diff --git a/apps/common/migrations/0007_permission.py b/apps/common/migrations/0007_permission.py
deleted file mode 100644
index 964e9621e..000000000
--- a/apps/common/migrations/0007_permission.py
+++ /dev/null
@@ -1,25 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
- initial = True
-
- dependencies = [
- ('common', '0006_auto_20190304_1515'),
- ]
-
- operations = [
- migrations.CreateModel(
- name='Permission',
- fields=[
- ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
- ],
- options={
- 'permissions': [('view_resourcestatistics', 'Can view resource statistics')],
- 'verbose_name': 'Common permission'
- },
- ),
- ]
diff --git a/apps/common/models.py b/apps/common/models.py
deleted file mode 100644
index 100630c21..000000000
--- a/apps/common/models.py
+++ /dev/null
@@ -1,10 +0,0 @@
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class Permission(models.Model):
- class Meta:
- verbose_name = _("Common permission")
- permissions = [
- ('view_resourcestatistics', _('Can view resource statistics'))
- ]
diff --git a/apps/locale/zh/LC_MESSAGES/django.mo b/apps/locale/zh/LC_MESSAGES/django.mo
index f70ef90ae..a1ef67456 100644
--- a/apps/locale/zh/LC_MESSAGES/django.mo
+++ b/apps/locale/zh/LC_MESSAGES/django.mo
@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8f6c99abd272924bb5008bc55960af43af3b50ee1312c6aeaec48dbe5a31aa5c
-size 102226
+oid sha256:323dbe9835bb3fd4b357d162536d8f38bbacf09c47eb1b68ce4e323a66a01f95
+size 102621
diff --git a/apps/locale/zh/LC_MESSAGES/django.po b/apps/locale/zh/LC_MESSAGES/django.po
index e928b0e1f..f11ac290a 100644
--- a/apps/locale/zh/LC_MESSAGES/django.po
+++ b/apps/locale/zh/LC_MESSAGES/django.po
@@ -7,7 +7,7 @@ msgid "" msgstr "" "Project-Id-Version: JumpServer 0.3.3\n" "Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2022-03-07 10:31+0800\n" +"POT-Creation-Date: 2022-03-07 18:41+0800\n" "PO-Revision-Date: 2021-05-20 10:54+0800\n" "Last-Translator: ibuler \n" "Language-Team: JumpServer team\n" @@ -275,13 +275,13 @@ msgstr "自定义" #: applications/models/account.py:12 applications/models/application.py:219 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45 -#: perms/models/application_permission.py:27 +#: perms/models/application_permission.py:28 msgid "Application" msgstr "应用程序" #: applications/models/account.py:15 assets/models/authbook.py:20 #: assets/models/cmd_filter.py:42 assets/models/user.py:325 audits/models.py:40 -#: perms/models/application_permission.py:32 +#: perms/models/application_permission.py:33 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46 #: users/templates/users/_granted_assets.html:27 @@ -311,7 +311,7 @@ msgstr "可以查看应用账号密码" #: applications/models/application.py:204 #: applications/serializers/application.py:99 assets/models/label.py:21 -#: perms/models/application_permission.py:20 +#: perms/models/application_permission.py:21 #: perms/serializers/application/user_permission.py:33 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:22 #: xpack/plugins/change_auth_plan/models/app.py:25 @@ -321,7 +321,7 @@ msgstr "类别" #: applications/models/application.py:207 #: applications/serializers/application.py:101 assets/models/backup.py:49 #: assets/models/cmd_filter.py:82 assets/models/user.py:233 -#: perms/models/application_permission.py:23 +#: perms/models/application_permission.py:24 #: perms/serializers/application/user_permission.py:34 #: terminal/models/storage.py:55 terminal/models/storage.py:119 #: tickets/models/flow.py:56 tickets/models/ticket.py:131 
@@ -623,14 +623,18 @@ msgid "Created by" msgstr "创建者" #: assets/models/asset.py:358 +msgid "Can refresh asset hardware info" +msgstr "可以更新资产硬件信息" + +#: assets/models/asset.py:359 msgid "Can test asset connectivity" msgstr "可以测试资产连接性" -#: assets/models/asset.py:359 +#: assets/models/asset.py:360 msgid "Can push system user to asset" msgstr "可以推送系统用户到资产" -#: assets/models/asset.py:360 +#: assets/models/asset.py:361 msgid "Can match asset" msgstr "可以匹配资产" @@ -933,7 +937,7 @@ msgstr "新节点" msgid "empty" msgstr "空" -#: assets/models/node.py:545 perms/models/asset_permission.py:105 +#: assets/models/node.py:545 perms/models/asset_permission.py:99 msgid "Key" msgstr "键" @@ -941,7 +945,7 @@ msgstr "键" msgid "Full value" msgstr "全称" -#: assets/models/node.py:550 perms/models/asset_permission.py:106 +#: assets/models/node.py:550 perms/models/asset_permission.py:100 msgid "Parent key" msgstr "ssh私钥" @@ -1339,7 +1343,7 @@ msgstr "日志审计" #: audits/models.py:27 audits/models.py:57 #: authentication/templates/authentication/_access_key_modal.html:65 -#: rbac/tree.py:301 users/templates/users/user_asset_permission.html:128 +#: rbac/tree.py:317 users/templates/users/user_asset_permission.html:128 #: users/templates/users/user_database_app_permission.html:111 msgid "Delete" msgstr "删除" @@ -1393,11 +1397,11 @@ msgstr "文件管理" #: audits/models.py:55 #: authentication/templates/authentication/_access_key_modal.html:22 -#: rbac/tree.py:298 +#: rbac/tree.py:314 msgid "Create" msgstr "创建" -#: audits/models.py:56 rbac/tree.py:300 templates/_csv_import_export.html:18 +#: audits/models.py:56 rbac/tree.py:316 templates/_csv_import_export.html:18 #: templates/_csv_update_modal.html:6 #: users/templates/users/user_asset_permission.html:127 #: users/templates/users/user_database_app_permission.html:110 
@@ -1690,7 +1694,7 @@ msgstr "{ApplicationPermission} 添加 {UserGroup}" msgid "{ApplicationPermission} REMOVE {UserGroup}" msgstr "{ApplicationPermission} 移除 {UserGroup}" -#: audits/signal_handlers.py:156 perms/models/application_permission.py:37 +#: audits/signal_handlers.py:156 perms/models/application_permission.py:38 msgid "Application permission" msgstr "应用授权" @@ -2515,14 +2519,6 @@ msgstr "忽略的" msgid "discard time" msgstr "忽略时间" -#: common/models.py:7 -msgid "Common permission" -msgstr "通用权限" - -#: common/models.py:9 -msgid "Can view resource statistics" -msgstr "可以查看资源统计" - #: common/sdk/im/exceptions.py:23 msgid "Network error, please contact system administrator" msgstr "网络错误,请联系系统管理员" @@ -2838,7 +2834,7 @@ msgstr "当前组织 ({}) 不能被删除" msgid "The organization have resource ({}) cannot be deleted" msgstr "组织存在资源 ({}) 不能被删除" -#: orgs/apps.py:7 rbac/tree.py:170 +#: orgs/apps.py:7 rbac/tree.py:185 msgid "App organizations" msgstr "组织管理" 
@@ -2873,46 +2869,54 @@ msgstr "管理员正在修改授权,请稍等" msgid "The authorization cannot be revoked for the time being" msgstr "该授权暂时不能撤销" -#: perms/models/application_permission.py:40 +#: perms/models/application_permission.py:110 +msgid "Permed app" +msgstr "授权的应用" + +#: perms/models/application_permission.py:112 msgid "Can view my apps" -msgstr "可以查看授权的应用" +msgstr "可以查看我的应用" -#: perms/models/application_permission.py:41 +#: perms/models/application_permission.py:113 msgid "Can connect my apps" -msgstr "可以连接授权的应用" +msgstr "可以我的应用" -#: perms/models/application_permission.py:42 +#: perms/models/application_permission.py:114 msgid "Can view user apps" -msgstr "可以查看授权的应用" +msgstr "可以查看用户授权的应用" -#: perms/models/application_permission.py:43 +#: perms/models/application_permission.py:115 msgid "Can view usergroup apps" msgstr "可以查看用户组授权的应用" -#: perms/models/asset_permission.py:32 -msgid "Can view my assets" -msgstr "可以查看授权的资产" - -#: perms/models/asset_permission.py:33 -msgid "Can connect my assets" -msgstr "可以连接登录资产" - -#: perms/models/asset_permission.py:34 -msgid "Can view user assets" -msgstr "可以查看用户授权的资产" - -#: perms/models/asset_permission.py:35 -msgid "Can view usergroup assets" -msgstr "可以查看用户组授权的资产" - -#: perms/models/asset_permission.py:138 +#: perms/models/asset_permission.py:132 msgid "Ungrouped" msgstr "未分组" -#: perms/models/asset_permission.py:140 +#: perms/models/asset_permission.py:134 msgid "Favorite" msgstr "收藏夹" +#: perms/models/asset_permission.py:181 +msgid "Permed asset" +msgstr "授权的资产" + +#: perms/models/asset_permission.py:183 +msgid "Can view my assets" +msgstr "可以查看资产" + +#: perms/models/asset_permission.py:184 +msgid "Can connect my assets" +msgstr "可以连接资产" + +#: perms/models/asset_permission.py:185 +msgid "Can view user assets" +msgstr "可以查看用户授权的资产" + +#: perms/models/asset_permission.py:186 +msgid "Can view usergroup assets" +msgstr "可以查看用户组授权的资产" + #: perms/models/base.py:55 msgid "Connect" msgstr "连接" 
@@ -2987,15 +2991,15 @@ msgstr "组织 ({}) 的应用授权" #: perms/serializers/application/permission.py:20 #: perms/serializers/application/permission.py:41 #: perms/serializers/asset/permission.py:19 -#: perms/serializers/asset/permission.py:45 users/serializers/user.py:133 +#: perms/serializers/asset/permission.py:45 users/serializers/user.py:135 msgid "Is valid" msgstr "账号是否有效" #: perms/serializers/application/permission.py:21 #: perms/serializers/application/permission.py:40 #: perms/serializers/asset/permission.py:20 -#: perms/serializers/asset/permission.py:44 users/serializers/user.py:82 -#: users/serializers/user.py:135 +#: perms/serializers/asset/permission.py:44 users/serializers/user.py:84 +#: users/serializers/user.py:137 msgid "Is expired" msgstr "已过期" @@ -3061,7 +3065,11 @@ msgstr "如果有疑问或需求,请联系系统管理员" msgid "Internal role, can't be destroy" msgstr "" -#: rbac/api/role.py:38 +#: rbac/api/role.py:34 +msgid "The role has been bound to users, can't be destroy" +msgstr "" + +#: rbac/api/role.py:41 msgid "Internal role, can't be update" msgstr "" @@ -3102,16 +3110,28 @@ msgid "Menu permission" msgstr "菜单授权" #: rbac/models/menu.py:15 -msgid "view console view" -msgstr "查看控制台" +msgid "Can view resource statistics" +msgstr "可以查看资源统计" #: rbac/models/menu.py:16 -msgid "view audit view" -msgstr "查看安全审计" +msgid "Can view console view" +msgstr "可以查看控制台" #: rbac/models/menu.py:17 -msgid "view workspace view" -msgstr "查看工作台" +msgid "Can view audit view" +msgstr "可以查看审计台" + +#: rbac/models/menu.py:18 +msgid "Can view workspace view" +msgstr "可以查看工作台" + +#: rbac/models/menu.py:19 +msgid "Can view web terminal" +msgstr "Web终端" + +#: rbac/models/menu.py:20 +msgid "Can view file manager" +msgstr "文件管理" #: rbac/models/permission.py:22 msgid "Permission" @@ -3189,7 +3209,7 @@ msgstr "工作台" #: rbac/tree.py:34 msgid "Audit view" -msgstr "安全审计" +msgstr "审计台" #: rbac/tree.py:38 settings/models.py:140 msgid "System setting" 
@@ -3231,7 +3251,19 @@ msgstr "资产改密" msgid "Terminal setting" msgstr "终端设置" -#: rbac/tree.py:299 +#: rbac/tree.py:138 +msgid "My assets" +msgstr "我的资产" + +#: rbac/tree.py:143 +msgid "My apps" +msgstr "我的应用" + +#: rbac/tree.py:186 +msgid "Ticket comment" +msgstr "工单评论" + +#: rbac/tree.py:315 msgid "View" msgstr "查看" @@ -5203,6 +5235,10 @@ msgstr "工单批准信息" msgid "Ticket flow" msgstr "工单流程" +#: tickets/models/relation.py:10 +msgid "Ticket session relation" +msgstr "工单会话" + #: tickets/models/ticket.py:35 msgid "Ticket step" msgstr "工单步骤" @@ -5505,7 +5541,7 @@ msgid "Public key should not be the same as your old one." msgstr "不能和原来的密钥相同" #: users/forms/profile.py:149 users/serializers/profile.py:95 -#: users/serializers/profile.py:177 users/serializers/profile.py:204 +#: users/serializers/profile.py:175 users/serializers/profile.py:202 msgid "Not a valid ssh public key" msgstr "SSH密钥不合法" @@ -5522,7 +5558,7 @@ msgstr "强制启用" msgid "Local" msgstr "数据库" -#: users/models/user.py:562 users/serializers/user.py:134 +#: users/models/user.py:562 users/serializers/user.py:136 msgid "Is service account" msgstr "服务账号" @@ -5609,7 +5645,7 @@ msgstr "重置 MFA" msgid "The old password is incorrect" msgstr "旧密码错误" -#: users/serializers/profile.py:36 users/serializers/profile.py:191 +#: users/serializers/profile.py:36 users/serializers/profile.py:189 msgid "Password does not match security rules" msgstr "密码不满足安全规则" 
@@ -5621,97 +5657,97 @@ msgstr "新密码不能是最近 {} 次的密码" msgid "The newly set password is inconsistent" msgstr "两次密码不一致" -#: users/serializers/profile.py:141 users/serializers/user.py:132 +#: users/serializers/profile.py:141 users/serializers/user.py:134 msgid "Is first login" msgstr "首次登录" -#: users/serializers/user.py:24 users/serializers/user.py:30 +#: users/serializers/user.py:25 users/serializers/user.py:32 msgid "System roles" msgstr "系统角色" -#: users/serializers/user.py:28 users/serializers/user.py:31 +#: users/serializers/user.py:30 users/serializers/user.py:33 msgid "Org roles" msgstr "组织角色" -#: users/serializers/user.py:74 +#: users/serializers/user.py:76 #: xpack/plugins/change_auth_plan/models/base.py:35 #: xpack/plugins/change_auth_plan/serializers/base.py:22 msgid "Password strategy" msgstr "密码策略" -#: users/serializers/user.py:76 +#: users/serializers/user.py:78 msgid "MFA enabled" msgstr "MFA" -#: users/serializers/user.py:77 +#: users/serializers/user.py:79 msgid "MFA force enabled" msgstr "强制 MFA" -#: users/serializers/user.py:79 +#: users/serializers/user.py:81 msgid "MFA level display" msgstr "MFA 等级名称" -#: users/serializers/user.py:81 +#: users/serializers/user.py:83 msgid "Login blocked" msgstr "登录被阻塞" -#: users/serializers/user.py:84 +#: users/serializers/user.py:86 msgid "Can public key authentication" msgstr "能否公钥认证" -#: users/serializers/user.py:136 +#: users/serializers/user.py:138 msgid "Avatar url" msgstr "头像路径" -#: users/serializers/user.py:138 +#: users/serializers/user.py:140 msgid "Groups name" msgstr "用户组名" -#: users/serializers/user.py:139 +#: users/serializers/user.py:141 msgid "Source name" msgstr "用户来源名" -#: users/serializers/user.py:140 +#: users/serializers/user.py:142 msgid "Organization role name" msgstr "组织角色名称" -#: users/serializers/user.py:141 +#: users/serializers/user.py:143 msgid "Super role name" msgstr "超级角色名称" -#: users/serializers/user.py:142 +#: users/serializers/user.py:144 msgid "Total role name" msgstr "汇总角色名称" -#: 
users/serializers/user.py:144 +#: users/serializers/user.py:146 msgid "Is wecom bound" msgstr "是否绑定了企业微信" -#: users/serializers/user.py:145 +#: users/serializers/user.py:147 msgid "Is dingtalk bound" msgstr "是否绑定了钉钉" -#: users/serializers/user.py:146 +#: users/serializers/user.py:148 msgid "Is feishu bound" msgstr "是否绑定了飞书" -#: users/serializers/user.py:147 +#: users/serializers/user.py:149 msgid "Is OTP bound" msgstr "是否绑定了虚拟 MFA" -#: users/serializers/user.py:149 +#: users/serializers/user.py:151 msgid "System role name" msgstr "系统角色名称" -#: users/serializers/user.py:235 +#: users/serializers/user.py:236 msgid "Select users" msgstr "选择用户" -#: users/serializers/user.py:236 +#: users/serializers/user.py:237 msgid "For security, only list several users" msgstr "为了安全,仅列出几个用户" -#: users/serializers/user.py:269 +#: users/serializers/user.py:270 msgid "name not unique" msgstr "名称重复" @@ -6704,6 +6740,9 @@ msgstr "旗舰版" msgid "Community edition" msgstr "社区版" +#~ msgid "Common permission" +#~ msgstr "通用权限" + #~ msgid "Can view connect token secret" #~ msgstr "可以查看 连接Token 密文" @@ -6748,9 +6787,6 @@ msgstr "社区版" #~ msgid "Commands" #~ msgstr "命令记录" -#~ msgid "Web terminal" -#~ msgstr "Web终端" - #~ msgid "Job Center" #~ msgstr "作业中心" @@ -6772,9 +6808,6 @@ msgstr "社区版" #~ msgid "Sync instance" #~ msgstr "同步实例" -#~ msgid "My assets" -#~ msgstr "我的资产" - #~ msgid "Can update" #~ msgstr "是否可更新" diff --git a/apps/perms/migrations/0024_auto_20220217_2135.py b/apps/perms/migrations/0024_auto_20220217_2135.py index 60fc2cb03..60e1a2ecf 100644 --- a/apps/perms/migrations/0024_auto_20220217_2135.py +++ b/apps/perms/migrations/0024_auto_20220217_2135.py 
@@ -12,10 +12,10 @@ class Migration(migrations.Migration):
 operations = [
 migrations.AlterModelOptions(
 name='applicationpermission',
- options={'ordering': ('name',), 'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')], 'verbose_name': 'Application permission'},
+ options={'ordering': ('name',), 'verbose_name': 'Application permission'},
 ),
 migrations.AlterModelOptions(
 name='assetpermission',
- options={'ordering': ('name',), 'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')], 'verbose_name': 'Asset permission'},
+ options={'ordering': ('name',), 'verbose_name': 'Asset permission'},
 ),
 ]
diff --git a/apps/perms/migrations/0026_auto_20220307_1500.py b/apps/perms/migrations/0026_auto_20220307_1500.py
new file mode 100644
index 000000000..a86365b5f
--- /dev/null
+++ b/apps/perms/migrations/0026_auto_20220307_1500.py
@@ -0,0 +1,41 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:00
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('applications', '0018_auto_20220223_1539'),
+ ('assets', '0088_auto_20220303_1612'),
+ ('perms', '0025_auto_20220223_1539'),
+ ]
+
+ operations = [
+ migrations.CreateModel(
+ name='PermedApplication',
+ fields=[
+ ],
+ options={
+ 'verbose_name': 'Permed app',
+ 'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
+ 'proxy': True,
+ 'indexes': [],
+ 'constraints': [],
+ },
+ bases=('applications.application',),
+ ),
+ migrations.CreateModel(
+ name='PermedAsset',
+ fields=[
+ ],
+ options={
+ 'verbose_name': 'Permed asset',
+ 'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')],
+ 'proxy': True,
+ 'indexes': [],
+ 'constraints': [],
+ },
+ bases=('assets.asset',),
+ ),
+ ]
diff --git a/apps/perms/models/application_permission.py b/apps/perms/models/application_permission.py
index 5f8a94b45..f391bdc06 100644
--- a/apps/perms/models/application_permission.py
+++ b/apps/perms/models/application_permission.py
@@ -7,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _
 from common.utils import lazyproperty
 from .base import BasePermission, Action
+from applications.models import Application
 from users.models import User
 from applications.const import AppCategory, AppType
@@ -36,12 +37,7 @@ class ApplicationPermission(BasePermission):
 unique_together = [('org_id', 'name')]
 verbose_name = _('Application permission')
 ordering = ('name',)
- permissions = [
- ('view_myapps', _('Can view my apps')),
- ('connect_myapps', _('Can connect my apps')),
- ('view_userapps', _('Can view user apps')),
- ('view_usergroupapps', _('Can view usergroup apps')),
- ]
+
 @property
 def category_remote_app(self):
@@ -106,3 +102,15 @@ class ApplicationPermission(BasePermission):
 include_choices = cls.get_include_actions_choices(category)
 exclude_choices = set(Action.NAME_MAP.values()) - set(include_choices)
 return exclude_choices
+
+
+class PermedApplication(Application):
+ class Meta:
+ proxy = True
+ verbose_name = _("Permed app")
+ permissions = [
+ ('view_myapps', _('Can view my apps')),
+ ('connect_myapps', _('Can connect my apps')),
+ ('view_userapps', _('Can view user apps')),
+ ('view_usergroupapps', _('Can view usergroup apps')),
+ ]
diff --git a/apps/perms/models/asset_permission.py b/apps/perms/models/asset_permission.py
index dbe836afb..f0f222ee9 100644
--- a/apps/perms/models/asset_permission.py
+++ b/apps/perms/models/asset_permission.py
@@ -28,12 +28,6 @@ class AssetPermission(BasePermission):
 unique_together = [('org_id', 'name')]
 verbose_name = _("Asset permission")
 ordering = ('name',)
- permissions = [
- ('view_myassets', _('Can view my assets')),
- ('connect_myassets', _('Can connect my assets')),
- ('view_userassets', _('Can view user assets')),
- ('view_usergroupassets', _('Can view usergroup assets')),
- ]
 @lazyproperty
 def users_amount(self):
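Review bot: Removing the `permissions` block from `ApplicationPermission.Meta` appears to leave an added line that is whitespace-only (the lone `+` after `ordering = ('name',)`), so Meta now ends in trailing whitespace that flake8 reports as W293; drop that line so `ordering = ('name',)` is the last statement of Meta. The diff is collapsed, so this is inferred from the hunk's line count (+7 against -12) rather than from visible characters. `ApplicationPermission` continues outside the hunk.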
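Review bot: `PermedApplication` is a proxy with no fields whose only job is to own the `view_myapps`/`connect_myapps`/`view_userapps`/`view_usergroupapps` codenames that this commit removes from `ApplicationPermission.Meta`, but nothing in the class says so; a docstring such as `"""Proxy of Application that only carries the 'my apps' permission codenames, so they hang off the application content type instead of ApplicationPermission."""` would tell the next reader why an empty proxy exists. The same applies to `PermedAsset` in asset_permission.py. Because the codenames are unchanged while the content type moves, existing `Permission` rows keyed on the old content type no longer match; the data migration in rbac 0006 deletes them, and that cross-reference belongs in the docstring too.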
@@ -179,3 +173,16 @@ class PermNode(Node):
 def save(self):
 # 这是个只读 Model
 raise NotImplementedError
+
+
+class PermedAsset(Asset):
+ class Meta:
+ proxy = True
+ verbose_name = _('Permed asset')
+ permissions = [
+ ('view_myassets', _('Can view my assets')),
+ ('connect_myassets', _('Can connect my assets')),
+ ('view_userassets', _('Can view user assets')),
+ ('view_usergroupassets', _('Can view usergroup assets')),
+ ]
+
diff --git a/apps/rbac/builtin.py b/apps/rbac/builtin.py
index cf5993a7e..d66189505 100644
--- a/apps/rbac/builtin.py
+++ b/apps/rbac/builtin.py
@@ -21,11 +21,14 @@ auditor_perms = (
 user_perms = (
 ('rbac', 'menupermission', 'view', 'userview'),
- ('perms', 'assetpermission', 'view,connect', 'myassets'),
- ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+ ('rbac', 'menupermission', 'view', 'webterminal'),
+ ('rbac', 'menupermission', 'view', 'filemanager'),
+ ('perms', 'permedasset', 'view,connect', 'myassets'),
+ ('perms', 'permedapplication', 'view,connect', 'myapps'),
 ('assets', 'asset', 'match', 'asset'),
 ('assets', 'systemuser', 'match', 'systemuser'),
 ('assets', 'node', 'match', 'node'),
+ ('ops', 'commandexecution', 'add', 'commandexecution'),
 )
 app_exclude_perms = [
diff --git a/apps/rbac/const.py b/apps/rbac/const.py
index 6a723a1bc..e608b94f4 100644
--- a/apps/rbac/const.py
+++ b/apps/rbac/const.py
@@ -22,6 +22,8 @@ exclude_permissions = (
 ('notifications', '*', '*', '*'),
 ('common', 'setting', '*', '*'),
+ ('authentication', 'privatetoken', '*', '*'),
+ ('users', 'userpasswordhistory', '*', '*'),
 ('applications', 'applicationuser', '*', '*'),
 ('applications', 'historicalaccount', '*', '*'),
 ('applications', 'databaseapp', '*', '*'),
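Review bot: The built-in User role gains `('ops', 'commandexecution', 'add', 'commandexecution')`, which lets every holder of that role create command executions, whereas the previous `user_perms` had no ops entry at all. If built-in roles are re-synced from this table on upgrade (not visible here), this silently widens the default privilege set of every existing user, so the line deserves an inline comment stating the intent, e.g. `# workspace batch command: users may create executions; change/delete stay excluded in const.exclude_permissions`. The two new `menupermission` grants (`webterminal`, `filemanager`) only gate menus and could share that comment.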
@@ -33,7 +35,6 @@ exclude_permissions = (
 ('assets', 'favoriteasset', '*', '*'),
 ('assets', 'historicalauthbook', '*', '*'),
 ('assets', 'assetuser', '*', '*'),
- ('authentication', 'privatetoken', '*', '*'),
 ('perms', 'databaseapppermission', '*', '*'),
 ('perms', 'k8sapppermission', '*', '*'),
 ('perms', 'remoteapppermission', '*', '*'),
@@ -41,6 +42,8 @@ exclude_permissions = (
 ('perms', 'usergrantedmappingnode', '*', '*'),
 ('perms', 'permnode', '*', '*'),
 ('perms', 'rebuildusertreetask', '*', '*'),
+ ('perms', 'permedasset', 'add,change,delete', 'permedasset'),
+ ('perms', 'permedapplication', 'add,change,delete', 'permedapplication'),
 ('rbac', 'contenttype', '*', '*'),
 ('rbac', 'permission', 'add,delete,change', 'permission'),
 ('rbac', 'rolebinding', '*', '*'),
@@ -49,22 +52,22 @@ exclude_permissions = (
 ('ops', 'adhocexecution', '*', '*'),
 ('ops', 'celerytask', '*', '*'),
 ('ops', 'task', 'add,change', 'task'),
+ ('ops', 'commandexecution', 'delete,change', 'commandexecution'),
 ('orgs', 'organizationmember', '*', '*'),
 ('settings', 'setting', 'add,delete', 'setting'),
 ('audits', 'operatelog', 'add,delete,change', 'operatelog'),
 ('audits', 'passwordchangelog', 'add,change,delete', 'passwordchangelog'),
 ('audits', 'userloginlog', 'change,delete,change', 'userloginlog'),
 ('audits', 'ftplog', 'change,delete', 'ftplog'),
- ('terminal', 'session', 'delete', 'session'),
- ('terminal', 'session', 'delete,change', 'command'),
 ('tickets', 'ticket', '*', '*'),
- ('users', 'userpasswordhistory', '*', '*'),
 ('xpack', 'interface', '*', '*'),
 ('xpack', 'license', '*', '*'),
 ('common', 'permission', 'add,delete,view,change', 'permission'),
 ('terminal', 'command', 'delete,change', 'command'),
 ('terminal', 'sessionjoinrecord', 'delete', 'sessionjoinrecord'),
 ('terminal', 'sessionreplay', 'delete', 'sessionreplay'),
+ ('terminal', 'session', 'delete', 'session'),
+ ('terminal', 'session', 'delete,change', 'command'),
 )
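Review bot: The new exclusions for `permedasset` and `permedapplication` cover `add,change,delete` but leave Django's auto-generated `view_permedasset` and `view_permedapplication` default permissions assignable next to the four custom codenames each proxy declares. Unless some view actually checks `perms.view_permedasset` (nothing in this diff does), those two entries are dead permissions that will surface in the role tree under the proxy model and mislead administrators into granting them; if they are unchecked, widen the two lines to `('perms', 'permedasset', 'add,change,delete,view', 'permedasset')` and the same for `permedapplication`. A short comment on the pair naming the codenames that intentionally remain (`view_myassets`, `connect_myassets`, `view_userassets`, `view_usergroupassets`) would make the intent explicit.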
diff --git a/apps/rbac/migrations/0001_initial.py b/apps/rbac/migrations/0001_initial.py
index f5ff465f9..ce67374a0 100644
--- a/apps/rbac/migrations/0001_initial.py
+++ b/apps/rbac/migrations/0001_initial.py
@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
 ],
 options={
 'verbose_name': 'Menu permission',
- 'permissions': [('view_adminview', 'view console view'), ('view_auditview', 'view audit view'), ('view_userview', 'view workspace view')],
+ 'permissions': [('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view')],
 'default_permissions': [],
 },
 ),
diff --git a/apps/rbac/migrations/0005_auto_20220307_1524.py b/apps/rbac/migrations/0005_auto_20220307_1524.py
new file mode 100644
index 000000000..fb97ac9c5
--- /dev/null
+++ b/apps/rbac/migrations/0005_auto_20220307_1524.py
@@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:46
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('rbac', '0004_auto_20211201_1901'),
+ ]
+
+ operations = [
+ migrations.AlterModelOptions(
+ name='menupermission',
+ options={'default_permissions': [], 'permissions': [('view_resourcestatistics', 'Can view resource statistics'), ('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
+ ),
+ ]
diff --git a/apps/rbac/migrations/0006_auto_20220307_1558.py b/apps/rbac/migrations/0006_auto_20220307_1558.py
new file mode 100644
index 000000000..7c4249271
--- /dev/null
+++ b/apps/rbac/migrations/0006_auto_20220307_1558.py
@@ -0,0 +1,39 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:58
+
+from django.db import migrations
+
+
+def delete_unused_permissions(apps, schema_editor):
+ permission_model = apps.get_model('rbac', 'Permission')
+ content_type_model = apps.get_model('rbac', 'ContentType')
+ content_type_delete_required = [
+ ('common', 'permission'),
+ ]
+ for app, model in content_type_delete_required:
+ content_type_model.objects.filter(app_label=app, model=model).delete()
+
+ permissions_delete_required = [
+ ('perms', 'assetpermission', 'connect_myassets'),
+ ('perms', 'assetpermission', 'view_myassets'),
+ ('perms', 'assetpermission', 'view_userassets'),
+ ('perms', 'assetpermission', 'view_usergroupassets'),
+ ('perms', 'applicationpermission', 'view_myapps'),
+ ('perms', 'applicationpermission', 'connect_myapps'),
+ ('perms', 'applicationpermission', 'view_userapps'),
+ ('perms', 'applicationpermission', 'view_usergroupapps'),
+ ]
+ for app, model, codename in permissions_delete_required:
+ permission_model.objects.filter(
+ codename=codename, content_type__model=model, content_type__app_label=app
+ ).delete()
+
+
+class Migration(migrations.Migration):
+
+ dependencies = [
+ ('rbac', '0005_auto_20220307_1524'),
+ ]
+
+ operations = [
+ migrations.RunPython(delete_unused_permissions)
+ ]
diff --git a/apps/rbac/models/menu.py b/apps/rbac/models/menu.py
index b89fef6f0..0990f7109 100644
--- a/apps/rbac/models/menu.py
+++ b/apps/rbac/models/menu.py
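Review bot: `migrations.RunPython(delete_unused_permissions)` has no `reverse_code`, so this migration cannot be unapplied; since the deleted rows are recreated by Django's `post_migrate` permission sync anyway, `migrations.RunPython(delete_unused_permissions, migrations.RunPython.noop)` is the safe form. More seriously, deleting the eight `Permission` rows also removes every role grant that referenced them (a cascade through the role–permission relation, assuming rbac roles reference `Permission` by FK/M2M), and nothing re-grants the same codenames under the new `permedasset`/`permedapplication` content types; built-in roles are presumably regenerated from builtin.py, but a custom role holding `view_myassets` or `connect_myassets` would silently lose that access on upgrade. Either copy each old row's role grants to the matching new codename before the `.delete()`, or state in a docstring that custom roles must be re-granted. In either case the function needs a docstring saying what it removes and why (the `common.permission` content type no longer exists, and the four codenames per model moved to the proxy models in perms 0026).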
@@ -12,7 +12,10 @@ class MenuPermission(models.Model):
 default_permissions = []
 verbose_name = _('Menu permission')
 permissions = [
- ('view_adminview', _('view console view')),
- ('view_auditview', _('view audit view')),
- ('view_userview', _('view workspace view')),
+ ('view_resourcestatistics', _('Can view resource statistics')),
+ ('view_adminview', _('Can view console view')),
+ ('view_auditview', _('Can view audit view')),
+ ('view_userview', _('Can view workspace view')),
+ ('view_webterminal', _('Can view web terminal')),
+ ('view_filemanager', _('Can view file manager')),
 ]
diff --git a/apps/rbac/tree.py b/apps/rbac/tree.py
index e55976db7..4ebe2c866 100644
--- a/apps/rbac/tree.py
+++ b/apps/rbac/tree.py
@@ -132,7 +132,17 @@ extra_nodes_data = [
 "id": "terminal_node",
 "name": _("Terminal setting"),
 "pId": "view_setting"
- }
+ },
+ {
+ 'id': "my_assets",
+ "name": _("My assets"),
+ "pId": "view_workspace"
+ },
+ {
+ 'id': "my_apps",
+ "name": _("My apps"),
+ "pId": "view_workspace"
+ },
 ]
 # 将 model 放到其它节点下,而不是本来的 app 中
@@ -164,10 +174,16 @@ special_model_pid_mapper = {
 'terminal.task': 'terminal_node',
 'audits.ftplog': 'terminal',
 'rbac.menupermission': 'view_other',
+ 'perms.view_myassets': 'my_assets',
+ 'perms.connect_myassets': 'my_assets',
+ 'perms.view_myapps': 'my_apps',
+ 'perms.connect_myapps': 'my_apps',
+ 'ops.commandexecution': 'view_workspace',
 }
 model_verbose_name_mapper = {
 'orgs.organization': _("App organizations"),
+ 'tickets.comment': _("Ticket comment"),
 }
 xpack_apps = [
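Review bot: `special_model_pid_mapper` now mixes two kinds of keys, `app_label.model` entries such as `'rbac.menupermission'` that `_create_models_nodes` looks up per content type, and `app_label.codename` entries such as `'perms.view_myassets'` that `_create_perms_nodes` looks up per permission, yet the comment above it still only says models are re-parented. Extend it so nobody assumes every key is a model, e.g. `# keys are either 'app.model' (re-parents the model node) or 'app.codename' (re-parents a single permission); both point at the node id to hang under`. The new `extra_nodes_data` entries in the hunk above quote `'id'` with single quotes while every other key in the list uses double quotes; match the existing style.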
@@ -259,28 +275,28 @@ class PermissionTreeUtil:
 def _create_models_nodes(self):
 content_types = ContentType.objects.all()
- total_counts_mapper, checked_counts_mapper = self._get_model_counts_mapper()
 nodes = []
 for ct in content_types:
- total_count = total_counts_mapper.get(ct.id, 0)
- checked_count = checked_counts_mapper.get(ct.id, 0)
- if total_count == 0:
- continue
-
 model_id = '{}.{}'.format(ct.app_label, ct.model)
 if not self._check_model_xpack(model_id):
 continue
+
+ total_count = self.total_counts[model_id]
+ checked_count = self.checked_counts[model_id]
+ if total_count == 0:
+ continue
+
 # 获取 pid
 app = ct.app_label
- if special_model_pid_mapper.get(model_id):
+ if model_id in special_model_pid_mapper:
 app = special_model_pid_mapper[model_id]
 self.total_counts[app] += total_count
 self.checked_counts[app] += checked_count
 # 获取 name
 name = f'{ct.name}'
- if model_verbose_name_mapper.get(model_id):
+ if model_id in model_verbose_name_mapper:
 name = model_verbose_name_mapper[model_id]
 node = self._create_node({
@@ -336,11 +352,21 @@ class PermissionTreeUtil:
 if settings.DEBUG:
 name += '({})'.format(p.app_label_codename)
+ title = p.app_label_codename
+ pid = model_id
+ if title in special_model_pid_mapper:
+ pid = special_model_pid_mapper[title]
+
+ self.total_counts[pid] += 1
+ checked = p.id in permissions_id
+ if checked:
+ self.checked_counts[pid] += 1
+
 node = TreeNode(**{
 'id': p.id,
 'name': name,
- 'title': p.app_label_codename,
- 'pId': model_id,
+ 'title': title,
+ 'pId': pid,
 'isParent': False,
 'chkDisabled': self.check_disabled,
 'iconSkin': 'file',
@@ -395,10 +421,10 @@ class PermissionTreeUtil:
 checked_count = self.checked_counts[view]
 if total_count == 0:
 continue
- node = self._create_node(data, total_count, checked_count, 'view')
+ node = self._create_node(data, total_count, checked_count, 'view', is_open=False)
 nodes.append(node)
 return nodes
-
+
 def _create_extra_nodes(self):
 nodes = []
 for data in extra_nodes_data:
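Review bot: `_create_models_nodes` now reads `self.total_counts[model_id]` and `self.checked_counts[model_id]`, which are only populated by the `self.total_counts[pid] += 1` / `self.checked_counts[pid] += 1` lines added to `_create_perms_nodes` in the next hunk, so the method silently depends on `_create_perms_nodes` having run first and neither site says so. Add a comment at the read, e.g. `# per-model counts are accumulated by _create_perms_nodes, which must run before this method`, and note that the lookup is by `model_id` rather than the old `ct.id`. If `self.total_counts` is a plain dict rather than a `Counter`/`defaultdict`, the indexed read raises `KeyError` for a content type with no permissions where the old `total_counts_mapper.get(ct.id, 0)` returned 0; its initialisation is outside the hunk, so this needs confirming. The enclosing class continues outside the hunk.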
@@ -423,8 +449,8 @@ class PermissionTreeUtil:
 perms_nodes = self._create_perms_nodes()
 models_nodes = self._create_models_nodes()
 apps_nodes = self.create_apps_nodes()
- views_nodes = self._create_views_node()
 extra_nodes = self._create_extra_nodes()
+ views_nodes = self._create_views_node()
 nodes += views_nodes + apps_nodes + models_nodes + perms_nodes + extra_nodes
 return nodes
diff --git a/apps/tickets/migrations/0012_ticketsession.py b/apps/tickets/migrations/0012_ticketsession.py
index 63f19bf38..ac4afdad8 100644
--- a/apps/tickets/migrations/0012_ticketsession.py
+++ b/apps/tickets/migrations/0012_ticketsession.py
@@ -19,5 +19,6 @@ class Migration(migrations.Migration):
 ('session', models.ForeignKey(db_constraint=False, on_delete=django.db.models.deletion.CASCADE, related_name='ticket_relation', to='terminal.session')),
 ('ticket', models.ForeignKey(db_constraint=False, on_delete=django.db.models.deletion.CASCADE, related_name='session_relation', to='tickets.ticket')),
 ],
+ options={'verbose_name': 'Ticket session relation'},
 ),
 ]
diff --git a/apps/tickets/models/relation.py b/apps/tickets/models/relation.py
index ee5889587..ca159804d 100644
--- a/apps/tickets/models/relation.py
+++ b/apps/tickets/models/relation.py
@@ -1,11 +1,14 @@
 from django.db import models
-from django.db.models import Model
+from django.utils.translation import ugettext_lazy as _
-class TicketSession(Model):
+class TicketSession(models.Model):
 ticket = models.ForeignKey('tickets.Ticket', related_name='session_relation', on_delete=models.CASCADE, db_constraint=False)
 session = models.ForeignKey('terminal.Session', related_name='ticket_relation', on_delete=models.CASCADE, db_constraint=False)
+ class Meta:
+ verbose_name = _("Ticket session relation")
+
 @classmethod
 def get_ticket_by_session_id(cls, session_id):
 relation = cls.objects.filter(session=session_id).first()
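Review bot: Moving `views_nodes = self._create_views_node()` after `extra_nodes = self._create_extra_nodes()` introduces an ordering dependency that the code leaves implicit: the new `my_assets`/`my_apps` extra nodes sit under `view_workspace`, so the views presumably need the counts the extra nodes roll up before they are built, but the swapped lines read as arbitrary and someone will "tidy" them back. Add a comment on the moved line, e.g. `# extra nodes first: their counts roll up into their view parent before _create_views_node reads them`. The enclosing method starts outside the hunk, so whether the counts actually propagate this way is inferred from the node parenting in extra_nodes_data.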