perf: 修改 migrations (#7794)

* perf: 优化 auditor 权限

* perf: 修改 migrations

Co-authored-by: ibuler <ibuler@qq.com>

apps/applications/migrations/0019_auto_20220310_1853.py

@@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-10 10:53
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0018_auto_20220223_1539'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='application',
+            options={'ordering': ('name',), 'permissions': [('match_application', 'Can match application')], 'verbose_name': 'Application'},
+        ),
+    ]

apps/assets/api/asset.py

@@ -178,6 +178,16 @@ class AssetsTaskCreateApi(AssetsTaskMixin, generics.CreateAPIView):
     model = Asset
     serializer_class = serializers.AssetsTaskSerializer
 
+    def check_permissions(self, request):
+        action = request.data.get('action')
+        action_perm_require = {
+            'refresh': 'assets.refresh_assethardwareinfo1',
+        }
+        perm_required = action_perm_require.get(action)
+        has = self.request.user.has_perm(perm_required)
+        if not has:
+            self.permission_denied(request)
+
 
 class AssetGatewayListApi(generics.ListAPIView):
     serializer_class = serializers.GatewayWithAuthSerializer

apps/rbac/builtin.py

@@ -2,39 +2,29 @@ from django.utils.translation import ugettext_noop
 
 from .const import Scope, system_exclude_permissions, org_exclude_permissions
 
-
-auditor_perms = (
-    ('rbac', 'menupermission', 'view', 'userview'),
-    ('rbac', 'menupermission', 'view', 'auditview'),
-    ('perms', 'assetpermission', 'view,connect', 'myassets'),
-    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
-    ('assets', 'asset', 'match', 'asset'),
-    ('assets', 'systemuser', 'match', 'systemuser'),
-    ('assets', 'node', 'match', 'node'),
-    ('common', 'permission', 'view', 'resourcestatistics'),
-    ('audits', '*', '*', '*'),
-    ('terminal', 'commandstorage', 'view', 'commandstorage'),
-    ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
-    ('terminal', 'session', '*', '*'),
-    ('terminal', 'command', '*', '*'),
-    ('ops', 'commandexecution', 'view', 'commandexecution'),
-)
-
 user_perms = (
-    ('rbac', 'menupermission', 'view', 'userview'),
+    ('rbac', 'menupermission', 'view', 'workspace'),
     ('rbac', 'menupermission', 'view', 'webterminal'),
     ('rbac', 'menupermission', 'view', 'filemanager'),
     ('perms', 'permedasset', 'view,connect', 'myassets'),
     ('perms', 'permedapplication', 'view,connect', 'myapps'),
-    ('perms', 'permedkubernetesapp', 'view,connect', 'mykubernetesapp'),
-    ('perms', 'permedremoteApp', 'view,connect', 'myremoteapp'),
-    ('perms', 'permeddatabaseapp', 'view,connect', 'mydatabaseapp'),
     ('assets', 'asset', 'match', 'asset'),
     ('assets', 'systemuser', 'match', 'systemuser'),
     ('assets', 'node', 'match', 'node'),
     ('ops', 'commandexecution', 'add', 'commandexecution'),
 )
 
+auditor_perms = user_perms + (
+    ('rbac', 'menupermission', 'view', 'audit'),
+    ('rbac', 'menupermission', 'view', 'dashboard'),
+    ('audits', '*', '*', '*'),
+    ('terminal', 'commandstorage', 'view', 'commandstorage'),
+    ('terminal', 'sessionreplay', 'view,download', 'sessionreplay'),
+    ('terminal', 'session', '*', '*'),
+    ('terminal', 'command', '*', '*'),
+)
+
+
 app_exclude_perms = [
     ('users', 'user', 'add,delete', 'user'),
     ('orgs', 'org', 'add,delete,change', 'org'),