perf: 修改权限树 (#7757)

* perf: 修改 rbac tree

* perf: 修改权限树

* perf:  修改用户默认权限

Co-authored-by: ibuler <ibuler@qq.com>

apps/common/migrations/0007_permission.py

@@ -1,25 +0,0 @@
-# Generated by Django 3.1.14 on 2022-02-23 08:42
-
-from django.db import migrations, models
-
-
-class Migration(migrations.Migration):
-
-    initial = True
-
-    dependencies = [
-        ('common', '0006_auto_20190304_1515'),
-    ]
-
-    operations = [
-        migrations.CreateModel(
-            name='Permission',
-            fields=[
-                ('id', models.AutoField(auto_created=True, primary_key=True, serialize=False, verbose_name='ID')),
-            ],
-            options={
-                'permissions': [('view_resourcestatistics', 'Can view resource statistics')],
-                'verbose_name': 'Common permission'
-            },
-        ),
-    ]

apps/common/models.py

@@ -1,10 +0,0 @@
-from django.db import models
-from django.utils.translation import gettext_lazy as _
-
-
-class Permission(models.Model):
-    class Meta:
-        verbose_name = _("Common permission")
-        permissions = [
-            ('view_resourcestatistics', _('Can view resource statistics'))
-        ]

apps/locale/zh/LC_MESSAGES/django.mo

@@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:8f6c99abd272924bb5008bc55960af43af3b50ee1312c6aeaec48dbe5a31aa5c
+oid sha256:323dbe9835bb3fd4b357d162536d8f38bbacf09c47eb1b68ce4e323a66a01f95
-size 102226
+size 102621

apps/locale/zh/LC_MESSAGES/django.po

@@ -7,7 +7,7 @@ msgid ""
 msgstr ""
 "Project-Id-Version: JumpServer 0.3.3\n"
 "Report-Msgid-Bugs-To: \n"
-"POT-Creation-Date: 2022-03-07 10:31+0800\n"
+"POT-Creation-Date: 2022-03-07 18:41+0800\n"
 "PO-Revision-Date: 2021-05-20 10:54+0800\n"
 "Last-Translator: ibuler <ibuler@qq.com>\n"
 "Language-Team: JumpServer team<ibuler@qq.com>\n"
@@ -275,13 +275,13 @@ msgstr "自定义"
 
 #: applications/models/account.py:12 applications/models/application.py:219
 #: assets/models/backup.py:32 assets/models/cmd_filter.py:45
-#: perms/models/application_permission.py:27
+#: perms/models/application_permission.py:28
 msgid "Application"
 msgstr "应用程序"
 
 #: applications/models/account.py:15 assets/models/authbook.py:20
 #: assets/models/cmd_filter.py:42 assets/models/user.py:325 audits/models.py:40
-#: perms/models/application_permission.py:32
+#: perms/models/application_permission.py:33
 #: perms/models/asset_permission.py:25 terminal/backends/command/models.py:21
 #: terminal/backends/command/serializers.py:14 terminal/models/session.py:46
 #: users/templates/users/_granted_assets.html:27
@@ -311,7 +311,7 @@ msgstr "可以查看应用账号密码"
 
 #: applications/models/application.py:204
 #: applications/serializers/application.py:99 assets/models/label.py:21
-#: perms/models/application_permission.py:20
+#: perms/models/application_permission.py:21
 #: perms/serializers/application/user_permission.py:33
 #: tickets/serializers/ticket/meta/ticket_type/apply_application.py:22
 #: xpack/plugins/change_auth_plan/models/app.py:25
@@ -321,7 +321,7 @@ msgstr "类别"
 #: applications/models/application.py:207
 #: applications/serializers/application.py:101 assets/models/backup.py:49
 #: assets/models/cmd_filter.py:82 assets/models/user.py:233
-#: perms/models/application_permission.py:23
+#: perms/models/application_permission.py:24
 #: perms/serializers/application/user_permission.py:34
 #: terminal/models/storage.py:55 terminal/models/storage.py:119
 #: tickets/models/flow.py:56 tickets/models/ticket.py:131
@@ -623,14 +623,18 @@ msgid "Created by"
 msgstr "创建者"
 
 #: assets/models/asset.py:358
+msgid "Can refresh asset hardware info"
+msgstr "可以更新资产硬件信息"
+
+#: assets/models/asset.py:359
 msgid "Can test asset connectivity"
 msgstr "可以测试资产连接性"
 
-#: assets/models/asset.py:359
+#: assets/models/asset.py:360
 msgid "Can push system user to asset"
 msgstr "可以推送系统用户到资产"
 
