perf: 修改 migrations (#7794)

* perf: 优化 auditor 权限 * perf: 修改 migrations Co-authored-by: ibuler <ibuler@qq.com>
2022-03-10 18:55:53 +08:00 · 2022-03-10 18:55:53 +08:00 · 147e4cce94
parent d1e25e1fef
commit 147e4cce94
3 changed files with 39 additions and 22 deletions
--- a/apps/applications/migrations/0019_auto_20220310_1853.py
+++ b/apps/applications/migrations/0019_auto_20220310_1853.py
@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-10 10:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0018_auto_20220223_1539'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='application',
+            options={'ordering': ('name',), 'permissions': [('match_application', 'Can match application')], 'verbose_name': 'Application'},
+        ),
+    ]
--- a/apps/assets/api/asset.py
+++ b/apps/assets/api/asset.py
@ -178,6 +178,16 @@ class AssetsTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
    model = Asset
    serializer_class = serializers.AssetsTaskSerializer

+    def check_permissions(self, request):
+        action = request.data.get('action')
+        action_perm_require = {
+            'refresh': 'assets.refresh_assethardwareinfo1',
+        }
+        perm_required = action_perm_require.get(action)
+        has = self.request.user.has_perm(perm_required)
+        if not has:
+            self.permission_denied(request)
+

 class AssetGatewayListApi(generics.ListAPIView):
    serializer_class = serializers.GatewayWithAuthSerializer
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@ -2,39 +2,29 @@ from django.utils.translation import ugettext_noop

 from .const import Scope, system_exclude_permissions, org_exclude_permissions

-
-auditor_perms = (
-    ('rbac', 'menupermission', 'view', 'userview'),
-    ('rbac', 'menupermission', 'view', 'auditview'),
-    ('perms', 'assetpermission', 'view,connect', 'myassets'),
-    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
-    ('assets', 'asset', 'match', 'asset'),
-    ('assets', 'systemuser', 'match', 'systemuser'),
-    ('assets', 'node', 'match', 'node'),
-    ('common', 'permission', 'view', 'resourcestatistics'),
-    ('audits', '*', '*', '*'),
-    ('terminal', 'commandstorage', 'view', 'commandstorage'),
-    ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
-    ('terminal', 'session', '*', '*'),
-    ('terminal', 'command', '*', '*'),
-    ('ops', 'commandexecution', 'view', 'commandexecution'),
-)
-
 user_perms = (
-    ('rbac', 'menupermission', 'view', 'userview'),
+    ('rbac', 'menupermission', 'view', 'workspace'),
    ('rbac', 'menupermission', 'view', 'webterminal'),
    ('rbac', 'menupermission', 'view', 'filemanager'),
    ('perms', 'permedasset', 'view,connect', 'myassets'),
    ('perms', 'permedapplication', 'view,connect', 'myapps'),
-    ('perms', 'permedkubernetesapp', 'view,connect', 'mykubernetesapp'),
-    ('perms', 'permedremoteApp', 'view,connect', 'myremoteapp'),
-    ('perms', 'permeddatabaseapp', 'view,connect', 'mydatabaseapp'),
    ('assets', 'asset', 'match', 'asset'),
    ('assets', 'systemuser', 'match', 'systemuser'),
    ('assets', 'node', 'match', 'node'),
    ('ops', 'commandexecution', 'add', 'commandexecution'),
 )

+auditor_perms = user_perms + (
+    ('rbac', 'menupermission', 'view', 'audit'),
+    ('rbac', 'menupermission', 'view', 'dashboard'),
+    ('audits', '*', '*', '*'),
+    ('terminal', 'commandstorage', 'view', 'commandstorage'),
+    ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
+    ('terminal', 'session', '*', '*'),
+    ('terminal', 'command', '*', '*'),
+)
+
+
 app_exclude_perms = [
    ('users', 'user', 'add,delete', 'user'),
    ('orgs', 'org', 'add,delete,change', 'org'),