_('Scope')
|
|
|
|
|
)
|
|
|
|
|
permissions = models.ManyToManyField(
|
|
|
|
|
'rbac.Permission', related_name='roles', blank=True, verbose_name=_('Permissions')
|
|
|
|
|
)
|
2022-12-20 08:48:18 +00:00
|
|
|
|
builtin = models.BooleanField(default=False, verbose_name=_('Builtin'))
|
2022-02-17 12:13:31 +00:00
|
|
|
|
comment = models.TextField(max_length=128, default='', blank=True, verbose_name=_('Comment'))
|
|
|
|
|
|
|
|
|
|
BuiltinRole = BuiltinRole
|
|
|
|
|
objects = models.Manager()
|
|
|
|
|
org_roles = OrgRoleManager()
|
|
|
|
|
system_roles = SystemRoleManager()
|
|
|
|
|
|
|
|
|
|
class Meta:
|
|
|
|
|
unique_together = [('name', 'scope')]
|
|
|
|
|
verbose_name = _('Role')
|
|
|
|
|
|
|
|
|
|
def __str__(self):
|
|
|
|
|
return '%s(%s)' % (self.name, self.get_scope_display())
|
|
|
|
|
|
|
|
|
|
def is_system_admin(self):
|
2022-02-21 08:24:03 +00:00
|
|
|
|
return str(self.id) == self.BuiltinRole.system_admin.id and self.builtin
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
|
|
def is_org_admin(self):
|
2022-02-21 08:24:03 +00:00
|
|
|
|
return str(self.id) == self.BuiltinRole.org_admin.id and self.builtin
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
|
|
def is_admin(self):
|
|
|
|
|
yes = self.is_system_admin() or self.is_org_admin()
|
|
|
|
|
return yes
|
|
|
|
|
|
|
|
|
|
@staticmethod
|
|
|
|
|
def get_scope_roles_perms(roles, scope):
|
|
|
|
|
has_admin = any([r.is_admin() for r in roles])
|
|
|
|
|
if has_admin:
|
|
|
|
|
perms = Permission.objects.all()
|
|
|
|
|
else:
|
|
|
|
|
perms = Permission.objects.filter(roles__in=roles).distinct()
|
|
|
|
|
perms = Permission.clean_permissions(perms, scope=scope)
|
|
|
|
|
return perms
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def get_roles_permissions(cls, roles):
|
|
|
|
|
org_roles = [role for role in roles if role.scope == cls.Scope.org]
|
2022-12-20 08:48:18 +00:00
|
|
|
|
org_perms_id = cls.get_scope_roles_perms(org_roles, cls.Scope.org) \
|
2022-02-17 12:13:31 +00:00
|
|
|
|
.values_list('id', flat=True)
|
|
|
|
|
|
|
|
|
|
system_roles = [role for role in roles if role.scope == cls.Scope.system]
|
2022-12-20 08:48:18 +00:00
|
|
|
|
system_perms_id = cls.get_scope_roles_perms(system_roles, cls.Scope.system) \
|
2022-02-17 12:13:31 +00:00
|
|
|
|
.values_list('id', flat=True)
|
|
|
|
|
perms_id = set(org_perms_id) | set(system_perms_id)
|
2022-12-20 08:48:18 +00:00
|
|
|
|
permissions = Permission.objects.filter(id__in=perms_id) \
|
2022-02-17 12:13:31 +00:00
|
|
|
|
.prefetch_related('content_type')
|
|
|
|
|
return permissions
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def get_roles_perms(cls, roles):
|
|
|
|
|
permissions = cls.get_roles_permissions(roles)
|
|
|
|
|
return Permission.to_perms(permissions)
|
|
|
|
|
|
|
|
|
|
def get_permissions(self):
|
|
|
|
|
if self.is_admin():
|
|
|
|
|
permissions = Permission.objects.all()
|
|
|
|
|
else:
|
|
|
|
|
permissions = self.permissions.all()
|
|
|
|
|
permissions = Permission.clean_permissions(permissions, self.scope)
|
|
|
|
|
return permissions
|
|
|
|
|
|
|
|
|
|
@lazyproperty
|
|
|
|
|
def users(self):
|
|
|
|
|
from .rolebinding import RoleBinding
|
|
|
|
|
return RoleBinding.get_role_users(self)
|
|
|
|
|
|
|
|
|
|
@lazyproperty
|
|
|
|
|
def users_amount(self):
|
2023-02-07 08:21:26 +00:00
|
|
|
|
return 0
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
|
|
@lazyproperty
|
|
|
|
|
def permissions_amount(self):
|
|
|
|
|
return self.permissions.count()
|
|
|
|
|
|
|
|
|
|
@classmethod
|
|
|
|
|
def create_builtin_roles(cls):
|
|
|
|
|
BuiltinRole.sync_to_db()
|
|
|
|
|
|
|
|
|
|
@property
|
|
|
|
|
def display_name(self):
|
|
|
|
|
if not self.builtin:
|
|
|
|
|
return self.name
|
|
|
|
|
return gettext(self.name)
|
|
|
|
|
|
2022-03-21 08:40:14 +00:00
|
|
|
|
def is_org(self):
|
|
|
|
|
return self.scope == const.Scope.org
|
|
|
|
|
|
2022-04-18 09:17:23 +00:00
|
|
|
|
@classmethod
|
|
|
|
|
def get_roles_by_perm(cls, perm):
|
|
|
|
|
app_label, codename = perm.split('.')
|
|
|
|
|
p = Permission.objects.filter(
|
|
|
|
|
codename=codename,
|
|
|
|
|
content_type__app_label=app_label
|
|
|
|
|
).first()
|
|
|
|
|
if not p:
|
|
|
|
|
return p.roles.none()
|
|
|
|
|
role_ids = list(p.roles.all().values_list('id', flat=True))
|
|
|
|
|
admin_ids = [BuiltinRole.system_admin.id, BuiltinRole.org_admin.id]
|
|
|
|
|
role_ids += admin_ids
|
|
|
|
|
return cls.objects.filter(id__in=role_ids)
|
|
|
|
|
|
2022-02-17 12:13:31 +00:00
|
|
|
|
|
|
|
|
|
class SystemRole(Role):
|
|
|
|
|
objects = SystemRoleManager()
|
|
|
|
|
|
|
|
|
|
class Meta:
|
|
|
|
|
proxy = True
|
|
|
|
|
verbose_name = _('System role')
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class OrgRole(Role):
|
|
|
|
|
objects = OrgRoleManager()
|
|
|
|
|
|
|
|
|
|
class Meta:
|
|
|
|
|
proxy = True
|
|
|
|
|
verbose_name = _('Organization role')
|