-#: assets/models/asset.py:360
+#: assets/models/asset.py:361
 msgid "Can match asset"
 msgstr "可以匹配资产"
 
@@ -933,7 +937,7 @@ msgstr "新节点"
 msgid "empty"
 msgstr "空"
 
-#: assets/models/node.py:545 perms/models/asset_permission.py:105
+#: assets/models/node.py:545 perms/models/asset_permission.py:99
 msgid "Key"
 msgstr "键"
 
@@ -941,7 +945,7 @@ msgstr "键"
 msgid "Full value"
 msgstr "全称"
 
-#: assets/models/node.py:550 perms/models/asset_permission.py:106
+#: assets/models/node.py:550 perms/models/asset_permission.py:100
 msgid "Parent key"
 msgstr "ssh私钥"
 
@@ -1339,7 +1343,7 @@ msgstr "日志审计"
 
 #: audits/models.py:27 audits/models.py:57
 #: authentication/templates/authentication/_access_key_modal.html:65
-#: rbac/tree.py:301 users/templates/users/user_asset_permission.html:128
+#: rbac/tree.py:317 users/templates/users/user_asset_permission.html:128
 #: users/templates/users/user_database_app_permission.html:111
 msgid "Delete"
 msgstr "删除"
@@ -1393,11 +1397,11 @@ msgstr "文件管理"
 
 #: audits/models.py:55
 #: authentication/templates/authentication/_access_key_modal.html:22
-#: rbac/tree.py:298
+#: rbac/tree.py:314
 msgid "Create"
 msgstr "创建"
 
-#: audits/models.py:56 rbac/tree.py:300 templates/_csv_import_export.html:18
+#: audits/models.py:56 rbac/tree.py:316 templates/_csv_import_export.html:18
 #: templates/_csv_update_modal.html:6
 #: users/templates/users/user_asset_permission.html:127
 #: users/templates/users/user_database_app_permission.html:110
@@ -1690,7 +1694,7 @@ msgstr "{ApplicationPermission} 添加 {UserGroup}"
 msgid "{ApplicationPermission} REMOVE {UserGroup}"
 msgstr "{ApplicationPermission} 移除 {UserGroup}"
 
-#: audits/signal_handlers.py:156 perms/models/application_permission.py:37
+#: audits/signal_handlers.py:156 perms/models/application_permission.py:38
 msgid "Application permission"
 msgstr "应用授权"
 
@@ -2515,14 +2519,6 @@ msgstr "忽略的"
 msgid "discard time"
 msgstr "忽略时间"
 
-#: common/models.py:7
-msgid "Common permission"
-msgstr "通用权限"
-
-#: common/models.py:9
-msgid "Can view resource statistics"
-msgstr "可以查看资源统计"
-
 #: common/sdk/im/exceptions.py:23
 msgid "Network error, please contact system administrator"
 msgstr "网络错误，请联系系统管理员"
@@ -2838,7 +2834,7 @@ msgstr "当前组织 ({}) 不能被删除"
 msgid "The organization have resource ({}) cannot be deleted"
 msgstr "组织存在资源 ({}) 不能被删除"
 
-#: orgs/apps.py:7 rbac/tree.py:170
+#: orgs/apps.py:7 rbac/tree.py:185
 msgid "App organizations"
 msgstr "组织管理"
 
@@ -2873,46 +2869,54 @@ msgstr "管理员正在修改授权，请稍等"
 msgid "The authorization cannot be revoked for the time being"
 msgstr "该授权暂时不能撤销"
 
-#: perms/models/application_permission.py:40
+#: perms/models/application_permission.py:110
+msgid "Permed app"
+msgstr "授权的应用"
+
+#: perms/models/application_permission.py:112
 msgid "Can view my apps"
-msgstr "可以查看授权的应用"
+msgstr "可以查看我的应用"
 
-#: perms/models/application_permission.py:41
+#: perms/models/application_permission.py:113
 msgid "Can connect my apps"
-msgstr "可以连接授权的应用"
+msgstr "可以我的应用"
 
-#: perms/models/application_permission.py:42
+#: perms/models/application_permission.py:114
 msgid "Can view user apps"
-msgstr "可以查看授权的应用"
+msgstr "可以查看用户授权的应用"
 
-#: perms/models/application_permission.py:43
+#: perms/models/application_permission.py:115
 msgid "Can view usergroup apps"
 msgstr "可以查看用户组授权的应用"
 
