Merge pull request #9601 from jumpserver/pr@dev@feat_protect_resource

feat: 增加media权限控制
pull/9603/head
老广 2 years ago committed by GitHub
commit 40bd197581
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1,24 @@
# ~*~ coding: utf-8 ~*~
path_perms_map = {
'xpack': '*',
'replay': 'default',
'applets': 'terminal.view_applet',
'playbooks': 'ops.view_playbook'
}
def allow_access(private_file):
request = private_file.request
request_path = private_file.request.path
path_list = str(request_path)[1:].split('/')
path_base = path_list[1] if len(path_list) > 1 else None
path_perm = path_perms_map.get(path_base, None)
if not path_perm:
return False
if path_perm == '*' or request.user.has_perms([path_perm]):
return True
if path_perm == 'default':
return request.user.is_authenticated and request.user.is_staff
return False

@ -102,6 +102,7 @@ INSTALLED_APPS = [
'django_filters',
'bootstrap3',
'captcha',
'private_storage',
'django_celery_beat',
'django.contrib.auth',
'django.contrib.admin',
@ -263,11 +264,11 @@ STATICFILES_DIRS = (
)
# Media files (File, ImageField) will be save these
MEDIA_URL = '/media/'
MEDIA_ROOT = os.path.join(PROJECT_DIR, 'data', 'media').replace('\\', '/') + '/'
PRIVATE_STORAGE_ROOT = MEDIA_ROOT
PRIVATE_STORAGE_AUTH_FUNCTION = 'jumpserver.rewriting.storage.permissions.allow_access'
# Use django-bootstrap-form to format template, input max width arg
# BOOTSTRAP_COLUMN_COUNT = 11

@ -2,6 +2,8 @@
from __future__ import unicode_literals
import os
import private_storage.urls
from django.urls import path, include, re_path
from django.conf import settings
from django.conf.urls.static import static
@ -57,8 +59,11 @@ urlpatterns = [
]
# 静态文件处理路由
urlpatterns += static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT) \
+ static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
urlpatterns += static(settings.STATIC_URL, document_root=settings.STATIC_ROOT)
urlpatterns += [
# Protect media
path('media/', include(private_storage.urls)),
]
# js i18n 路由文件
urlpatterns += [

@ -4,6 +4,7 @@ import uuid
from django.conf import settings
from django.db import models
from django.utils.translation import gettext_lazy as _
from private_storage.fields import PrivateFileField
from ops.const import CreateMethods
from ops.exception import PlaybookNoValidEntry
@ -20,7 +21,7 @@ dangerous_keywords = (
class Playbook(JMSOrgBaseModel):
id = models.UUIDField(default=uuid.uuid4, primary_key=True)
name = models.CharField(max_length=128, verbose_name=_('Name'), null=True)
path = models.FileField(upload_to='playbooks/')
path = PrivateFileField(upload_to='playbooks/')
creator = models.ForeignKey('users.User', verbose_name=_("Creator"), on_delete=models.SET_NULL, null=True)
comment = models.CharField(max_length=1024, default='', verbose_name=_('Comment'), null=True, blank=True)
create_method = models.CharField(max_length=128, choices=CreateMethods.choices, default=CreateMethods.blank,

@ -76,6 +76,7 @@ django-timezone-field==5.0
djangorestframework==3.13.1
djangorestframework-bulk==0.2.1
django-simple-history==3.1.1
django-private-storage==3.0
drf-nested-routers==0.93.4
drf-writable-nested==0.6.4
rest_condition==1.0.3

Loading…
Cancel
Save