-#: perms/models/asset_permission.py:32
+#: perms/models/asset_permission.py:132
-msgid "Can view my assets"
-msgstr "可以查看授权的资产"
-
-#: perms/models/asset_permission.py:33
-msgid "Can connect my assets"
-msgstr "可以连接登录资产"
-
-#: perms/models/asset_permission.py:34
-msgid "Can view user assets"
-msgstr "可以查看用户授权的资产"
-
-#: perms/models/asset_permission.py:35
-msgid "Can view usergroup assets"
-msgstr "可以查看用户组授权的资产"
-
-#: perms/models/asset_permission.py:138
 msgid "Ungrouped"
 msgstr "未分组"
 
-#: perms/models/asset_permission.py:140
+#: perms/models/asset_permission.py:134
 msgid "Favorite"
 msgstr "收藏夹"
 
+#: perms/models/asset_permission.py:181
+msgid "Permed asset"
+msgstr "授权的资产"
+
+#: perms/models/asset_permission.py:183
+msgid "Can view my assets"
+msgstr "可以查看资产"
+
+#: perms/models/asset_permission.py:184
+msgid "Can connect my assets"
+msgstr "可以连接资产"
+
+#: perms/models/asset_permission.py:185
+msgid "Can view user assets"
+msgstr "可以查看用户授权的资产"
+
+#: perms/models/asset_permission.py:186
+msgid "Can view usergroup assets"
+msgstr "可以查看用户组授权的资产"
+
 #: perms/models/base.py:55
 msgid "Connect"
 msgstr "连接"
@@ -2987,15 +2991,15 @@ msgstr "组织 ({}) 的应用授权"
 #: perms/serializers/application/permission.py:20
 #: perms/serializers/application/permission.py:41
 #: perms/serializers/asset/permission.py:19
-#: perms/serializers/asset/permission.py:45 users/serializers/user.py:133
+#: perms/serializers/asset/permission.py:45 users/serializers/user.py:135
 msgid "Is valid"
 msgstr "账号是否有效"
 
 #: perms/serializers/application/permission.py:21
 #: perms/serializers/application/permission.py:40
 #: perms/serializers/asset/permission.py:20
-#: perms/serializers/asset/permission.py:44 users/serializers/user.py:82
+#: perms/serializers/asset/permission.py:44 users/serializers/user.py:84
-#: users/serializers/user.py:135
+#: users/serializers/user.py:137
 msgid "Is expired"
 msgstr "已过期"
 
@@ -3061,7 +3065,11 @@ msgstr "如果有疑问或需求，请联系系统管理员"
 msgid "Internal role, can't be destroy"
 msgstr ""
 
-#: rbac/api/role.py:38
+#: rbac/api/role.py:34
+msgid "The role has been bound to users, can't be destroy"
+msgstr ""
+
+#: rbac/api/role.py:41
 msgid "Internal role, can't be update"
 msgstr ""
 
@@ -3102,16 +3110,28 @@ msgid "Menu permission"
 msgstr "菜单授权"
 
 #: rbac/models/menu.py:15
-msgid "view console view"
+msgid "Can view resource statistics"
-msgstr "查看控制台"
+msgstr "可以查看资源统计"
 
 #: rbac/models/menu.py:16
-msgid "view audit view"
+msgid "Can view console view"
-msgstr "查看安全审计"
+msgstr "可以查看控制台"
 
 #: rbac/models/menu.py:17
-msgid "view workspace view"
+msgid "Can view audit view"
-msgstr "查看工作台"
+msgstr "可以查看审计台"
+
+#: rbac/models/menu.py:18
+msgid "Can view workspace view"
+msgstr "可以查看工作台"
+
+#: rbac/models/menu.py:19
+msgid "Can view web terminal"
+msgstr "Web终端"
+
+#: rbac/models/menu.py:20
+msgid "Can view file manager"
+msgstr "文件管理"
 
 #: rbac/models/permission.py:22
 msgid "Permission"
@@ -3189,7 +3209,7 @@ msgstr "工作台"
 
 #: rbac/tree.py:34
 msgid "Audit view"
-msgstr "安全审计"
+msgstr "审计台"
 
 #: rbac/tree.py:38 settings/models.py:140
 msgid "System setting"
@@ -3231,7 +3251,19 @@ msgstr "资产改密"
 msgid "Terminal setting"
 msgstr "终端设置"
 
-#: rbac/tree.py:299
+#: rbac/tree.py:138
+msgid "My assets"
+msgstr "我的资产"
+
+#: rbac/tree.py:143
+msgid "My apps"
+msgstr "我的应用"
+
+#: rbac/tree.py:186
+msgid "Ticket comment"
+msgstr "工单评论"
+
+#: rbac/tree.py:315
 msgid "View"
 msgstr "查看"
 
@@ -5203,6 +5235,10 @@ msgstr "工单批准信息"
 msgid "Ticket flow"
 msgstr "工单流程"
 
+#: tickets/models/relation.py:10
+msgid "Ticket session relation"
+msgstr "工单会话"
+
 #: tickets/models/ticket.py:35
 msgid "Ticket step"
 msgstr "工单步骤"
@@ -5505,7 +5541,7 @@ msgid "Public key should not be the same as your old one."
 msgstr "不能和原来的密钥相同"
 
 #: users/forms/profile.py:149 users/serializers/profile.py:95
-#: users/serializers/profile.py:177 users/serializers/profile.py:204
+#: users/serializers/profile.py:175 users/serializers/profile.py:202
 msgid "Not a valid ssh public key"
 msgstr "SSH密钥不合法"
 
@@ -5522,7 +5558,7 @@ msgstr "强制启用"
 msgid "Local"
 msgstr "数据库"
 
-#: users/models/user.py:562 users/serializers/user.py:134
+#: users/models/user.py:562 users/serializers/user.py:136
 msgid "Is service account"
 msgstr "服务账号"
 
@@ -5609,7 +5645,7 @@ msgstr "重置 MFA"
 msgid "The old password is incorrect"
 msgstr "旧密码错误"
 
-#: users/serializers/profile.py:36 users/serializers/profile.py:191
+#: users/serializers/profile.py:36 users/serializers/profile.py:189
 msgid "Password does not match security rules"
 msgstr "密码不满足安全规则"
 
@@ -5621,97 +5657,97 @@ msgstr "新密码不能是最近 {} 次的密码"
 msgid "The newly set password is inconsistent"
 msgstr "两次密码不一致"
 
-#: users/serializers/profile.py:141 users/serializers/user.py:132
+#: users/serializers/profile.py:141 users/serializers/user.py:134
 msgid "Is first login"
 msgstr "首次登录"
 
-#: users/serializers/user.py:24 users/serializers/user.py:30
+#: users/serializers/user.py:25 users/serializers/user.py:32
 msgid "System roles"
 msgstr "系统角色"
 
-#: users/serializers/user.py:28 users/serializers/user.py:31
+#: users/serializers/user.py:30 users/serializers/user.py:33
 msgid "Org roles"
 msgstr "组织角色"
 
-#: users/serializers/user.py:74
+#: users/serializers/user.py:76
 #: xpack/plugins/change_auth_plan/models/base.py:35
 #: xpack/plugins/change_auth_plan/serializers/base.py:22
 msgid "Password strategy"
 msgstr "密码策略"
 
-#: users/serializers/user.py:76
+#: users/serializers/user.py:78
 msgid "MFA enabled"
 msgstr "MFA"
 
-#: users/serializers/user.py:77
+#: users/serializers/user.py:79
 msgid "MFA force enabled"
 msgstr "强制 MFA"
 
-#: users/serializers/user.py:79
+#: users/serializers/user.py:81
 msgid "MFA level display"
 msgstr "MFA 等级名称"
 
-#: users/serializers/user.py:81
+#: users/serializers/user.py:83
 msgid "Login blocked"
 msgstr "登录被阻塞"
 
-#: users/serializers/user.py:84
+#: users/serializers/user.py:86
 msgid "Can public key authentication"
 msgstr "能否公钥认证"
 
-#: users/serializers/user.py:136
+#: users/serializers/user.py:138
 msgid "Avatar url"
 msgstr "头像路径"
 
-#: users/serializers/user.py:138
+#: users/serializers/user.py:140
 msgid "Groups name"
 msgstr "用户组名"
 
-#: users/serializers/user.py:139
+#: users/serializers/user.py:141
 msgid "Source name"
 msgstr "用户来源名"
 
-#: users/serializers/user.py:140
+#: users/serializers/user.py:142
 msgid "Organization role name"
 msgstr "组织角色名称"
 
-#: users/serializers/user.py:141
+#: users/serializers/user.py:143
 msgid "Super role name"
 msgstr "超级角色名称"
 
-#: users/serializers/user.py:142
+#: users/serializers/user.py:144
 msgid "Total role name"
 msgstr "汇总角色名称"
 
-#: users/serializers/user.py:144
+#: users/serializers/user.py:146
 msgid "Is wecom bound"
 msgstr "是否绑定了企业微信"
 
-#: users/serializers/user.py:145
+#: users/serializers/user.py:147
 msgid "Is dingtalk bound"
 msgstr "是否绑定了钉钉"
 
-#: users/serializers/user.py:146
+#: users/serializers/user.py:148
 msgid "Is feishu bound"
 msgstr "是否绑定了飞书"
 
-#: users/serializers/user.py:147
+#: users/serializers/user.py:149
 msgid "Is OTP bound"
 msgstr "是否绑定了虚拟 MFA"
 
-#: users/serializers/user.py:149
+#: users/serializers/user.py:151
 msgid "System role name"
 msgstr "系统角色名称"
 
-#: users/serializers/user.py:235
+#: users/serializers/user.py:236
 msgid "Select users"
 msgstr "选择用户"
 
-#: users/serializers/user.py:236
+#: users/serializers/user.py:237
 msgid "For security, only list several users"
 msgstr "为了安全，仅列出几个用户"
 
-#: users/serializers/user.py:269
+#: users/serializers/user.py:270
 msgid "name not unique"
 msgstr "名称重复"
 
@@ -6704,6 +6740,9 @@ msgstr "旗舰版"
 msgid "Community edition"
 msgstr "社区版"
 
+#~ msgid "Common permission"
+#~ msgstr "通用权限"
+
 #~ msgid "Can view connect token secret"
 #~ msgstr "可以查看 连接Token 密文"
 
@@ -6748,9 +6787,6 @@ msgstr "社区版"
 #~ msgid "Commands"
 #~ msgstr "命令记录"
 
-#~ msgid "Web terminal"
-#~ msgstr "Web终端"
-
 #~ msgid "Job Center"
 #~ msgstr "作业中心"
 
@@ -6772,9 +6808,6 @@ msgstr "社区版"
 #~ msgid "Sync instance"
 #~ msgstr "同步实例"
 
-#~ msgid "My assets"
-#~ msgstr "我的资产"
-
 #~ msgid "Can update"
 #~ msgstr "是否可更新"
 

apps/perms/migrations/0024_auto_20220217_2135.py

@@ -12,10 +12,10 @@ class Migration(migrations.Migration):
     operations = [
         migrations.AlterModelOptions(
             name='applicationpermission',
-            options={'ordering': ('name',), 'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')], 'verbose_name': 'Application permission'},
+            options={'ordering': ('name',), 'verbose_name': 'Application permission'},
         ),
         migrations.AlterModelOptions(
             name='assetpermission',
-            options={'ordering': ('name',), 'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')], 'verbose_name': 'Asset permission'},
+            options={'ordering': ('name',), 'verbose_name': 'Asset permission'},
         ),
     ]

apps/perms/migrations/0026_auto_20220307_1500.py

@@ -0,0 +1,41 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:00
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('applications', '0018_auto_20220223_1539'),
+        ('assets', '0088_auto_20220303_1612'),
+        ('perms', '0025_auto_20220223_1539'),
+    ]
+
+    operations = [
+        migrations.CreateModel(
+            name='PermedApplication',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Permed app',
+                'permissions': [('view_myapps', 'Can view my apps'), ('connect_myapps', 'Can connect my apps'), ('view_userapps', 'Can view user apps'), ('view_usergroupapps', 'Can view usergroup apps')],
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('applications.application',),
+        ),
+        migrations.CreateModel(
+            name='PermedAsset',
+            fields=[
+            ],
+            options={
+                'verbose_name': 'Permed asset',
+                'permissions': [('view_myassets', 'Can view my assets'), ('connect_myassets', 'Can connect my assets'), ('view_userassets', 'Can view user assets'), ('view_usergroupassets', 'Can view usergroup assets')],
+                'proxy': True,
+                'indexes': [],
+                'constraints': [],
+            },
+            bases=('assets.asset',),
+        ),
+    ]

apps/perms/models/application_permission.py

@@ -7,6 +7,7 @@ from django.utils.translation import ugettext_lazy as _
 
 from common.utils import lazyproperty
 from .base import BasePermission, Action
+from applications.models import Application
 from users.models import User
 from applications.const import AppCategory, AppType
 
@@ -36,12 +37,7 @@ class ApplicationPermission(BasePermission):
         unique_together = [('org_id', 'name')]
         verbose_name = _('Application permission')
         ordering = ('name',)
-        permissions = [
+
-            ('view_myapps', _('Can view my apps')),
-            ('connect_myapps', _('Can connect my apps')),
-            ('view_userapps', _('Can view user apps')),
-            ('view_usergroupapps', _('Can view usergroup apps')),
-        ]
 
     @property
     def category_remote_app(self):
@@ -106,3 +102,15 @@ class ApplicationPermission(BasePermission):
         include_choices = cls.get_include_actions_choices(category)
         exclude_choices = set(Action.NAME_MAP.values()) - set(include_choices)
         return exclude_choices
+
+
+class PermedApplication(Application):
+    class Meta:
+        proxy = True
+        verbose_name = _("Permed app")
+        permissions = [
+            ('view_myapps', _('Can view my apps')),
+            ('connect_myapps', _('Can connect my apps')),
+            ('view_userapps', _('Can view user apps')),
+            ('view_usergroupapps', _('Can view usergroup apps')),
+        ]

apps/perms/models/asset_permission.py

@@ -28,12 +28,6 @@ class AssetPermission(BasePermission):
         unique_together = [('org_id', 'name')]
         verbose_name = _("Asset permission")
         ordering = ('name',)
-        permissions = [
-            ('view_myassets', _('Can view my assets')),
-            ('connect_myassets', _('Can connect my assets')),
-            ('view_userassets', _('Can view user assets')),
-            ('view_usergroupassets', _('Can view usergroup assets')),
-        ]
 
     @lazyproperty
     def users_amount(self):
@@ -179,3 +173,16 @@ class PermNode(Node):
     def save(self):
         # 这是个只读 Model
         raise NotImplementedError
+
+
+class PermedAsset(Asset):
+    class Meta:
+        proxy = True
+        verbose_name = _('Permed asset')
+        permissions = [
+            ('view_myassets', _('Can view my assets')),
+            ('connect_myassets', _('Can connect my assets')),
+            ('view_userassets', _('Can view user assets')),
+            ('view_usergroupassets', _('Can view usergroup assets')),
+        ]
+

apps/rbac/builtin.py

@@ -21,11 +21,14 @@ auditor_perms = (
 
 user_perms = (
     ('rbac', 'menupermission', 'view', 'userview'),
-    ('perms', 'assetpermission', 'view,connect', 'myassets'),
+    ('rbac', 'menupermission', 'view', 'webterminal'),
-    ('perms', 'applicationpermission', 'view,connect', 'myapps'),
+    ('rbac', 'menupermission', 'view', 'filemanager'),
+    ('perms', 'permedasset', 'view,connect', 'myassets'),
+    ('perms', 'permedapplication', 'view,connect', 'myapps'),
     ('assets', 'asset', 'match', 'asset'),
     ('assets', 'systemuser', 'match', 'systemuser'),
     ('assets', 'node', 'match', 'node'),
+    ('ops', 'commandexecution', 'add', 'commandexecution'),
 )
 
 app_exclude_perms = [

apps/rbac/const.py

@@ -22,6 +22,8 @@ exclude_permissions = (
     ('notifications', '*', '*', '*'),
     ('common', 'setting', '*', '*'),
 
+    ('authentication', 'privatetoken', '*', '*'),
+    ('users', 'userpasswordhistory', '*', '*'),
     ('applications', 'applicationuser', '*', '*'),
     ('applications', 'historicalaccount', '*', '*'),
     ('applications', 'databaseapp', '*', '*'),
@@ -33,7 +35,6 @@ exclude_permissions = (
     ('assets', 'favoriteasset', '*', '*'),
     ('assets', 'historicalauthbook', '*', '*'),
     ('assets', 'assetuser', '*', '*'),
-    ('authentication', 'privatetoken', '*', '*'),
     ('perms', 'databaseapppermission', '*', '*'),
     ('perms', 'k8sapppermission', '*', '*'),
     ('perms', 'remoteapppermission', '*', '*'),
@@ -41,6 +42,8 @@ exclude_permissions = (
     ('perms', 'usergrantedmappingnode', '*', '*'),
     ('perms', 'permnode', '*', '*'),
     ('perms', 'rebuildusertreetask', '*', '*'),
+    ('perms', 'permedasset', 'add,change,delete', 'permedasset'),
+    ('perms', 'permedapplication', 'add,change,delete', 'permedapplication'),
     ('rbac', 'contenttype', '*', '*'),
     ('rbac', 'permission', 'add,delete,change', 'permission'),
     ('rbac', 'rolebinding', '*', '*'),
@@ -49,22 +52,22 @@ exclude_permissions = (
     ('ops', 'adhocexecution', '*', '*'),
     ('ops', 'celerytask', '*', '*'),
     ('ops', 'task', 'add,change', 'task'),
+    ('ops', 'commandexecution', 'delete,change', 'commandexecution'),
     ('orgs', 'organizationmember', '*', '*'),
     ('settings', 'setting', 'add,delete', 'setting'),
     ('audits', 'operatelog', 'add,delete,change', 'operatelog'),
     ('audits', 'passwordchangelog', 'add,change,delete', 'passwordchangelog'),
     ('audits', 'userloginlog', 'change,delete,change', 'userloginlog'),
     ('audits', 'ftplog', 'change,delete', 'ftplog'),
-    ('terminal', 'session', 'delete', 'session'),
-    ('terminal', 'session', 'delete,change', 'command'),
     ('tickets', 'ticket', '*', '*'),
-    ('users', 'userpasswordhistory', '*', '*'),
     ('xpack', 'interface', '*', '*'),
     ('xpack', 'license', '*', '*'),
     ('common', 'permission', 'add,delete,view,change', 'permission'),
     ('terminal', 'command', 'delete,change', 'command'),
     ('terminal', 'sessionjoinrecord', 'delete', 'sessionjoinrecord'),
     ('terminal', 'sessionreplay', 'delete', 'sessionreplay'),
+    ('terminal', 'session', 'delete', 'session'),
+    ('terminal', 'session', 'delete,change', 'command'),
 )
 
 

apps/rbac/migrations/0001_initial.py

@@ -27,7 +27,7 @@ class Migration(migrations.Migration):
             ],
             options={
                 'verbose_name': 'Menu permission',
-                'permissions': [('view_adminview', 'view console view'), ('view_auditview', 'view audit view'), ('view_userview', 'view workspace view')],
+                'permissions': [('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view')],
                 'default_permissions': [],
             },
         ),

apps/rbac/migrations/0005_auto_20220307_1524.py

@@ -0,0 +1,17 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:46
+
+from django.db import migrations
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0004_auto_20211201_1901'),
+    ]
+
+    operations = [
+        migrations.AlterModelOptions(
+            name='menupermission',
+            options={'default_permissions': [], 'permissions': [('view_resourcestatistics', 'Can view resource statistics'), ('view_adminview', 'Can view console view'), ('view_auditview', 'Can view audit view'), ('view_userview', 'Can view workspace view'), ('view_webterminal', 'Can view web terminal'), ('view_filemanager', 'Can view file manager')], 'verbose_name': 'Menu permission'},
+        ),
+    ]

apps/rbac/migrations/0006_auto_20220307_1558.py

@@ -0,0 +1,39 @@
+# Generated by Django 3.1.14 on 2022-03-07 07:58
+
+from django.db import migrations
+
+
+def delete_unused_permissions(apps, schema_editor):
+    permission_model = apps.get_model('rbac', 'Permission')
+    content_type_model = apps.get_model('rbac', 'ContentType')
+    content_type_delete_required = [
+        ('common', 'permission'),
+    ]
+    for app, model in content_type_delete_required:
+        content_type_model.objects.filter(app_label=app, model=model).delete()
+
+    permissions_delete_required = [
+        ('perms', 'assetpermission', 'connect_myassets'),
+        ('perms', 'assetpermission', 'view_myassets'),
+        ('perms', 'assetpermission', 'view_userassets'),
+        ('perms', 'assetpermission', 'view_usergroupassets'),
+        ('perms', 'applicationpermission', 'view_myapps'),
+        ('perms', 'applicationpermission', 'connect_myapps'),
+        ('perms', 'applicationpermission', 'view_userapps'),
+        ('perms', 'applicationpermission', 'view_usergroupapps'),
+    ]
+    for app, model, codename in permissions_delete_required:
+        permission_model.objects.filter(
+            codename=codename, content_type__model=model, content_type__app_label=app
+        ).delete()
+
+
+class Migration(migrations.Migration):
+
+    dependencies = [
+        ('rbac', '0005_auto_20220307_1524'),
+    ]
+
+    operations = [
+        migrations.RunPython(delete_unused_permissions)
+    ]

apps/rbac/models/menu.py

@@ -12,7 +12,10 @@ class MenuPermission(models.Model):
         default_permissions = []
         verbose_name = _('Menu permission')
         permissions = [
-            ('view_adminview', _('view console view')),
+            ('view_resourcestatistics', _('Can view resource statistics')),
-            ('view_auditview', _('view audit view')),
+            ('view_adminview', _('Can view console view')),
-            ('view_userview', _('view workspace view')),
+            ('view_auditview', _('Can view audit view')),
+            ('view_userview', _('Can view workspace view')),
+            ('view_webterminal', _('Can view web terminal')),
+            ('view_filemanager', _('Can view file manager')),
         ]

apps/rbac/tree.py

@@ -132,7 +132,17 @@ extra_nodes_data = [
         "id": "terminal_node",
         "name": _("Terminal setting"),
         "pId": "view_setting"
-    }
+    },
+    {
+        'id': "my_assets",
+        "name": _("My assets"),
+        "pId": "view_workspace"
+    },
+    {
+        'id': "my_apps",
+        "name": _("My apps"),
+        "pId": "view_workspace"
+    },
 ]
 
 # 将 model 放到其它节点下，而不是本来的 app 中
@@ -164,10 +174,16 @@ special_model_pid_mapper = {
     'terminal.task': 'terminal_node',
     'audits.ftplog': 'terminal',
     'rbac.menupermission': 'view_other',
+    'perms.view_myassets': 'my_assets',
+    'perms.connect_myassets': 'my_assets',
+    'perms.view_myapps': 'my_apps',
+    'perms.connect_myapps': 'my_apps',
+    'ops.commandexecution': 'view_workspace',
 }
 
 model_verbose_name_mapper = {
     'orgs.organization': _("App organizations"),
+    'tickets.comment': _("Ticket comment"),
 }
 
 xpack_apps = [
@@ -259,28 +275,28 @@ class PermissionTreeUtil:
 
     def _create_models_nodes(self):
         content_types = ContentType.objects.all()
-        total_counts_mapper, checked_counts_mapper = self._get_model_counts_mapper()
 
         nodes = []
         for ct in content_types:
-            total_count = total_counts_mapper.get(ct.id, 0)
-            checked_count = checked_counts_mapper.get(ct.id, 0)
-            if total_count == 0:
-                continue
-
             model_id = '{}.{}'.format(ct.app_label, ct.model)
             if not self._check_model_xpack(model_id):
                 continue
+
+            total_count = self.total_counts[model_id]
+            checked_count = self.checked_counts[model_id]
+            if total_count == 0:
+                continue
+
             # 获取 pid
             app = ct.app_label
-            if special_model_pid_mapper.get(model_id):
+            if model_id in special_model_pid_mapper:
                 app = special_model_pid_mapper[model_id]
             self.total_counts[app] += total_count
             self.checked_counts[app] += checked_count
 
             # 获取 name
             name = f'{ct.name}'
-            if model_verbose_name_mapper.get(model_id):
+            if model_id in model_verbose_name_mapper:
                 name = model_verbose_name_mapper[model_id]
 
             node = self._create_node({
@@ -336,11 +352,21 @@ class PermissionTreeUtil:
             if settings.DEBUG:
                 name += '({})'.format(p.app_label_codename)
 
+            title = p.app_label_codename
+            pid = model_id
+            if title in special_model_pid_mapper:
+                pid = special_model_pid_mapper[title]
+
+            self.total_counts[pid] += 1
+            checked = p.id in permissions_id
+            if checked:
+                self.checked_counts[pid] += 1
+
             node = TreeNode(**{
                 'id': p.id,
                 'name': name,
-                'title': p.app_label_codename,
+                'title': title,
-                'pId': model_id,
+                'pId': pid,
                 'isParent': False,
                 'chkDisabled': self.check_disabled,
                 'iconSkin': 'file',
@@ -395,10 +421,10 @@ class PermissionTreeUtil:
             checked_count = self.checked_counts[view]
             if total_count == 0:
                 continue
-            node = self._create_node(data, total_count, checked_count, 'view')
+            node = self._create_node(data, total_count, checked_count, 'view', is_open=False)
             nodes.append(node)
         return nodes
-    
+
     def _create_extra_nodes(self):
         nodes = []
         for data in extra_nodes_data:
@@ -423,8 +449,8 @@ class PermissionTreeUtil:
         perms_nodes = self._create_perms_nodes()
         models_nodes = self._create_models_nodes()
         apps_nodes = self.create_apps_nodes()
-        views_nodes = self._create_views_node()
         extra_nodes = self._create_extra_nodes()
+        views_nodes = self._create_views_node()
 
         nodes += views_nodes + apps_nodes + models_nodes + perms_nodes + extra_nodes
         return nodes

apps/tickets/migrations/0012_ticketsession.py

@@ -19,5 +19,6 @@ class Migration(migrations.Migration):
                 ('session', models.ForeignKey(db_constraint=False, on_delete=django.db.models.deletion.CASCADE, related_name='ticket_relation', to='terminal.session')),
                 ('ticket', models.ForeignKey(db_constraint=False, on_delete=django.db.models.deletion.CASCADE, related_name='session_relation', to='tickets.ticket')),
             ],
+            options={'verbose_name': 'Ticket session relation'},
         ),
     ]

apps/tickets/models/relation.py

@@ -1,11 +1,14 @@
 from django.db import models
-from django.db.models import Model
+from django.utils.translation import ugettext_lazy as _
 
 
-class TicketSession(Model):
+class TicketSession(models.Model):
     ticket = models.ForeignKey('tickets.Ticket', related_name='session_relation', on_delete=models.CASCADE, db_constraint=False)
     session = models.ForeignKey('terminal.Session', related_name='ticket_relation', on_delete=models.CASCADE, db_constraint=False)
 
+    class Meta:
+        verbose_name = _("Ticket session relation")
+
     @classmethod
     def get_ticket_by_session_id(cls, session_id):
         relation = cls.objects.filter(session=session_id).first()